Read time: 9 minutes

Asymmetric and symmetric encryptions are the types of encryptions used in cryptography. There is only one key involved in symmetric encryption, which is used for both encryption and decryption. The key has to be shared among the parties involved who wish to encrypt and decrypt data. In comparison, asymmetric encryption uses two separate keys which are related to each other mathematically. The keys are called Private keys and public keys. Generally, a certificate is associated with a public key, which holds the information about the public key owner. The certificate contains information such as name, organization name, algorithms used, etc. Even though symmetric and asymmetric encryption seems similar, symmetric encryption is comparably faster than asymmetric encryption; thus, performance-wise, asymmetric encryption is slower, which is why symmetric encryption is often used in conjunction with asymmetric encryption. We will explore more about this on the use cases discussed below.  

Symmetric Encryption

As discussed above, symmetric encryption uses the same key for encryption and decryption, so the sender would somehow send the key to the receiver to decrypt the encrypted data. The key involved has to be protected and transferred securely. If the key is lost, then the data cannot be decrypted, and if the key gets compromised, that will compromise the encryption. 

Thus, symmetric keys are transferred among parties using asymmetric encryption, ensuring that the symmetric key remains encrypted. Two different keys are now involved in encrypting and decrypting the data.  

Symmetric encryption is comparably much faster than asymmetric encryption, which is why it is still used massively today.  

Asymmetric Encryption

Asymmetric encryption uses two separate keys which are mathematically involved with each other. The first key is called the private key. The private key is the one that is heavily protected. Often this key remains in an HSM or an air-gapped computer to ensure the protection of the private key. The public key is derived from the private key and can be distributed. A certificate is often created with a public key containing information about the key’s owner and a few details about the key itself.  

The key pair relies on prime numbers of extended length. The public and private keys are computed simultaneously, using the same mathematical operation, namely trapdoor functions. The most characteristic of trapdoor functions is that they’re simple to calculate in one direction, nevertheless troublesome calculating in the reverse order. Using a private key, we can find the public key, but the private key cannot be obtained using the public key.  

Even though asymmetric encryption provides more protection to the keys, they are comparatively slower than symmetric encryption. For this reason, asymmetric encryption is often used to exchange the secret key, which can be used to establish symmetric encryption for faster data transfer and make encryption and decryption of the data faster. 

Use Cases

Symmetric Encryption
Symmetric Encryption uses one key for encryption and decryption, which is why it is best used to encrypt and decrypt local data. Some of the use cases involving symmetric encryption can be: 

  •  Data at rest: Data at rest refers to data stored in a physical drive and is not transferred among devices. This data can be stored in hard drives, SSD, flash drives, etc. Data at rest often involves data that can be valuable to attackers as it usually contains customer information, employee information, trade secrets, Intellectual Properties, etc. To be able to protect this data adequately, organizations use symmetric encryption.
    One effective way to encrypt all the data in a physical drive is to encrypt the drive itself. This is called whole disk or full disk encryption, which has fewer benefits than partial or folder encryption. Many files (such as Word files) create a temporary file while it is opened. This temporary file can remain unencrypted. Many Linux distribution does provide full disk encryption while installing the operating system, and Microsoft delivers BitLocker Drive Encryption for Windows. Full drive encryption does leave the boot volume unencrypted for the operating system to boot, but every other volume, including swap space and temporary files, remains encrypted.
  • Banking and Payment Industry: The banking and Payment Industry is one of the most secure industries, and there are many compliances involved in keeping it safe. Nevertheless, it is also one of the busiest industries, which requires them to be fast. Symmetric encryption provides fast encryption and decryption of a large amount of data, which includes the transaction. It can often contain Personal Identifiable Information (PII), which needs to be protected for being compliant with PCI DSS and preventing Identity Theft. They also need to ensure the identity of the user and the authenticity of the transactions fast. This is one of the reasons why the banking industry uses symmetric encryption.

Asymmetric Encryption 
Asymmetric Encryption is slower than symmetric encryption, so it is used for small amounts of data, such as exchanging secret keys or providing digital identities.

As organizations move to the digital age, digital signatures become crucial to identifying authentic data and ensuring someone’s identity. Digital signatures provide that the data involved has not been modified and if the data (which can include PDF, applications, etc.) is authentic.  The recipient of signed data will use a digital signature to demonstrate to a 3rd party that the claimed individual generated the signature. This is often called non-repudiation since the individual cannot simply repudiate the signature at a later time.

The following steps explain how a digital signature is used to exchange information between a sender and a receiver:

  1. First, the data that would be transferred is hashed using some hashing algorithms such as SHA-256. Hashing is a one-way function and produces a unique value for unique input. The original data cannot be obtained using the hash value. This ensures data integrity, as if the data is modified, the corresponding hash value will also change.
  2. The hash is then encrypted using the sender’s private key. This creates a digital signature.
  3. The digital signature would now be attached and sent to the sender.
  4. After receiving the data and the digital signature, the signature is decrypted using the sender’s public key, which provides the hash value generated on the first step.
  5. The receiver then hashes the obtained data.
  6. If the hash obtained on step 5 is equal to the hash receiver got on step 4, it ensured data integrity. If, however, the hashes do not match, then the data has been modified.

Digital signatures are meant to be used in emails, transferring data, distributing software, and other applications, requiring data integrity and ensuring the authenticity of the data origin.

Use case of Asymmetric and Symmetric Encryption

Asymmetric and symmetric encryption is often used in combination with each other to maintain a balance of performance, secure transfer, identification, etc. A single one may not be able to achieve alone. 

Use case 1: Messaging Applications

Many messaging applications such as WhatsApp, telegram, Signal provide end-to-end encryption to provide confidentiality of the users involved and authenticate users to communicate with each other securely. 

In end-to-end encryption, the messages and calls are encrypted so anyone apart from the users would not obtain plaintext information. Only the data is encrypted, but the headers, trailers, and routing information of the messages remain unencrypted.

One of the best features is that even if the key is somehow compromised from the user’s physical device, that key cannot be used to decrypt any previously encrypted text.

To be able to achieve this, both symmetric and asymmetric encryptions are used. Asymmetric encryption is used to initiate the conversation among the users, which involves exchanging secret keys for symmetric encryption. After the communication is established and a secret key is exchanged, symmetric encryption is used for the whole duration of the communication.

First, when the application is installed on the user’s end, the key pair is created. The user’s public key is registered and stored in the application server, but the private key remains in the user’s device. The user who wants to initiate the conversation obtains the receiver’s public key from the application server. Using the public key, the sender sends an encrypted message to the receiver. The encrypted message contains parameters to establish a symmetric session among the parties involved. The receiver would use their private key to decrypt the message and develop symmetric encryption between the sender and the receiver. Once the session has been established, clients exchange messages protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication. The encrypted session would be recreated only when the application is re-installed, or the device is changed.  

Use case 2: HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is a secure version of the HTTP protocol that uses the SSL/TLS protocol for encryption and authentication.  HTTPS is specified by RFC 2818 (May 2000) and uses port 443 by default instead of HTTP’s port 80. 

The HTTPS protocol makes it possible for website users to transmit sensitive data such as credit card numbers, banking information, and login credentials securely over the internet. For this reason, HTTPS is essential for securing online activities such as shopping, banking, and remote work. HTTPS is now the standard protocol for all websites, whether they exchange sensitive data with users. 

An HTTPS connection between a client and a server uses both symmetric and asymmetric encryption. Like the previous one, asymmetric encryption is first used to establish communication and exchange secrets, and then symmetric encryption is used for the rest of the communication. The key used for symmetric encryption is called session keys. Session keys are randomly generated when a session is created and are used for that particular session only.  The steps involved in HTTPS are: 

  1. When the client tried to connect to the server, the server first sends a TLS certificate. The respective CA would verify the certificate to ensure the authenticity of the certificate and the server involved.
  2. The certificate also contains cipher suits and the maximum TLS version supported.
  3. After the certificate is verified and the algorithms and TLS versions are set to be the maximum among the client and the server, the client generates a session key. The session key is encrypted using the server’s public key and is sent to the server.
  4. The server decrypts the session key using its private key.
  5. The session key is then used for symmetric encryption, and data is exchanged among the server and the client using the session key.
  6. The session continues with only symmetric encryption.

Conclusion

Symmetric encryption is indeed one of the fastest encryption techniques, but the secret key needs to be exchanged securely to be effective. Asymmetric encryption is thus used to exchange the key involved for symmetric encryption. In both use cases, asymmetric encryption is used briefly to exchange parameters and establish symmetric encryption used for the rest of the communication.  Being slow and resource exhaustive, asymmetric encryption is only used to cover the shortcomings of symmetric encryption. Thus, both of them are used together to achieve ideal secure communication, maintain privacy, achieve authenticity, data integrity, and proper authentication. 

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 5 minutes 2 seconds

Organizations nowadays are storing and performing computation of the data on the cloud instead of handling themselves. Cloud Service Providers (CSPs) provide these services at an affordable cost and low maintenance. But to ensure compliance and retain privacy, organizations need to transfer the data in an encrypted format, which does ensure the confidentiality of the data. However, once the data reaches the cloud, the CSP has to decrypt the data to perform operation or computation.

Decrypting the data to the CSP loses the data’s confidentiality, which may concern the organization for not being compliant to data privacy regulations such as GDPR, FIPS, PCI DSS,  CCPA, etc.

What is Homomorphic Encryption?

Homomorphic Encryption makes it possible to do computation while the data remains encrypted. This will ensure the data remains confidential while it is under process, which provides CSPs and other untrusted environments to accomplish their goals. At the same time, we retain the confidentiality of the data.

Like other asymmetric encryptions, homomorphic encryption is encrypted using a public key and can only be decrypted by the respective private key. But while the data is encrypted, operations can be performed on the data, which retains confidentiality, and helps organizations achieve compliance even when using untrusted environments.

Why do we need Homomorphic Encryption?

Data creation has been increased tremendously in recent times, sent/stored in multiple environments belonging to other parties such as CSPs or other third-party organizations. From startups to big organizations, everyone uses CSPs to store or process data, where tools such as Big Query are used for data processing.

CSPs do provide some control over the data customers store in their environments, but those controls depend on CSPs. While users can encrypt and store data on CSPs, conducting computation on the data would be limited. Thus, standard encryption is only limited to data storage alone and does not provide any meaningful analysis that can be used.

To be able to process data while ensuring data privacy, researchers are focusing on privacy-enabled computation. Homomorphic Encryption (HE) is one of the promising approaches in this direction.

Types of Homomorphic Encryption

Homomorphic Encryption allows computation on encrypted data without decrypting. Mathematical operations that can be performed on the ciphertext differentiates the types of Homomorphic Encryptions.
They are mainly of two types:

  1. Partial Homomorphic Encryption (PHE) (supports either addition/multiplication, but not both)
  2. Fully Homomorphic Encryption (FHE) (supports both addition and multiplication)

Partial Homomorphic Encryption such as RSA and Paillier cryptosystems does support additive and multiplicative homomorphism. In 2009, Craig Gentry proposed an FHE scheme based on lattices for the first time. An FHE scheme usually supports addition and multiplication ciphertexts as follows:

HE(a+b) = HE(a) + HE(b) and HE(a*b) = HE(a) * HE(b)

Addition/Multiplication of plaintext is equal to the addition/multiplication of two ciphertexts.

Applications

HE makes it possible to achieve privacy-preserving computation in almost every scenario. Some of those include:

  1. Private Search

    Search Engines rely on ads to generate revenue. While serving searches to their users, search engines get a better view of the user’s preferences. This does help them provide customized ads for the user they serve. Homomorphic encryption does solve the problem. Search Engines can crawl the encrypted data, serve them as the algorithm is designed to, and serve the user with encrypted data. The user would get the desired result, while the search engines remain unaware of the data requested, which keeps preferences private and more challenging to serve ads.

  2. Encrypted Databases

    In any cyber-attacks, databases are often the most crucial infrastructure to protect. It may cost an organization a considerable fine in compliance and have a bad reputation to go along. Several security measures are kept in place, which includes Encrypting a database. In case of a breach, the database would remain encrypted and decrypted by a specific key, preventing unauthorized access to the database.
    If we employ the standard encryption, the encrypted database will not allow any operations on the records. We can use deterministic encryption, order-preserving encryption, and order-revealing encryption to support the encrypted database. But these would lead to leakages, such as memory access patterns and search patterns.
    With Homomorphic Encryption, it is possible to encrypt data in the database to obtain confidentiality, while we can also perform operations and computation on the data. Only authorized users with the key to decrypt the database can access the data in the database.

  3. Computation on Cloud

    Cloud Computing saves money and reduces maintenance that an organization needs to maintain its infrastructure for the services offered. Organizations can lease cloud infrastructure on a need basis to run their applications. CSPs also provides the ability to scale up according to the load on the infrastructure. Since the service providers typically manage clouds, organizations require the CSP to be compliant and get better privacy and security for their organization.
    If we choose to keep the data encrypted on the cloud and perform operations on those encrypted data, it will make CSP’s compliance and security measures less relevant. CSPs can maintain the infrastructure that store and process the encrypted data, while never accessing the plaintext.

Limitations and Drawbacks

Homomorphic Encryption computations are slow, and only a finite number of operations can be performed on the encrypted data. FHE based computation is at least 106 times slower than computation on the plaintext.

Homomorphic Encryption is also not feasible for multiple users. If we have a database, which we would need multiple users to access, we would need to create a separate database for every user, which is encrypted using the user’s public key. This would become impractical if the number of users increases or the size of the database increases.

Conclusion

Homomorphic Encryption in the current state is computationally expensive and practically inefficient. It can certainly be used to encrypt data, while we can perform different computations on the data. HE enables privacy-preserving computation, which helps us work with untrusted environments while maintaining the data’s confidentiality. Check out Format Preserving Encryption if interested in privacy-preserving computations.

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

The human desire for privacy in communication is perhaps as old as the desire for communication itself. The scrambling of messages through encryption, into a form that only the intended recipient can understand, has been going on for centuries, with Julius Caesar’s cipher being one of the most cited early examples. A lot has changed since then, but in today’s digital, connected world the need for encryption is as strong as ever. This is reflected in the widespread adoption of encryption technologies and solutions in enterprises across the world. What are some of the business drivers for enterprises to adopt encryption? This article explores some of the important ones.

  1. Protecting sensitive/classified information: Every company deals with sensitive and confidential data. This could be their own data, such as information related to their core Intellectual Property (IP) or their contracts with customers and partners. This could also be as a custodian of sensitive data that has been shared with them by a customer or partner – an example being personally identifiable information (PII) of customers for enterprises which are in the Business to Consumer (B2C) space. Protecting such sensitive and confidential data is of paramount importance for any business and this is where encryption plays a key role.
  2. Compliance with data privacy security regulations & standards: Europe’s General Data Protection Regulation (GDPR), which came into force in May 2018, is a well-known example of how legislations are being put in place for data protection and privacy. In the US, data privacy laws are usually sector and state specific, an example being the California Consumer Privacy Act (CCPA) of 20181. Another example is the Payment Card Industry Data Security Standard (PCI DSS) for the financial services industry, which is applicable globally. The encryption of consumer data is one of the fundamental requirements for all these regulations, with both in-transit data as well as data at rest being covered within the scope for encryption. While the choice of encryption algorithms, technologies and vendors is left to the enterprise, non-compliance can lead to significant penalties, especially in the event of data breaches.
  3. Protection against known threats: There are several known threats to data security that exist today. An example could be the threat to data stored on the cloud. As enterprises move more and more data to the cloud, the risk of breaches increases since the data no longer resides within the organization’s physical boundaries and network security perimeter. It is not enough to depend only on the cloud service provider’s data security mechanisms. Enterprises need to have their own cloud data encryption strategy in place. Companies can choose to encrypt data on-premise before sending it to the cloud, or encrypt the data after it moves to cloud, using technologies and compute power from the cloud provider2. Another example of known threats could be at an application and application programming interface (API) level. Enterprise applications as well as APIs exposed to the outside world are always vulnerable to attack. It is critical that any interfaces and communication channels these applications have with the external world are protected using encryption protocols such as Secure Sockets Layer (SSL) and its newer version Transport Layer Security (TLS). As a third example, attacks on databases for such applications (or independent data stores maintained by the enterprise) are another known threat. Database security through encryption can be implemented at three levels – encryption of any configuration files with database access information (e.g. those used by web and application servers), encryption of the data stored in the database, and sometimes encryption of the entire file system where the database is stored.
  4. Limiting the liability of data breaches: Whatever the precautions, it is a fact that data breaches can happen – any enterprise that believes otherwise is living in a fool’s paradise. The fallout of data breaches can be significant, and the resulting liabilities can be enormous. Apart from the financial and legal liabilities of data breaches, enterprises also must deal with the reputational damage and the loss of customer trust. Strong encryption mechanisms applied to sensitive data in the enterprise can ensure that even in the event of a data breach, the stolen data cannot be used by the attackers. While these are some of the key business drivers for enterprises to adopt encryption today, must be noted that encryption alone is not a ‘silver bullet’ solution to all data threats. For example, insider threats account for a large number (reports vary between 60% – 75%) of data breach incidents. If insiders have access to encryption keys and once those keys are compromised, not much can be done. That’s why Enterprise Key Management goes hand-in-hand with any effective enterprise encryption strategy. And similarly, Encryption should be addressed as a part of a larger, holistic solution to implementing cyber security in the enterprise.

1A comparison between the CCPA and GDPR is available in an earlier blog, available at this link: https://www.encryptionconsulting.com/2019/01/10/summary-of-the-california-consumer-privacy-act-and-comparison-with-the-gdpr/

2In either scenario, key management becomes an important issue – but that is out of scope for this article and will be covered in a future topic

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

California voted and signed in the California Consumer Privacy Act in June 2018, which will go into effect January 1, 2020. California is no stranger to privacy laws. The state of California has introduced privacy laws such as the California Shine the Light Law, California Invasion Privacy Act, California Online Privacy Protection Act, California Anti-Phishing Act of 2005, Privacy Rights for California Minors in the Digital World, and the California Electronic Communications Privacy Act. However, the California Consumer Privacy Act is harsher than any of the previous laws enacted by the state of California rivaling the most recent General Data Protection Regulation of the EU. The CCPA does not cover all that is required by the GDPR, but creates the strictest privacy laws the United States has ever seen.

Personal information of individuals is at an all-time high risk. The misuse of personal data and privacy rights is now a primary concern worldwide. The California Consumer Privacy Act introduces never before seen consumer privacy regulations in America. The legislation aims to protect personal information by creating a broad definition: Personal Information (PI) is “information that identifies, relates to, describes, and is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” stated by the California Consumer Privacy Act. The legislation addresses organizations using, compiling, and distributing personal information. By doing so, the act aims to protect California consumers by enforcing the protection of personal information and forcing organizations to respect the privacy of citizens. The organizations will have to comply with the CCPA for those operating in California or do business within California if they fall under one of the three categories:

1. Annual gross revenue is greater than $25 million, 2. Buy, receive, or sell PI of 50,000 or more consumers, households or devices, or 3. 50 percent or more of annual revenue by selling California-based consumers’ PI. If these regulations are not followed, fines will be made by the Attorneys General up to $7,500 per international violation and lawsuits can result in $100-750 per consumer per incident.

The California Consumer Privacy act aims for the consumer to retain ownership, power, and security of your personal information if you are a citizen of the state of California by establishing the significant rights to consumers such as:

• The right to know what and where personal information is being collected, sold and disclosed about them
• The ability to deny the sale of personal information.
• The right to have equal service and price, if one decides to exercise their privacy rights.
• The right to be able to have personal information deleted

While the CCPA and the GDPR are similar, they have a fair amount differences in regulations. In the table below, it will go into comparison on showing both similarities and differences within both policies. For organizations that comply with GDPR, you will be forced to make further provisions to comply with the CCPA as well.

Fines√√ (Will be Higher)

Major Requirements California Consumer Privacy Act General Protection Data Regulation
Encrypted/Redacted Personal Data
Privacy by Design X
Compliance by all businesses collecting/personal data X
Limit sale of Personal Data X
Reporting of Data Breaches X
Options for Minors
Policies for Cookiess X
Processing Bans X
Equal service and price, if exercising their privacy rights. X

About the author:

Fazel Ahsan is a cybersecurity expert specializing in the Encryption space. He is currently working as an Encryption Consultant at Encryption Consulting LLC.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Cyber security experts conference 2022

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Let's talk