Modes of encryption for beginners: asymmetric and symmetric key encryption
Okay, since today is Friday, Suyash, Jay, and I decided we’d do something a little different. Jay and I have been working on an app that deals with sensitive user data, so went out and learned about different methods of encryption that are used in industry-grade software. In this brief introduction to cybersecurity and encryption, we just wanted to go over three modes of encryption: asymmetric key encryption (RSA), symmetric key encryption (AES), and a combination of the two. Usually, to implement these features into apps, you’ll be using libraries or packages like Bouncy Castle or Pointy Castle. For the sake of convenience, we thought it would be best to illustrate the mechanics of basic cryptography with the use of the Dart programming language to build a simple Flutter app that encrypts and decrypts data using two out of the three methods. I’ll just give you a brief overview of each method in this article.
AES symmetric key encryption: Simply put, AES encryption uses one key to both encrypt and decrypt a piece of data. Here’s a quick visual I thought would help:
This type of mailbox requires that you open it before inserting any mail. Let’s just say that to open the mailbox, you need to have a compatible key. Okay, now let’s draw a quick parallel:
Unencrypted data → Mail outside of mailbox
Symmetric key → Key
Encrypted data → Mail in mailbox
The terms on the left refer to encryption-related ideas, while the terms on the right relate to real-life concepts.
English explanation: if you and your friend are trying to send a message to one another without anyone else finding out, you can open the mailbox, place the mail in the mailbox, and close the mailbox. You then give your friend that same key you used to put the mail into the mailbox. Your friend opens the mailbox with that key and retrieves the message. Mission accomplished.
Technical explanation: if you and your friend are trying to send a message to one another without anyone else finding out, you can encrypt the data with a symmetric key (a very large key, minimum of 128 bits, that can both encrypt and decrypt a message). Your friend can simply use that same symmetric key to decrypt the message that you sent. Mission accomplished.
This method of encryption is very vulnerable to a “man-in-the-middle” attack. Using the real-life analogy I presented, this is what one of these attacks could look like: you unlock the mailbox and place your mail in the mailbox. You lay the key on the ground so that your friend can use it to open the mailbox. However, while the key is on the ground, a sly fox comes in and quickly gets an imprint of the key, allowing him to duplicate it. From this point on, whenever you or your friend puts a message into the mailbox, the sly fox can simply use the same key that he has discovered to decrypt the data in the box.
RSA asymmetric key encryption: This form of encryption is known to be more secure than AES encryption because it is more immune from what are known as “man-in-the-middle” attacks because it does not use a common key to both encrypt and decrypt the data.
Here are some more parallels that we implicitly drew while performing AES symmetric key encryption:
Encrypting the data → Putting mail into the mailbox
Decrypting the data → Taking mail out of the mailbox
With that in mind, here’s another mailbox that better resembles RSA asymmetric key encryption.
With this mailbox, we can see a couple things. Anyone can put mail into the mailbox, but you need a special key to get the mail out of the mailbox. This situation resembles that present in RSA asymmetric key encryption. Each user present in a data transaction has both a public and private key. The public key is used to encrypt data, while the private key is used to decrypt data. Once again, let’s describe some parallels and then dive into both the English and technical explanations. Here are all the parallels we will draw for RSA encryption:
Unencrypted data → Mail outside of mailbox
Encrypted data → Mail in mailbox
Public key → Opening in the mailbox
Private key → Key used to open mailbox contents
Encrypting the data → Putting mail into the mailbox
Decrypting the data → Taking mail out of the mailbox
Once again, the terms on the left refer to cryptographic elements, while the terms on the right refer to their real-life counterparts.
English explanation: if you and your friend are trying to send a message to one another without anyone else finding out, you place your mail into their mailbox. They will use their key to open the mailbox to find your message.
Technical explanation: if you and your friend are trying to send a message to one another without anyone else finding out, you will encrypt your message using your friend’s public key. When your friend wants to read the message, they can decrypt this data using their private key. I won’t be getting into the math of deriving these “key pairs” in this article because I don’t want it to be too long, but I hope to get to that in the future. If your friend wanted to send a message back to you, they would encrypt their data using YOUR public key. You can then decrypt their message with your private key.
This form of encryption is less-susceptible to “man-in-the-middle” attacks. Let’s play out the same scenario that we did earlier with AES encryption to see what would have happened if you had used RSA encryption instead. You place your message in the mailbox. All the sly fox can do is see the opening through which you placed the message. It doesn’t know how to open the mailbox; for that matter, neither do you!
A combination of the two forms of encryption: let’s look at a way that that many group messaging apps handle encryption. You, Alice, and Bob are having a conversation. You send a message to the group chat. Alice and Bob respond. What’s happening in the background?
Personally, I think the English explanation for a common form of encryption in this case is more complicated than the technical explanation, so I will provide a brief technical explanation instead.
Technical explanation: You, Alice, and Bob all have your own unique public-private key pairs. The person that created the group chat, let’s say it was you, gets your hands on another key (that is symmetric) that we can call the group-shared key (GSK). The GSK is what is used to encrypt all messages so that all members can easily encrypt and decrypt the messages. However, we don’t want the GSK floating around in the backend without it being encrypted, so we have to do a little bit more work. You, Alice, and Bob encrypt the GSK with your guys’ public keys. Whenever you need to send a message, you decrypt your version of the encrypted GSK and encrypt the message. The recipients simply decrypt their versions of the GSK and decrypt the message.
Conclusion: This was a long article, so I want the conclusion to be short. So that’s it. See you guys tomorrow!
