Chapter 11 Β· Concepts

PKI: Visual Maps

Symmetric vs. asymmetric comparison, the Alice/Bob flow, and hybrid encryption.

Symmetric vs. Asymmetric Encryption

PropertySymmetricAsymmetric
Keys usedOne shared keyTwo keys (public + private)
Also calledSecret key, shared secretPublic key cryptography
SpeedFast β€” low overheadSlow β€” mathematically complex
Key distributionProblem β€” must share key securelySolved β€” public key freely shareable
ScalabilityPoor β€” N(N-1)/2 keys for N usersGood β€” one key pair per user
Best used forBulk data encryptionKey exchange, authentication, signatures
ExamplesAES, DES, 3DESRSA, ECC, Diffie-Hellman

The Alice/Bob Encryption Flow

Alice generates her key pair
Creates public key (shared freely) and private key (kept secret, password-protected). Both generated simultaneously β€” mathematically related but one cannot be derived from the other.
↓
Alice publishes her public key
Posts on website, email signature, key server. Anyone can have it β€” it's designed to be public.
↓
Bob encrypts a message with Alice's public key
Takes Alice's public key + plaintext β†’ ciphertext. Once encrypted, even Bob cannot decrypt it. Only the private key can.
↓
Bob sends ciphertext to Alice
Can be sent over the internet. If intercepted, attacker has ciphertext + public key but still CANNOT decrypt β€” private key required.
↓
Alice decrypts with her private key
Only Alice has the private key. Decryption produces the original plaintext. Message received securely.

Hybrid Encryption: The Real-World Model

Pure asymmetric encryption is too slow for bulk data. Real systems use a hybrid approach:

Phase 1: Key Exchange (Asymmetric)
Client generates a random symmetric session key. Encrypts it with the server's public key. Sends to server. Server decrypts with private key. Now both have the same session key β€” without sending it in plaintext.
↓
Phase 2: Data Transfer (Symmetric)
All actual data is encrypted/decrypted using the shared symmetric session key. Fast. Efficient. No asymmetric overhead for bulk data.
Used in: TLS/HTTPS (every secure web connection), VPNs, SSH, S/MIME email. The asymmetric part is just the "handshake" β€” symmetric does the heavy lifting.

Key Escrow Use Cases

🏒

Employee Departure

Employee encrypted work files with their private key. When they leave, organization needs the key escrow copy to decrypt those files β€” otherwise the data is permanently inaccessible.

πŸ›οΈ

Government/Legal

Government agencies working with partner organizations may require that encrypted data can be accessed for investigations. Key escrow provides this capability.

⚠️

Key Loss

If an employee forgets their private key passphrase or a device is destroyed, the escrow copy is the last resort for data recovery.

πŸ”

Multi-Person Authorization

Accessing escrowed keys typically requires multiple authorized personnel (dual control) to prevent single-point abuse. The escrow system must itself be highly secured.