Asymmetric encryption, also known as public key encryption, uses two keys that are mathematically related. Both keys together are called the key pair.
- The public key is made available to anyone; the private key is kept secret.
- Use one key to encrypt and the other to decrypt. For example, if data is encrypted with the public key, use the private key to decrypt the data.
- The strength of an asymmetric encryption system lies in the secrecy and security of its private keys. If the private key is ever discovered, a new key pair must be generated.
- Both private and public keys are created on a local machine by a local security authority (the security kernel) and a cryptographic service provider (CSP).
- Asymmetric encryption of large amounts of data is slow and CPU-intensive. Processing speeds are much slower (about 1,000 times slower) than symmetric key encryption, which is why it is normally applied only to small values such as keys and hashes rather than to bulk data.
- Asymmetric encryption requires fewer keys than symmetric key encryption, because only two keys per user are required (not a key for every communicating partner). For example, 1,000 users would require a total of 2,000 keys.
Asymmetric key encryption can provide confidentiality (encryption), strong authentication, and non-repudiation. Asymmetric encryption is used for:
- Data encryption to secure data.
- Digital signing to confirm the integrity of the message and the authenticity of the sender.
- Key exchange to ensure keys are secure during transit. Asymmetric encryption is often used to securely exchange symmetric keys.
Asymmetric encryption protocols include:
- Diffie-Hellman is a key exchange protocol used for generating and securely exchanging symmetric encryption keys.
- ElGamal is a protocol used for encryption and is based on Diffie-Hellman. ElGamal is used in the free GNU Privacy Guard software and recent versions of PGP. A variation of ElGamal, the Digital Signature Algorithm, is used for digital signatures, but is very slow.
- Elliptic curve cryptography (ECC) is an approach to cryptography that uses a finite set of points on an elliptic curve (a curve defined by an algebraic equation). Elliptic curve cryptography reaches the same strength as other asymmetric algorithms with much smaller keys (for example, a key size of 60 bits is equivalent to a 1024-bit key used with RSA). Elliptic curve methods have been deployed for encryption, digital signatures, and key exchange.
- RSA is a protocol used for both encryption and digital signatures. It was developed by Rivest, Shamir, and Adleman, and its security rests on the difficulty of factoring the product of two large prime numbers.
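The Diffie-Hellman exchange described above, as an added example that is not part of the original notes: both parties publish only their public value, compute the same shared secret from the peer's public value and their own private exponent, and hash it into a symmetric key, which is the "key exchange" use from the earlier list. The group parameters are a toy 32-bit safe prime constructed at run time so that the whole exchange runs in seconds; deployed implementations use standardized groups of 2048 bits or more (or elliptic-curve Diffie-Hellman). Uses only the Python standard library.

```python
"""Diffie-Hellman key agreement over a toy safe-prime group (added example)."""
import hashlib
import secrets


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the toy-sized parameters used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def toy_safe_prime(bits: int = 32) -> int:
    """Find p = 2q + 1 with both p and q prime (a 'safe prime'), toy-sized."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1


class Party:
    """One side of the exchange. Only `public` ever leaves the object."""

    def __init__(self, name: str, p: int, g: int):
        self.name, self.p, self.g = name, p, g
        self.q = (p - 1) // 2                         # prime order of the subgroup
        self._secret = 1 + secrets.randbelow(self.q - 1)   # private exponent, never sent
        self.public = pow(g, self._secret, p)         # sent over the open channel

    def shared_key(self, peer_public: int) -> bytes:
        # Reject degenerate values (0, 1, p-1) and anything outside the order-q
        # subgroup: both are what a tampering party on the wire would substitute.
        if not 1 < peer_public < self.p - 1 or pow(peer_public, self.q, self.p) != 1:
            raise ValueError("invalid peer public value")
        shared_secret = pow(peer_public, self._secret, self.p)
        # Derive a fixed-size symmetric key from the shared secret
        return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()[:16]


def run_exchange(p: int, g: int = 4):
    """g = 4 = 2**2 is a square, so it has prime order q in a safe-prime group."""
    alice, bob = Party("Alice", p, g), Party("Bob", p, g)
    # On the wire: alice.public -> Bob and bob.public -> Alice; an eavesdropper
    # sees both values but cannot compute the shared secret from them.
    key_a = alice.shared_key(bob.public)
    key_b = bob.shared_key(alice.public)
    return key_a, key_b


if __name__ == "__main__":
    p = toy_safe_prime()
    key_a, key_b = run_exchange(p)
    print("p =", p, "keys match:", key_a == key_b)
```

The subgroup check in `shared_key` is the detail most often missing from textbook code: a safe prime and a generator of prime order q make the check a single exponentiation, and it stops a peer from forcing the shared secret into a tiny subgroup. The SHA-256 step turns the raw group element into a uniformly sized key suitable for a symmetric cipher, which is how such exchanges hand off to symmetric encryption in practice.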
Asymmetric encryption is used with the following protocols:
- VPNs (PPTP, L2TP, SSTP)
- S/MIME and PGP for e-mail security
- SSH tunnels