wrack (June 13, 2010): Hi, I am writing a small 1-page abstract + case study of Symmetric vs. Asymmetric Cryptography. I have got the differences and advantages and disadvantages of both covered but I am finding it hard to write something about how they can be used in an Online Banking System to secure things. Could someone please give some pointers to get me a head start? Cheers :) P.S.: This is not a school/uni assignment so please don't bash. I am doing this for exam preparations and this is the only case study I am stuck on and I have got all the rest figured out. Thread: https://www.neowin.net/forum/topic/910072-symmetric-vs-asymmetric-cryptography-resolved/
wrack (June 14, 2010): No one?
BudMan (MVC, June 14, 2010): So you understand how they're different, but you don't understand how a bank could use asymmetric encryption? With symmetric the same key is used to encrypt as to decrypt -- with asymmetric each side has public and private keys. If I encrypt something to your public, the only way to decrypt is to use your private key. So either everyone has the key already with symmetric, or you have to figure out a way to securely exchange keys to be used. With asymmetric there is no need to secretly exchange --- I can freely give you the public key, since it's useless for anything other than sending me a message. You can also use the private key to sign something -- use of the public key of this pair will verify that it was signed by the holder of the private. So with asymmetric, it can be used to communicate securely with your bank, which you can sign with your key -- and the bank will be sure YOU signed it. Auth for transactions for example. You will be sure you're talking to the bank, since you can verify the signature of stuff they send you. With symmetric it would be possible to listen in on the communication of the key, or gain access to the key and then impersonate either the bank or the customer, etc. With asymmetric this is much harder since there is no need of a secret exchange of the key to be used. The bank can freely post its public, and you can freely post your public, etc. Is that what you were looking for?
boogerjones (June 14, 2010): The other thing is that most asymmetric cryptosystems also use symmetric cryptography. Typically, you generate (or derive from a passphrase/keyfile/etc.) a random symmetric key, encrypt something with it, and then encrypt that symmetric key using the recipient's public key. You send the encrypted data and the encrypted symmetric key to the recipient. The recipient uses his private asymmetric key to decrypt the symmetric key and then uses the symmetric key to decrypt the data. Note that the security/validity of both asymmetric and symmetric cryptosystems is quite weak without some kind of authentication mechanism. <-- This is widely overlooked.
BudMan (MVC, June 15, 2010): Quite true -- the key pair can be used to transfer any type of data, even a symmetric key ;) And also true, the use of the keys is normally tied to another method of auth, not just ownership of the key. How many factors you want to go to would depend on the sensitivity of the data being exchanged. 2 factor, 3 factor, etc.
wrack (June 15, 2010): Thanks BudMan & boogerjones. BudMan, you explained it well and yes that is what I was after. I understood the difference between them and your explanation is correct. I also knew that an online banking site would use an asymmetric key and the exchanges between the client and server would be verified by each other. What I was stuck on was to do with how does the web browser know the public key of the bank and how does the bank server know the public key of me? I am not a genius on website designs?
BudMan (MVC, June 15, 2010): Well I did not go into the details of "how" you would do it, only the basic theory behind it. Are you wanting the details of how the coding would be done?
wrack (June 15, 2010): No I don't want the details of coding behind it but I just want a quick idea on how me logging in using my username (or internet banking id) and password would cause the authentication. Does me logging in cause the bank to verify those details and send me a public key (kinda token) that would be stored in a session variable to be used for the verification purpose? But how does the bank have my public key? Is my username and password my public key? I am assuming some sort of a hash of my password would be my private key! Thanks again.
BudMan (MVC, June 15, 2010): I don't know what your bank is doing, it's "IN THEORY" of what can be done. Does not mean every bank does it. Again your question sounded like an in-theory question to me -- did not seem like you were asking for practical examples of such, etc. To be honest bank web access to accounts can be very lacking. Shoot, mine does not even use 2 factor auth. And no, adding a picture to your login is not 2 factor -- still something I know which is 1 factor, etc. Have you never used PGP or GnuPG? MIT still runs a public key server. http://pgp.mit.edu/ One example of how public keys can be shared with the public. But this is different than how you would do it with online banking. Here this bank gives a bit of detail, not much but some -- this might answer your question? http://www.sovereignbank.com/personal/banking/online_banking/security_info.asp

-- Public/private key pairs are used specifically for authentication. The public key can be distributed using a certificate that verifies the identity of the owner. The private key is kept secret. A message encrypted with a public key can only be read after decryption with the private key. To start a transaction, the customer uses his or her browser to send a secure message via SSL to the Bank. The Bank responds by sending a certificate, which contains the Bank's public key. The browser authenticates the certificate, then generates a session key that is used to encrypt data traveling between the customer's browser and the Bank server. The session key is encrypted using the Bank's public key, and sent back to the Bank. The Bank decrypts this message using its private key, and then uses the session key for the remainder of the communication. By exchanging messages using the public/private key pair, the customer can be assured they are actually communicating with Sovereign, and not a third party trying to intercept the transaction.

When a session is encrypted, the key icon at the lower left corner of the browser's screen becomes solid, and a blue line appears at the top of the screen. If the key icon appears broken, encryption is not in use and the current session is not secure. --
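The handshake in the bank text quoted above, together with boogerjones' hybrid scheme (wrap a random symmetric key with the recipient's public key) and BudMan's point about signing with the private key, worked through as an added Python example. This is not code from the thread or from any bank: it uses textbook RSA with hard-coded Mersenne primes and an HMAC-SHA256 stream cipher only so that it runs offline on the standard library, and the CA, the site name "bank.example", the key sizes and the request text are all constructed for illustration. It also shows the authentication step boogerjones says is overlooked: the browser checks the CA's signature on the certificate before it wraps the session key, and the symmetric layer carries a MAC so a tampered message is rejected instead of decrypted.

```python
import hashlib
import hmac
import secrets

# Toy RSA with hard-coded Mersenne primes so the example runs offline. Constructed
# for illustration only: real systems use random 2048-bit+ primes with padding
# (OAEP/PSS) or ECDH, never textbook RSA like this.
BANK_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)
CA_PRIMES = ((1 << 107) - 1, (1 << 127) - 1)
E = 65537

def make_keypair(p, q):
    """Return ((n, e), (n, d)); d is the modular inverse of e mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def rsa_encrypt(pub, m):    # anyone can encrypt to the public key ...
    return pow(m, pub[1], pub[0])

def rsa_decrypt(priv, c):   # ... only the private key holder can undo it
    return pow(c, priv[1], priv[0])

def _digest_int(data, n):   # hash, then reduce to fit the small toy modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(priv, data):           # sign with the private key ...
    n, d = priv
    return pow(_digest_int(data, n), d, n)

def rsa_verify(pub, data, sig):     # ... anyone with the public key can check it
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)

def _cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_certificate(ca_priv, subject, pub):
    """The CA binds a site name to a public key by signing both together."""
    return {"subject": subject, "pub": pub,
            "sig": rsa_sign(ca_priv, _cert_body(subject, pub))}

def verify_certificate(ca_pub, cert, expected_subject):
    """The browser's check: the name matches and the CA's signature is valid."""
    return (cert["subject"] == expected_subject and
            rsa_verify(ca_pub, _cert_body(cert["subject"], cert["pub"]), cert["sig"]))

# Symmetric side: HMAC-SHA256 in counter mode as the keystream plus an
# encrypt-then-MAC tag, standing in for AES-GCM (which is not in the stdlib).
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(session_key):  # separate keys for confidentiality and integrity
    return (hmac.new(session_key, b"enc", hashlib.sha256).digest(),
            hmac.new(session_key, b"mac", hashlib.sha256).digest())

def sym_encrypt(session_key, plaintext):
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(session_key, blob):
    enc_key, mac_key = _subkeys(session_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message authentication failed")  # tampered or wrong key
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Trust anchor, bank keys and the bank's certificate (all constructed here).
CA_PUB, CA_PRIV = make_keypair(*CA_PRIMES)
BANK_PUB, BANK_PRIV = make_keypair(*BANK_PRIMES)
BANK_CERT = issue_certificate(CA_PRIV, "bank.example", BANK_PUB)

def client_session(cert, ca_pub, request):
    """Browser: verify the cert, pick a session key, wrap it for the bank."""
    if not verify_certificate(ca_pub, cert, "bank.example"):
        raise ValueError("certificate rejected")
    session_key = secrets.token_bytes(16)          # 128-bit value, smaller than n
    wrapped = rsa_encrypt(cert["pub"], int.from_bytes(session_key, "big"))
    return wrapped, sym_encrypt(session_key, request)

def bank_session(bank_priv, wrapped, blob):
    """Bank: unwrap the session key with its private key, then decrypt the request."""
    session_key = rsa_decrypt(bank_priv, wrapped).to_bytes(16, "big")
    return sym_decrypt(session_key, blob)

def run_session(request):
    wrapped, blob = client_session(BANK_CERT, CA_PUB, request)
    return bank_session(BANK_PRIV, wrapped, blob)

def impostor_rejected():
    """A self-made cert carrying the bank's name fails the browser's CA check."""
    fake_pub, fake_priv = make_keypair((1 << 31) - 1, (1 << 61) - 1)
    fake_cert = issue_certificate(fake_priv, "bank.example", fake_pub)
    return not verify_certificate(CA_PUB, fake_cert, "bank.example")
```

Calling `run_session(b"transfer 100 to account 42")` returns the same bytes on the bank side, which is the whole point of the exchange: the session key never travels in the clear, only the holder of the bank's private key can unwrap it, and the browser trusted that key only because a CA it already knew had signed the certificate. `impostor_rejected()` is the answer to wrack's "how does the browser know the bank's public key": it does not, until a signature from a pre-installed trust anchor vouches for it. Note that nothing here authenticates the customer; that is the separate login or second-factor step the thread discusses.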
wrack (June 15, 2010): Yes I am after an "IN THEORY" answer. I am not implementing this. Just satisfying the needs of an examination question of "How Asymmetric Cryptography might be used to secure an online banking?" And that last part was what I was after. Thank you again for the help BudMan. Rep for ya.