0

Being fairly new to the cryptography and data security space, I have sampled a few "Introduction to cryptography" sites/textbooks and they all seem to start in the same general way:

I understand the educational value of explaining older ciphers and ciphers but in reality, if I need secure digital communication over an insecure channel, why would I ever use anything other than RSA?

Community
  • 1
Ephemera
  • 173
  • 5
  • 1
    Incidentally, the linked post for "RSA is unbreakable" is about key lengths for _symmetric_ crypto. 256-bit RSA is absurdly weak and utterly unsuited for any actual use; best guess is you need *at least* 3072-bit RSA to get the security of a 128-bit symmetric key, and over a 15,000-bit RSA key to get the security equivalent to a 256-bit symmetric key. – cpast Feb 12 '15 at 08:16
  • Related question: [Is symmetric encryption no longer necessary?](https://crypto.stackexchange.com/questions/13107/is-symmetric-encryption-no-longer-necessary) – CodesInChaos Feb 12 '15 at 08:17

2 Answers2

2

RSA (and other public key cryptosystems) is extremely computationally expensive, making it impractical to use it to encrypt an entire transaction. So public-key encryption is generally used only to agree on a symmetric encryption key, which is then used to encrypt the rest of the transaction using a symmetric algorithm such as AES or 3DES.

See the accepted answer to this question for more details.

Community
  • 1
Mike Scott
  • 10,118
  • 1
  • 27
  • 35
2

In addition to Mike's point about symmetric encryption, RSA isn't even the only asymmetric scheme used, and it seems like usage of it is actually declining some, because you can't use it with elliptic curves like you can many other schemes. When people say "asymmetric cryptography is slow," a major reason for that is key sizes. Your question links to a discussion of the security of 256-bit keys, but that discussion is symmetric 256-bit keys; a 256-bit RSA key is extremely weak, and to get the equivalent of 128-bit symmetric keys you need 3072-bit RSA keys; the equivalent of 256-bit symmetric keys is around 15,200 bits of RSA key (these are estimates, but they're fairly standard ones).

With other asymmetric schemes (like Diffie-Hellman and DSA), there's an alternative to working in the integers modulo n: you can use an elliptic curve, which is believed to give 128-bit security with a 256-bit curve. That means DH and DSA are often used where performance is more important, because ECDH and ECDSA are faster than RSA at the same security level. Furthermore, you often want forward secrecy in communications, which means that if I steal your private key in the future I can't use that to read the messages Mike sent to you. Achieving this involves creating a new keypair for each communication and signing it with your real private key. Creating a strong RSA keypair is time-consuming; creating an EC keypair is cheaper. DH is also more traditional for this sort of key agreement. So, DH or ECDH is typically used for forward secrecy, and in fact that's all TLS offers for that.

cpast
  • 7,223
  • 1
  • 29
  • 35