
Published: 8 August 2024

Contributors: Annie Badman, Matt Kosinski

What is asymmetric encryption?

Asymmetric encryption is an encryption method that uses two different keys—a public key and a private key—to encrypt and decrypt data. It’s generally regarded as more secure, though less efficient, than symmetric encryption.

Almost everything people do on their computers, phones and, increasingly, IoT devices relies on encryption to protect data and ensure secure communications.

Encryption is the process of transforming readable plaintext into unreadable ciphertext to mask sensitive information from unauthorized users. According to the IBM Cost of a Data Breach report, organizations that use encryption can reduce the financial impact of a data breach by over USD 240,000.

Asymmetric encryption, also known as public key cryptography or asymmetric cryptography, is one of two main methods of encryption alongside symmetric encryption.

Asymmetric encryption works by creating a pair of keys, one public and one private. Anyone can use a public key to encrypt data. However, only the holders of the corresponding private key can decrypt that data.

The main advantage of asymmetric encryption is that it eliminates the need for a secure key exchange, which most experts regard as the main point of insecurity for symmetric encryption.

However, asymmetric encryption is notably slower and more resource intensive than symmetric encryption. For this reason, organizations and messaging apps increasingly rely on a hybrid encryption method that uses asymmetric encryption for secure key distribution and symmetric encryption for subsequent data exchanges.

What’s the difference between asymmetric and symmetric encryption?

Symmetric encryption differs from asymmetric encryption because it uses a single key to encrypt and decrypt data, whereas asymmetric encryption uses two keys: a public key and a private key.

Using a shared key means symmetric encryption is generally faster and more efficient but also more vulnerable to threat actors. Symmetric encryption requires a key exchange, in which the communicating parties agree on a shared secret key. Hackers can intercept the key during this exchange, allowing them to decrypt subsequent messages.

Typically, organizations choose symmetric encryption when speed and efficiency are crucial or when dealing with large volumes of data over a closed system, such as in a private network. They choose asymmetric encryption when security is paramount, such as encrypting sensitive data or securing communication within an open system, such as the internet.

Asymmetric encryption also enables the use of digital signatures, which verify the authenticity and integrity of a message to ensure it hasn't been tampered with during transmission.

Advanced Encryption Standard (AES) is a symmetric encryption algorithm often hailed as the gold standard for data encryption. Offering robust security with key lengths of 128, 192 or 256 bits, AES is widely adopted by organizations and governments worldwide, including the US government and the US National Institute of Standards and Technology (NIST).


How does asymmetric encryption work?

Asymmetric encryption keeps data secure by using cryptographic algorithms to generate a pair of keys: a public key and a private key. Anyone can use the public key to encrypt data, but only those with the right private key can decrypt that data to read it.

Keys function like complex codes needed to unlock a safe. Without the correct cryptographic key, users cannot decode the encrypted data. Generally, the longer the key size, the higher the security. Asymmetric encryption is known for having much longer key lengths than symmetric encryption, which contributes to its higher security.

In asymmetric encryption, the two keys serve different purposes:

  • The public key encrypts data or verifies digital signatures and can be freely distributed and shared.
  • The private key decrypts data and creates digital signatures but must stay secret to ensure security.

The security of public-key cryptography relies on keeping the private key confidential while freely sharing the public key. The public key can only encrypt data, so it isn’t of much value to threat actors. And because users never need to share their private keys, it greatly reduces the risk of hackers intercepting those much more valuable keys.

Once the private and public keys are in place, individuals can exchange sensitive information. The sender encrypts a message using the recipient's public key, and the recipient uses their private key to decrypt the information.

Think of the process as similar to a locked mailbox: anyone can drop a letter into a mailbox, but only the owner can unlock it and read the mail.

Asymmetric encryption can also help ensure authentication. For instance, a sender can encrypt a message using their private key and send it to a recipient. The recipient can then use the sender's public key to decrypt the message, thereby confirming it was the original sender who sent it.

Asymmetric encryption schemes are typically implemented through a public key infrastructure (PKI). A PKI is a framework for creating, distributing and validating public and private key pairs.

Examples of asymmetric encryption

To understand how asymmetric encryption works, consider the following example of Bob and Alice.

  1. Alice wants to email Bob and ensure only he can read the message. She uses Bob's public key to encrypt her message.

  2. Bob receives the encrypted message and uses his private key to decrypt and read it. 

  3. Because only Bob holds the private key that corresponds to the public key Alice used, only he can read the message, which guarantees confidentiality.

Now, let's consider a scenario where Alice needs to prove her identity to Bob. She can use asymmetric encryption as a form of authentication.

  1. Alice uses her private key, a key that only she can access, to encrypt a message. 

  2. Alice sends the encrypted message to Bob, who uses Alice's public key to decrypt it. 

  3. Bob knows that only Alice could have sent the message, because only Alice possesses the private key that was used to encrypt the message.

Integrating asymmetric and symmetric encryption

Organizations are increasingly combining symmetric and asymmetric encryption for security and efficiency. This hybrid process begins with a secure key exchange, where asymmetric encryption is used to securely exchange a symmetric key.

For example:

  1. Alice generates a pair of public and private keys. She shares the public key with Bob.

  2. Bob generates a symmetric key.

  3. Bob uses Alice’s public key to encrypt the symmetric key, and then he sends the encrypted key to Alice. If a threat actor intercepts the key in transit, they won’t be able to use it because they can’t decrypt it.

  4. Alice receives the encrypted key and uses her private key to decrypt it. Now, Alice and Bob have a shared symmetric key.

Once shared, the symmetric key can efficiently handle all data encryption and decryption. For instance, a live video streaming service might use asymmetric encryption to secure the initial key exchange with a viewer. Then, the site can use a symmetric stream cipher for real-time data encryption.

Common asymmetric encryption algorithms

Asymmetric encryption algorithms are the backbone of modern cryptosystems, providing the basis for secure communications and protecting sensitive data from unauthorized access.

Some of the most significant asymmetric encryption algorithms include:

  • Rivest-Shamir-Adleman (RSA)

  • Elliptic Curve Cryptography (ECC)

  • Digital Signature Algorithm (DSA)

Rivest-Shamir-Adleman (RSA)

RSA is an asymmetric encryption algorithm named after its inventors. Its security relies on the difficulty of factoring the product of two large prime numbers, from which the key pair is generated. It uses a public-private key pair for encryption and decryption, making it suitable for secure data transmission and digital signatures.

The RSA algorithm frequently helps secure communication protocols such as HTTPS, SSH and TLS. Despite being developed in the 1970s, RSA remains widely used due to its robustness and security. Various applications rely on RSA, including secure email, VPNs and software updates.

Elliptic Curve Cryptography (ECC)

ECC is an asymmetric encryption method based on the mathematical properties of elliptic curves over finite fields. It offers robust security with shorter key lengths than other algorithms, which results in faster computations and lower power consumption.

ECC's efficiency makes it ideal for applications with limited processing power and battery life, such as mobile applications, secure messaging apps and IoT devices.

Digital Signature Algorithm (DSA)

The Digital Signature Algorithm (DSA) allows organizations and individuals to create digital signatures that ensure the authenticity and integrity of messages or documents.

Standardized by NIST, DSA relies on the mathematical problem of the discrete logarithm and appears in various security protocols. DSA is often used in applications that require secure document signing and verification, including software distribution, financial transactions and electronic voting systems.

Encryption key management

Encryption key management is the process of generating, exchanging and managing cryptographic keys to ensure the security of encrypted data. 

Think of encryption like a safe: if you forget the code or it falls into the wrong hands, you risk losing access to your valuables or having them stolen. Similarly, if organizations don't properly manage their cryptographic keys, they can lose access to encrypted data or expose themselves to data breaches.

For example, Microsoft recently disclosed that a China-backed hacking group had stolen a critical cryptographic key from its systems.1 This key allowed hackers to generate legitimate authentication tokens and access cloud-based Outlook email systems for 25 organizations, including multiple US government agencies.

To protect against attacks like these, organizations often invest in key management systems. These services are critical given that organizations frequently manage a complex network of cryptographic keys, and many threat actors know where to look for them. 

Encryption key management solutions often include features like:

  • A centralized management console for encryption and encryption key policies and configurations

  • Encryption at the file, database and application levels for on-premises and cloud data

  • Role- and group-based access controls and audit logging to help address compliance

  • Automated key lifecycle processes

  • Integration with the latest technologies, such as AI, to improve key management by using analytics and automation

Diffie-Hellman key exchange

The Diffie-Hellman key exchange is a core component of key management. It is a method that allows two parties to securely exchange cryptographic keys over public channels and generate a shared secret key for subsequent secure communications.

The algorithm's security relies on the difficulty of solving the discrete logarithm problem. It appears in protocols like SSL/TLS.

WhatsApp uses Diffie-Hellman as part of the Signal Protocol to provide users with end-to-end encryption. This protocol encrypts data before transferring it to another endpoint to prevent third-party tampering. Diffie-Hellman is also widely used in VPNs and secure email systems.
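As an added example that is not from the original page, here is the exchange in Go using X25519, the elliptic-curve form of Diffie-Hellman that the Signal Protocol builds on: each side keeps its private key, sends only its public value over the open channel, and both derive the same symmetric key. Party, NewParty, PublicBytes and SharedKey are names chosen for this illustration; the SHA-256 step stands in for the HKDF that real protocols apply to the raw shared secret.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is one side of the exchange. Its private key never leaves the struct.
type Party struct {
	priv *ecdh.PrivateKey
}

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicBytes is the only value that crosses the public channel.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// SharedKey combines our private key with the peer's public value, then hashes the
// raw shared secret into a uniform 256-bit symmetric key (a simplified KDF step).
func (p *Party) SharedKey(peerPublic []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic) // rejects malformed values
	if err != nil {
		return nil, err
	}
	secret, err := p.priv.ECDH(peer) // also rejects low-order points
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(secret)
	return k[:], nil
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	// An observer sees both public values but neither private key.
	ka, _ := alice.SharedKey(bob.PublicBytes())
	kb, _ := bob.SharedKey(alice.PublicBytes())
	fmt.Println("both sides derived the same key:", bytes.Equal(ka, kb))
}
```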

Use cases for asymmetric encryption

When security is paramount, organizations lean on asymmetric encryption. Common asymmetric encryption use cases include:

  • Web browsing
  • Secure communications
  • Digital signatures
  • Authentication
  • Key exchange
  • Blockchain technology

Web browsing

Most major browsers secure web sessions through protocols that rely significantly on asymmetric encryption, including Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), which enable HTTPS.

The browser obtains the website's public key from its TLS/SSL certificate while the website keeps its private key secret. The initial handshake between browser and site then uses asymmetric encryption to exchange information and establish a secure session key.

With the secure session key established, the connection transitions to symmetric encryption for more efficient data transmission.

Secure communications

Asymmetric encryption helps ensure that only intended recipients read emails and text messages. 

Protocols like Pretty Good Privacy (PGP) use public-key cryptography to secure email communications. The sender encrypts the email with the recipient's public key, ensuring only the recipient can decrypt it with their private key.

End-to-end encryption—a secure communication process that encrypts data before transferring it to another endpoint—also uses elements of asymmetric encryption.

For instance, messaging apps like Signal and WhatsApp leverage asymmetric encryption for key exchange and symmetric encryption for message content. This process prevents intermediaries—and even service providers themselves—from accessing plaintext data. Only the sender and the intended recipient can read the messages.

Digital signatures

Digital signatures are one of the most common and practical applications of asymmetric key cryptography. They're critical for ensuring both authenticity and integrity.

Digital signatures guarantee authenticity by confirming the document genuinely comes from the signer, much like a physical signature would. They guarantee integrity by ensuring no one tampered with the document in transit. 

Digital signatures use asymmetric encryption to encrypt a file's hash with a private key. A hash is a string of characters that represents the document's data. If anyone alters the file, its hash changes, alerting users to the tampering.

Encrypting the hash creates a signature that anyone can verify with the corresponding public key to ensure the document's origin and integrity.

Software developers also use digital signatures to verify that their code hasn't been tampered with and to confirm its origin, helping to prevent the distribution of malicious software.
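The sign-and-verify flow described in this section, and the Alice-to-Bob authentication scenario from the earlier example, as an added Go example that is not the page's own code: the document is hashed with SHA-256 and the digest is signed with the private key using RSA-PSS, the standardized form of "encrypting the hash with the private key". Verification with the public key fails both on a tampered document (integrity) and on a signature made with someone else's key (authenticity). Sign and Verify are names chosen for this illustration, and the documents are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the document with SHA-256 and signs the digest with the signer's
// private key (RSA-PSS). Only the holder of that private key can produce it.
func Sign(priv *rsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest and checks the signature against the signer's
// public key. It is true only if the document is unmodified and the signature
// was made with the private key matching pub.
func Verify(pub *rsa.PublicKey, document, signature []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte("constructed sample document: pay 100 to Bob")
	sig, _ := Sign(alice, doc)
	fmt.Println("genuine document:", Verify(&alice.PublicKey, doc, sig))

	// Integrity: one changed byte changes the hash, so the signature no longer matches.
	tampered := []byte("constructed sample document: pay 900 to Bob")
	fmt.Println("tampered document:", Verify(&alice.PublicKey, tampered, sig))

	// Authenticity: a signature from another private key fails against Alice's public key.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := Sign(other, doc)
	fmt.Println("signed with another key:", Verify(&alice.PublicKey, doc, forged))
}
```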

Authentication

Asymmetric encryption can help systems authenticate users and websites.

For example, the Secure Shell Protocol (SSH) uses public-key cryptography to verify users trying to access remote servers. Asymmetric encryption also underpins certificate authorities, which are third parties that issue digital certificates to verify the authenticity of websites and other entities.

Key exchange

Asymmetric protocols like Diffie-Hellman and RSA can help users securely exchange cryptographic keys over an insecure channel. This process allows parties to establish a shared secret key for symmetric encryption.

Asymmetric encryption can also establish secure connections between remote users and virtual private networks (VPNs) to ensure data privacy and security.

Blockchain technology

Asymmetric encryption is a cornerstone of blockchain technology and contributes significantly to the security and integrity of cryptocurrency transactions. It helps ensure that only intended recipients can access assets by managing identities through public and private keys and verifying transaction authenticity with digital signatures.

Asymmetric encryption can also secure smart contracts, which are self-executing contracts with terms directly written into code. Public and private keys encrypt and authenticate interactions within these contracts, ensuring that only the intended recipients can execute the contract and enforce the terms.

Quantum computing and asymmetric encryption

The rise of quantum computing threatens traditional encryption methods. Quantum computers could break some asymmetric encryption algorithms, such as RSA and ECC, by running powerful quantum algorithms like Shor's algorithm.

Developed by mathematician Peter Shor in 1994, Shor's algorithm is the first quantum algorithm to efficiently factor large integers and solve the discrete logarithm problem—critical components of many encryption schemes. A sufficiently powerful quantum computer running Shor's algorithm could easily break these encryption systems, potentially rendering all major public-key encryption systems currently in use obsolete.

While quantum computers are still relatively experimental, many organizations are preparing for the future by turning to quantum-safe cryptography, also known as post-quantum cryptography (PQC). A recent study found that more than half of organizations have started to replace their current encryption with PQC.2

In 2016, NIST launched an open competition to evaluate and standardize PQC algorithms. Its goal was to identify and endorse a suite of quantum-resistant algorithms to replace vulnerable cryptosystems. 

In July 2022, NIST announced the top algorithms for PQC standardization, with IBM playing a role in developing three of the four selected algorithms: CRYSTALS-Kyber, Falcon and CRYSTALS-Dilithium.3 NIST expects to finalize its selection sometime in 2024.

Artificial intelligence and asymmetric encryption

Alongside the looming threat of quantum computing, the rise of artificial intelligence (AI) has also dramatically changed the encryption landscape.

AI presents significant challenges to traditional encryption algorithms, mainly through its ability to improve pattern recognition and accelerate brute-force attacks, which involve hackers systematically trying encryption keys until they discover the correct one.

Strong encryption algorithms historically take far too long to break with brute-force methods. However, advanced AI models can now analyze encrypted data to find vulnerabilities faster than ever, making specific encryption algorithms less secure.

At the same time, however, advancement in AI holds the potential to vastly improve asymmetric encryption.

Some of these potential benefits include:

  • Real-time cryptosystem threat detection: AI and machine learning can help predict and identify potential security breaches in real-time, allowing for proactive measures to protect cryptosystems.
  • Enhanced encryption algorithms: AI can analyze large datasets to help identify and rectify weaknesses in existing encryption methods. 
  • Improved key management: AI-driven systems can optimize key management by automating the process of generating, distributing and rotating encryption keys. 
  • Leveraging homomorphic encryption: Homomorphic encryption allows organizations to perform computations on encrypted data without requiring decryption. This approach means that organizations can use sensitive data for AI model training and analysis without compromising confidentiality or privacy.
Footnotes

All links reside outside ibm.com.

1. "The Comedy of Errors That Let China-Backed Hackers Steal Microsoft's Signing Key," Wired, 6 September 2023.

2. "Research Report: Operationalizing Encryption and Key Management," Enterprise Strategy Group by TechTarget, 5 April 2024.

3. "NIST Announces First Four Quantum-Resistant Cryptographic Algorithms," NIST, 5 July 2022.