SSL is half symmetric and half asymmetric?

views:

answers:

+5 Q:

SSL is half symmetric and half asymmetric?

I am reading http://www.definityhealth.com/marketing/how_ssl_works.html

Looks like SSL is using asymmetric algorithm to exchange the symmetric key, after that it uses symmetric algorithm to encrypt the data.

One question, can I use asymmetric algorithm only? Like Alice and Bob both have certificate and, they are all using peer's public key to encrypt the data.

+2 A:

As a general rule, one can say that asymmetric algorithms are much more computing intensive than symmetric algorithms. Thus it is very common case to use an asymmetric algorithms to exchange a symmetric key that will be used to exchange the data. It is also considered as sufficiently safe security wise.

Can you use asymmetric algorithms for everything? Surely you can.
Can you do it within SSL? I don't know.

Didier Trosset 2010-09-06 07:23:36

+1 A:

Yes, you can, if you provide your own implementation for SSL - as this is not the original SSL design. (BTW, use TLS - it is very similiar but more secure).

rursw1 2010-09-06 07:27:21

+11 A:

No, you can't.

TLS (SSL) does not support encryption of application data with public key algorithms because it would make no sense: it would be much less efficient yet provide no improvement to security.

Public key encryption is not harder to break than symmetric algorithms. In fact, for all we know, there may a trick that makes breaking some asymmetric algorithms trivial, just waiting to be discovered.

Public key algorithm solve the key exchange problem, and that's how TLS and every other security protocol use them. Symmetric algorithms are used to keep data private and protect its integrity.

erickson 2010-09-06 07:43:57

+1 Asymmetric keys are clearly easier to break than symmetric keys. You only need to examine what are considered to be secure key lengths for both. A 1024 bit RSA key is quite a bit less secure than a 128 bit AES key.

JeremyP 2010-09-06 09:19:48

I'd add that it's why it's important to combine TLS/SSL with a good random number generator, to ensure that the symmetric keys are not easily guessable (a suitable choice of cipher suite helps too). As far as I'm aware, the conditions of (un)break-ability of symmetric keys have been proven mathematically, whereas for asymmetric keys, it's still based on the conjecture regarding prime numbers.

Bruno 2010-09-06 13:03:29

Consider also that with public key algorithms, the attacker can perform the encryption function too - which means that they can "guess-and-encrypt" if there is much structure to the plaintext. That doesn't matter if your plaintext is just a randomly generated symmetric key, but if it's arbitrary data (say, HTTP) then it does.

caf 2010-09-07 00:36:06

When proper padding is used, an attacker can't test guesses using the public key. But without it (a fairly common mistake in bad applications), it's definitely a problem.

erickson 2010-09-07 06:04:56

ansaurus

tags:

views:

answers:

SSL is half symmetric and half asymmetric?

related questions