XML security doubt: Public key cryptography
Asit Baran
Greenhorn
Posts: 25
posted 7 years ago
I read it somewhere...
"Because public key cryptography is less efficient than symmetric cryptography in term of the “speed”, the XML encryption process uses an ingenious combination of both algorithms to secure communications between the services. The symmetric key is used to encrypt the content, and then the symmetric key is encrypted using public key cryptography. Both the encrypted content and encrypted symmetric key are then sent to the recipient."
But isn't it a performance overhead? I mean if I can break the private key of the receiver, I'll have the symmetric key and using the symmetric key I can see the actual content. And if I use ONLY public key cryptography without any symmetric key I can also achieve the same level of security (that time also I need only the private key of the receiver to see the content). So, what's the point of having "Symmetric Key"?
Any pointer would be appreciated.
Thanks,
Asit
peter cooke
Ranch Hand
Posts: 317
posted 7 years ago
Nonsymmetric encryption is much more expensive than symmetric encryption, and nearly impossible to break with brute force.
The point of having a symmetric key is to speed up subsequent encryption. If both parties agree that the encryption key is XXXX then both parties can cache that value and use it for the duration of the session.
CIAO Peter M. Cooke
Ivan Krizsan
Ranch Hand
Posts: 2198
1
posted 7 years ago
Hi!
Apart from the use case described by Peter, I want to add the following:
As far as I understand it, the point with the scheme described in your quote (Asit) will be useful if the amount of data to be encrypted is large, for instance an attachment to a SOAP message. This way you can use symmetric key cryptography to encrypt the bulk of the data and then use public key cryptography to encrypt the symmetric key, which probably is considerably smaller than the data.
Also, the symmetric key can be changed with each message, since it will be enclosed in the message.
Best wishes!
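The scheme discussed in this thread, as an added example that is not part of any post above: a fresh symmetric key encrypts the content and only that key is encrypted with the recipient's public key. It uses Node's built-in `crypto` rather than XML Encryption syntax; the function names and the choice of RSA-2048 with OAEP/SHA-256 and AES-256-GCM are assumptions made for the example.

```javascript
const crypto = require("node:crypto");

// Constructed recipient key pair (RSA-2048), generated fresh for this example.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Sender: a new AES-256 key per message encrypts the content;
// only that 32-byte key goes through the (slow) public-key operation.
function encryptFor(recipientPublicKey, plaintext) {
  const contentKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", contentKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, contentKey),
    iv,
    ciphertext,
    tag: cipher.getAuthTag(), // GCM tag: lets the recipient detect tampering
  };
}

// Recipient: unwrap the content key with the private key, then decrypt the bulk data.
function decryptWith(recipientPrivateKey, msg) {
  const contentKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", contentKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// "Public key only": one RSA-OAEP operation accepts at most
// modulus bytes - 2 * hash bytes - 2 = 256 - 64 - 2 = 190 bytes of input.
function rsaAloneAccepts(recipientPublicKey, byteLength) {
  try {
    crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, Buffer.alloc(byteLength));
    return true;
  } catch {
    return false;
  }
}

const attachment = Buffer.alloc(1024 * 1024, "A"); // constructed 1 MiB payload
const message = encryptFor(publicKey, attachment);
console.log("wrapped key bytes:", message.wrappedKey.length);
console.log("round trip ok:", decryptWith(privateKey, message).equals(attachment));
console.log("RSA alone takes 190 / 191 bytes:", rsaAloneAccepts(publicKey, 190), rsaAloneAccepts(publicKey, 191));
```

The wrapped key stays at 256 bytes whether the content is five bytes or a megabyte, which is why the public-key cost does not grow with the message.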
