Time
12 hours 41 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers hybrid cryptography, which is a mix of symmetric and asymmetric cryptography and offers the best aspects of each: the speed of symmetric along with the strong security of asymmetric. Hybrid cryptography results in the opening of a secure channel once a symmetric session key has been shared between client and server.

Video Transcription

00:04
So we have this problem. So we have symmetric cryptography, which is very desirable. Um, it is very, very fast.
00:14
But then it has the problems of needing out-of-band key exchange.
00:18
It has, ah, a problem with scalability. It doesn't grow very well, and it only gives us privacy services. But again, we want to use it because it's very fast. Well, then we've got asymmetric cryptography that solves all those problems. But asymmetric cryptography is very slow.
00:37
So what we want to do is we want to find a way to use the best of both worlds and combine them so that we can get the speed of symmetric and then the other security services of asymmetric.
00:49
One of the ways that we see this, I think probably the easiest way to see this, is by looking at SSL, or of course TLS. They both work this way. So what we want to do, and here's a phrase I want you to have. I want you to have
01:03
asymmetric key exchange, symmetric
01:07
data exchange,
01:08
asymmetric key exchange, symmetric data exchange.
01:14
So remember we would prefer to use symmetric cryptography because of the speed, but I gotta figure out a way to get you the symmetric key.
01:23
Okay, so the way this would look in SSL is the client's gonna connect to the server for a secure transaction and they're gonna use HTTPS as their protocol, and that S stands for secure. And basically what it says is: server, send me your public key.
01:42
So the client connects to the server with HTTPS, the server then responds and sends the client its public key. The server's happy to give away its public key. Remember, there's nothing public, I'm sorry, there's nothing private on a public key. So if I were to connect to Bank of America with HTTPS,
02:00
Bank of America would happily send back its public key, right? Even if it's never heard from me, I'm not a client, never connected. Doesn't matter. Public key is public.
02:09
All right, great. So I've connected to a server.
02:13
I've asked for the server's public key.
02:15
The server's given me its public key.
02:19
Now, the third step is where this gets interesting.
02:22
So the client's browser generates a symmetric key, a symmetric session key, so it just randomly comes up with a number, a random key.
02:35
The problem. And that's what the server, that's what the client's gonna use to encrypt its information. And remember, we want to use symmetric cryptography,
02:42
so the client's generated this key. But how does it get that key to the server?
02:46
Well, what it does is it encrypts the key it's just generated with the server's public key.
02:53
You've got a key encrypted with a key
02:57
so that symmetric session key is encrypted with the server's public. If it's encrypted with the server's public key, what's the only thing that can decrypt? The server's private key, which only that server should have. So we found a way to securely distribute a symmetric session key.
03:16
So the client encrypts the symmetric key with the server's public, sends it to the server. The server uses its private key to decrypt it. Now it has been able to decrypt the symmetric session key the client generated. So the client knows the symmetric key. Both parties have that symmetric session key,
03:35
and now all data that is exchanged is encrypted with that symmetric key,
03:39
and that gives the illusion of us having a channel, a secure channel to communicate. It's almost like we're using CB radios and only you and I know the frequency across which we're gonna communicate and nobody else can get to that channel, that secure channel. So that's the way SSL and TLS work. Now there's an additional layer here
03:59
that we'll talk about once we get into certificates. But that's just a quick overview
04:03
of hybrid cryptography. Usually it revolves around asymmetric key exchange, symmetric data exchange. Now, with that being said, I expect some questions about SSL/TLS. Ah, for instance, they may ask you what type of cryptography does TLS use?
04:23
Okay, well, the best answer is it uses hybrid protection, right? That's the correct answer. Uses hybrid. The problem with that, though, um, is they're probably not going to give you that as an option. They're gonna force you to call it either symmetric or asymmetric. So the best answer's hybrid; if that's there, choose it.
04:43
But if they force you to choose between symmetric or asymmetric, you really have to call it asymmetric
04:47
cryptography. Anytime the word public key comes out of your mouth, you're automatically in an asymmetric environment. And the reason that's important is because, um,
05:00
an asymmetric environment is going to require a public key infrastructure.
05:04
SSL and TLS are dependent upon a PKI, and we'll get into the details about that later. But long story short,
05:14
um,
05:15
how does the server get a public and private key? How does that get bound to their identity? How is that key revoked if there's a compromise? What sort of applications are necessary in order to use public/private keys? You know, there're all sorts of issues and questions about that
05:32
and those questions there, and problems, were solved with a public key infrastructure. So if you have to label it either symmetric or asymmetric,
05:40
you have to call it asymmetric because it needs a PKI.
05:44
Now, the second question, this might be 15 questions later, they might say what type of cryptography does TLS use for data exchange?
05:53
Well, for data exchange, that's very different. For data exchange, it uses symmetric cryptography;
05:58
for key exchange, it uses asymmetric.
06:00
Okay, so watch for questions like that. They could be a little bit tricky. But I do think SSL/TLS, they're really the best ways to see, it's really the best approach to understanding how hybrid cryptography works. Asymmetric key exchange, symmetric data exchange.

Instructed By

Kelly Handerhan
Senior Instructor