Question

You are the CIO for a mid-sized financial company, 5000 employees. You are reviewing your options to determine whether to select Symmetric Key or Asymmetric Key cryptography. Either approach will satisfy the company’s security requirements. Identify the (5) advantages and (5) disadvantages for each, and the planning considerations. (This question is worth 15 points)

Answer 1

Cryptosystems can be of two types:

• Asymmetric Cryptosystems
• Symmetric Cryptosystems

ASYMMETRIC CRYPTOSYSTEMS

In an asymmetric cryptosystem (or public key cryptosystem), there are two different keys used for the encryption and decryption of data. The key used for encryption is kept public and so as called public key, and the decryption key is kept secret and called private key. The keys are generated in such a way that it is impossible to derive the private key from the public key.

ADVANTAGES

1. It is convenient. Asymmetric encryption solves the problem of distributing keys for encryption, with everyone publishing their public keys, while private keys being kept secret.
2. It detects tampering. With digital signatures in public key encryption, message recipients can detect if a message was altered in transit.
3. The primary advantage of public-key cryptography is increased security: the private keys do not ever need to be transmitted or revealed to anyone.
4. It allows for non-repudiation. Digitally signed messages are like physically signed documents. Basically, it is like acknowledging a message, and therefore, the sender will not be able to deny it.
5. Maintenance of the keys becomes easy being the keys (public key/private key) remain constant through out the communication depending on the connection.
6. As the number of keys to be kept secret become less.

DISADVANTAGES

1. A disadvantage of this type of encryption is speed, there are popular secret-key encryption methods which are significantly faster than any currently available public-key encryption method.
2. This is not suitable for encryption of large messages as the encryption/decryption throughput is inversely related to the key length.
3. Its public keys are not authenticated. Basically, no one absolutely knows that a public key belongs to the individual it specifies, which means that users will have to verify that their public keys truly belong to them.
4. It risks loss of private key, which may be irreparable. When you lose your private key, your received messages will not be decrypted.
5. It risks widespread security compromise. If your private key is identified by an attacker, all of your messages can be read by him/her.

SYMMETRIC CRYPTOSYSTEMS

A symmetric cryptosystem (or private key cryptosystem) uses only one key for both encryption and decryption of the data. The key used for encryption and decryption is called the private key and only people who are authorized for the ecryption/decryption would know it. In a symmetric cryptosystem, the encrypted message is sent over without any public keys attached to it.

ADVANTAGES

1. Symmetric key encryption is much faster than asymmetric key encryption.
2. Encrypt and decrypt your own files: If you use encryption for messages or files which you alone intend to access, there is no need to create different keys. Single-key encryption is best for this.
3. Single-key encryption does not require a lot of computer resources when compared to public key encryption.
4. A symmetric cryptosystem uses password authentication to prove the receiver’s identity.
5. Prevents widespread message security compromise. A different secret key is used for communication with every different party. If a key is compromised, only the messages between a particular pair of sender and receiver are affected. Communications with other people are still secure.
6. This type of encryption is easy to carry out. All users have to do is specify and share the secret key and then begin to encrypt and decrypt messages.

DISADVANTAGES

1. Symmetric cryptosystems have a problem of key transportation. The secret key is to be transmitted to the receiving system before the actual message is to be transmitted. Every means of electronic communication is insecure as it is impossible to guarantee that no one will be able to tap communication channels. So the only secure way of exchanging keys would be exchanging them personally.
2. Origin and authenticity of message cannot be guaranteed by this method. Since both sender and receiver use the same key, messages cannot be verified to have come from a particular user. This may be a problem if there is a dispute.
3. When someone gets their hands on a symmetric key, they can decrypt everything encrypted with that key thus causing more damage. When you're using symmetric encryption for two-way communications, this means that both sides of the conversation get compromised. With asymmetrical public-key encryption, someone that gets your private key can decrypt messages sent to you, but can't decrypt what you send to the other party, since that is encrypted with a different key pair.
4. Cannot provide digital signatures that cannot be repudiated.
5. There is a need for secure channel for secret key exchange. Sharing the secret key in the beginning is a problem in symmetric key encryption. It has to be exchanged in a way that ensures it remains secret.
6. A new shared key has to be generated for communication with every different party. This creates a problem with managing and ensuring the security of all these keys.

Planning Considerations -

Since an organisation may reasonably want to encrypt and decrypt the same data for years one may consider certain factors like:

• "amount of information protected by a given key"
• "amount of exposure if a single key is compromised"
• "time available for attempts to penetrate physical, procedural, and logical access"
• "period within which information may be compromised by inadvertent disclosure"
• "time available for computationally intensive cryptanalytic attacks"

So we should make decisions according to our requirements and also considering their advantages and disadvantages. Ideally, both of them are employed together to take advantage of their benefits