XML security doubt: Public key cryptography

 
Asit Baran
Greenhorn
Posts: 25
I read it somewhere...
"Because public key cryptography is less efficient than symmetric cryptography in term of the “speed”, the XML-encryption process uses an ingenious combination of both algorithms to secure communications between the services. The symmetric key is used to encrypt the content, and then the symmetric key is encrypted using public key cryptography. Both the encrypted content and encrypted symmetric key are then sent to the recipient."

But isn't it a performance overhead? I mean if I can break the private key of the receiver, I'll have the symmetric key, and using the symmetric key I can see the actual content. And if I use ONLY public key cryptography without any symmetric key, I can also achieve the same level of security (that time also I need only the private key of the receiver to see the content). So, what's the point of having "Symmetric Key"?
Any pointer would be appreciated.

Thanks,
Asit
 
peter cooke
Ranch Hand
Posts: 317
Asit Baran wrote:I read it somewhere...
"Because public key cryptography is less efficient than symmetric cryptography in term of the “speed”, the XML-encryption process uses an ingenious combination of both algorithms to secure communications between the services. The symmetric key is used to encrypt the content, and then the symmetric key is encrypted using public key cryptography. Both the encrypted content and encrypted symmetric key are then sent to the recipient."

But isn't it a performance overhead? I mean if I can break the private key of the receiver, I'll have the symmetric key, and using the symmetric key I can see the actual content. And if I use ONLY public key cryptography without any symmetric key, I can also achieve the same level of security (that time also I need only the private key of the receiver to see the content). So, what's the point of having "Symmetric Key"?
Any pointer would be appreciated.

Thanks,
Asit


Non-symmetric encryption is much more expensive than symmetric encryption, and nearly impossible to break with brute force.

The point of having a symmetric key is to speed up subsequent encryption. If both parties agree that the encryption key is XXXX, then both parties can cache that value and use it for the duration of the session.


 
Ivan Krizsan
Ranch Hand
Posts: 2198
Hi!
Apart from the use case described by Peter, I want to add the following:
As far as I understand it, the point with the scheme described in your quote (Asit) will be useful if the amount of data to be encrypted is large, for instance an attachment to a SOAP message. This way you can use symmetric key cryptography to encrypt the bulk of the data and then use public key cryptography to encrypt the symmetric key, which probably is considerably smaller than the data.
Also, the symmetric key can be changed with each message, since it will be enclosed in the message.
Best wishes!
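
The scheme from the quote and the replies above, as an added example that is not part of any post in this thread. It uses the JDK's javax.crypto directly rather than an XML Encryption library; the class name, the 1 MiB payload, and the choice of RSA-OAEP with AES-GCM are assumptions made for the demo.

```java
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

public class HybridEncryptionDemo {
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String AES = "AES/GCM/NoPadding";

    public static void main(String[] args) throws Exception {
        // Recipient's RSA key pair, generated here so the demo is self-contained.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();
        byte[] payload = new byte[1 << 20];        // constructed 1 MiB "attachment"

        // Public key only: RSA-OAEP with a 2048-bit key accepts at most 190 bytes.
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.ENCRYPT_MODE, recipient.getPublic());
        try {
            rsa.doFinal(payload);
        } catch (IllegalBlockSizeException e) {
            System.out.println("RSA only: " + e.getMessage());
        }

        // Sender: fresh AES key and IV for this message, bulk data under AES-GCM.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey contentKey = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.ENCRYPT_MODE, contentKey, new GCMParameterSpec(128, iv));
        byte[] cipherData = aes.doFinal(payload);
        // Only the 32-byte AES key goes through the slow public key operation.
        rsa.init(Cipher.WRAP_MODE, recipient.getPublic());
        byte[] encryptedKey = rsa.wrap(contentKey);

        // Recipient: private key recovers the AES key, AES key recovers the content.
        rsa.init(Cipher.UNWRAP_MODE, recipient.getPrivate());
        SecretKey k = (SecretKey) rsa.unwrap(encryptedKey, "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, iv));
        System.out.printf("encryptedKey=%d bytes, cipherData=%d bytes, roundtrip ok=%b%n",
            encryptedKey.length, cipherData.length,
            java.util.Arrays.equals(payload, aes.doFinal(cipherData)));
    }
}
```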
 
Asit Baran
Greenhorn
Posts: 25
Thanks for the reply. It's clear now.
 