# XML security doubt: Public key cryptography

Asit Baran

Greenhorn

Posts: 25

posted 7 years ago

I read it somewhere...

"Because public key cryptography is less efficient than symmetric cryptography in term of the “speed”, the XML-encryption process uses an ingenious combination of both algorithms to secure communications between the services. The symmetric key is used to encrypt the content, and then the symmetric key is encrypted using public key cryptography. Both the encrypted content and encrypted symmetric key are then sent to the recipient."

But isn't it a performance overhead? I mean, if I can break the private key of the receiver, I'll have the symmetric key and, using the symmetric key, I can see the actual content. And if I use ONLY public key cryptography without any symmetric key I can also achieve the same level of security (that time also I need only the private key of the receiver to see the content). So, what's the point of having a "Symmetric Key"?

Any pointer would be appreciated.

Thanks,

Asit


peter cooke

Ranch Hand

Posts: 317

posted 7 years ago

Non-symmetric encryption is much more expensive than symmetric encryption, and nearly impossible to break with brute force.

The point of having a symmetric key is to speed up subsequent encryption. If both parties agree that the encryption key is XXXX, then both parties can cache that value and use it for the duration of the session.

CIAO Peter M. Cooke

Ivan Krizsan

Ranch Hand

Posts: 2198

1

posted 7 years ago

Hi!

Apart from the use case described by Peter, I want to add the following:

As far as I understand it, the scheme described in your quote (Asit) will be useful if the amount of data to be encrypted is large, for instance an attachment to a SOAP message. This way you can use symmetric key cryptography to encrypt the bulk of the data and then use public key cryptography to encrypt the symmetric key, which probably is considerably smaller than the data.

Also, the symmetric key can be changed with each message, since it will be enclosed in the message.

Best wishes!
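The hybrid scheme quoted in the question and described in Peter's and Ivan's replies, as an added example in Go that is not from this thread or from any XML Encryption library (the struct and function names are this example's own, and the sample attachment is constructed). It uses AES-256-GCM for the content and RSA-OAEP with SHA-256 to wrap the one-time key, and it also shows what happens on the "only public key cryptography" route from the question: a single RSA-OAEP operation can only encrypt a plaintext shorter than the modulus, so it fails outright on a payload of a few kilobytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// HybridMessage is what actually travels: the bulk content under a one-time
// symmetric key, plus that key wrapped with the recipient's public key
// (roughly the roles of xenc:EncryptedData and xenc:EncryptedKey; the field
// names here are this example's own, not the spec's).
type HybridMessage struct {
	WrappedKey []byte // 32-byte AES key encrypted with RSA-OAEP: one modulus in size
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM output: encrypted content followed by the 16-byte tag
}

// MaxDirectRSAPayload is the largest plaintext one RSA-OAEP operation with
// SHA-256 can encrypt: modulus size minus 2*hashLen minus 2 (RFC 8017 7.1.1).
// For a 2048-bit key that is 190 bytes, which is why "only public key
// cryptography" does not scale to a SOAP attachment.
func MaxDirectRSAPayload(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// DirectRSAEncrypt is the alternative from the question, with no symmetric key.
// It works for short inputs and returns an error above MaxDirectRSAPayload.
func DirectRSAEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Encrypt generates a fresh 256-bit AES key for this message only, encrypts
// the content with AES-GCM (which also authenticates it), and wraps just the
// key with RSA-OAEP. The expensive public-key operation runs once, on 32
// bytes, regardless of how large the content is.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*HybridMessage, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &HybridMessage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt is the receiver's side: unwrap the key with the private key, then
// decrypt and verify the content. A tampered ciphertext, or a key unwrapped
// with the wrong private key, makes this return an error rather than garbage.
func Decrypt(priv *rsa.PrivateKey, msg *HybridMessage) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}

func main() {
	// Constructed sample: a few kilobytes standing in for a SOAP attachment.
	attachment := bytes.Repeat([]byte("<row>invoice line</row>\n"), 200)
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	pub := &priv.PublicKey
	if _, err := DirectRSAEncrypt(pub, attachment); err != nil {
		fmt.Printf("RSA-OAEP alone rejects %d bytes (limit %d): %v\n",
			len(attachment), MaxDirectRSAPayload(pub), err)
	}
	msg, err := Encrypt(pub, attachment)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("hybrid: %d bytes content -> %d bytes ciphertext + %d byte wrapped key\n",
		len(attachment), len(msg.Ciphertext), len(msg.WrappedKey))
	plain, err := Decrypt(priv, msg)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(plain, attachment))
}
```

Two things worth noticing when running it. First, the wrapped key is always exactly one modulus (256 bytes for RSA-2048) whatever the content size, and the ciphertext grows only by the 16-byte GCM tag, so the cost of the public-key step is fixed while the symmetric step does all the bulk work. Second, calling Encrypt twice on the same content gives a different wrapped key and a different ciphertext each time, which is Ivan's point about changing the symmetric key with every message. Note that this scheme gives confidentiality only: anyone holding the recipient's public key can produce a valid message, so proving who sent it needs a separate signature.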