A fundamental topic of IT security that often gives people
difficulty is understanding the difference between symmetric, asymmetric
encryption, and hashing. While each has specific uses, a robust
communications encryption solution will typically implement all three.
Symmetric Encryption
Symmetric encryption may also be referred to as shared key or shared secret encryption. In symmetric encryption, a single key is used both to encrypt and decrypt traffic.
Common symmetric encryption algorithms include DES, 3DES, AES, and RC4.
3DES and AES are commonly used in IPsec and other types of VPNs. RC4
has seen wide deployment on wireless networks as the base encryption
used by WEP and WPA version 1.
Symmetric encryption algorithms can be extremely fast, and their
relatively low complexity allows for easy implementation in hardware.
However, they require that all hosts participating in the encryption
have already been configured with the secret key through some external
means.
Asymmetric Encryption
Asymmetric encryption is also known as public-key cryptography.
Asymmetric encryption differs from symmetric encryption primarily in
that two keys are used: one for encryption and one for decryption. The
most common asymmetric encryption algorithm is RSA.
Compared to symmetric encryption, asymmetric encryption imposes a
high computational burden, and tends to be much slower. Thus, it isn't
typically employed to protect payload data. Instead, its major strength
is its ability to establish a secure channel over a nonsecure medium
(for example, the Internet). This is accomplished by the exchange of
public keys, which can only be used to encrypt data. The complementary
private key, which is never shared, is used to decrypt.
Robust encryption solutions such as IPsec implement the strengths of
both symmetric and asymmetric encryption. First, two endpoints exchange
public keys, which allows for the setup of a slow but secure channel.
Then the two hosts decide on and exchange shared symmetric encryption
keys to construct much faster symmetric encryption channels for data.
Hashing
Finally, hashing is a form of cryptographic security which differs
from encryption. Whereas encryption is a two step process used to first
encrypt and then decrypt a message, hashing condenses a message into an
irreversible fixed-length value, or hash. Two of the most common hashing algorithms seen in networking are MD5 and SHA-1.
Hashing is used only to verify data; the original message cannot be
retrieved from a hash. When used to authenticate secure communications, a
hash is typically the result of the original message plus a secret key.
Hashing algorithms are also commonly used without a secret key simply
for error checking. You can use the md5sum and sha1sum utilities on a Linux or Unix machine to experiment with hashing.
$ echo -n This is a secret message. | md5sum
39de572a4d05b1ad6552dcfee90f4d20 -
$ echo -n This is a secret message. | sha1sum
e35c5046b5fe69488ce0ab14c5761d785995ee79 -
Another example of MD5 hashing can be seen in IOS' secret passwords, which implement a random salt to avoid duplicate hashes should two users by chance select the same password.
(Note: Thanks to Packetlife.net or Jeremy Stretch for such a useful post.)
