I wish the choice were as simple as ordering fries at your favorite fast-food restaurant: small, medium or large. Well, in a way, it is. Although encryption terminology seems confusing at a glance, the underlying concepts are not that difficult to understand. As the names imply, symmetric encryption requires the same key for encryption and decryption, whereas asymmetric encryption needs different ones. Of course, hybrid encryption means a combination of both.
Asymmetric encryption is often referred to as PKI (Public Key Infrastructure), where each party has a pair of keys, one public and one private. The private key is retained by its owner, whereas the public key is available for the public to use. The premise here is that any clear text encrypted with one key of the pair can only be decrypted with the other key. In simple words, if something is encrypted with a public key, it can only be decrypted with the corresponding private key, and vice versa. So, if I need to send you an encrypted message, I would pick up your public key (it is readily available, or you might have given it to me earlier), encrypt the message with it and send it across to you. Since you are the only one in this world with the corresponding private key, you are the only person who can decrypt the message. That makes it secure. This infrastructure usually meets the "confidentiality" part of the security ecosystem.
One should know that the majority of encryption algorithms are publicly released, which puts a lot of pressure on the safe storage of keys. No matter how strong your encryption algorithm is, the keys to the kingdom here are literally the encryption keys. So always store them securely.
Due to the complexity of the PKI algorithm (it is actually based on a prime-number-based mathematical formula), the entire encryption and decryption process is very slow compared to the symmetric process, where one key serves both purposes. The disadvantage of symmetric encryption, though, is that key management becomes very difficult. If one can get to the key at either end, one can decrypt very easily. In fact, the transportation of keys is a known risk, and due care is needed in their distribution. In today's world, there are not many inexpensive ways to send information other than electronically via email, HTTP, FTP or IM, which are all very insecure as a medium for key exchange.
So, what is the solution if asymmetric is slower and symmetric is risky? Good guess: a hybrid one. That's right: establish a session using asymmetric encryption, and then do the bulk of the encryption using a symmetric key. For example, if server 1 and server 2 need to communicate securely, server 1 will create a dynamic symmetric key, encrypt it with server 2's public key and send it over to server 2. This encrypted symmetric key can only be decrypted with server 2's private key, which is available to server 2 only. Once server 2 decrypts the message and extracts the symmetric key, both servers have the same symmetric key, and they can now communicate securely using symmetric encryption, which is much faster than asymmetric encryption.
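The server 1 / server 2 exchange described above, as an added example using Node's built-in `crypto` module (not code from the original post). The choice of RSA-OAEP and AES-256-GCM, the function names and the sample payload are assumptions, and server 1 is assumed to already hold an authentic copy of server 2's public key.

```javascript
const crypto = require("crypto");

// RSA-OAEP settings used to wrap the session key (assumed choice, not from the post).
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Server 2's long-term key pair; only the public half ever leaves server 2.
function generateServer2KeyPair() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Server 1: create a fresh symmetric key, wrap it with server 2's public key,
// then encrypt the bulk data with the fast symmetric cipher.
function server1Send(server2PublicKey, plaintext) {
  const sessionKey = crypto.randomBytes(32); // the "dynamic symmetric key"
  const wrappedKey = crypto.publicEncrypt({ key: server2PublicKey, ...OAEP }, sessionKey);
  const iv = crypto.randomBytes(12); // must be unique per message under one key
  const cipher = crypto.createCipheriv("aes-256-gcm", sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Server 2: unwrap the session key with the private key, then decrypt the data.
// decipher.final() throws if the ciphertext or tag was modified in transit.
function server2Receive(server2PrivateKey, msg) {
  const sessionKey = crypto.privateDecrypt({ key: server2PrivateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString("utf8");
}

// Round trip with a constructed sample payload.
function demo() {
  const { publicKey, privateKey } = generateServer2KeyPair();
  const msg = server1Send(publicKey, "constructed sample payload");
  return server2Receive(privateKey, msg);
}

console.log(demo());
```

Only the 32-byte session key goes through the slow RSA operation; the payload itself, whatever its size, is handled by AES.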
Sunday, March 23, 2008
Encryption - Symmetric, Asymmetric or Both?
Posted by Ashish Prasad at 1:51 PM
Labels: assymetrric encryption, decryption, encryption, math, PKI, prime number, private key, public key, session, symmetric encryption