Cryptography doesn't rely on
security through obscurity.
With cryptography, you
know practically everything
about the cryptographic process.
The entire algorithm is usually
public and known to everyone.
The one piece of information
that isn't known is the key.
And that's why the cryptographic
key is so important.
It's going to determine
what type of encrypted data
you're going to create,
it will determine
the hash value that's created.
And that key will determine
what type of digital signature
is created.
That's why we constantly say
that your key must always
be private because that's
the only thing protecting
your data.
The size of the key is also
important for security.
The larger keys tend to be
more secure, because the larger
keys means there are more
possible key combinations
if somebody had to go
through and brute force
every single one of those.
Of course, as our
computing power grows
and it becomes much more easy to
perform many more calculations,
we have to keep making these
kids larger and larger.
For symmetric encryption, it's
common to see 128-bit keys.
But we're going to see larger
and larger symmetric keys
as it becomes easier to
do brute force attacks.
Asymmetric encryption, though,
uses very complex calculations
of very large prime numbers.
And that means that
the keys involved
with asymmetric encryption are
going to be quite a bit larger.
It's common to see asymmetric
keys that are 3,072 bits
or even larger to be able
to prevent any brute force
attacks.
So now that we understand
how important this key is,
how do we get a key
exchanged with someone
else over an insecure
medium like the internet,
but still maintain the
confidentiality of that key?
One way to do this would
be to send the key out
of band or without
using the internet.
We might telephone someone.
We could provide a
courier to send that key
from one person to the other.
Or we could visit them and
hand the key over in person.
And out-of-band
key exchange isn't
practical for most people.
Instead, most of us use
an in-band key exchange,
where we're transferring
keys across the network.
We would generally protect
a symmetric key, then,
by adding additional encryption.
And it's common to use
asymmetric encryption,
in order to protect
our symmetric key.
Unfortunately,
asymmetric encryption
requires so much
overhead that it's not
practical to use for real time
encryption and decryption.
For that reason, we commonly
use symmetric encryption.
But how would I
get a symmetric key
to use for encryption
from a web server,
if our only way of communicating
is across the internet?
Well one way to do that is
to share the symmetric key
by using asymmetric encryption.
I would have the server
send me its public key.
And then I would encrypt a
random key with that public key
and send it to the server.
The server receives
that encrypted message.
It decrypts it with its
private asymmetric key
and then ultimately
has the symmetric key
that will be used for
this conversation.
An important best practice
when you're using session keys
is to change these keys often--
once a day or
multiple times a day.
We call these temporary
keys, ephemeral keys.
And they also need to
be unpredictable values.
We don't want our session
keys to simply increment
by one each time it's
changed, because there
needs to be randomization to
prevent any type of brute force
attack.
