Considerations in Employing Symmetric vs. Asymmetric Cryptography

[Computer Systems Security]

First of all, it is important to have a clear view of what the use case requirements are before attempting to employ either a symmetrical or asymmetrical encryption method to handle sensitive data. Only after these requirements are reviewed and agreed upon by all the stakeholders, in solid compliance with existing security regulations, can the right cryptography be chosen.

Establishing supporting baselines can be very helpful when considering the employment of cryptography. I personally focus on the following, before devising a cryptography solution:

- The importance and sensitivity of the data to be cryptographically processed
- The type of such data
- The amount of data that will be handled through cryptography
- The necessary security level and acceptable risk for handling the sensitive data
- The geographic location, transport, and distribution mediums, in which the sensitive data will exist
- Who and how many individuals will need to have access to the sensitive data
- The levels of permission needed by each individual in relation to the sensitive data
- Individual algorithms' vulnerabilities and known attacks (if any)
- Necessary features such as authentication, confidentiality, non-repudiation, etc.
- The total acceptable time (speed) for cryptographically processing the sensitive data, which depends, among other things, on key size, key management methods, hashing algorithms, authentication and signing processes, and, of course, the encryption and decryption algorithms
- The available resources to support the use case requirements, such as qualified IT personnel, budget, and the devices that will handle the sensitive data (e.g. laptops, workstations, servers, cellphones, tablets, etc.)

It is worth noting that “it is difficult to compare strength of encryption of different approaches unless the application for which encryption is required, the implementing hardware and its constraints as well as user procedures are closely controlled.” (KetuWare, 2003)

A cryptographic approach should not be chosen only by its speed and strength, but by its capacity to fulfill the desired use case requirements. In fact, most of the time a single approach is not enough, and a hybrid alternative using both symmetrical and asymmetrical encryption should be considered. Thus, it is important to understand their individual characteristics and applicability to avoid wasting valuable and costly resources (e.g. time, processing power, and money).

The following summary, which is mostly based on FIPS-142 (NIST.gov, 1994), presents the details of both symmetric and asymmetric cryptography:

Symmetric cryptography

- Uses identical keys for both encryption and decryption processes
- It is very fast
- Normally uses simple but powerful encryption algorithms, where the sensitive data is broken into fixed-length blocks for processing
- Provides confidentiality
- Provides basic authentication
- May provide data integrity if combined with hashing functions
- Is very strong, especially when long and complex keys are employed and the keys are not often reused
- The secret key must be shared with all involved stakeholders, which makes the logistics of key management very complex
- It is ideal for bulk data encryption (large amounts of data)

Asymmetric cryptography

- It may be very slow depending on the complexity of its algorithm and key sizes
- Encryption algorithms vary, but they are generally more complex than their symmetric counterparts
- Based on key pairs (public and private keys)
- Allows for authentication, confidentiality, and non-repudiation
- May provide data integrity if combined with hashing functions
- Helps to solve the logistics problem in key management
- The private key is secret and only known by the individual it belongs to
- The public key may be distributed among many individuals and directly relates to the holder of the private key
- It is ideal for encrypting small amounts of sensitive data, such as keys and message digests (hashes)
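The hybrid approach follows directly from the two lists above: the bulk data is encrypted symmetrically, and only the small symmetric key is encrypted asymmetrically. The following is an added example, not part of the original article, written for Node.js with its built-in crypto module; the choice of AES-256-GCM and RSA-OAEP with a 2048-bit key, and the names seal, open and rsaAccepts, are assumptions of this example.

```javascript
const {
  generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
  createCipheriv, createDecipheriv, constants,
} = require('node:crypto');

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt bulk data with a fresh one-time AES-256-GCM key (symmetric, fast),
// then wrap only that 32-byte key with the recipient's RSA public key.
function seal(publicKey, data) {
  const key = randomBytes(32);
  const iv = randomBytes(12); // 96-bit GCM nonce, never reused with the same key
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(data), cipher.final()]);
  return {
    wrappedKey: publicEncrypt({ key: publicKey, ...OAEP }, key),
    iv, ciphertext, tag: cipher.getAuthTag(),
  };
}

// Unwrap the AES key with the private key, then decrypt the data.
// final() throws if the ciphertext or tag was modified (GCM integrity check).
function open(privateKey, env) {
  const key = privateDecrypt({ key: privateKey, ...OAEP }, env.wrappedKey);
  const decipher = createDecipheriv('aes-256-gcm', key, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

// RSA alone cannot take bulk data: with a 2048-bit key and OAEP/SHA-256 the
// limit is 190 bytes, so a larger input throws. Returns true if it was accepted.
function rsaAccepts(publicKey, data) {
  try { publicEncrypt({ key: publicKey, ...OAEP }, data); return true; }
  catch { return false; }
}

// Constructed sample: a recipient key pair and 1 MiB of dummy "sensitive" data.
const recipient = generateKeyPairSync('rsa', { modulusLength: 2048 });
const bulk = Buffer.alloc(1 << 20, 0x41);
const envelope = seal(recipient.publicKey, bulk);
console.log('wrapped key bytes:', envelope.wrappedKey.length);
console.log('round trip ok:', open(recipient.privateKey, envelope).equals(bulk));
console.log('RSA direct on 1 MiB accepted:', rsaAccepts(recipient.publicKey, bulk));
```

Only the holder of the private key can recover the AES key, so the sender never has to share a long-term secret with the recipient in advance.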

Conclusion

Before employing cryptography, through either symmetrical or asymmetrical models, it is imperative to have a clear idea of the use case requirements, the approval of the stakeholders, and compliance with any necessary regulations. Supporting baselines may be established and used when considering the employment of cryptography to secure sensitive data. It is a common practice to combine symmetric and asymmetric encryption, as a hybrid alternative, to better fulfill the use case requirements. However, a good understanding of the individual characteristics and applicability of each cryptographic approach is also necessary to avoid wasting valuable and costly resources.


Works cited


KetuWare. (2004) Symmetric vs. Asymmetric Encryption. Retrieved on December 06, 2012, from: www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf

NIST.gov. (1994) Security Requirements for Cryptographic Module. Federal Information Processing Standards (FIPS PUB 140-2). Retrieved on December 06, 2012, from: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf