1442  Encryption Review: Symmetric vs Asymmetric Fundamentals

1442.1 Learning Objectives

By the end of this chapter, you will be able to:

  • Compare Encryption Approaches: Understand the fundamental differences between symmetric and asymmetric encryption
  • Select Appropriate Algorithms: Choose the right encryption type based on IoT system requirements
  • Apply Hybrid Encryption: Combine symmetric and asymmetric methods for optimal security and performance
  • Evaluate Performance Trade-offs: Balance encryption strength against computational and power constraints

1442.2 Prerequisites

Required Chapters:

  • Encryption Fundamentals - Core cryptographic concepts
  • Security Overview - Security landscape

Concepts You Should Know:

Concept               | Why It Matters
Symmetric encryption  | Foundation of AES, DES
Asymmetric encryption | RSA, key exchange
Hash functions        | Integrity verification

Estimated Time: 20 minutes

1442.3 Encryption Approaches Compared

Understanding the fundamental difference between symmetric and asymmetric encryption is critical for IoT security design.

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D', 'clusterBkg': '#f9f9f9', 'clusterBorder': '#2C3E50', 'edgeLabelBackground':'#ffffff'}}}%%
flowchart LR
    subgraph Symmetric["Symmetric Encryption (AES)"]
        direction TB
        A1[Alice & Bob<br/>Share Secret Key] --> A2[Alice Encrypts<br/>with Key]
        A2 --> A3[Bob Decrypts<br/>with Same Key]
        A4[Fast: 500 MB/s<br/>Problem: Key Distribution]
    end

    subgraph Asymmetric["Asymmetric Encryption (RSA)"]
        direction TB
        B1[Bob has Public Key<br/>& Private Key] --> B2[Alice Encrypts<br/>with Bob's Public Key]
        B2 --> B3[Bob Decrypts<br/>with Private Key]
        B4[Slow: 50 KB/s<br/>Solution: No Shared Secret]
    end

    subgraph Hybrid["IoT Hybrid Approach"]
        direction TB
        C1[RSA exchanges<br/>AES session key] --> C2[AES encrypts<br/>bulk data]
        C3[Best of Both Worlds]
    end

    style Symmetric fill:#16A085,stroke:#2C3E50,color:#fff
    style Asymmetric fill:#E67E22,stroke:#2C3E50,color:#fff
    style Hybrid fill:#2C3E50,stroke:#16A085,color:#fff

Figure 1442.1: Symmetric encryption uses one shared key for both encryption and decryption, offering high speed but requiring secure key distribution. Asymmetric encryption uses a public-private key pair, solving key distribution but at significantly slower performance. IoT systems typically use hybrid approaches: asymmetric encryption for key exchange, symmetric encryption for bulk data.

1442.3.1 Key Characteristics Comparison

Feature     | Symmetric (AES)      | Asymmetric (RSA/ECC)
Keys        | Single shared key    | Public + Private key pair
Speed       | 100-500 MB/s         | 10-100 KB/s
Key Size    | 128-256 bits         | 2048-4096 bits (RSA)
Primary Use | Bulk data encryption | Key exchange, signatures
Challenge   | Key distribution     | Computational cost

1442.3.2 When to Use Each Approach

Use Symmetric Encryption (AES) when:

  • Encrypting large amounts of data
  • Processing real-time sensor streams
  • Working with constrained devices
  • Both parties already share a key

Use Asymmetric Encryption (RSA/ECC) when:

  • Establishing new connections
  • Exchanging session keys
  • Creating digital signatures
  • Authenticating device identity

1442.4 IoT Encryption Selection Decision Tree

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
flowchart TD
    Start[IoT Encryption<br/>Decision] --> Q1{Establishing<br/>New Connection?}

    Q1 -->|Yes| Asym[Use Asymmetric<br/>RSA/ECDH]
    Q1 -->|No, Existing Session| Sym[Use Symmetric<br/>AES-128/256]

    Asym --> Q2{Device<br/>Constraints?}
    Q2 -->|Low Power/Memory| ECC[ECC-256<br/>10x smaller keys]
    Q2 -->|Full Resources| RSA[RSA-2048<br/>Widely supported]

    ECC --> Exchange[Key Exchange<br/>50-100 KB/s]
    RSA --> Exchange

    Exchange --> Session[Session Key<br/>Established]

    Session --> Sym

    Sym --> Q3{Authentication<br/>Needed?}
    Q3 -->|Yes| GCM[AES-GCM<br/>Encrypt + Auth]
    Q3 -->|No| CBC[AES-CBC<br/>Encrypt only]

    GCM --> Data[Bulk Data<br/>100-500 MB/s]
    CBC --> Data

    style Asym fill:#E67E22,stroke:#2C3E50,color:#fff
    style Sym fill:#16A085,stroke:#2C3E50,color:#fff
    style ECC fill:#E67E22,stroke:#2C3E50,color:#fff
    style RSA fill:#E67E22,stroke:#2C3E50,color:#fff
    style GCM fill:#16A085,stroke:#2C3E50,color:#fff
    style CBC fill:#16A085,stroke:#2C3E50,color:#fff

Figure 1442.2: Decision tree for selecting encryption algorithms in IoT systems. Asymmetric encryption (RSA, ECC) handles key establishment while symmetric encryption (AES) provides fast bulk data encryption. Most IoT implementations use a hybrid approach.

1442.5 Hybrid Encryption in Practice

Modern IoT systems combine both approaches for optimal security and performance:

1. Key Exchange Phase (Asymmetric - RSA/ECDH):
   Device → Cloud: "Here's my public key"
   Cloud → Device: AES session key encrypted with device's public key

2. Data Transfer Phase (Symmetric - AES):
   Device → Cloud: Sensor data encrypted with AES session key
   Cloud → Device: Commands encrypted with AES session key

Why not always use Asymmetric (RSA)?

  • Too slow! RSA can only encrypt about 50 KB per second
  • A temperature sensor sending data every second would overwhelm the processor
  • Battery would drain quickly on constrained devices

Why not always use Symmetric (AES)?

  • The “key distribution problem” - how do you share the secret key securely?
  • If you send the key over the network, anyone watching can steal it!
  • This is like trying to send a house key through the mail

The Hybrid Solution:

  • Use RSA once to securely exchange the AES key
  • Use AES for all actual data (10,000x faster)
  • Like using a secure courier once to deliver a house key, then using the key forever
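The two phases above as runnable code, using Node.js's built-in crypto module. This is an added example, not code from the original chapter; the function names, the OAEP-SHA256 padding choice and the nonce || ciphertext || tag wire format are assumptions made here. It does not authenticate the device's public key, which a real deployment would do with a certificate.

```javascript
const crypto = require('crypto');

// RSA-OAEP parameters used by both sides of the key exchange.
const oaep = (key) => ({
  key,
  padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: 'sha256',
});

// Phase 1, cloud side: create a fresh AES-128 session key and encrypt it
// to the device's public key. Only `wrapped` crosses the network.
function wrapSessionKey(devicePublicKey) {
  const sessionKey = crypto.randomBytes(16);
  return { sessionKey, wrapped: crypto.publicEncrypt(oaep(devicePublicKey), sessionKey) };
}

// Phase 1, device side: recover the session key with the private key.
function unwrapSessionKey(devicePrivateKey, wrapped) {
  return crypto.privateDecrypt(oaep(devicePrivateKey), wrapped);
}

// Phase 2: AES-GCM with a fresh 12-byte nonce for every message.
// Assumed wire format: nonce || ciphertext || 16-byte tag.
function seal(sessionKey, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', sessionKey, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, body, c.getAuthTag()]);
}

// Reverses seal(); throws if the nonce, ciphertext or tag was modified.
function open(sessionKey, message) {
  if (message.length < 28) throw new Error('message too short');
  const d = crypto.createDecipheriv('aes-128-gcm', sessionKey, message.subarray(0, 12));
  d.setAuthTag(message.subarray(message.length - 16));
  return Buffer.concat([d.update(message.subarray(12, message.length - 16)), d.final()]);
}

// Constructed demo: one device key pair, one exchanged key, one reading.
function demo() {
  const device = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const { sessionKey, wrapped } = wrapSessionKey(device.publicKey);
  const deviceKey = unwrapSessionKey(device.privateKey, wrapped);
  const message = seal(deviceKey, Buffer.from('temp=22.5C'));
  return { wrappedBytes: wrapped.length, reading: open(sessionKey, message).toString() };
}

console.log(demo());
```

The RSA operation runs once per session and moves only 16 bytes of key material; every later message costs one AES-GCM call.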

1442.6 Performance Considerations for IoT

1442.6.1 AES Key Length Trade-offs

AES Version | Key Size | Rounds | Speed (ESP32) | Power Draw
AES-128     | 128 bits | 10     | 1.2 MB/s      | 18 mA
AES-192     | 192 bits | 12     | 1.0 MB/s      | 20 mA
AES-256     | 256 bits | 14     | 0.9 MB/s      | 24 mA

Key Insight: AES-128 remains secure for most IoT deployments (battery-powered sensors). Use AES-256 for long-lived critical infrastructure (30+ year deployments) or regulatory requirements.

1442.6.2 ECC vs RSA for Constrained Devices

Algorithm | Key Size  | Security Equivalent | Handshake Time (Cortex-M4)
ECC-256   | 256 bits  | RSA-3072            | 180 ms
RSA-2048  | 2048 bits | ECC-224             | 350 ms
RSA-4096  | 4096 bits | ECC-384             | 2,800 ms

Recommendation: Use ECC (Elliptic Curve Cryptography) for IoT devices. It provides equivalent security with 10x smaller keys and faster operations.

1442.7 Block Cipher Modes

AES is a block cipher that encrypts 128-bit blocks. The mode determines how multiple blocks are processed:

Mode | Security | Parallelizable | Authentication | IoT Use Case
ECB  | Weak     | Yes            | No             | NEVER use
CBC  | Good     | Decrypt only   | No             | Legacy systems
CTR  | Good     | Yes            | No             | Stream data
GCM  | Best     | Yes            | Yes            | Recommended

Warning: Never Use ECB Mode

ECB (Electronic Codebook) mode encrypts each block independently. Identical plaintext blocks produce identical ciphertext blocks, revealing patterns in your data. This is a critical security flaw.

Example: Temperature readings of “22.5C” will always encrypt to the same ciphertext, allowing attackers to identify when temperatures match without decrypting.
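The temperature example above, made concrete with Node.js's built-in crypto module. This is an added example, not code from the original chapter; the zero-padded one-block framing, the function names and the sample readings are constructed for illustration. It encrypts the same readings under ECB and under GCM and counts repeated ciphertext blocks, a check that can also be run over captured ciphertext to spot ECB in use.

```javascript
const crypto = require('crypto');

// Zero-pad one short reading to a single 16-byte AES block (demo framing only).
function toBlock(reading) {
  if (Buffer.byteLength(reading) > 16) throw new Error('reading longer than one block');
  const block = Buffer.alloc(16);
  block.write(reading);
  return block;
}

// Weak: AES-128-ECB encrypts every block independently, with no nonce or IV.
function encryptEcb(key, readings) {
  const c = crypto.createCipheriv('aes-128-ecb', key, null);
  c.setAutoPadding(false); // input is already block-aligned
  return Buffer.concat([c.update(Buffer.concat(readings.map(toBlock))), c.final()]);
}

// Recommended: AES-128-GCM, one fresh nonce per reading (nonce || ciphertext || tag).
function encryptGcm(key, readings) {
  return Buffer.concat(readings.map((r) => {
    const nonce = crypto.randomBytes(12);
    const c = crypto.createCipheriv('aes-128-gcm', key, nonce);
    return Buffer.concat([nonce, c.update(toBlock(r)), c.final(), c.getAuthTag()]);
  }));
}

// Count 16-byte ciphertext blocks that repeat an earlier block.
// A non-zero count is what ECB looks like to someone watching the traffic.
function repeatedBlocks(ciphertext) {
  const seen = new Set();
  let repeats = 0;
  for (let i = 0; i + 16 <= ciphertext.length; i += 16) {
    const hex = ciphertext.toString('hex', i, i + 16);
    if (seen.has(hex)) repeats += 1;
    seen.add(hex);
  }
  return repeats;
}

// Constructed sample: four readings, three of them identical.
function demo() {
  const key = crypto.randomBytes(16);
  const readings = ['22.5C', '23.1C', '22.5C', '22.5C'];
  return { ecb: repeatedBlocks(encryptEcb(key, readings)), gcm: repeatedBlocks(encryptGcm(key, readings)) };
}

console.log(demo()); // { ecb: 2, gcm: 0 }
```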

1442.8 Visual Reference Gallery

Modern visualization of symmetric encryption showing plaintext blocks transformed through SubBytes substitution, ShiftRows permutation, MixColumns diffusion, and AddRoundKey XOR operations across multiple rounds with the same shared secret key for encryption and decryption

AES symmetric encryption block cipher operations

Symmetric encryption provides efficient bulk data protection through shared secret keys, with AES achieving hardware-accelerated performance on constrained IoT devices.

Artistic rendering of asymmetric encryption showing mathematically related public and private key pairs, where data encrypted with public key can only be decrypted with corresponding private key, enabling secure key exchange without prior shared secrets

RSA public-private key pair cryptography

Asymmetric cryptography solves the key distribution problem, enabling secure communication between parties who have never exchanged secrets, fundamental to PKI and certificate-based IoT authentication.

1442.9 Summary

Symmetric vs Asymmetric:

  • Symmetric (AES): Fast, efficient, single shared key - use for bulk data
  • Asymmetric (RSA/ECC): Slower, key pairs - use for key exchange and signatures
  • Hybrid: Combine both for optimal security and performance

Selection Guidelines:

  • New connection → Asymmetric key exchange
  • Constrained device → ECC over RSA
  • Bulk data → Symmetric AES
  • Need authentication → Use GCM mode

Performance Rules:

  • AES-128 sufficient for most IoT (10+ year security)
  • ECC-256 equivalent to RSA-3072 with 10x smaller keys
  • Never use ECB mode - reveals data patterns

Note: Key Concepts
  • Hybrid Encryption: Combining asymmetric key exchange with symmetric data encryption
  • ECC (Elliptic Curve Cryptography): Smaller keys with equivalent security to RSA
  • AES-GCM: Authenticated encryption providing confidentiality and integrity
  • Block Cipher Modes: Different approaches to encrypting multiple blocks (ECB, CBC, CTR, GCM)

1442.10 What’s Next

Now that you understand the fundamental encryption approaches, continue to Multi-Layer Encryption Architecture where you’ll learn about the five-layer E1-E5 encryption model, implementing defense-in-depth security from device to cloud, and hands-on lab exercises for building complete encryption stacks.
