Asymmetric encryption is an encryption technique in which two different yet mathematically linked keys are used to encrypt and decrypt data exchanged between two communicating systems. The two keys are a public key and a private key. The public key is openly available to everyone. The corresponding private key, on the other hand, can only be accessed by the authorized recipient or system.
The major difference between symmetric and asymmetric encryption is that the symmetric technique uses the same key to encrypt and decrypt data, whereas the asymmetric technique uses two unique keys to encrypt and decrypt data.
In the example of a browser-server communication, when a browser hits the web server requesting for the website, the server responds to the request by presenting its SSL/TLS certificate embedded with its public key. The browser checks the certificate to verify if the website is legitimate. If there are no issues, generates a pre-master key, encrypts it using the public key of the server and sends it back. On receiving the pre-master key, the server uses the private key linked to the public key to decrypt it. Since the private key is known only to the server and no other unrelated key can decrypt the pre-master key, it is safely transmitted without any unauthorized parties accessing it. Once the client and server, both have the pre-master keys, they individually generate a shared secret called the session key. To verify that both of them have generated the same session key, they send each other messages encrypting with the session key. If they are able to decrypt the messages, then the connection is established and the communication switches to symmetric encryption.
When a user visits a website/web page, the browser initiates an SSL/TLS handshake with the web server that hosts the website. The server sends its SSL/TLS certificate to the client on receiving its request to connect. The client verifies its authenticity. If there are no issues, the client generates a unique “session key,” encrypts it using the server’s public key (that’s found on the certificate), and sends it back to the server. The server decrypts this session key with its private key (known only to it). Once the server and the client both have the session key, the handshake switches to symmetric encryption, where the session key is used to encrypt and decrypt all messages exchanged in that particular session.
The most commonly used and popular algorithms for asymmetric encryption are:
The Diffie-Hellman algorithm is a key exchange mechanism that enables two parties who have never met each other to communicate securely over the internet by agreeing upon a shared secret key without actually transmitting it. As the shared secret is derived from complex modular arithmetic calculations performed separately on both ends, a potential hacker will never be able to decode the shared secret, making it a highly secure encryption technique for internet communication.
RSA encryption uses a product of two large prime numbers to generate a public key and a private key. These prime numbers are discarded after the encryption-decryption process. Factoring out such incredibly large prime numbers and their products to derive the private key pair requires immense processing power, making RSA encryption extremely challenging to break.
Digital Signature Algorithm (DSA) is used in digital signatures that serve as proof of the sender’s authenticity and message integrity. A sender digitally signs a message using the private key, and the recipient verifies the identity of the sender and the origin of the document using the sender’s corresponding public key.
Apart from these, the other asymmetric algorithms used are Elliptical Curve Cryptography (ECC) and EI Gamal.
The biggest advantage of asymmetric encryption over its symmetric counterpart is that it uses two different keys for encryption and decryption. Using two different keys eliminates the need for key sharing between communicating parties. While the public key is available for everyone, the private key is accessed only by a single authorized recipient (or system) and is never transmitted or revealed, which greatly reduces the chances of data compromise due to key theft and also guarantees that the message cannot be altered during transit. As key sharing or distribution is not necessary, asymmetric encryption proves highly effective when a large number of endpoints are involved.
Also, asymmetric encryption uses keys with longer key lengths (up to 4096 bits). Longer key lengths amount to stronger encryption and better data security.
One of the challenges with asymmetric encryption is its slow speed and resource consumption. As there are two separate keys with longer key lengths involved, the computing power required to process encryption and decryption is much higher when compared to the symmetric technique. Complex computing increases server overhead and eventually results in slow connections. This is why asymmetric encryption is not applied when a large quantity of data is involved. For example, in the case of the SSL/TLS handshake, asymmetric encryption is only used initially during server authentication. Once the connection is established between the web server and the user’s browser (or client), the handshake immediately switches to symmetric encryption for bulk data transmission.