The maths is more complex and the cpu process to use asymmetric encryption is significant higher than symmetric encryption, hence the asymmetric encryption is usually use for key exchange protocol i.e encrypt a symmetric encrypted key with an asymmetric public or private key, it can also be used to encrypt short messages, it is not recommended to be used for bulk encryption if you do this you will have a potential network outage because the process will kill your router.
Example of asymmetric encryption:
1. Rivest-Shamir-Aldeman (RSA) between 360-bit and 2048-bit, for cisco router the default is 512-bit key.
2. Diffie-Hellman (DH)
<There are other encryption formula which I am not really familiar.. hence I will not write them here>
Asymmetric encryption will produce a public key and a private key, both keys can encrypt and decrypt data. If public key is for encryption then private key is for decryption, if a public key is for decryption then private key is for encryption. There is no way to calculate the other half of the formula by getting one key i.e. If a public key (eg. for encryption) is intercepted by a hacker, the hacker will not be able to calculate the decryption formula based on the public encryption key.
The objective for an asymmetric encryption is to provide confidentiality and authentication.
To achieve confidentiality:
1. Only the key generator has the public (encryption) and private key (decryption).
2. The public key is sent to the requester.
3. the requester host encrypts the message with the public key and sends the message over to the key generator host.
4. the key generator host upon received the encrypted message will decrypt the message with its own private key and the message is revealed.
If the private key is compromised, a new pair of keys must be generated to replace the compromised keys.
A practical example for confidentiality is ssh session.
A router has generated a set of key using RSA algorithm, let say the key length is 1024-bit. The command will be:
crypto key generate rsa modulus 1024 <cr>
The higher the key length the longer it takes for the router to generate the pair.
SSH vty session in action:
1. a remote host is requesting a ssh tcp 22 session with the router.
2. after the tcp 3-way handshake is established, a public key to encrypt message is sent over to the remote host.
3. the remote host received the public key, WindowsXP will pop up a message to ask whether the user wants to save the public key or not, click on yes it will be stored in user’s computer.
4. the remote host encrypts the username and password with the public key and sent over to the router.
5. the router received the encrypted message and use its private key to decrypt the message, username and password verified to be correct the router allows the remote host to stay on the virtual terminal.
6. all messages i.e. commands are encrypted with the public key and send over, the router receives the message and decrypts it with the private key.
By book RSA is 100 times slower than DES in hardware and 1000 times slower in software…
Well…probably because the data for encryption is really small, I did not encounter any lag when I am using ssh to my router and my router process cpu is only 0.26% for ssh.
RSA is also used for digital signatures, or you can say it is for entity-authentication this is for repudiation prevention, because the key generated is unique the user cannot deny that his/her host has “signed” the data.
To achieve authentication:
1. The private key is used to encrypt the message, and this private key is unique for a user.
2. the public key is used to decrypt the message, since the purpose is to identify the sender no secrecy is needed.
3. a remote host got the message with the public key and decrypt the message to reveal the origin of the sender.
Private key (encrypt) + Public key (decrypt) = authentication