I recently wrote the CISA exam. That's #2 of my "big infosec certifications" (CISSP last year being the first) One thing I found in the exam prep classes for both certifications was that many people have trouble with the concepts behind the modern day encryptions that we all use every day.

I was browsing through other blog posts today and came across it again. Even in the infosec industry, some folks still just don't get every day encryption.

There are 2 basic types of encryption that we use every single day of our lives. Everyone uses them. Even my Grandma.

Type 1 is Symmetric, aka Single Key, aka Secret key, aka super-fast... Note how all the S words go together :)

Type 2 is Asymmetric, aka Public Key/Private Key (or just public key for short), aka Two Key, aka really-fricking-slow encryption. This is what people generally THINK they are using when they use PGP. (they are, but they are also using Symmetric encryption to do the bulk of the work)

When you use Asymmetric (public key) encryption to send an e-mail to someone you don't encrypt the whole message using public and private keys. That would be painfully slow and a waste of CPU time. Here is what really happens:

Bob wants to send a message to Sue.

Bob writes his message, addresses it to Sue and hits the encrypt button on his e-mail client.

Bob's email client (which already has Sue's public key that they exchanged off-line somehow at some time prior to this e-mail) runs the whole message through some hashing algorithm like MD5 or one of the SHA hashes. This gives a short hash that is representative of the whole message, but only 128-512 bits (depending on which hashing algorithm his software uses) 128 bits is small enough to not take long to encrypt with public key encryption, so it then takes that hash and encrypts it with Bob's private key (which only Bob has) thus creating a message digest that proves not only that the message didn't change (else the hash would be different) but also that it was Bob who sent it (else this hash will not decrypt when Sue tries to verify it later).

Bob's software then takes the whole message and encrypts it with a fast Symmetric (single key) encryption cipher. If Bob's message was long it would be slow to encrypt the whole thing with his Private key or Sue's Public key. Asymmetric encryption just takes too much calculation to do on a large scale.

Now Bob's software has an encrypted message (done with a Symmetric cipher, a shared key for that cipher and an asymmetricly encrypted message digest. We need to get the Symmetric key to Sue so that only she can use it to open the message, so we encrypt that key (only the key, not the whole message) with Sue's Public Key. Since the Symmetric key is also only about 128 bits long it is quick to encrypt with the Asymmetric cipher.

Now we have a Symmetricly encrypted message, an Asymmetricly encrypted message digest done with Bob's Private key, and an Asymmetricly encrypted shared key done with Sue's Public key.

Only Sue, with her Private key, can unwrap that shared key to unwrap the whole message. With Bob's Public key she can unwrap the hash from the message digest to prove Bob did send the message, and she can run the same hashing algorithm on the message and compare the hash she calculates to the hash Bob sent to verify that the message didn't change in transit.

If Bob wanted to CC: others on that message, his software would only have to wrap the little 128 bit key again with their Public key so that they too would be able to decrypt the message. This should only increase the total e-mail size by about 128 bits, not doubling it. :)

His program should do this with his own public key so that, when he goes to read his sent mail that he encrypted to Sue, he can.

This same process applies to PGP, S/MIME, SSL, SSH, SFTP.... we all use this process every day of our internet using lives, but it happens invisibly behind the scenes, so very few people seem to really understand the steps.

*Editors Note: For clarity and accuracy, the author requested the the following changes be made to the original text: All occurances of "Synchronous" were replaced with "Symmetric" and "Asynchronous" with "Asymmetric" - 12/17/10.*