Encryption Basics - Symmetric vs Asymmetric Keys: What Developers Need to Know
If you don't know how AES, RSA, and HTTPS work, read this. Core encryption concepts explained with practical examples.
Toolypet Team
Development Team
Encryption Basics: Symmetric vs Asymmetric Keys
"Please encrypt this data and send it."
When you hear this, do you know exactly what to do and how?
There are two main types of encryption. If you don't know when to use each, your security design could be flawed.
Encryption vs Hashing
First, let's clarify these commonly confused concepts.
| Encryption | Hashing | |
|---|---|---|
| Direction | Bidirectional (decryptable) | One-way (irreversible) |
| Purpose | Data protection | Integrity verification, password storage |
| Key required | Yes | No |
| Examples | AES, RSA | SHA-256, bcrypt |
Encryption: Original data can be recovered Hashing: Original data cannot be recovered
Use hashing for password storage, encryption for data transmission.
Symmetric Key Encryption
Concept
Encrypt with one key, decrypt with the same key.
Plaintext + Key → Encrypt → Ciphertext
Ciphertext + Key → Decrypt → Plaintext
Example: A Lock
Think of a house key. You lock and unlock with the same key.
Common Algorithms
| Algorithm | Key Length | Status |
|---|---|---|
| AES-256 | 256bit | Current standard |
| AES-128 | 128bit | Secure |
| 3DES | 168bit | Legacy |
| DES | 56bit | Vulnerable |
Code Example (Node.js)
const crypto = require('crypto');
// Generate key (store securely in production)
const key = crypto.randomBytes(32); // AES-256
const iv = crypto.randomBytes(16); // Initialization vector
// Encrypt
function encrypt(text) {
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
let encrypted = cipher.update(text, 'utf8', 'hex');
encrypted += cipher.final('hex');
return encrypted;
}
// Decrypt
function decrypt(encrypted) {
const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
let decrypted = decipher.update(encrypted, 'hex', 'utf8');
decrypted += decipher.final('utf8');
return decrypted;
}
const secret = "sensitive data";
const encrypted = encrypt(secret);
const decrypted = decrypt(encrypted);
console.log(encrypted); // "a3f8b2c1..."
console.log(decrypted); // "sensitive data"
Pros and Cons
| Pros | Cons |
|---|---|
| Fast | Key sharing problem |
| Suitable for large data | If key is exposed, game over |
| Simple implementation | Complex key management |
The Key Sharing Problem
If A wants to send an encrypted message to B, A must deliver the key to B first.
But how do you securely deliver that key?
Asymmetric key encryption solves this problem.
Asymmetric Key Encryption
Concept
Uses two keys:
- Public Key: Anyone can know it
- Private Key: Must never be shared
Encrypt with public key → Only private key can decrypt
Sign with private key → Verify with public key
Example: A Mailbox
- Public key = Mailbox (anyone can drop a letter)
- Private key = Mailbox key (only owner can retrieve letters)
Common Algorithms
| Algorithm | Use Case | Key Length |
|---|---|---|
| RSA | Encryption, signing | 2048+ bit |
| ECDSA | Signing | 256+ bit |
| Ed25519 | Signing | 256bit |
Code Example (Node.js RSA)
const crypto = require('crypto');
// Generate key pair
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
});
// Encrypt with public key
function encryptWithPublic(text) {
return crypto.publicEncrypt(publicKey, Buffer.from(text)).toString('base64');
}
// Decrypt with private key
function decryptWithPrivate(encrypted) {
return crypto.privateDecrypt(privateKey, Buffer.from(encrypted, 'base64')).toString();
}
const secret = "sensitive data";
const encrypted = encryptWithPublic(secret);
const decrypted = decryptWithPrivate(encrypted);
console.log(decrypted); // "sensitive data"
Digital Signatures
When you sign with a private key, anyone can verify who signed using the public key.
// Sign with private key
const sign = crypto.createSign('SHA256');
sign.update('message');
const signature = sign.sign(privateKey, 'base64');
// Verify with public key
const verify = crypto.createVerify('SHA256');
verify.update('message');
const isValid = verify.verify(publicKey, signature, 'base64');
console.log(isValid); // true
Pros and Cons
| Pros | Cons |
|---|---|
| Solves key sharing problem | Slow (1000x slower than symmetric) |
| Enables digital signatures | Not suitable for large data |
| Public key can be freely distributed | Longer key lengths |
In Practice: Using Both Together (Hybrid Encryption)
This is how HTTPS works.
Process
1. Server: Generate RSA public/private key pair
2. Client: Receive server's public key
3. Client: Generate AES session key
4. Client: Encrypt session key with RSA public key → Send to server
5. Server: Decrypt session key with RSA private key
6. Both: Communicate using AES session key
Why Do It This Way
- RSA: Used only for key exchange (slow but secure)
- AES: Used for actual data encryption (fast)
Using the best of both worlds.
Practical Checklist
When Using Symmetric Keys (AES)
- Use AES-256 or AES-128
- Generate new IV (initialization vector) for each encryption
- Store keys in environment variables or KMS
- Never use ECB mode (use CBC, GCM instead)
When Using Asymmetric Keys (RSA)
- Use minimum 2048bit keys
- Never expose private keys
- Use OAEP padding (avoid PKCS#1 v1.5)
- Establish key rotation policy
FAQ
Q: Should I encrypt API keys for storage?
A: Use environment variables or secret management tools (AWS Secrets Manager, HashiCorp Vault) instead of encryption. Even with encryption, you still have the decryption key management problem.
Q: Is encrypting on the client-side secure?
A: No. Client-side code is visible to everyone, exposing the key. Sensitive encryption should be done server-side.
Q: Is SHA-256 encryption?
A: No. SHA-256 is hashing. It cannot be decrypted. If you need to recover data, use encryption like AES.
Summary
| Scenario | Algorithm |
|---|---|
| Large data encryption | AES-256 |
| Key exchange | RSA, ECDH |
| Digital signatures | RSA, ECDSA, Ed25519 |
| Password storage | bcrypt, Argon2 (hashing) |
| HTTPS communication | Hybrid (RSA + AES) |
Related Tools
| Tool | Purpose |
|---|---|
| Encryption/Decryption | AES encryption |
| RSA Key Generator | RSA key pair generation |
| Hash Generator | SHA, MD5 hashing |
About the Author
Toolypet Team
Development Team
The Toolypet Team creates free, privacy-focused web tools for developers and designers. All tools run entirely in your browser with no data sent to servers.