There are two main forms of data encryption in use today: symmetric encryption and asymmetric encryption. Every day, when you’re using your web browser, responding to emails, submitting website forms, and other activities, symmetric and asymmetric encryption processes are happening, sometimes unbeknownst to you. You may also be familiar with symmetric and asymmetric encryption because you have experience with OpenSSL, key management services, or maybe you’ve sent an encrypted email or encrypted a Microsoft Word or Adobe PDF file with a password before.
It’s important to understand the differences between symmetric and asymmetric encryption and how these security technologies work in the everyday secure transfer of communications. By the end, you’ll know what these terms mean when you see them, how each works, their various iterations and capabilities, and which is more advisable to implement for securing sensitive information and authenticating its origin.
In this blog post, we’ll discuss the differences between symmetric and asymmetric encryption. At the end, we’ll summarize these differences and discuss related encryption options for securing your sensitive data.
Graphic: Symmetric encryption uses a single key to encrypt and decrypt information.
What is symmetric encryption?
Symmetric encryption is a widely used data encryption technique whereby data is encrypted and decrypted using a single, secret cryptographic key.
Specifically, the key is used to encrypt plaintext – the data’s pre-encryption or post-decryption state – and decrypt ciphertext – the data’s post-encryption or pre-decryption state.
Symmetric encryption is one of the most widely used encryption techniques and also one of the oldest, dating back to the days of the Roman Empire. Caesar’s cipher, named after none other than Julius Caesar, who used it to encrypt his military correspondence, is a famous historical example of symmetric encryption in action.
The goal of symmetric encryption is to secure sensitive, secret, or classified information. It’s used daily in many major industries, including defense, aerospace, banking, health care, and other industries in which securing a person’s, business’, or organization’s sensitive data is of the utmost importance.
Graphic: This is an illustration of the symmetric encryption process.
How does symmetric encryption work?
Symmetric encryption works by using either a stream cipher or a block cipher to encrypt and decrypt data. A stream cipher converts plaintext into ciphertext one byte at a time, while a block cipher transforms plaintext one fixed-size block at a time under a key of predetermined length, such as 128, 192, or 256 bits.
Both senders and recipients using symmetric encryption to transfer data must know the secret key: senders use it to encrypt the data they intend to share, and recipients use it to decrypt and read the data the senders share with them, as well as to encrypt any necessary responses.
Here’s a simplified example of symmetric encryption: if Claire, the sender, wants to send Jacqueline, the recipient, a confidential document, Claire would use the secret key to encrypt the file and send it to Jacqueline, who would be unable to read its contents until she entered the same key that Claire just used to encrypt the file. Conversely, if Jacqueline makes changes to the document and wishes to share them with Claire, she’d use the same key to re-encrypt the file and send it back to Claire, who will use the same key to decrypt the file and access its contents, and the process repeats itself.
Note that this is just an example used to simplify how symmetric encryption works. Symmetric encryption may be carried out manually or automatically.
Symmetric encryption is not limited to the sharing of data between one sender and one recipient, however. Symmetrically encrypted information can be accessed by anyone – Claire, Jacqueline, their co-worker Frank, their boss, Jennifer, et al. – who knows the secret key. Therein lies the reason why concealing the shared cryptographic key from unauthorized parties is vital to the success of symmetric encryption and the integrity of symmetrically encrypted data.
Graphic: Examples of symmetric encryption include the Advanced Encryption Standard (AES) and TLS/SSL protocol.
What are some examples of symmetric encryption?
Popular examples of symmetric encryption include the:
- Data Encryption Standard (DES)
- Triple Data Encryption Standard (Triple DES)
- Advanced Encryption Standard (AES)
- International Data Encryption Algorithm (IDEA)
- TLS/SSL protocol
AES encryption, which uses block ciphers of 128, 192, or 256 bits to encrypt and decrypt data, is one of the most well-known and effective symmetric encryption techniques in use today. It would take billions of years to crack, and that’s why it’s used to secure sensitive, secret, or classified information in government, healthcare, banking, and other industries. It is more secure than DES, Triple DES, and IDEA.
DES encryption is now considered by the National Institute of Standards and Technology (NIST) to be a legacy symmetric encryption algorithm because it has long been ineffective at safeguarding sensitive information from brute-force attacks. In fact, NIST has withdrawn the standard entirely, and its more secure big brother, Triple DES encryption, will meet the same fate. Although still in use today, Triple DES encryption is being withdrawn and disallowed by NIST in 2023 because of mounting security concerns.
IDEA encryption was developed as a replacement for DES in the 1990s, but AES was ultimately deemed more secure. IDEA is now an open and free block-cipher algorithm, so anyone can use it, but it’s generally considered to be obsolete and ineffective at securing sensitive and top-secret information today. AES encryption is the gold standard for both purposes.
Transport Layer Security (TLS), as well as its predecessor, Secure Sockets Layer (SSL), uses symmetric encryption. Basically, when a client accesses a server, unique symmetric keys, called session keys, are generated. These session keys are used to encrypt and decrypt the data shared between the client and the server in that specific client-server session at that specific point in time. A new client-server session would generate new, unique session keys.
TLS/SSL does not rely on symmetric encryption alone; it combines symmetric and asymmetric encryption to ensure the security of client-server sessions and the information exchanged within them.
Graphic: Advantages of symmetric encryption include security, speed, and industry adoption and acceptance.
What are some advantages of symmetric encryption?
Symmetric encryption is used today because it can encrypt and decrypt large amounts of data quickly, and it’s easy to implement. It’s simple to use, and its AES iteration is one of the most secure forms of data encryption available.
Now, symmetric encryption has several advantages over its asymmetric counterpart, but we’ll talk about asymmetric encryption in this blog post a little later.
Some advantages of symmetric encryption include:
- Security: symmetric encryption algorithms like AES take billions of years to crack using brute-force attacks.
- Speed: symmetric encryption, because of its shorter key lengths and relative simplicity compared to asymmetric encryption, is much faster to execute.
- Industry adoption and acceptance: symmetric encryption algorithms like AES have become the gold standard of data encryption because of their security and speed benefits, and as such, have enjoyed decades of industry adoption and acceptance.
Graphic: Disadvantages of symmetric encryption include the need to ensure the security of key distribution mechanisms.
What are some disadvantages of symmetric encryption?
By far the biggest disadvantage of symmetric encryption is its use of a single, secret cryptographic key to encrypt and decrypt information.
Well, if this secret key is stored in an insecure location on a computer, then hackers could gain access to it using software-based attacks, allowing them to decrypt the encrypted data and thereby defeating the entire purpose of symmetric encryption.
In addition, if one party or entity is encrypting at one location and a separate party or entity decrypting at a second, then the key will need to be transmitted, leaving it vulnerable to interception if the transmission channel is compromised.
That’s why it’s crucial to ensure the security of the encryption key at rest and in transit. Otherwise, you’re just asking for a litany of independent and state-sponsored cyberattackers to access your mission-critical, safety-critical, or legally protected data.
The only other disadvantage to using symmetric encryption is its security efficacy when compared to asymmetric encryption, which is generally considered to be more secure but also slower to execute than symmetric encryption.
But is asymmetric encryption more secure than symmetric encryption? Let’s find out.
Graphic: Asymmetric encryption uses public- and private-key pairs to encrypt and decrypt sensitive information.
What is asymmetric encryption?
Unlike symmetric encryption, which uses the same secret key to encrypt and decrypt sensitive information, asymmetric encryption, also known as public-key cryptography or public-key encryption, uses mathematically linked public- and private-key pairs to encrypt and decrypt senders’ and recipients’ sensitive data.
As with symmetric encryption, plaintext is still converted into ciphertext and vice versa during encryption and decryption, respectively. The main difference is that, instead of one shared key, each party holds its own unique key pair, so two key pairs are involved when two parties exchange data asymmetrically.
Graphic: This is an illustration of the asymmetric encryption process.
How does asymmetric encryption work?
Here’s a simplified example of asymmetric encryption: if Claire, the sender, and Jacqueline, the recipient, want to continually send a confidential file back and forth to each other, Claire and Jacqueline first give their unique and respective public keys to each other. Claire then uses Jacqueline’s public key to encrypt the file, since it’s intended for Jacqueline only, and sends the file to Jacqueline. Upon receipt, Jacqueline uses her private key – keyword, “private,” meaning no one other than Jacqueline knows it – to decrypt the file and access its contents. No one other than Jacqueline, not even Claire, can decrypt this file, because no one other than Jacqueline knows Jacqueline’s private key. The same process applies when Jacqueline wants to send the file back to Claire: Jacqueline encrypts it with Claire’s public key, and Claire uses her private key to decrypt it.
Note that this is a simplification of asymmetric encryption. Like symmetric encryption, asymmetric encryption may be carried out manually or automatically.
Now, do you see how asymmetric encryption could be seen as more secure than symmetric encryption? While this is an interesting question, it’s not quite the right one to ask: whether symmetric or asymmetric encryption is more secure depends largely on key size and on the security of the media that store or transmit the cryptographic keys.
One reason asymmetric encryption is often regarded as more secure than symmetric encryption is that, unlike its counterpart, it does not require two or more parties to exchange the same encrypt-decrypt key. Yes, public keys are exchanged, but each user sharing data in an asymmetric cryptosystem has a unique public and private key pair, and the public key is used for encryption only. Should a public key become known to hackers, it poses no risk of unauthorized decryption: as long as private keys are kept private, the hackers do not hold the users’ private keys and therefore cannot decrypt the encrypted data.
Asymmetric encryption also allows for digital signature authentication, unlike symmetric encryption. Basically, this involves using private keys to digitally sign messages or files, and their corresponding public keys are used to confirm that these messages originated from the correct, verified sender.
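The following Go example is added here and is not code from the original post. It uses RSA-OAEP and RSA-PSS from Go’s standard library to show both points made above: Claire encrypts a document to Jacqueline’s public key (which Claire’s own private key cannot open), and signs it with her private key so that Jacqueline can confirm the sender with Claire’s public key. The 2048-bit key size and the sample document are assumptions made for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair makes a fresh 2048-bit RSA key pair for one party (private key plus its public half).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// EncryptTo seals msg under the recipient's PUBLIC key (RSA-OAEP, SHA-256); only the matching private key can open it.
func EncryptTo(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens an EncryptTo ciphertext with the recipient's PRIVATE key.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign produces a digital signature over msg with the sender's PRIVATE key (RSA-PSS, SHA-256).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify returns nil only if sig was made over exactly msg by the private key matching pub.
func Verify(pub *rsa.PublicKey, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

func main() {
	claire, _ := NewKeyPair()
	jacqueline, _ := NewKeyPair()
	// Claire encrypts for Jacqueline with Jacqueline's public key and signs with her own private key.
	ct, _ := EncryptTo(&jacqueline.PublicKey, []byte("confidential document"))
	sig, _ := Sign(claire, ct)
	// Jacqueline checks the signature with Claire's public key, then decrypts with her private key.
	fmt.Println("signed by Claire:", Verify(&claire.PublicKey, ct, sig) == nil)
	pt, err := Decrypt(jacqueline, ct)
	fmt.Printf("%s (err=%v)\n", pt, err)
	_, err = Decrypt(claire, ct) // Claire's own private key cannot open a file meant for Jacqueline
	fmt.Println("Claire can decrypt:", err == nil)
}
```

Signing the ciphertext rather than the plaintext, as done here, lets Jacqueline reject a forged or altered file before spending a private-key operation on decrypting it.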