Symmetric vs Asymmetric Encryption

arthaxerxes · November 2004

Hi All,

I am studying for Security+ and plan to take it in a week. I find it hard to remember which protocol or Service uses which type of encryption. For example for SSL, which encryption (Symmetric or Asymmetric) is used? The problem is I have found different answers for the question mentioned in different sources. Based on Exam Cram 2 the answer is asymmetric. But on Exam Cram 2 Practice Questions in SSL section you find that SSL uses symmetric encryption.

Another example would be PGP which according to Exam Cram 2 "encrypts and decrypts email messages using either RSA or Diffie-Hellman asymmetric encryption schemes." But here in the Security+ Exam I after checking your answers you will find that: "The International Data Encryption Algorithm (IDEA) is a symmetric encryption algorithm that uses a 128 bits key and is applied in PGP systems."

In general is there a good and definite source for encryption topics?

Thanx

Artha

osprey · November 2004

My observation is that practice questions receive a lot less review than the text. I, too, found some errors in that same Exam Cram 2 practice questions. My suggestion is to just ignore whatever the practice exams say and take the text at their word, instead. Double-checking with another source (which you're doing), though, is a good idea.

SSL employs certificates, which use asymmetric encryption, so the text is correct in that case.
PGP can apparently use either. Evidence, from the PGP FAQ:
"IDEA - Developed in Switzerland and licensed for non-commercial use in PGP.
...
RSA is the public key encryption method used in PGP."

BTW, the folks at this site have put together nice tech notes on many exams. Their Security+ notes seem to be short on encryption types, but they cover most everything else.

arthaxerxes · November 2004

Thanx jnisbet for the help. I have read all very usefull Tech notes on this site and here wanna thank Johan, Russ and all others who have put together these notes and sample questions.

So one of my questions remain unanswered. How do you answer a question about PGP encryption that has both RSA or Diffie-Hellman (Asymmetric) and IDEA (Symmetric) as answers? Because that's one of the questions in the Security+ Exam I on this very site.

And if anybody knows any particular useful source for this topic (Encryption).

Thanx

Artha

RussS · November 2004

I will quote that sage of the Security+ certification ... Tcat Howser ....

PGP uses the Public-Private key encryption method. By
implementing PGP without relying on controlled/patented algorithms, so that it could be
distributed anywhere without license fees or patent issues, the developers hoped that the
idea of using privacy-enhanced email would really catch on.

As in S/MIME, 3DES is used for symmetric encryption of message data, and SHA-1 for
hashing. Unlike with S/MIME, individual users are responsible for exchanging their
public keys with each other and deciding that they trust the public key they received as
being proof of the other party’s identity before messages can be sent. Key exchange is
usually accomplished via a network of public servers.

arthaxerxes · November 2004

Thanx Russ,

As a matter of fact, I had checked Tcat's Security+ on this topic. But that's exactly what I mean when I say books and generally sources are contradicting each other or are confusing at best. Exam Cram 2 mentions only asymmetric encryption like RSA and Diffie-Hellman for PGP and confirms that with the answer to end of chapter quiz. But then you check another book and voilà! you find something different. Checking the answers after taking the quiz on this site (I mean those 30 sample questions posted by Johan whom I'd like to thank for this and other excellent posts and notes) reveals even another take on this. The question is which one can you trust? Listening to people on this site makes you think twice before taking the exam. I believe some failed the exam by only one or two questions. I have postponed my test twice so far not knowing for sure if I was ready. Now that I've spent some time on this and read a book or two and taken a few tests, I'm not sure which helps me more. Start reading another book or take more tests.

Any thoughts?

Artha

Webmaster · November 2004

arthaxerxes wrote:

So one of my questions remain unanswered. How do you answer a question about PGP encryption that has both RSA or Diffie-Hellman (Asymmetric) and IDEA (Symmetric) as answers? Because that's one of the questions in the Security+ Exam I on this very site.

I assume you mean this one (RSA is not an option in this question as that would be a valid answer):

Which of the following encryption algorithms is used in PGP?
a. IDEA
b. TripleDes
c. ECC
d. Diffie-Helman

Answer(s): a. IDEA

Explanation:
The International Data Encryption Algorithm (IDEA) is a symmetric encryption algorithm that uses a 128 bits key and is applied in PGP systems.

The conflicts you found are caused by the fact that there are different versions of PGP (mainly before and after version 5, and national/international). Although I wrote that question just months ago, it was already kinda outdated. I'll save the long version for the Encryption TechNotes (still have to double check a lot of things

) but in short:

IDEA is no longer the default cipher of choice in PGP due to patents issues (IDEA also requires a license for commercial use). Since PGP version 5, CAST became the default cipher in PGP. In international PGP versions 5 and up, a CAST, IDEA, or 3DES cipher can be used for the symmetric portion of PGP (which encrypts the data). That symmetric cipher, the resulting key, is asymmetrically encrypted with RSA (version 4 and earlier) or with DSS/Diffie-Hellman (version 5+).

Anyway, I'll make sure I'll write something very clear about this in the PGP part of the Encryption TechNotes, cause CompTIA can obviously make some tricky questions about it.

As for my practice question, I will rewrite and clone it to create two new questions...

arthaxerxes · November 2004

Thanx Johan for the excellent explanation. That should be the way in the books.

I also asked:

Listening to people on this site makes you think twice before taking the exam. I believe some failed the exam by only one or two questions. I have postponed my test twice so far not knowing for sure if I was ready. Now that I've spent some time on this and read a book or two and taken a few tests, I'm not sure which helps me more. Start reading another book or take more tests.

Any suggestion anybody?

Thanx,

Arthaxexes

RussS · November 2004

Very difficult to make a call there. I guess the most important thing is .... do you know your stuff and feel comfortable?
That is a prety reasonable list of certifications you have there - are they just from study or are they obtained after several years of work experience? If it is the latter I would thing that your experience should help get you through the exam.

arthaxerxes · November 2004

Thanx Russ for your comments.

I feel confident but it could be a false confidence. People say a great deal about unclear questions and the fact that they think this test is unlike any other test they might have taken. That makes you think. I have a few years of experience but not in Security. A+ and Net+ was easy for me. But I just don't want any surprises on this test.

One of the reasons that I asked about "books or tests" was the fact that some people here claim that they learned more from the test than the books. Or at least the tests covered some topics not covered by the books. That's all.

Arthaxerxes

RussS · November 2004

I guess it is really different with each individual. Me I learn well from lectures and discussion sessions rather than reading from books. Practice tests are good, however if you take one of them more than about twice you are just remembering the questions & answers.
With Sec+ I think that 'in the field' experience is something that is very valuable even if is it not directly security related. The administration of a network tends to give a lot better understanding of the many domains in this exam.

arthaxerxes · November 2004

Well, I should say that it doesn't matter now.

Yes I passed the test today with 844. It was easier than I thought. There wasn't really any obscure questions. The questions that I missed were those that I hadn't heard about.

Just to mention my sources:

1. Exam Cram II with Practice Questions and CDs that include one full Preplogic test and over 700 questions from MeasureUp.

2. Tcat Hauser Security+ (Revised Version - Not Free one).

3. This site. Specially the sample questions and the Forum.

4. Other sites, sample chapters from publishers, etc.

I just want to thank everybody specially Johan and Russ for their help.

Cheers,

Arthaxerxes

arthaxerxes · November 2004

It always helps to check your messages before posting

I mentioned my sources. It's Tcat Howser and not Tcat Hauser. Sorry :P

Arthaxerxes

RussS · November 2004

Congrats arthaxerxes - good score

Webmaster · November 2004

Congrats!

arthaxerxes · November 2004

Thank you all!

You're very kind!

Artha

Symmetric vs Asymmetric Encryption

Comments