Question

I am developing a client server app that uses SSL (OpenSSL) to establish a secure communication channel between the client and the server. I believe I have two options now for secure data transfer between the client and the server. One option is to continue with the data transfer on the established secure SSL channel between the client and the server even though the encryption/decryption process will be slow because of the use of asymmetric keys. The other option is to transfer a symmetric key on the SSL channel and close the SSL channel once the symmetric key is delivered to the client. Communication thereafter will happen on a regular TCP channel using the symmetric key, which I believe will be much faster than using asymmetric keys. Are there any downsides to this approach? One thing that is obvious with the symmetric key approach is the process of key management, which I am thinking of handling by not storing the keys on the client at all. The symmetric key will be delivered to the client on start up over an SSL channel. The key will NOT be stored in the client at all. Any thoughts?


Solution

You are mixing things up. SSL uses an asymmetric key (defined in the certificate) to pass an autogenerated symmetric key between the client and the server. This symmetric key is then used throughout the secure session (the channel).

So basically, you already have fast symmetric encryption when using SSL. The only asymmetric encryption takes place at the very beginning of the communication.

Don't try to manage your symmetric keys on your own. It will not work.

OTHER TIPS

Keep using the SSL connection because SSL uses a symmetric cipher after the initial phase.

One option is to continue with the data transfer on the established secure ssl channel between the client and the server even though the encryption/decryption process will be slow because of the use of asymmetric keys.

No it won't. SSL uses symmetric encryption.

The other option is to transfer a symmetric key on the ssl channel and close the ssl channel once the symmetric key is delivered to the client.

The client and server already have a symmetric encryption key, as soon as the session is established. This would be merely redundant.

There is no problem here to solve.

Licensed under: CC-BY-SA with attribution