Encryption is the cornerstone of modern computer security. Understanding its fundamental principles is essential for any cybersecurity professional.

Symmetric vs Asymmetric Encryption

Symmetric Encryption

Symmetric encryption uses a single key to both encrypt and decrypt data. It’s fast and efficient for large amounts of data.

Advantages:

  • Very fast (ideal for stream encryption)
  • Low resource consumption
  • Simple to implement

Disadvantages:

  • Key sharing is problematic
  • Each pair of correspondents requires a unique key

Asymmetric Encryption

Asymmetric encryption uses a key pair: a public key (for encryption) and a private key (for decryption).

Advantages:

  • No need to share the private key
  • Enables digital signatures
  • Simplified key management

Disadvantages:

  • Much slower than symmetric encryption
  • Requires longer keys

AES — Advanced Encryption Standard

AES is the most widely used symmetric encryption algorithm in the world. Adopted by NIST in 2001, it replaced DES.

Characteristics

  • Type: Block cipher
  • Key sizes: 128, 192, or 256 bits
  • Block size: 128 bits
  • Number of rounds: 10 (AES-128), 12 (AES-192), 14 (AES-256)

Example with OpenSSL

# Encrypt a file with AES-256-CBC
openssl enc -aes-256-cbc -salt -pbkdf2 \
  -in secret.txt \
  -out secret.enc

# Decrypt
openssl enc -d -aes-256-cbc -pbkdf2 \
  -in secret.enc \
  -out secret_decrypted.txt

Python Example

from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad
import base64

def encrypt_aes(plaintext: str, key: bytes) -> str:
    """Encrypt a message with AES-256-CBC."""
    iv = get_random_bytes(16)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    padded = pad(plaintext.encode(), AES.block_size)
    encrypted = cipher.encrypt(padded)
    return base64.b64encode(iv + encrypted).decode()

def decrypt_aes(ciphertext: str, key: bytes) -> str:
    """Decrypt an AES-256-CBC message."""
    raw = base64.b64decode(ciphertext)
    iv = raw[:16]
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted = unpad(cipher.decrypt(raw[16:]), AES.block_size)
    return decrypted.decode()

# Usage
key = get_random_bytes(32)  # 256 bits
message = "Top secret message!"
encrypted = encrypt_aes(message, key)
print(f"Encrypted: {encrypted}")
print(f"Decrypted: {decrypt_aes(encrypted, key)}")

RSA — Rivest-Shamir-Adleman

RSA is the most well-known asymmetric encryption algorithm. It relies on the difficulty of factoring the product of two large prime numbers.

Simplified Mathematical Principle

  1. Choose two large prime numbers p and q
  2. Compute n = p × q (the modulus)
  3. Compute φ(n) = (p-1)(q-1) (Euler’s totient)
  4. Choose e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1
  5. Compute d such that d × e ≡ 1 (mod φ(n))
  6. Public key: (n, e)Private key: (n, d)

Key Generation with OpenSSL

# Generate a 4096-bit RSA private key
openssl genrsa -out private.pem 4096

# Extract the public key
openssl rsa -in private.pem -pubout -out public.pem

# Encrypt with the public key
openssl rsautl -encrypt -pubin -inkey public.pem \
  -in message.txt -out message.enc

# Decrypt with the private key
openssl rsautl -decrypt -inkey private.pem \
  -in message.enc -out message_dec.txt

Digital Signatures

RSA also enables signing data to guarantee its authenticity:

# Sign a file
openssl dgst -sha256 -sign private.pem \
  -out signature.bin document.pdf

# Verify the signature
openssl dgst -sha256 -verify public.pem \
  -signature signature.bin document.pdf

TLS: RSA + AES Together

In practice, RSA and AES are used together in TLS (HTTPS):

  1. The client and server use RSA (or ECDHE) to securely exchange a session key
  2. This session key is used with AES to encrypt the communication
  3. This provides the speed of AES and the security of RSA key exchange
Client                          Server
  |                                |
  |-- ClientHello ---------------→|
  |←- ServerHello + Certificate --|
  |                                |
  |   [RSA/ECDHE Key Exchange]     |
  |                                |
  |== AES-256-GCM Communication ==|
  |================================|

Current Recommendations

AlgorithmMinimum SizeRecommended Use
AES256 bitsData encryption
RSA4096 bitsKey exchange, signatures
ECDSA256 bits (P-256)Signatures (RSA alternative)
ChaCha20256 bitsAES alternative (mobile)

Conclusion

Understanding RSA and AES is fundamental in cybersecurity. These algorithms, while mathematically complex, are built on elegant principles. Their combination in TLS demonstrates how modern cryptography leverages the strengths of each approach to ensure confidentiality, integrity, and authenticity of communications.