Key exchange and management 

Keys are at the heart of cryptography systems.

Keys are pieces of information that determine the output from an encryption/decryption process. An almost limitless number of different outputs with different key values can be produced by a single cipher.

Because the algorithms are normally public, it’s the keys that make the cryptography system strong, so the way they’re generated, distributed, and managed are important.

In this step, you’ll focus on some of the basic principles of key exchange and management.

Symmetric keys  

Distribution of a symmetric key starts when a user generates a secret key and provides a copy of it to the entity they want to communicate with.

Keys are like a password. While they work on a small scale, if every communicating pair of users need to have their own unique secret key, the number of keys rises dramatically with the number of users.

For example, if there are 10 users it means 45 separate keys are required. However, 100 users will need 4,950 separate keys, and 1,000 users require 499,500 keys. This approach doesn’t scale well and is known as the key distribution problem.

This impacted anyone wishing to use encryption until the 1970s when the Diffie-Hellman key exchange method of distributing keys without actually sending the keys themselves was developed.  

Asymmetric keys

A more common approach is using an asymmetric cipher to encrypt the symmetric key. For example, if Alice needs to give Bob her secret key, she obtains Bob’s public key and uses that to encrypt the symmetric secret key. When Bob receives the encrypted secret key, he uses his own private key to decrypt it.

This is how TLS (Transport Layer Security) and S/MIME (Secure/Multipurpose Internet Mail Extensions) protocols exchange keys between two communicating endpoints. In the case of the TLS, asymmetric keys secure the data that travels between a web browser and website via HTTPS. While S/MIME uses a set of asymmetric keys to encrypt and decrypt an email.

Public keys can also be distributed using a public key infrastructure. This is popular because there does not have to be any initial secure exchange of secret keys for an encrypted message to be sent.

LDAP (Lightweight Directory Access Protocol) is an open and cross platform protocol used for directory services authentication.

LDAP provides the communication language that applications use to communicate with other directory services servers. Directory services store the users, passwords, and computer accounts, and share that information with other entities on the network.

When you connect to a secure website like your bank, the little padlock icon in the search bar means your computer has used public key cryptography to verify the server, key exchange to establish a secret temporary key, and symmetric encryption to protect all the back-and-forth communication.

Keys compared (summary)

You can compare symmetric key and asymmetric key systems by looking at the following facets:

• Symmetric key systems: The same key is used for encryption and decryption.
• Asymmetric key systems: One key is used for encryption and a different but mathematically related key is used for decryption.

• Symmetric key systems: Relies on the sender and the receiver sharing a secret key.
• Asymmetric key systems: Shared secret key exchange is not needed.

• Symmetric key systems: The key must be kept secret.
• Asymmetric key systems: One key (the private key) must be kept secret, but the other key (the public key) is published.

• Symmetric key systems: It should be computationally infeasible to derive the key or the plaintext given the algorithm and a sample of ciphertext.
• Asymmetric key systems: It should be computationally infeasible to derive the decryption key given the algorithm, the encryption key, and a sample of ciphertext.

• Symmetric key systems: Faster and computationally less demanding than public key encryption.
• Asymmetric key systems: Slower and computationally more demanding than symmetric key encryption.

Pretty Good Privacy (PGP)

PGP is a data encryption and decryption technology used for signing, encrypting, and decrypting emails, files, directories, and entire disks. Currently, it is the closest to military-grade encryption available to the public. So, how does it work?

It makes use of both symmetric and asymmetric ciphers but doesn’t use a public key infrastructure.

Rather than relying on certificate authorities, PGP relies on a web of trust. Each user in the web of trust acts as a certificate authority for other users they trust. If someone trusts a user, they also inherit the trust of the others in that web of trust.

What’s next?

You’ve gained some much-needed knowledge on how keys are generated, distributed, and managed. Now let’s hear again from our expert Mark, to see exactly how common asymmetric key exchanges work in practice.