
Overview of Cryptographic Techniques: Symmetric, Asymmetric, Hash Functions, and Key Exchange

This article provides a comprehensive introduction to cryptographic techniques, covering the goals of confidentiality, integrity and authentication, and detailing symmetric, asymmetric and hash algorithms, common implementations, their advantages and drawbacks, as well as key exchange methods and public key infrastructure.

Written by Selected Java Interview Questions

1. Overview

In the security field, encrypting communication with keyed encryption algorithms is the common way to achieve three objectives: data confidentiality, data integrity, and mutual authentication of the communicating parties.

1. Confidentiality – preventing data theft or leakage.

2. Integrity – preventing data tampering.

3. Authentication – confirming the identity of the data source.

Key encryption algorithms can be divided into three categories: symmetric encryption, asymmetric encryption, and one‑way (hash) encryption. The following sections explain their principles and common algorithms.

2. Symmetric Encryption

Initially, symmetric key methods were used for encrypted transmission, where the same key is used for both encryption and decryption.

Symmetric Encryption Process

1. The sender divides the original data into fixed‑size blocks, encrypts each block with the key and algorithm, and sends the ciphertext to the receiver.

2. The receiver uses the same key and decryption algorithm to recover the original data.

Diagram:

Advantages

High efficiency, simple algorithm, low system overhead, suitable for encrypting large amounts of data.

Disadvantages

1. Weak security. Since the encryption and decryption algorithms are public, secure transmission of the key becomes critical. Keys are usually exchanged through physical means or third‑party platforms; if a key leaks, an attacker can decrypt the traffic.

2. Poor scalability. Each pair of users must negotiate a unique key, leading to n·(n‑1)/2 keys for n users, which is hard to manage; using a single key for many users increases the risk of key leakage.

Common Symmetric Algorithms

DES – block cipher with 64‑bit blocks, using the same algorithm for encryption and decryption.

3DES – applies the DES algorithm three times to each data block.

AES – Advanced Encryption Standard, a block cipher adopted by the U.S. government to replace DES.

Blowfish – 64‑bit block cipher with variable key length, suitable for encrypting 64‑bit strings.

3. Asymmetric Encryption

Asymmetric encryption uses a pair of keys: a public key and a private key. The public key is derived from the private key and is publicly available; data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. N users require 2N keys.

Uses

Asymmetric encryption is suitable for encrypting sensitive information such as keys or identity data, meeting security requirements.

Asymmetric Encryption Process

1. Party A encrypts the plaintext with Party B’s public key and sends the ciphertext to B.

2. Party B decrypts the ciphertext with its private key to obtain the original plaintext.

Diagram:

Advantages

Higher security than symmetric encryption because different keys are used for encryption and decryption, and the public key cannot be used to derive the private key; only the holder of the private key can decrypt data encrypted with the public key.

Disadvantages

1. The algorithm is complex and computationally intensive, making it unsuitable for encrypting large volumes of data; the ciphertext is longer due to added metadata, which can hinder network transmission.

2. It is difficult to verify the legitimacy of the public key source.

Common Asymmetric Algorithms

RSA – based on the difficulty of factoring the product of two large prime numbers.

DSA – Digital Signature Algorithm, used only for signatures.

DSS – Digital Signature Standard; can be used for signatures and encryption.

ElGamal – uses the discrete logarithm problem for encryption or signatures; it is the slowest of these.

4. One‑Way (Hash) Encryption

One‑way encryption algorithms can only produce a fixed‑length digest of data; they cannot be reversed. They exhibit the avalanche effect, where a small change in input leads to a large change in output.

Uses

Hash functions are used to generate data fingerprints, verify data integrity, create digital digests, and support digital signatures.

One‑Way Encryption Process

1. The sender hashes the plaintext to produce a fixed‑length digest and sends it to the receiver.

2. The receiver hashes the same plaintext and compares the two digests; if they match, the transmission is intact.

Diagram:

Common Hash Algorithms

MD5, SHA‑1, SHA‑224, etc.
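The avalanche effect and the receiver-side comparison from the process above, as an added example (not code from the original article). It uses only the Python standard library; the message is a constructed sample, and the digest comparison uses a constant-time compare, which is the check a practitioner would want at the receiver.

```python
import hashlib
import hmac

# Constructed sample message; not taken from the original article.
SAMPLE_MESSAGE = b"transfer 100 to alice"


def digest(data: bytes, algorithm: str = "sha256") -> bytes:
    """One-way, fixed-length digest; the length depends on the algorithm, not on the input."""
    return hashlib.new(algorithm, data).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_ratio(message: bytes, algorithm: str = "sha256") -> float:
    """Flip one input bit and report the fraction of digest bits that change.

    For a sound hash the ratio sits near 0.5: a single-bit change in the input
    flips roughly half of the output bits, which is the avalanche effect.
    """
    flipped = bytes([message[0] ^ 0x01]) + message[1:]
    d_orig, d_flip = digest(message, algorithm), digest(flipped, algorithm)
    return differing_bits(d_orig, d_flip) / (len(d_orig) * 8)


def verify_integrity(received: bytes, expected_digest: bytes, algorithm: str = "sha256") -> bool:
    """Receiver side of the process: rehash the received data and compare digests.

    hmac.compare_digest runs in constant time, so the comparison itself does not
    leak how many leading bytes of the digest already matched.
    """
    return hmac.compare_digest(digest(received, algorithm), expected_digest)


if __name__ == "__main__":
    sent_digest = digest(SAMPLE_MESSAGE)
    print("avalanche ratio:", round(avalanche_ratio(SAMPLE_MESSAGE), 3))
    print("intact:  ", verify_integrity(SAMPLE_MESSAGE, sent_digest))
    print("tampered:", verify_integrity(b"transfer 900 to alice", sent_digest))
```

A bare digest sent beside the data only detects accidental corruption; an adversary who can replace the data can replace the digest too, so against tampering the digest must be signed or keyed, which is the role the article assigns to digital signatures.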

5. Key Exchange

Key Exchange (IKE – Internet Key Exchange) allows two parties to establish a shared secret for encrypting and decrypting data.

Two common methods:

1. Public‑Key Encryption

One party encrypts the key using public‑key encryption and transmits it; however, this method is vulnerable to interception and is rarely used.

2. Diffie‑Hellman

Diffie‑Hellman is a key‑exchange algorithm that does not perform encryption or generate digital signatures. Both parties agree on public parameters p and g. Each picks a private exponent (x for A, y for B), computes value_A = p^x mod g or value_B = p^y mod g, and sends that value to the other party. Each then raises the received value to its own private exponent and obtains the shared secret p^{xy} mod g.

A has parameters p and g, and a private exponent x. B has the same p and g, and a private exponent y. A computes value_A = p^{x} mod g, B computes value_B = p^{y} mod g. After exchanging value_A and value_B, A computes (value_B)^{x} = p^{xy} mod g, B computes (value_A)^{y} = p^{xy} mod g, arriving at the same shared secret.

Security: an eavesdropper sees only p, g and the two exchanged values; those values are computed results from which the private exponents x and y cannot be recovered, so the shared secret remains secure.
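The exchange above carried through in code, as an added example that is not part of the original article. It follows the conventional roles, g as the generator and p as the prime modulus, so the exchanged values are g^x mod p (the article writes the same exponentiation with the two letters swapped); the group parameters are constructed toy values, far too small for real use, and the public-value validation is an added check.

```python
import secrets
from typing import Optional, Tuple

# Toy parameters, constructed for illustration only. A real deployment uses a
# standardized safe prime of at least 2048 bits; a 23-element group can be
# searched exhaustively and offers no secrecy.
P_TOY = 23  # prime modulus (the article labels the modulus g)
G_TOY = 5   # generator     (the article labels the base p)


def validate_public_value(p: int, value: int) -> bool:
    """Reject degenerate values (0, 1, p-1) that would pin the shared secret to a tiny set."""
    return 2 <= value <= p - 2


def make_share(p: int, g: int, private: Optional[int] = None) -> Tuple[int, int]:
    """Return (private exponent, public value g^private mod p). The exponent never leaves its owner."""
    if private is None:
        # With a proper safe-prime group a single draw suffices; in the toy
        # group a few exponents land on p-1, so redraw until the value validates.
        while True:
            private = 2 + secrets.randbelow(p - 3)  # uniform in [2, p-2]
            if validate_public_value(p, pow(g, private, p)):
                break
    return private, pow(g, private, p)


def derive_secret(p: int, received: int, private: int) -> int:
    """Raise the peer's public value to our own exponent: (g^y)^x = g^(xy) mod p."""
    if not validate_public_value(p, received):
        raise ValueError("peer sent a degenerate public value")
    return pow(received, private, p)


def exchange(p: int, g: int, x: Optional[int] = None, y: Optional[int] = None) -> dict:
    """Run both sides of the exchange and return what each side ends up holding."""
    x, value_a = make_share(p, g, x)  # A's side
    y, value_b = make_share(p, g, y)  # B's side
    # Everything an eavesdropper sees on the wire: p, g, value_a, value_b (never x or y).
    return {
        "wire": (p, g, value_a, value_b),
        "secret_a": derive_secret(p, value_b, x),
        "secret_b": derive_secret(p, value_a, y),
    }


if __name__ == "__main__":
    result = exchange(P_TOY, G_TOY, x=6, y=15)
    print("on the wire:", result["wire"])
    print("A's secret:", result["secret_a"], " B's secret:", result["secret_b"])
```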

How to Verify the Legitimacy of a Public Key?

Answer: Use a public‑key certificate.

Public Key Infrastructure (PKI)

PKI is a collection of hardware, software, personnel, policies, and procedures.

Purpose

To generate, manage, store, distribute, and revoke keys and certificates based on public‑key cryptography.

Components

Certificate Authority (CA), Registration Authority (RA), Certificate Revocation List (CRL), and Certificate Repository (CB).

Public‑Key Certificate

A digitally signed document that binds a public key to the identity of a person, device, or service. It follows the X.509 standard and includes fields such as name, version, serial number, algorithm identifier, issuer, validity period, public key, and signature.

CA Certificate Verification Process

1. Client A prepares the plaintext message.

2. Client A computes a hash of the message.

3. Client A encrypts the hash with the CA’s private key to create a digital signature and attaches it to the message.

4. Client A generates a symmetric key (e.g., DES) and encrypts the message with it, producing ciphertext.

5. Client A encrypts the symmetric key with the recipient’s public key and sends both the ciphertext and the encrypted key to B.

6. Recipient B decrypts the symmetric key with its private key.

7. Recipient B decrypts the ciphertext with the symmetric key to recover the plaintext.

8. Recipient B decrypts the digital signature with the CA’s public key to obtain the original hash, then hashes the received plaintext again.

9. Recipient B compares the two hashes; if they match, the message has not been altered.

How to Ensure the CA’s Public Key Has Not Been Tampered With?

There is no absolute guarantee. Operating systems and browsers ship with a set of trusted CA certificates; users should obtain certificates from reputable CAs. However, if a malicious CA certificate is installed, it can be used to forge signatures, so the system must not contain unauthorized CA certificates.

