symmetric encryption session keys in SSL/TLS

  • This question concerns the session send and receive keys used in SSL/TLS protocol. my understanding is that this key uses symmetric encryption (DES, AES, BlowFish, etc.) I'm wondering, if public-private key pairs are superior to symmetric keys regarding key exchange security, why don't use asymmetric encryption for the session keys too?

    this is an extension of an existing question: security of PKI, Certificates, certificate authorities, forward secrecy

  • AviD

    AviD Correct answer

    10 years ago

    3 reasons (now):

    1. Asymmetric encryption is slower, much slower, than symmetric encryption. Orders of magnitude slower.
    2. Given the same keylength, asymmetric is much weaker than symmetric, bit-for-bit. Therefore, you need a much larger key to provide equivalent protection. This also contributes to the slowness mentioned in 1.
    3. (As per @ThomasPornin's comment:) Asymmetric encryption carries with it an increase in size of output. For instance, if you use RSA, encrypted data is at least 10% larger than the cleartext. Symmetric encryption, on the other hand, has a fixed size overhead even when encrypting gigabytes of data.

    Another important point is that asymmetric encryption implies an increase in data length. For instance, if you use RSA, encrypted data is at least 10% larger than the cleartext. Symmetric encryption, on the other hand, has a fixed size overhead even when encrypting gigabytes of data.

    asymetric encryption is about 1000 times slower, according to B.Schneier. http://math.uchicago.edu/~mann/encryption.pdf

    @ThomasPornin, Isn't that also part of point number 1?

    @AviD, So are your three points basically saying 1) it's slow, 2) it's slow, and 3) it's slow

    @Pacerier heh, no, I would say more 1) overhead, 2) not as strong, and 3) overhead :-)

    If TLS used asymmetric encryption, would that mean it would necessarily have non-repuditiation (ie you could mathematically prove that some packet came from some specific server or a client)? https://security.stackexchange.com/questions/103645/does-ssl-tls-provides-non-repudiation-service?

    @boris no, those points are not connected. See the accepted answer on your linked question.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM