4.6 Hybrid systems
As you have seen from earlier sections, a major advantage of asymmetric key systems over symmetric key systems is that no exchange of a secret key is required between communicating entities. However, in practice public key cryptography is rarely used for encrypting messages for the following reasons:
Security: it is vulnerable to chosen plaintext attacks.
Speed: encrypting data with public key algorithms generally takes about 1000 times longer than with symmetric key algorithms.
Instead, a combination of symmetric and asymmetric key systems is often used. This system is based on the use of a session key – a temporary key used only for a single transaction or for a limited number of transactions before being discarded. The following sequence between Alice and Bob demonstrates the use of a session key.
- Alice chooses a secret symmetric key that will be used as a session key.
- Alice uses the session key to encrypt her message to Bob.
- Alice uses Bob's public key to encrypt the session key.
- Alice sends the encrypted message and the encrypted session key to Bob.
- On receipt, Bob decrypts the session key using his own private key.
- Bob uses the session key to decrypt Alice's message.
Why might a session key be preferable to the use of a recipient's public key?
I can think of a couple of reasons:
- The more often a key is used and the more ciphertext produced by that key, the more likely it is to come under attack. A session key can simply be discarded after use.
- Encryption and decryption can be performed much faster using symmetric keys than asymmetric keys.