Most VPN users don’t need to know anything about encryption, only that it exists. But for those who want to delve deeper, the subject is endlessly complex. One of the more understandable basic topics is the distinction between symmetric and asymmetric encryption. Just read my explanation in this article!
What is encryption?
First of all, encryption is the way of transforming your normal data, which is easy to read and understand, into ciphertext, which is gibberish to anyone without the key needed to decipher it (see what we did there?).
The classic example is the Caesar cipher, which encrypts text by shifting every letter a fixed number of positions along the alphabet; ROT13 is the variant that shifts by 13. Anyone who knows the shift can decrypt the message by shifting back (with ROT13, shifting forward by 13 a second time gets you back where you started, since 13 + 13 = 26). This is one of the oldest examples of symmetric key encryption, dating back to the days of Caesar.
The real big difference in symmetric vs. asymmetric encryption is how the keys are distributed between the parties involved in the communication.
What is symmetric encryption?
Symmetric encryption relies on both parties having the same key for both encrypting and decrypting. We already mentioned ROT13 – it’s an example of symmetric encryption, as both parties rely on the same shift of 13 letters.
However, no sane company would use something that simple today. Modern symmetric ciphers like AES work on blocks of data and put each block through many rounds of substitution and mixing, folding the key in at every round, so that changing a single bit of the input or the key scrambles the entire output block.
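To make the "same key both ways" point concrete, here is a shift cipher (Caesar/ROT-n) in Python, written for this article as an added example rather than code from the original post or from Surfshark. It also shows the flip side: a cipher whose whole keyspace is 26 keys can be brute-forced instantly, and a single expected word (a "crib") is enough to pick out the right one. The sample sentence and the crib "THE" are constructed for the example.

```python
"""Shift cipher (Caesar / ROT-n), a symmetric cipher in miniature:
the same secret key is needed to encrypt and to decrypt."""
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter forward by `key` positions; anything that is not a
    letter (spaces, punctuation) passes through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decrypting is the same operation run backwards with the same key."""
    return shift_encrypt(ciphertext, -key)


def rot13(text: str) -> str:
    """ROT13 is the special case key=13. Because 13 + 13 = 26, applying it a
    second time already decrypts."""
    return shift_encrypt(text, 13)


def brute_force(ciphertext: str) -> dict:
    """What an eavesdropper without the key does: try every possible key.
    A shift cipher has only 26 of them, so this takes no time at all.
    AES-256 has 2**256 possible keys, which is why the same trick fails there."""
    return {key: shift_decrypt(ciphertext, key) for key in range(26)}


def crack_with_crib(ciphertext: str, crib: str = "THE") -> list:
    """Keep only the keys whose candidate plaintext contains a word the
    attacker expects to see (a 'crib'). With a decent crib the key is unique."""
    return [key for key, candidate in brute_force(ciphertext).items()
            if crib in candidate]


if __name__ == "__main__":
    secret = shift_encrypt("The quick brown fox jumps over the lazy dog", 13)
    print(secret)
    print(crack_with_crib(secret))   # [13]
```

The lesson carries over to real ciphers: the secrecy of a symmetric scheme rests entirely on the key, so the key has to be both unguessable and drawn from a space far too large to enumerate.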
Examples of symmetric encryption
You use symmetric encryption in your daily life without noticing:
- AES – Advanced Encryption Standard is the gold standard for symmetric encryption these days, and it’s built around the Rijndael block cipher. Surfshark uses AES-256 GCM encryption.
- TLS/SSL – Transport Layer Security and its deprecated predecessor, Secure Sockets Layer, is the cryptographic protocol that underlies most online communication. Strictly speaking, TLS is not a symmetric cipher but a protocol that uses one (AES-GCM or ChaCha20-Poly1305 in TLS 1.3) to protect the data once a connection is set up. HTTPS is famously reliant on TLS.
- DES – Data Encryption Standard was adopted by the US government in 1977, which shows that it’s ancient. Its 56-bit key can be brute-forced with modest hardware today, so it should not be used for anything.
- Triple DES – it applies the DES algorithm three times to every data block to stretch the effective key length. Used since 1981, it held up for decades, but its small 64-bit block size became a practical weakness (demonstrated by the Sweet32 attack in 2016), and NIST has deprecated it and disallows its use for encryption after 2023.
- IDEA – International Data Encryption Algorithm was designed to replace DES, but its most famous use was probably in the PGP 2.0 (Pretty Good Privacy) encryption program.
The advantages and disadvantages of symmetric encryption
There are numerous advantages to symmetric encryption, the first of them being security: with current technology, brute-forcing a 256-bit AES key is unfeasible not just within a human lifetime but within the lifetime of the universe. At the same time, symmetric encryption is fast: it uses shorter keys and simple operations (substitutions, permutations, XORs) rather than the arithmetic on enormous numbers that asymmetric encryption needs, so it chews through data at gigabytes per second on ordinary hardware, especially with the AES instructions built into most modern CPUs.
Lastly, AES and TLS are everywhere these days, and this adoption means that a lot of software and software professionals can work with them.
As for the disadvantages… they lie in the symmetry itself. Both parties use the same secret key. This would be fine if you had a secure way to share that key, like sending a secret agent on a submarine. But what if you don’t? What if your symmetrically-encrypted communications are random, impromptu, ad-hoc? Then you need to find a way to exchange the key without making it easy to intercept.
But wait, what’s this? Bah Gawd, it’s Asymmetric Encryption music!
What is asymmetric encryption?
Asymmetric encryption relies on making your head hurt when you explain it. But to put it shortly, it’s based on public key cryptography, which uses advanced nerd-level math to create two linked keys: a public key, which you can hand to anyone, and a private key, which you never share. The two are mathematically related, but working out the private key from the public key is computationally infeasible. If, say, your VPN app is establishing an encrypted tunnel to the VPN server, the app sends its public key to the server. The server uses that public key to encrypt a message for the app. Once the app receives the message, it uses its private key to decrypt it – you can’t do that with the public key. The same thing happens the other way around, with the server’s own key pair.
Examples of asymmetric encryption
- RSA – the Rivest–Shamir–Adleman cryptosystem can both encrypt messages and sign them, and at the key sizes used today (2048 bits and up) there is no known practical way of breaking it, which is pretty good for something made in 1977. However, it’s very slow and can only encrypt a message smaller than its key; thus, RSA is mainly used for signatures and to securely exchange keys for symmetric cryptography.
- Diffie–Hellman key exchange – published in 1976, it introduced the whole idea of public key cryptography and inspired RSA. Diffie-Hellman doesn’t encrypt messages at all: the two parties exchange public values and each computes the same shared secret, which then becomes the symmetric key. For a fancier version, Elliptic-curve Diffie-Hellman does the same with elliptic-curve math and gets equivalent security from much shorter keys (a 256-bit curve key is roughly on par with 3072-bit RSA).
- TLS/SSL – TLS wouldn’t be so popular online if it didn’t have a way of agreeing on symmetric encryption keys with complete strangers. It uses asymmetric cryptography for that: in modern TLS, a Diffie-Hellman exchange to agree on the keys, plus the server’s certificate and signature to prove you’re talking to the right server.
The advantages and disadvantages of asymmetric encryption
One of the most significant advantages of asymmetric encryption is that there is no single shared secret. The public key has no value to any third party, as it only encrypts data (or verifies signatures). That’s why you can freely send it over unsecured channels online. Only the private key decrypts the stuff encrypted with your public key, and it never has to leave your device. The one catch is making sure the public key you received really belongs to who you think it does; otherwise an attacker sitting in the middle can hand you their own. That’s what certificates are for on the web.
Another benefit of this public-private key duality is in digital signatures. I’ll cry if you ask me to explain it in full, but digital signatures help authenticate the message. The sender hashes the message and transforms that hash with their private key; the recipient, holding the public key, can then check that the signature matches the message and so must have been created with the matching private key. Nobody else could have produced it, and any change to the message breaks the match.
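The two uses just described, encrypting with the public key and decrypting with the private one, and signing with the private key and verifying with the public one, are easiest to see in textbook RSA. The Python below is an added example written for this article, not code from the original post or from Surfshark. It is deliberately a toy: the two primes are fixed, well-known Mersenne primes (so the modulus is trivially factorable), there is no padding, and the message is a constructed byte string. Real RSA uses random primes and OAEP/PSS padding.

```python
"""Textbook RSA in miniature: the public key encrypts and verifies, the
private key decrypts and signs. Stdlib only; toy parameters, no padding."""
import hashlib

# Two Mersenne primes stand in for the random primes real RSA generates.
# Known primes make this modulus trivially factorable, so never do this for real.
P = 2**127 - 1
Q = 2**521 - 1
E = 65537  # the usual public exponent


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """n and e are public; d is the private exponent, the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can do this. Real RSA pads the message
    first (OAEP); raw RSA like this is malleable and must not be used as-is."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for the modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of d can undo the encryption. Leading zero bytes of the
    original message are not recoverable here; padding handles that in real RSA."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, message: bytes) -> int:
    """A signature is the message hash transformed with the private key."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature against the message."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


def public_key_cannot_decrypt(public_key, ciphertext: int, message: bytes) -> bool:
    """Applying the public exponent to the ciphertext does not give the message back."""
    n, e = public_key
    return pow(ciphertext, e, n) != int.from_bytes(message, "big")


if __name__ == "__main__":
    pub, priv = make_keypair()
    msg = b"meet at the usual place"          # constructed sample message
    ct = encrypt(pub, msg)
    print(decrypt(priv, ct))                   # b'meet at the usual place'
    sig = sign(priv, msg)
    print(verify(pub, msg, sig))               # True
    print(verify(pub, b"meet at the other place", sig))  # False
```

Note how the same pair of keys serves both jobs, just with the roles swapped: encryption uses the public exponent and decryption the private one, while signing uses the private exponent and verification the public one.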
So while the benefits in security are great, there’s a reason why asymmetric encryption is used sparingly, usually as a tool to establish symmetric encryption. That reason is speed.
The private key has to be very hard to crack, and for RSA the easiest way to achieve that is by increasing the length. So while symmetric encryption can get away with using 256-bit keys, RSA, for example, uses a 2048-bit chonker at minimum (which, despite being eight times longer, is rated at only about 112 bits of security). Key length isn’t really the cost, though: the math behind asymmetric cryptography (exponentiation on numbers thousands of bits long) runs thousands of times slower per byte than AES, and no matter how fast computers work (which is pretty fast these days), that adds up.
There’s also the theoretical issue of deriving the private key from the public one (factoring the RSA modulus, for example), but at the aforementioned key lengths that’s far beyond any known attack.
What is the difference between asymmetric and symmetric encryption?
Here’s a table to explain the differences between asymmetric and symmetric encryption:
| | Symmetric encryption | Asymmetric encryption |
|---|---|---|
| Keys | Both communicating parties use the same secret key | Each party has its own public and private key pair |
| Key length | 256-bit is the longest commonly used key | Commonly 2048 bits or more (RSA); 256-bit keys for elliptic-curve schemes |
| Process | You use the key to encrypt the message; the other party uses the same key to decrypt it | The other party sends you their public key, you encrypt the message with it and send it back, and they use their private key to decrypt it |
| Compromise | Compromising the single key compromises the whole communication | The public key reveals nothing useful; only the private key needs protecting, and its loss exposes only messages sent to that party |
Which one is better?
The answer is “it depends:”
- If speed is an issue, you want to use symmetric encryption;
- If you need to talk securely to someone you’ve never shared a secret with, you want to use asymmetric encryption.
As you’ll learn later, most encryption you encounter daily uses both. Asymmetric encryption is used to establish the connection and to exchange the single key used in symmetric encryption. Symmetric encryption is then used for data encryption for the rest of it.
Is HTTPS or AES symmetric or asymmetric encryption?
This is a trick question, as HTTPS utilizes both symmetric and asymmetric encryption. How? Well, HTTPS gets that “S” for “Secure” by using TLS/SSL to secure its communication.
TLS uses Diffie-Hellman (the asymmetric part) to establish a secure channel and agree on the session keys for symmetric encryption, which is then done with ciphers like the world-renowned AES (Surfshark uses protocols that employ the AES-256-GCM version).
In case the previous paragraph didn’t answer your question, I’ll lay it out plainly: AES is a symmetric encryption algorithm.
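The hybrid pattern described in the "Which one is better?" section and in the HTTPS answer above (asymmetric to agree on a key, symmetric for everything after) is shown end to end in the Python below. It is an added example written for this article, not code from the original post, from Surfshark, or from any TLS implementation. Its assumptions are labelled in the code: the Diffie-Hellman group is a toy 127-bit prime, far too small for real use (deployments use RFC 7919 groups or elliptic curves); SHA-512 stands in for a proper KDF such as HKDF; and because the standard library has no AES, HMAC-SHA256 run in counter mode plus an HMAC tag stands in for AES-GCM. The request line used as the message is constructed.

```python
"""The hybrid scheme TLS and VPNs use, in miniature: Diffie-Hellman (asymmetric)
agrees on a secret over a public channel, then the data is protected with a
symmetric authenticated cipher keyed from that secret. Stdlib only."""
import hashlib
import hmac
import secrets

# Toy group: 2**127 - 1 is prime, but a 127-bit modulus is far too small for
# real use. Deployments use standardised groups (RFC 7919) or elliptic curves.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Private exponent a (kept secret) and public value A = G**a mod P (sent)."""
    priv = secrets.randbelow(P - 3) + 2
    pub = pow(G, priv, P)
    return priv, pub


def dh_shared_keys(my_priv: int, their_pub: int) -> tuple:
    """Both sides compute G**(a*b) mod P. An eavesdropper sees only P, G, A and B
    and would have to solve a discrete logarithm to get the same value. SHA-512
    stands in for a real KDF (HKDF) and splits the secret into an encryption
    key and a MAC key."""
    shared = pow(their_pub, my_priv, P)
    okm = hashlib.sha512(shared.to_bytes(16, "big")).digest()
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a stand-in for AES-GCM's keystream
    (the standard library has no AES)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def sym_encrypt(keys: tuple, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: output is nonce || ciphertext || tag."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(12)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def sym_decrypt(keys: tuple, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare), then decrypt. A forged or
    modified message is rejected before any plaintext is produced."""
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_session(message: bytes) -> dict:
    """One full exchange between a client and a server."""
    c_priv, c_pub = dh_keypair()                 # client picks a, sends A
    s_priv, s_pub = dh_keypair()                 # server picks b, sends B
    client_keys = dh_shared_keys(c_priv, s_pub)  # client: B**a
    server_keys = dh_shared_keys(s_priv, c_pub)  # server: A**b, same result
    blob = sym_encrypt(client_keys, message)     # symmetric from here on
    tampered = blob[:12] + bytes([blob[12] ^ 0x01]) + blob[13:]  # flip one bit
    try:
        sym_decrypt(server_keys, tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "keys_match": client_keys == server_keys,
        "recovered": sym_decrypt(server_keys, blob),
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(run_session(b"GET /secret HTTP/1.1"))  # constructed sample request
```

Two things are worth noticing. The only asymmetric work is the two modular exponentiations per side during the handshake; the bulk of the traffic never touches them. And the exchange as written gives a shared secret but no authentication of who is on the other end; TLS closes that gap with the server's certificate and signature, which is exactly the man-in-the-middle concern raised earlier.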
Does VPN use symmetric or asymmetric encryption?
VPN uses both symmetric and asymmetric encryption in its operations. I’ll use the VPN protocols available on Surfshark as an example:
WireGuard: It employs asymmetric cryptography in the shape of Curve25519 for the Diffie-Hellman exchange and symmetric encryption (ChaCha20-Poly1305) for the actual transfer of data.
IKEv2/IPsec: Internet Key Exchange version 2 is what actually provides the key exchange for the IPsec protocol. The asymmetric part is done via Diffie-Hellman, and symmetric encryption is carried out by IPsec with AES.
OpenVPN: It uses the OpenSSL library for security, and guess what often-mentioned names in key exchanges and encryption algorithms that one supports? Hint: they rhyme with Fiddly Dollman and BTS!
In conclusion: encryption works for you
But you know what the real beauty of a VPN like Surfshark is? It’s that you don’t need to know anything about symmetric or asymmetric encryption – or anything about encryption – to use it. All those complicated processes I described in the most layperson’s terms possible (our office goal is descriptions so easy to understand even a cat would get it) happen in the background, and you just reap the benefits.
What is a common use of asymmetric encryption algorithms?
A common use of asymmetric encryption algorithms is transferring a shared secret (symmetric key) via asymmetric key exchange when connecting to a VPN server.
Why is asymmetric encryption slower?
Since asymmetric encryption shares the public key, well, publicly, deriving the private key from it has to be far harder than guessing a symmetric key. That calls for keys that are, say, eight times larger (2048 bits vs. 256) and for arithmetic on numbers that size, which takes a lot more time to process.