Introduction to Information Security

Upon completion of this course IFT302, you should be able to: •

Define information security • Recount the history of computer security and explain how it evolved
into information security • Define key terms and critical concepts of information security

Computer security in the early days of computers, this term specified the need to secure the physical
location of computer technology from outside threats. This term later came to represent all actions
taken to preserve computer systems from losses. It has evolved into the current concept of
information security as the scope of protecting information in an organization has expanded.

The need for computer security arose during World War II when the first mainframe computers were
developed and used to aid computations for communication code breaking messages from enemy
cryptographic devices like the Enigma. Multiple levels of security were implemented to protect these
devices and the missions they served. This required new processes as well as tried-and-true methods
needed to maintain data confidentiality. Access to sensitive military locations, for example, was
controlled by means of badges, keys, and the facial recognition of authorized personnel by security
guards. The growing need to maintain national security eventually led to more complex and
technologically sophisticated computer security safeguards.

During these early years, information security was a straightforward process composed
predominantly of physical security and simple document classification schemes. The primary threats
to security were physical theft of equipment, espionage against products of the systems, and
sabotage.

Illustration of computer network vulnerabilities FIG 1

What Is Security?
Security is protection. Protection from adversaries—those who would do harm, intentionally or
otherwise—is the ultimate objective of security. National security, for example, is a multilayered
system that protects the sovereignty of a state, its assets, its resources, and its people. Achieving the
appropriate level of security for an organization also requires a multifaceted system. A successful
organization should have multiple layers of security in place to protect its operations, physical
infrastructure, people, functions, communications, and information.

Key Terms C.I.A. triad the industry standard for computer security since the development of the
mainframe. The standard is based on three characteristics that describe the utility of information:
confidentiality, integrity, and availability.

communications security the protection of all communications media, technology, and content.
information security Protection of the confidentiality, integrity, and availability of information assets,
whether in storage, processing, or transmission, via the application of policy, education, training and
awareness, and technology.

network security A subset of communications security; the protection of voice and data networking
components, connections, and content.

security A state of being secure and free from danger or harm. Also, the actions taken to make
someone or something secure.

Components of information security FIG 2

A Committee on National Security Systems (CNSS) defines information security as the protection of
information and its critical elements, including the systems and hardware that use, store, and
transmit the information.

The CNSS model of information security evolved from a concept developed by the computer security
industry called the C.I.A. triad.
 The C.I.A. triad

Confidentiality, integrity, and availability (often referred as CIA) are the three critical tenets of
information security. While there are many factors that help determine the security posture of a
system, confidentiality, integrity, and availability are most prominent among them. From an
information security perspective, any given asset can be classified based on the confidentiality,
integrity, and availability values it carries. This section conceptually highlights the importance of CIA
along with practical examples and common attacks against each of the factors.

Confidentiality The dictionary meaning of the word confidentiality states: the state of keeping
or being kept secret or private. Confidentiality, in the context of information security, implies keeping
the information secret or private from any unauthorized access, which is one of the primary needs of
information security. The following are some examples of information that we often wish to keep
confidential:
 Passwords
 PIN numbers
 Credit card number, expiry date, and CVV
 Business plans and blueprints
 Financial information
 Social security numbers
 Health records

Common attacks on confidentiality include.

 Packet sniffing: This involves interception of network packets in order to gain unauthorized
access to information flowing in the network.
 Password attacks: This includes password guessing, cracking using brute force or dictionary
attack, and so on
 Port scanning and ping sweeps: Port scans and ping sweeps are used to identify live hosts in
a given network and then perform some basic fingerprinting on the live hosts
 Dumpster driving: This involves searching and mining the dustbins of the target organization
in an attempt to possibly get sensitive information
 Shoulder surfing: This is a simple act wherein any person standing behind you may peek in to
see what password you are typing
 Social engineering: Social engineering is an act of manipulating human behavior in order to
extract sensitive information
 Phishing and pharming: This involves sending false and deceptive emails to a victim, spoofing
the identity, and tricking the victim to give out sensitive information
 Wiretapping: This is similar to packet sniffing though more related to monitoring of
telephonic conversations:
 Keylogging: This involves installing a secret program onto the victim's system which would
record and send back all the keys the victim types in the system.
Integrity in the context of information security refers to the quality of the information, meaning
the information, once generated, should not be tampered with by any unauthorized entities. For
example, if a person sends X amount of money to his friend using online banking, and his friend
receives exactly X amount in his account, then the integrity of the transaction is said to be intact. If
the transaction gets tampered at all in between, and the friend either receives X + (n) or X - (n)
amount, then the integrity is assumed to have been tampered with during the transaction. Common
attacks on integrity include:

 Salami attacks: When a single attack is divided or broken into multiple small attacks in order
to avoid detection, it is known as a salami attack
 Data diddling attacks: This involves unauthorized modification of data before or during its
input into the system
 Trust relationship attacks: The attacker takes benefit of the trust relationship between the
entities to gain unauthorized access
 Man-in-the-middle attacks: The attacker hooks himself to the communication channel,
intercepts the traffic, and tampers with the data
 Session hijacking: Using the man-in-the-middle attack, the attacker can hijack a legitimate
active session which is already established between the entities

Availability The availability principle states that if an authorized individual makes a request
for a resource or information, it should be available without any disruption. For example, a
person wants to download his bank account statement using an online banking facility. For some
reason, the bank's website is down and the person is unable to access it. In this case, the
availability is affected as the person is unable to make a transaction on the bank's website. From
an information security perspective, availability is as important as confidentiality and integrity.
For any reason, if the requested data isn't available within time, it could cause severe tangible or
intangible impact. Common attacks on availability include the following:

Common attacks on availability include the following:

 Denial of service attacks: In a denial-of-service attack, the attacker sends a large number
of requests to the target system. The requests are so large in number that the target
system does not have the capacity to respond to them. This causes the failure of the
target system and requests coming from all other legitimate users get denied.
 SYN flood attacks: This is a type of denial-of-service attack wherein the attacker sends a
large number of SYN requests to the target with the intention of making it unresponsive.
 Distributed denial of service attacks: This is quite similar to the denial-of-service attack,
the difference being the number of systems used to attack. In this type of attack,
hundreds and thousands of systems are used by the attacker in order to flood the target
system.
 Electrical power attacks: This type of attack involves deliberate modification in the
electrical power unit with an intention to cause a power outage and thereby bring down
the target systems.
 Server room environment attacks: Server rooms are temperature controlled. Any
intentional act to disturb the server room environment can bring down the critical server
systems.
 Natural calamities and accidents: These involve earthquakes, volcano eruptions, floods,
and so on, or any unintentional human errors.
Key Information Security Concepts
Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
Authorized users have legal access to a system, whereas hackers must gain illegal access to a system.
Access controls regulate this ability.

• Asset: The organizational resource that is being protected. An asset can be logical, suchas a
Web site, software information, or data; or an asset can be physical, such as a person,
computer system, hardware, or other tangible object. Assets, particularly information assets,
are the focus of what security efforts are attempting to protect.
• Attack: An intentional or unintentional act that can damage or otherwise compromise
information and the systems that support it. Attacks can be active or passive, intentional or
unintentional, and direct or indirect. Someone who casually reads sensitive information not
intended for his or her use is committing a passive attack. A hacker attempting to break into
an information system is an intentional attack. A lightning strike that causes a building fire is
an unintentional attack. A direct attack is perpetrated by a hacker using a PC to break into a
system. An indirect attack is a hacker compromising a system and using it to attack other
systems—for example, as part of a botnet (slang for robot network). This group of
compromised computers, running software of the attacker’s choosing, can operate
autonomously or under the attacker’s direct control to attack systems and steal user
information or conduct distributed denial-of-service attacks. Direct attacks originate from the
threat itself. Indirect attacks originate from a compromised system or resource that is
malfunctioning or working under the control of a threat.
• Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat
agents may attempt to exploit a system or other information asset by using it illegally for
their personal gain. Or, an exploit can be a documented process to take advantage of a
vulnerability or exposure, usually in software, that is either inherent in the software or
created by the attacker. Exploits make use of existing software tools or custom-made
software components.
• Exposure: A condition or state of being exposed; in information security, exposure exists
when a vulnerability is known to an attacker
• Loss: A single instance of an information asset suffering damage or destruction, unintended
or unauthorized modification or disclosure, or denial of use. When an organization’s
information is stolen, it has suffered a loss.
• Protection profile or security posture: The entire set of controls and safeguards, including
policy, education, training and awareness, and technology, that the organization implements
to protect the asset. The terms are sometimes used interchangeably with the term security
program, although a security program often comprises managerial aspects of security,
including planning, personnel, and subordinate programs
• Risk: The probability of an unwanted occurrence, such as an adverse event or loss.
Organizations must minimize risk to match their risk appetite—the quantity and nature of
risk they are willing to accept.
• Subjects and objects of attack: A computer can be either the subject of an attack—an agent
entity used to conduct the attack—or the object of an attack and the target entity. A
computer can also be both the subject and object of an attack. For example, it can be
compromised by an attack (object) and then used to attack other systems (subject).
• Threat: Any event or circumstance that has the potential to adversely affect operations and
assets. The term threat source is commonly used interchangeably with the more generic
 term threat. While the two terms are technically distinct, in order to simplify discussion, the
text will continue to use the term threat to describe threat sources
• Threat agent: The specific instance or a component of a threat. For example, the threat
source of “trespass or espionage” is a category of potential danger to information assets,
while “external professional hacker” (like Kevin Mitnick, who was convicted of hacking into
phone systems) is a specific threat agent. A lightning strike, hailstorm, or tornado is a threat
agent that is part of the threat source known as “acts of God/acts of nature.
• Threat event: An occurrence of an event caused by a threat agent. An example of a threat
event might be damage caused by a storm. This term is commonly used interchangeably with
the term attack.
• Threat source: A category of objects, people, or other entities that represents the origin of
danger to an asset—in other words, a category of threat agents. Threat sources are always
present and can be purposeful or undirected. For example, threat agent “hackers,” as part of
the threat source “acts of trespass or espionage,” purposely threaten unprotected
information systems, while threat agent “severe storms,” as part of the threat source “acts of
God/acts of nature,” incidentally threaten buildings and their contents.
• Vulnerability: A potential weakness in an asset or its defensive control system(s). Some
examples of vulnerabilities are a flaw in a software package, an unprotected system port, and
an unlocked door. Some well-known vulnerabilities have been examined, documented, and
published; others remain latent (or undiscovered).

Critical Characteristics of Information

 Accuracy An attribute of information that describes how data is free of errors and has the
value that the user expects.
 authenticity An attribute of information that describes how data is genuine or original rather
than reproduced or fabricated.
 availability An attribute of information that describes how data is accessible and correctly
formatted for use without interference or obstruction.
 confidentiality An attribute of information that describes how data is protected from
disclosure or exposure to unauthorized individuals or systems.
 integrity An attribute of information that describes how data is whole, complete, and
uncorrupted.
 personally identifiable information (PII) A set of information that could uniquely identify an
individual. possession An attribute of information that describes how the data’s ownership or
control is legitimate or authorized.
 utility An attribute of information that describes how data has value or usefulness for an end
purpose.
Cryptography
Cryptography is the science of securing communication and data from
unauthorized access, tampering, or eavesdropping. There are several
fundamental principles that underpin the design and implementation of
cryptographic systems.

Cryptography is being increasingly used to fight off this massive invasion of individual privacy and
security, to guarantee data integrity and confidentiality, and to bring trust in global e-commerce.
Cryptography has become the main tool for providing the needed digital security in the modern
digital communication medium that far exceeds the kind of security that was offered by any medium
before it. It guarantees authorization, authentication, integrity, confidentiality, and nonrepudiation in
all communications and data exchanges in the new information society.

Modern cryptographic security services fig 2.0

Fig 2.0 shows how cryptography guarantees these security services through five basic mechanisms
that include symmetric and public key encryption, hashing, digital signatures, and certificates.

A cryptographic system consists of four essential components.

 Plaintext—the original message to be sent.

 Cryptographic system (cryptosystem) or a cipher—consisting of mathematical encryption and
decryption algorithms.
 Ciphertext—the result of applying an encryption algorithm to the original message before it
is sent to the recipient •
 Key—a string of bits used by the two mathematical algorithms in encrypting and decrypting
processes.

Goals of Cryptography
Cryptography aims to achieve several goals to ensure secure communication and
protect data from unauthorized access, tampering, or eavesdropping. The
primary goals of cryptography are:

1. Confidentiality: Confidentiality ensures that only authorized parties can access and
read the data. Encryption techniques, such as symmetric-key and asymmetric-key
encryption, are used to protect the data from unauthorized access by converting
plaintext into ciphertext.
2. Integrity: Integrity ensures that the data has not been tampered with or altered during
transmission or storage. Cryptographic mechanisms, such as cryptographic hash
functions and message authentication codes (MACs), are used to verify the integrity
of the data. Any changes to the data will result in a different hash or MAC, alerting
the recipient that the data has been altered.
3. Authentication: Authentication verifies the identity of the parties involved in the
communication. Digital signatures, which are based on asymmetric-key encryption,
are used to authenticate the sender of a message. By signing a message with their
private key, the sender can prove their identity to the recipient, who can verify the
signature using the sender's public key.
4. Non-repudiation: it ensures that a sender cannot deny having sent a message or
performed an action. Digital signatures provide non-repudiation, as the sender's
private key is required to sign the message, and the signature can be verified by
anyone with access to the sender's public key.
5. Access control: Cryptography can be used to implement access control mechanisms,
ensuring that only authorized users can access specific resources or perform certain
actions. This can be achieved using encryption, digital signatures, and secure
authentication protocols.
6. Secure key management: Secure key management is crucial for the effective
implementation of cryptographic systems. Keys must be generated, distributed,
stored, and revoked securely to prevent unauthorized access and maintain the security
of the system. Key management protocols, such as the Diffie-Hellman key exchange,
are used to securely establish shared secret keys between parties.
By achieving these goals, cryptography provides a foundation for secure communication and
data protection, ensuring the privacy and trustworthiness of the information being exchanged.

Principles of Cryptography
Cryptography is the science of securing communication and data from
unauthorized access, tampering, or eavesdropping. The principles and concepts
underlying cryptography are essential for ensuring the confidentiality, integrity,
and authenticity of data.
 Encryption: Encryption is the process of converting plaintext
(readable data) into ciphertext (unreadable data) using an
encryption algorithm and a key. The purpose of encryption is to
ensure that only authorized parties with the correct key can access
and read the data.
 Decryption: Decryption is the process of converting ciphertext (unreadable
data) back into plaintext (readable data) using a decryption algorithm and
a key. Decryption allows authorized parties to access and read the
encrypted data
  Symmetric-key encryption: In symmetric-key encryption, the same
key is used for both encryption and decryption. This means that
both the sender and receiver must have access to the same key in
order to communicate securely.
 Asymmetric-key encryption: Also known as public-key encryption,
asymmetric-key encryption involves using two different keys for
encryption and decryption. One key, the public key, is used for
encryption, while the other key, the private key, is used for
decryption. This allows secure communication without the need to
exchange a shared secret key.
 Cryptographic hash functions: Hash functions are one-way functions
that transform data into a fixed-length string of characters, known
as a hash. The hash is unique to the input data, and any changes to
the input data will result in a different hash. Hashing is commonly
used for password storage, data integrity checks, and digital
signatures.
 Digital signatures: Digital signatures are used to authenticate the
sender of a message and ensure non-repudiation. Digital signatures
are based on asymmetric-key encryption, where the sender signs
the message with their private key, and the recipient verifies the
signature using the sender's public key.
 Key management: Secure key management is crucial for the
effective implementation of cryptographic systems. Keys must be
generated, distributed, stored, and revoked securely to prevent
unauthorized access and maintain the security of the system.
 Perfect forward secrecy (PFS): PFS is a property of cryptographic
systems that ensures that the compromise of a long-term key (e.g.,
a private key) does not compromise the security of past
communication sessions.
 Defense in depth: Cryptographic systems should be designed with
multiple layers of security to protect against potential vulnerabilities
and attacks.
Process of transforming plaintext into ciphertext using an encryption
algorithm and a secret key

If Plaintext is the original message that you want to encrypt, while ciphertext is the encrypted message
that results from applying an encryption algorithm to the plaintext.
First, let's define some terms. Plaintext is the original message that you want to encrypt, while
ciphertext is the encrypted message that results from applying an encryption algorithm to the
plaintext. An encryption algorithm is a mathematical function that transforms plaintext into
ciphertext, and a secret key is a piece of information that is used by the encryption algorithm to
perform the transformation. An encryption algorithm is a mathematical function that transforms
plaintext into ciphertext, and a secret key is a piece of information that is used by the encryption
algorithm to perform the transformation.

Let's say we have the plain text message "HELLO WORLD". To transform this into cipher
text, we would use a cryptographic algorithm to encrypt the message. One common algorithm
is the Caesar cipher, which involves shifting each letter in the message a certain number of
places down the alphabet.
For example, if we shift each letter in "HELLO WORLD" three places down the alphabet, we
would get the cipher text "KHOOR ZRUOG".
It's important to note that the security of a cipher depends on the strength of the algorithm and the key
used to encrypt the message. In the case of the Caesar cipher, it is a relatively weak algorithm and can
be easily cracked with modern computing power. More advanced algorithms, such as AES or RSA,
are used for secure communication.

ENCRYPTION IN CRYPTOGRAGHY is sub divided in symmetric and asymmetric encryption.

Symmetric encryption
Symmetric encryption or secret key encryption, as it is usually called, uses a common key
and the same cryptographic algorithm to scramble and unscramble the message as shown
below

Symmetric encryption
Encryption and decryption with symmetric cryptography

The transmitted final ciphertext stream is usually a chained combination of blocks of the plaintext,
the secret key, and the ciphertext. The security of the transmitted data depends on the assumption
that eavesdroppers and cryptanalysts with no knowledge of the key are unable to read the message.
However, for a symmetric encryption scheme to work, the key must be shared between the sender
and the receiver. The sharing is usually done through passing the key from the sender to the receiver.
This presents a problem in many different ways
ASSIGNMENT how to keep the key secure while being transported from the sender to the receiver.
Symmetric encryption algorithms are a class of cryptographic algorithms that use the same
key for both the encryption and decryption processes. These algorithms are designed to be
fast, efficient, and suitable for encrypting large amounts of data. Here are some commonly
used symmetric encryption algorithms:
1. Data Encryption Standard (DES): DES is one of the earliest and widely known
symmetric encryption algorithms. It operates on 64-bit blocks of data and uses a 56-
bit key. However, due to advances in computing power, DES is considered relatively
weak for secure applications.
2. Triple Data Encryption Algorithm (3DES): 3DES is an enhanced version of DES that
applies the DES algorithm three times in a sequence. It provides improved security by
increasing the key length to 168 bits. 3DES is backward-compatible with DES,
making it a popular choice for legacy systems.
3. Advanced Encryption Standard (AES): AES is currently the most widely used
symmetric encryption algorithm. It supports key sizes of 128, 192, and 256 bits and
operates on 128-bit blocks of data. AES is known for its strong security, high
performance, and widespread adoption in various applications.
4. Blowfish: Blowfish is a symmetric encryption algorithm designed by Bruce Schneier.
It operates on 64-bit blocks of data and supports key sizes from 32 bits to 448 bits.
Blowfish is known for its flexibility, simplicity, and fast encryption and decryption
speeds.
5. Twofish: Twofish is a symmetric encryption algorithm based on the Blowfish
algorithm. It operates on 128-bit blocks of data and supports key sizes up to 256 bits.
Twofish is known for its strong security and its suitability for both software and
hardware implementations.
 6. RC4: RC4 is a stream cipher symmetric encryption algorithm that is widely used in
various applications, including wireless protocols (e.g., WEP, WPA), secure socket
layers (SSL), and virtual private networks (VPNs). However, due to security
vulnerabilities discovered in RC4, it is no longer recommended for use.

Applications
Symmetric encryption algorithms have numerous applications in various fields where secure
communication and data protection are essential. Here are some common applications of
symmetric encryption:
1. Secure Communication: Symmetric encryption is widely used for securing
communication channels, such as email, instant messaging, voice over IP (VoIP), and
virtual private networks (VPNs). It ensures that the data transmitted between the
sender and receiver remains confidential and protected from unauthorized access.
2. Data Storage and Backup: Symmetric encryption is employed to secure data stored on
local devices, external drives, or cloud storage platforms. By encrypting the data with
a symmetric key, even if the storage medium is compromised, the encrypted data
remains unintelligible without the key.
3. File and Disk Encryption: Symmetric encryption is used to encrypt individual files or
entire disks to protect sensitive data from unauthorized access. It is commonly used
for encrypting files stored on portable storage devices or securing disk partitions.
4. Database Encryption: Symmetric encryption is employed to encrypt sensitive data
stored in databases. It ensures that even if the database is compromised, the encrypted
data remains secure and unusable without the encryption key.
5. Secure Socket Layer (SSL)/Transport Layer Security (TLS): Symmetric encryption is
used in SSL/TLS protocols to secure web communications. It enables the encryption
of data transmitted between web servers and clients, ensuring the confidentiality and
integrity of sensitive information, such as passwords, credit card details, and personal
data.
6. Wireless Network Security: Symmetric encryption algorithms, such as WEP (Wired
Equivalent Privacy) and WPA (Wi-Fi Protected Access), are used to secure wireless
networks. They encrypt data transmitted over the network, preventing unauthorized
users from intercepting and deciphering the information.
7. Secure Messaging and Collaboration Platforms: Many messaging and collaboration
platforms use symmetric encryption to secure communication and data sharing
between users. It ensures that the messages, files, and other shared content remain
confidential and protected.
8. Financial Transactions: Symmetric encryption is employed in secure online banking,
e-commerce, and payment gateways to protect sensitive financial transactions. It
ensures that the transaction data is encrypted during transmission, safeguarding it
from unauthorized interception.
9. Access Control Systems: Symmetric encryption algorithms are used in access control
systems, such as keycards or smart cards, to secure authentication data during
transmission. It ensures that the authentication information remains confidential and
cannot be tampered with.

In symmetric encryption, block ciphers and stream ciphers are the two main types of
ciphers used. The choice between these two types depends on the specific requirements and
characteristics of the encryption scenario.
1. Block Ciphers:
  Block ciphers encrypt fixed-size blocks of plaintext into ciphertext using a
symmetric key.
 They divide the input data into blocks, typically 64 or 128 bits in length, and
process each block independently.
 Examples of widely used block ciphers include Data Encryption Standard
(DES), Triple DES (3DES), Advanced Encryption Standard (AES), and
Blowfish.
2. Stream Ciphers:
 Stream ciphers encrypt data in a continuous stream, typically one bit or byte at
a time.
 They generate a keystream, a pseudorandom sequence of bits or bytes, which
is combined with the plaintext using a bitwise exclusive OR (XOR) operation
to produce the ciphertext.
 Stream ciphers are often more efficient for encrypting large amounts of data in
real-time.
 Examples of stream ciphers include RC4, Salsa20, and ChaCha20.
Both block ciphers and stream ciphers have their strengths and weaknesses. Block ciphers are
commonly used for secure communication channels or when data is divided into fixed-size
blocks, such as in disk encryption or file encryption. Stream ciphers are often used in
scenarios where real-time encryption or random access to data is required, such as in wireless
communication protocols or certain hardware encryption applications.
Advantages
Faster than asymmetric , few calculation for good performance metrics , bulk amount of data
are well optimized , with its simple algorithm structure symmetric and more easier to set up
and implement. Easy to maintain.
Assignment state the merit and demerit of symmetric

Public Key Encryption

Asymmetric encryption, also known as public-key encryption, is a cryptographic method that
uses a pair of mathematically related keys to encrypt and decrypt data. Unlike symmetric
encryption, where the same key is used for both encryption and decryption, asymmetric
encryption uses two distinct keys: a public key and a private key.

.Here's an overview of how asymmetric encryption works:

1. Key Generation:
 The receiver generates a key pair consisting of a public key and a private key.
 The public key is made available to anyone who wants to send encrypted
messages to the receiver.
 The private key is kept secret and known only to the receiver.
2. Encryption:
 When a sender wants to encrypt a message for the receiver, they obtain the
receiver's public key.
 The sender uses the public key to encrypt the message, transforming it into
ciphertext.
 The ciphertext can only be decrypted using the receiver's corresponding
private key.
3. Decryption:
  The receiver receives the encrypted ciphertext and uses their private key to
decrypt it.
 Since the private key is known only to the receiver, they are the only one who
can decrypt the ciphertext and recover the original message.
 Once decrypted, the receiver can read the plaintext message.
Key Features and Advantages of Asymmetric Encryption:
1. Secure Key Exchange: Asymmetric encryption provides a secure method for key
exchange. The sender can encrypt a symmetric key using the recipient's public key
and send it along with the encrypted message. The recipient can then decrypt the
symmetric key using their private key and use it for efficient symmetric
encryption/decryption of the actual message. This approach combines the efficiency
of symmetric encryption with the security of asymmetric encryption.
2. Authentication and Digital Signatures: Asymmetric encryption allows for
authentication and the creation of digital signatures. A sender can use their private key
to encrypt a message, creating a digital signature. The recipient can then verify the
signature using the sender's public key, ensuring the message's integrity and
authenticity.
3. Key Distribution: Asymmetric encryption eliminates the need for a secure channel to
distribute keys. The public key can be freely shared, while the private key remains
confidential. This simplifies the key distribution process in secure communication.
4. Security Strength: Asymmetric encryption relies on complex mathematical
algorithms, making it computationally difficult to derive the private key from the
public key. This provides a higher level of security compared to symmetric encryption
algorithms, which require keeping the shared key secret.
However, asymmetric encryption also has some drawbacks:
1. Computational Complexity: Asymmetric encryption algorithms are generally slower
and computationally more intensive than symmetric encryption algorithms. This
makes them less suitable for encrypting large amounts of data in real-time.
2. Key Management: Asymmetric encryption requires proper key management,
including secure generation, storage, and distribution of the key pairs. It also requires
mechanisms for key revocation and updating.
3. Key Size: Asymmetric encryption typically requires larger key sizes compared to
symmetric encryption to achieve the same level of security. This can result in longer
encryption and decryption times and increased storage requirements.
Due to these factors, a common practice is to combine the strengths of both symmetric and
asymmetric encryption. Asymmetric encryption is often used for secure key exchange,
authentication, and digital signatures, while symmetric encryption is employed for efficient
bulk data encryption once the secure channel and shared key have been established