Symmetric vs Asymmetric Encryption: MACs, Signatures & Certificates Explained

This article explains the fundamentals of symmetric and asymmetric encryption, the key distribution challenges they face, how hybrid cryptosystems combine their strengths, and introduces essential cryptographic tools such as hash functions, message authentication codes, digital signatures, and public‑key certificates, comparing their capabilities.

Written by 21CTO

Symmetric and Asymmetric Encryption

Classified by how the key is used, encryption algorithms divide into symmetric encryption (the same key encrypts and decrypts) and asymmetric encryption (a public key encrypts, the matching private key decrypts).

Symmetric encryption requires solving the key distribution problem because the same key is used for both operations.

Asymmetric encryption is slower than symmetric encryption.

Key: In an encryption algorithm, the key is a large number (e.g., 238435639047397537493753453945379346236) used together with plaintext to produce ciphertext.

Key Distribution Problem in Symmetric Encryption

Sender A wants to send an email to receiver B without anyone reading it, using symmetric encryption. Since both encryption and decryption need the same key, A must deliver the key securely to B. Sending the ciphertext and the key together is insecure because an eavesdropper C could decrypt.

Hybrid Cryptosystem

A hybrid cryptosystem combines the advantages of symmetric and asymmetric encryption, solving the key distribution problem of symmetric encryption and the speed issue of asymmetric encryption.

First, a fast symmetric algorithm encrypts the message, producing the ciphertext. Then the symmetric key, which is short, is encrypted with asymmetric encryption (under the receiver's public key) and sent alongside the ciphertext. Only the short key passes through the slow asymmetric algorithm, so the scheme stays fast, and because the key travels encrypted, the key distribution problem is resolved.
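As an added example (it is not code from the original article or from its source book), the hybrid scheme described above in Go using only the standard library: AES‑GCM as the fast symmetric algorithm and RSA‑OAEP to encrypt the symmetric key. The receiver's RSA key pair, the per‑message AES key and the message text are all generated or constructed here for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// HybridMessage is what sender A transmits to receiver B: the bulk
// ciphertext from the symmetric cipher plus the short symmetric key,
// encrypted under B's RSA public key.
type HybridMessage struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP (B's public key)
	Nonce      []byte // AES-GCM nonce: unique per message, not secret
	Ciphertext []byte // AES-GCM output: ciphertext followed by the authentication tag
}

// HybridEncrypt is the sender's side: a fresh 256-bit AES key is generated
// for this message, the message is encrypted with AES-GCM, and only the
// 32-byte key goes through the slow asymmetric algorithm.
func HybridEncrypt(recipient *rsa.PublicKey, plaintext []byte) (*HybridMessage, error) {
	aesKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// The message itself never touches RSA; only the short key does.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &HybridMessage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// HybridDecrypt is the receiver's side: B recovers the AES key with its
// private key, then decrypts the bulk ciphertext. GCM's tag check turns any
// modification of the ciphertext into an error rather than garbage output.
func HybridDecrypt(priv *rsa.PrivateKey, m *HybridMessage) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap symmetric key: " + err.Error())
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

func main() {
	// B's key pair; A only ever holds &bKey.PublicKey.
	bKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: meeting moved to 15:00") // constructed input
	sealed, err := HybridEncrypt(&bKey.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(sealed.WrappedKey), len(sealed.Ciphertext))
	opened, err := HybridDecrypt(bKey, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("B reads: %q\n", opened)
}
```

The wrapped key is always the RSA modulus size (256 bytes for a 2048‑bit key) regardless of how long the message is, which is the whole point: the asymmetric cost is fixed and small while the message can be arbitrarily large.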

One‑Way Hash Functions

A one‑way hash function (also called a message digest or hash function) is used to verify message integrity.

It takes an input (message) and produces a fixed‑length hash value. Changing the message results in a different hash, allowing integrity checks.

The hash value, also known as a message digest or fingerprint, is produced by “chopping” a long message and mixing it into a fixed‑length value.

Limitations

Hash functions can verify integrity but cannot detect forgery when an attacker disguises themselves as the sender.

Authentication requires techniques such as Message Authentication Codes (MAC) and digital signatures. MACs ensure data has not been altered, while digital signatures also provide proof to third parties.

Message Authentication Code (MAC)

A MAC is a one‑way hash function that also takes a secret key as input, so only a holder of the key can compute or check the value.

Steps

(1) Sender A and receiver B share a secret key in advance.

(2) A computes the MAC value of the request using the shared key.

(3) A sends the request and MAC to B.

(4) B computes the MAC of the received request.

(5) B compares the computed MAC with the received MAC.

(6) If they match, B can confirm the request came from A.
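An added example, not part of the original article, that shows both the limitation of a plain hash function described under "Limitations" and steps (2) to (5) of the MAC procedure, using SHA‑256 and HMAC‑SHA256 from Go's standard library. The shared key, the request text and the attacker's substitute message are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the SHA-256 fingerprint of a message: always 32 bytes,
// whatever the length of the input.
func Digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// HashCheck is the integrity check a plain hash offers: recompute and
// compare. There is no key, so anyone, including an attacker, can produce a
// matching digest for any message they choose.
func HashCheck(msg, digest []byte) bool {
	return hmac.Equal(Digest(msg), digest)
}

// ComputeMAC is step (2) on the sender's side: HMAC-SHA256 over the request,
// keyed with the secret that A and B share.
func ComputeMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyMAC is steps (4) and (5) on the receiver's side. hmac.Equal compares
// in constant time, so the comparison itself leaks nothing about how many
// bytes of the tag matched.
func VerifyMAC(key, msg, tag []byte) bool {
	return hmac.Equal(ComputeMAC(key, msg), tag)
}

func main() {
	// Constructed sample traffic.
	sharedKey := []byte("constructed-shared-secret-do-not-reuse")
	request := []byte("transfer 100 to account 42")
	forged := []byte("transfer 100 to account 99") // attacker C's substitute

	// Plain hash: C replaces the message AND the digest; B's check still passes.
	fmt.Println("hash accepts forgery: ", HashCheck(forged, Digest(forged)))

	// MAC: C can replace the message but cannot compute a valid tag without the key.
	tag := ComputeMAC(sharedKey, request)
	fmt.Println("tag:", hex.EncodeToString(tag))
	fmt.Println("MAC accepts genuine:  ", VerifyMAC(sharedKey, request, tag))
	fmt.Println("MAC accepts forgery:  ", VerifyMAC(sharedKey, forged, tag))
	fmt.Println("MAC with guessed key: ", VerifyMAC(sharedKey, forged, ComputeMAC([]byte("guess"), forged)))
}
```

Note that the forged message verifies under the plain hash because the attacker simply recomputes the digest; the same attacker cannot produce an acceptable HMAC tag without the shared key, which is exactly why the key must stay secret (see "Remaining Key Distribution Issue").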

Remaining Key Distribution Issue

In MAC, the shared key must remain secret; if an attacker obtains it, they can compute valid MACs and perform spoofing attacks. Therefore, MAC still suffers from the key distribution problem, requiring solutions such as public‑key cryptography, key distribution centers, or other secure methods.

MAC vs Symmetric Encryption Authentication

A MAC requires both parties to hold the same key, just as symmetric ciphertext can only be decrypted with the key that produced it. Symmetric encryption alone is nonetheless unsuitable for authentication: when the receiver decrypts a ciphertext, it has no way to tell whether random‑looking plaintext is a genuine message from the sender or data forged by someone else.

Problems MAC Cannot Solve

Third‑Party Proof

Receiver B cannot provide a third‑party verifier D with proof that the message originated from A, because D could also compute the MAC using the shared key.

Non‑Repudiation

A could deny sending a message, claiming the MAC was generated by B, since both share the key.

Digital Signature

A digital signature is a string that only the sender can generate and serves as proof of authenticity.

It combines asymmetric encryption with hash functions.

Signature Generation and Verification

Signature generation is performed by the sender using their private key; verification is performed by the receiver (or any verifier) using the sender’s public key.

Private signing key is kept only by the signer, while the verification key can be distributed to anyone who needs to verify.

In public‑key cryptography, the encryption key and decryption key are distinct; the encryption key can be public, while the decryption key remains private. Digital signatures essentially reverse this usage.

Signature Process

1. A encrypts the message (or its hash) with its private key, producing the signature.

2. A sends the message and signature to B.

3. B decrypts the signature with A’s public key; if decryption succeeds, the signature is valid.

4. B compares the decrypted content with the received message; a match means verification succeeds.

Instead of encrypting the whole message, we can encrypt its hash, making signing fast even for long messages.
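An added example, not the article's own code, of the four‑step signature process using RSA PKCS#1 v1.5 over a SHA‑256 digest from Go's standard library, which is the "encrypt the hash with the private key" construction the text describes. A's key pair, a second key pair standing in for B, and the message text are generated or constructed here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is step 1: A hashes the message and signs the digest with A's
// private key. Only the holder of that key can produce this value.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is steps 3 and 4: the verifier recomputes the digest of the
// received message and checks it against the signature using only A's
// public key. B, or any third party D, can run this without any secret.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	aKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: I agree to the terms") // constructed
	sig, err := Sign(aKey, msg) // step 1
	if err != nil {
		panic(err)
	}
	// Step 2: A sends msg and sig; the verifier side only needs &aKey.PublicKey.
	fmt.Printf("signature: %d bytes (RSA modulus size, independent of message length)\n", len(sig))
	fmt.Println("B verifies:              ", Verify(&aKey.PublicKey, msg, sig))
	fmt.Println("D (third party) verifies:", Verify(&aKey.PublicKey, msg, sig))
	fmt.Println("altered message:         ", Verify(&aKey.PublicKey, []byte("I do not agree"), sig))

	// Non-repudiation: a signature made with any other private key does not
	// verify under A's public key, so A cannot claim that B produced it.
	bKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	bSig, _ := Sign(bKey, msg)
	fmt.Println("B's key, A's public key: ", Verify(&aKey.PublicKey, msg, bSig))
}
```

Because the verifier needs only the public key, the same check works for B and for any third party D, which is the property a MAC cannot offer; because nobody but A holds the private key, a valid signature under A's public key ties the message to A.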

Advantages Over MAC

Provides non‑repudiation: the sender cannot later deny having signed, because only the holder of the private key can create the signature.

Provides third‑party proof since anyone can verify the signature with the public key.

Certificate

A public‑key certificate (PKC) is issued by a Certificate Authority (CA) to confirm that a public key belongs to a specific entity.

The CA is an organization that can generate digital signatures to attest to the ownership of a public key.

Certificate Usage Scenario

1. B generates a key pair.

2. B registers its public key with CA D.

3. D signs B’s public key with its private key, creating a certificate.

4. A obtains B’s public key together with D’s signature.

5. A verifies D’s signature using D’s public key, confirming B’s public key is legitimate.

6. A encrypts a message with B’s public key and sends it.

7. B decrypts the ciphertext with its private key to retrieve A’s message.
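An added example, not from the original article, of the seven‑step scenario with Go's crypto/x509. D's self‑signed root certificate (and the fact that A already trusts it), B's key pair, the names "Example CA D" and "B", and the 24‑hour validity period are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueCA creates CA D's key pair and self-signed root certificate. That A
// already trusts this root is an assumption of the example; in practice it
// comes from A's trust store.
func IssueCA(name string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// IssueCertificate is step 3: D signs B's public key, together with B's name
// and a validity period, using D's private key. B's private key is not
// involved and never leaves B.
func IssueCertificate(caKey *rsa.PrivateKey, caCert *x509.Certificate,
	subject string, pub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyCertificate is step 5: A checks D's signature on the certificate
// against the root it trusts. A certificate signed by any key other than D's
// fails here, which is what stops a substituted public key from being
// accepted as B's. ExtKeyUsageAny is set because Go otherwise expects a TLS
// server-auth usage that this certificate does not carry.
func VerifyCertificate(trustedRoot, cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	caKey, caCert, err := IssueCA("Example CA D")
	if err != nil {
		panic(err)
	}
	bKey, _ := rsa.GenerateKey(rand.Reader, 2048)                        // step 1
	bCert, err := IssueCertificate(caKey, caCert, "B", &bKey.PublicKey) // steps 2-3
	if err != nil {
		panic(err)
	}
	// Steps 4-5: A receives bCert (B's public key plus D's signature) and verifies it.
	if err := VerifyCertificate(caCert, bCert); err != nil {
		panic("A rejects B's certificate: " + err.Error())
	}
	bPub := bCert.PublicKey.(*rsa.PublicKey)
	// Step 6: A encrypts with the public key taken from the verified certificate.
	msg := []byte("constructed sample: hello B") // constructed
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, msg, nil)
	// Step 7: only B's private key recovers the message.
	pt, _ := rsa.DecryptOAEP(sha256.New(), rand.Reader, bKey, ct, nil)
	fmt.Printf("issuer=%q subject=%q, B reads: %q\n", bCert.Issuer.CommonName, bCert.Subject.CommonName, pt)
}
```

The step that matters for security is step 5: A takes B's public key from the certificate only after D's signature has been checked against a root A already trusts, so a certificate for "B" issued by some other signer is rejected rather than used for encryption.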

Comparison of Cryptographic Techniques

Symmetric vs Asymmetric Encryption

                            Symmetric encryption    Asymmetric encryption
  Sender uses               shared key              public key
  Receiver uses             shared key              private key
  Key distribution problem  yes                     no
  Confidentiality           guaranteed              guaranteed

MAC vs Digital Signature

                            MAC                                   Digital signature
  Sender uses               shared key                            private key
  Receiver uses             shared key                            public key
  Key distribution problem  yes                                   no (but the public key must be verified)
  Integrity                 guaranteed                            guaranteed
  Authentication            between communicating parties only    also toward third parties
  Non‑repudiation           not guaranteed                        guaranteed

References

Illustrated Cryptography (《图解密码学》) by Qiu Zhengyuan.
