Asymmetric Key vs Symmetric Key

Bl8ckr0uter Inactive Imported Users Posts: 5,031
Maybe I am missing something but why exactly are Symmetrical keys "stronger" than Asymmetrical keys (in terms of encryption)? Can someone point me in the right direction?

Comments

  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Member Posts: 5,746
    Not stronger, but quicker!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    veritas_libertas wrote: »
    Not stronger, but quicker!

    The CCNA:S book says that Sym keys are both stronger and faster*, but I am not sure why?

    (It doesn't say anything about harder or better though, I wish it did, viva la Daft Punk)
  • Met44 Member Posts: 194
    A theoretical 256-bit RSA would not be considered as secure as 256-bit AES -- that's why RSA comes in flavors like 1024, 2048, and 4096. People still use asymmetric keys as part of an encryption scheme because they provide for non-repudiation of data and make key management easier than with strictly symmetric keys. From a high level, that is really the important bit about asymmetric crypto, as well as understanding that it is slow. Knowing all this, it becomes clear why asymmetric keys and symmetric keys work so well when they are used together.

    Asymmetric cryptography algorithms are slow because they are designed to use very computationally intensive mathematical functions, like the factoring of large prime numbers in the case of RSA. If you look at a walkthrough of the RSA or Diffie-Hellman key exchanges, you'll see that they don't look all that complex -- you can do them on paper if you use very small numbers (which might be a good experience and help put things in perspective). However, when you throw in huge prime numbers, it takes a while. There is a good one for Diffie-Hellman in the ISCW "Official Exam Guide" book, and I am sure you can find them on the net.
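
The paper-sized Diffie-Hellman exchange mentioned in the post above, followed by the same exchange timed at growing modulus sizes, as an added example that is not part of the original thread. The function names are hypothetical, and the moduli are Mersenne primes (2^61-1, 2^521-1, 2^2203-1, 2^4253-1) chosen only because they are easy to write down; they are not parameters for real use.

```python
import secrets
import time

def dh_exchange(p, g, a, b):
    """Both sides of one Diffie-Hellman exchange.

    Returns (A, B, alice_secret, bob_secret); the two secrets must match.
    """
    A = pow(g, a, p)          # public value Alice sends to Bob
    B = pow(g, b, p)          # public value Bob sends to Alice
    # Each side raises the other's public value to its own private exponent.
    return A, B, pow(B, a, p), pow(A, b, p)

def time_exchange(bits, rounds=5):
    """Best wall-clock time in seconds for one full exchange at this modulus size."""
    # Assumption: bits is a Mersenne exponent, so 2**bits - 1 is prime.
    p = (1 << bits) - 1
    best = float("inf")
    for _ in range(rounds):
        # Force full-length private exponents so the measured work is representative.
        a = secrets.randbits(bits - 1) | (1 << (bits - 2))
        b = secrets.randbits(bits - 1) | (1 << (bits - 2))
        start = time.perf_counter()
        _, _, s_alice, s_bob = dh_exchange(p, 3, a, b)
        best = min(best, time.perf_counter() - start)
        assert s_alice == s_bob   # both sides derived the same secret
    return best

if __name__ == "__main__":
    # Small enough to check by hand: p=23, g=5, private values 4 and 3.
    A, B, s_alice, s_bob = dh_exchange(23, 5, 4, 3)
    print(f"paper example: A={A} B={B} shared secret={s_alice} (Bob gets {s_bob})")

    # Same four modular exponentiations, with the modulus growing each time.
    for bits in (61, 521, 2203, 4253):
        print(f"{bits:>5}-bit modulus: {time_exchange(bits) * 1000:.3f} ms per exchange")
```
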
  • NightShade03 Member Posts: 1,383
    It also might be worth pointing out that even if you say one is "slower" than the other, we are talking computers with fast processors these days so by saying "slower" you could be talking secs/milliseconds.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    NightShade03 wrote: »
    It also might be worth pointing out that even if you say one is "slower" than the other, we are talking computers with fast processors these days so by saying "slower" you could be talking secs/milliseconds.

    That was one thing I haven't been able to find out as well. How much slower is one over the other?

    Sidenote: Is RSA the duct tape of IPSec? It seems that you can use it for anything!!1
  • NightShade03 Member Posts: 1,383
    Two articles I quickly found say that asymmetric encryption is "1000" times slower than symmetric, meaning it can take 1000 times more CPU time to process. Again both these articles are written in 2005/2006 and things have come a long way since then so it's all relative.

    Here is a slightly long, but quick read, on the two encryption schemes with some benchmark stats for your viewing pleasure. You can find the benchmarks halfway through the article if you don't want to read the whole thing.

    Performance Analysis of Data Encryption Algorithms

    Note: They are using a PII and a P4 processor.
  • Met44 Member Posts: 194
    Interesting article... would have also been interesting to see results for an asymmetric algorithm used for bulk encryption, since they were writing their own implementations anyway.

    knwminus: Since you mentioned you have the CCNA:S Exam Cert Guide, on pages 443-444 it talks briefly about symmetric vs asymmetric algorithms. They also mention the "up to 1000 times slower" figure.

    Some other food for thought... elliptic curve cryptography helps to solve some of the problem of slow asymmetric algorithms. This is well-supported by the OpenSSL libraries, and they have some good HOWTO pages that explain the process. I am unaware if Cisco supports EC-enabled algorithms or not.

    Forgetting for a second that this is the CompTIA section hehe.

    Edit: Also, while the delay induced by particular cryptography may not be as big of a deal on a big beefy server, if you have devices with additional constraints such as mobile devices concerned with power draw, or equipment without the horsepower of a rack mount server (like your Cisco router), there is additional reason not to have them chugging away with asymmetric keys all day. In those situations, delay can add up quick (such as for voice)... and if your device is encrypting, it is not doing whatever else it is supposed to be doing!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Met44 wrote: »
    Interesting article... would have also been interesting to see results for an asymmetric algorithm used for bulk encryption, since they were writing their own implementations anyway.

    knwminus: Since you mentioned you have the CCNA:S Exam Cert Guide, on pages 443-444 it talks briefly about symmetric vs asymmetric algorithms. They also mention the "up to 1000 times slower" figure.

    Some other food for thought... elliptic curve cryptography helps to solve some of the problem of slow asymmetric algorithms. This is well-supported by the OpenSSL libraries, and they have some good HOWTO pages that explain the process. I am unaware if Cisco supports EC-enabled algorithms or not.

    Forgetting for a second that this is the CompTIA section hehe.

    Edit: Also, while the delay induced by particular cryptography may not be as big of a deal on a big beefy server, if you have devices with additional constraints such as mobile devices concerned with power draw, or equipment without the horsepower of a rack mount server (like your Cisco router), there is additional reason not to have them chugging away with asymmetric keys all day. In those situations, delay can add up quick (such as for voice)... and if your device is encrypting, it is not doing whatever else it is supposed to be doing!

    I read pages 443-444. At the point when I posed the question I hadn't, though. At any rate, you actually answered a question that I hadn't posed but was going to, about why this slowness makes a big deal. I am going to need to review this chapter at least one more time before I sit the exam.