62

I am currently taking a Principles of Information Security class. While talking about different encryption methods, a large number of my classmates seem to believe that Asymmetric Encryption is better (more secure) than Symmetric Encryption. A typical statement is something like this:

Generally asymmetric encryption schemes are more secure because they require both a public and a private key.

Certainly, with symmetric encryption, you have to worry about secure key exchange, but as far as I can tell there's no inherent reason why one must be more secure than the other.

Especially given that the asymmetric part is often just used for the key exchange and then the actual data is encrypted with a symmetric algorithm.

So, am I missing something or can a general statement like this really be made about which is more secure?

If I have a message encrypted with AES and another copy encrypted with RSA, and all other things being equal, which is more likely to be cracked? Can this comparison even be made?

schroeder
  • 125,553
  • 55
  • 289
  • 326
matthew
  • 1,080
  • 1
  • 7
  • 10
  • 1
    There is no way to directly compare them. I would point out the only thing we can say is secure is one time truly random pad based XOR stream cipher (which is symmetric), however key exchange is a major problem. We can also say that we can, in theory, break RSA and El Gammel (the two main asymmetric) algorithms) with quantum computing, we just haven't built the device to actually do it.. – ewanm89 Sep 16 '11 at 23:39
  • 2
    *For the same key size* typically the asymmetric encryption (especially RSA) is *less* secure. Of course in practice you offset this by using larger keys. – starblue Sep 17 '11 at 07:54
  • 4
    More secure is generally a unmeasurable quantity. Resistance of message M to attack X by threat Y is much more meaningful. – this.josh Sep 18 '11 at 04:15
  • 2
    [ECRYPT](http://www.ecrypt.eu.org/) does a periodic assessment of the relative strengths of a variety of algorithms, including both symmetric and asymmetric encryption. The [2012 report is here](http://www.ecrypt.eu.org/documents/D.SPA.20.pdf) – Anti-weakpasswords Apr 04 '14 at 03:30
  • I can't find a report more recent than 2012 – does ECRYPT no longer produce it? – Adrian Günter Apr 28 '16 at 05:20

7 Answers7

31

Symmetric and asymmetric encryption are distinct operations which operate in distinct contexts, for distinct usages and distinct attack models. There is little sense in claiming that either is "more secure" than the other (it would first require some kind of quantified measure of security, which is not easy to define).

Asymmetric encryption is more demanding: it is about realizing encryption and being able to publish the ways to encrypt (the public key) without revealing the ways to decrypt (the private key). A practical implementation needs mathematics, whereas symmetric encryption is mostly scrambling things around (mind you, it is difficult to do a good job of scrambling; but still, less mathematics are involved).

Commonly deployed systems (e.g. SSL/TLS) combine asymmetric encryption and symmetric encryption (and a few other things as well) into protocols which do some intended job (e.g. "bidirectional tunnel with confidentiality, integrity and authentication").

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
26

There is a sense in which you can define the strength of a particular encryption algorithm¹: roughly speaking, the strength is the number of attempts that need to be made in order to break the encryption. More precisely, the strength is the amount of computation that needs to be done to find the secret. Ideally, the strength of an algorithm is the number of brute-force attempts that need to be made (weighed by the complexity of each attempt, or reduced if some kind of parallelization allows for multiple attempts to share some of the work); as attacks on the algorithm improve, the actual strength goes down.

It's important to realize that “particular encryption algorithm” includes considering a specific key size. That is, you're not pitching RSA against AES, but 1024-bit RSA (with a specific padding mode) with AES-256 (with a specific chaining mode, IV, etc.). In that sense, you can ask: if I have a copy of my data encrypted with algorithm A with given values of parameters P and Q (in particular the key size), and a copy encrypted with algorithm B with parameters P and R, then which of (A,Pval₁,Qval₁) and (B,Pval₂,Rval₂) is likely to be cracked first?

In practice, many protocols involve the use of multiple cryptographic primitives. Different primitives have different possible uses, and even when several primitives can serve a given function, there can be one that's better suited than others. When choosing a cryptographic primitive for a given purpose, the decision process goes somewhat like this:

  1. What algorithms can do the job? → I can use A or B or C.
  2. What strength to I need? → I want 2N operations, so I need key size LA for primitive A, LB for primitive B, LC for primitive C.
  3. Given my constraints (brute speed, latency, memory efficiency, …), which of these (LA-bit A or LB-bit B or LC-bit C) is best?

For example, let's say your requirement is a protocol for exchanging data with a party you don't trust. Then symmetric cryptography cannot do the job on its own: you need some way to share the key. Asymmetric cryptography such as RSA can do the job, if you let the parties exchange public keys in advance. (This is not the only possibility but I won't go into details here.) So you can decide on whatever RSA key length has the right strength for your application. However RSA is slow and cumbersome (for example there aren't standard protocols to apply RSA encryption to a stream — mainly because no one has bothered because they'd be so slow). Many common protocols involving public-key cryptography use it only to exchange a limited-duration secret: a session key for some symmetric cryptography algorithm. This is known as hybrid encryption. Again, you choose the length of the session key according to the desired strength. In this scenario, the two primitives involved tend to have the same strength.

¹ The same notion applies to other uses of cryptography, such as signing or hashing.

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
24

Choosing between symmetric and asymmetric encryption depends on the use case.

Symmetric encryption is used when a *small group of users need access to the information. Furthermore symmetric encryption is nice because it is easier to understand (less likely to mess it up) and the algorithms tend to be faster.

Asymmetric encryption is used when a large group of users need access to the information. Furthermore, asymmetric cryptography can be used in reverse to sign documents. This is especially interesting because it allows people to certify that a public key belongs to a certain person.

A group of 10 users requires 45 unique keys (9+8+7+6+5+4+3+2+1), to allow every pair of users to communicate securely. Now consider the Internet instead of the small group of 10 people. It's obvious that this cannot be handled with symmetric keys.

In the real world, both types are often combined. An asymmetric approach is used to confirm the identity of a communication partner and to transmit something that will result in a symmetric key. This symmetric key is then used for performant encryption of the actual data.

Rob Bednark
  • 1,435
  • 3
  • 10
  • 9
Hendrik Brummermann
  • 27,158
  • 6
  • 80
  • 121
  • Those are all valid reasons to use one or the other, but it doesn't quite speak to the "strength". Perhaps a better way to ask is "which is easier to break?" – matthew Sep 16 '11 at 21:27
  • 2
    As they have different purposes and work differently, this general question is too unspecific. If you take performance or required key length as indicator, symmetric encryption will win. If you take easiness of providing information on a need to know basis to specific individuals from a larger group of people as measurement (to reduce the number of people that may compromise the secret), asymmetric encryption will win. Really, comparing these approaches only makes sense in concrete contexts. – Hendrik Brummermann Sep 16 '11 at 21:36
  • @matthew There are differences in optional context and in consequence for possible use cases. A profound risk analysis includes the probability of each context which scales specific measure. E.g Giles above has chosen a context, where you have two classes of algorithms and measure their vulnerability, which for itself is great. This context though is a precondition of derived measure and the probability of getting there is different for the protocols of considered algorithm classes. – Sam Ginrich Jan 07 '22 at 11:03
16

Generally asymmetric encryption schemes are more secure because they require both a public and a private key.

No. You can't say that. That's baloney. It's just not true.

Strength is independent of symmetric vs asymmetric. Symmetric cryptography and asymmetric cryptography are two different kinds of cryptographic tool. Each one can be either weak or strong, depending. There's no reason whatsoever why asymmetric cryptography is necessarily stronger than symmetric cryptography.

For example:

  • AES is more secure against cryptanalytic attacks than 512-bit RSA, even though RSA is asymmetric and AES is symmetric.

  • 4096-bit RSA is more secure against cryptanalytic attacks than 40-bit RC4, even though RC4 is symmetric and RSA is asymmetric.

D.W.
  • 98,860
  • 33
  • 271
  • 588
5

I agree with what Thomas stated above. Both symmetric and asymmetric encryption are distinct operations.

Symmetric encryption is less expensive than asymmetric encryption. Expensive as in it requires less processing. To be exact, I am referring to the decryption process.

And this is why SSL/TLS uses a combination of both symmetric and asymmetric encryption. The asymmetric encryption/decryption between two peers during a SSL/TLS transaction is only happen during initial handshake. Once both peers agreed upon a shared private key then the rest of the communication would be using symmetric encryption. By doing so, the only expensive operation will taken place during the initial handshake and rest of the communication will be using symmetric encryption which is require less resource.

-2

I'm not yet there, where we simply compare disjoint classes of algorithms and conclude "one is good one is bad".

Public Key Cryptography allows establishing private conversations without preexisting secret and dependency on trust in a third party like CAs. In that private context any suite of encryption algorithms or parameterizations for subsequent communication may be bargained. Now, considering the commonly agreed security measure "how much effort to crack THE private key", it's not comparing one symmetric system vs. one asymmetric system, 'cause the counterpart of the symmetric system is systematically unknown in the phase of sensitive data exchange.

Quantifying: The effort for the MITM to solve a combinatoric problem without any knowledge of the used method based on a stream, that is arbitrarily close to white noise goes towards infinity.

Conclusion: The property "Symmetry" has essential impact on the result.

Sam Ginrich
  • 105
  • 3
  • So, your whole schtick here is "because it can't be known what processes were used, symmetric encryption is harder to crack?" That's a big assumption to make without consideration. I refer you to the Kerckhoffs Principle, and in many practical applications, like TLS, the type of process used is advertised, and in many others, like apps used for data encryption, the process is easily knowable (you can look it up in the documentation). – schroeder Jan 07 '22 at 09:49
  • 1
    No one said anything about "good" or "bad". That's a value judgement on the conversation that you are laying on top. Public key crypto can require trust in a third party like a CA, so that sentence is either incorrect or uses imprecise language. – schroeder Jan 07 '22 at 09:54
  • 1
    As a Q&A site, all answers need to address the Question directly. Atomically. Answer posts that merely comment on other Answers are not accepted. You can post a comment directly under other answers if you wish to address specific concerns. – schroeder Jan 07 '22 at 10:16
-4

In asymmetric encryption with public key cryptography, there is an exchange of public keys which could be intercepted by a man-in-the-middle. That is a major weakness, which symmetric encryption doesn't have. Since the US government is doing mass-surveillance, there's a real possibility that MIM is commonplace. Using predetermined keys with symmetric algorithms and using truly randomly generated numbers would seem to be less vulnerable than relying on public key exchange.

vrtjason
  • 47
  • 2
  • 5
    If you have a secure channel to share symmetric keys, you can also use that to share public keys. Public/private key crypto adds the **additional possibility** to attach information about the owner to a public key and let trusted party sign this information. – Hendrik Brummermann Dec 15 '14 at 21:09
  • 1
    If a certificate authority is used in order to create the so-called "secure channel," there's no way to determine whether the CA was compromised because of a warrant and a secret court. – vrtjason Dec 15 '14 at 21:21
  • 2
    vrtjason - what Hendrik is talking about is that you need to share the keys whether you use symmetric or asymmetric crypto. – Rory Alsop Dec 16 '14 at 00:15
  • @Alsop Hendrik was talking about public key exchange using a secure channel enabled by a trusted party. If the trusted party is compromised, then the trust in that party is misplaced, and therefore the secure channel is not truly secure. Symmetric crypto simply does not depend on exchange of public keys, or trusted parties. Whether or not symmetric crypto is utilized following the exchange of public keys is irrelevant if indeed the exchange of keys was compromised. You should know this if you're posting on this thread. – vrtjason Dec 16 '14 at 20:03
  • 3
    Symmetric crypto does depend on the secure exchange of keys. My point is this: Assuming you have such a secure channel, you can use it to exchange public keys as well. Asymmetric crypto does add additional possibilities by involving trusted third parties, but you do not need to use third parties. Other advantages still apply: e.g., You can sign messages to protect them against modifications. You can just pick your private key to decrypt any message sent to you without having to look for the right key. Disclosing public keys is not an issue... – Hendrik Brummermann Dec 17 '14 at 14:53