Asymmetric algorithms (also sometimes called public-key algorithms) are designed in such a way that the key used for encryption is different from the key used for decryption, as shown in Figure 24-3. The decryption key cannot (at least in any reasonable amount of time) be calculated from the encryption key and vice versa.
Figure 24-3. Asymmetric (Public Key) Encryption
The main feature of asymmetric encryption algorithms is that the encryption key (often called the public key) does not have to be secret; it can be published freely and anyone can use this key to encrypt data. The corresponding decryption key (often called the private key) is known only to a single entity that can decrypt data encrypted with the encryption key. Therefore, when you need to send an encrypted message to someone else, you first obtain the public (encryption) key of the other person and transform the message with it. Only the recipient knows the private (decryption) key and can, therefore, decrypt the message.
Asymmetric algorithms are relatively slow (up to 1000 times slower than symmetric algorithms). Their design is based on computational problems, such as factoring extremely large numbers or computing discrete logarithms of extremely large numbers.
The best-known asymmetric cryptographic algorithms are the Rivest, Shamir, and Adleman (RSA); ElGamal; and elliptic curve algorithms. RSA is recommended because it is widely trusted for its resistance against attacks and well-known internals. Because of their lack of speed, asymmetric encryption algorithms are usually used to protect small quantities of data (such as digital signatures or key exchange). Key exchange allows you to use the slower, more secure asymmetric algorithm to protect the exchange of a faster symmetric key algorithm over a public network, such as the Internet.
Key management tends to be simpler compared to symmetric (secret key) algorithms. As stated earlier, with asymmetric encryption, each device has a pair of keys (public and private). The public key of each device has to be publicly available (known by all other devices) to allow a full mesh of encrypted communication, whereas with symmetric encryption different symmetric keys have to be safely distributed for each combination of two peers. Asymmetric keys are usually used for a longer time (months to years).
Symmetric Encryption Example: RSA
Ronald L. Rivest, Adi Shamir, and Leonard M Adleman invented the RSA algorithm in 1977. It was a patented public-key algorithm, and its patent expired in September 2000, putting the algorithm in the public domain. Of all the public-key algorithms proposed over the years, RSA is still the most strongly preferred.
RSA has withstood years of extensive cryptoanalysis, and although analysis has neither proven nor disproven the security of the RSA algorithm, it does suggest a justifiable confidence. The security of RSA is based on the difficulty of factoring very large numbers, that is, breaking them into multiplicative factors. If an easy method of factoring these large numbers were discovered, the effectiveness of RSA would be destroyed (and, as a side effect, mathematics might take a huge leap). RSA keys are usually 1024 to 2048 bits long.
RSA, like all asymmetric encryption algorithms, can be used in two different ways:
RSA is used for device authentication (IP phone to Cisco CallManager and vice versa) in Cisco IP telephony.
Part I: Cisco CallManager Fundamentals
Introduction to Cisco Unified Communications and Cisco Unified CallManager
Cisco Unified CallManager Clustering and Deployment Options
Cisco Unified CallManager Installation and Upgrades
Part II: IPT Devices and Users
Cisco IP Phones and Other User Devices
Configuring Cisco Unified CallManager to Support IP Phones
Cisco IP Telephony Users
Cisco Bulk Administration Tool
Part III: IPT Network Integration and Route Plan
Cisco Catalyst Switches
Configuring Cisco Gateways and Trunks
Cisco Unified CallManager Route Plan Basics
Cisco Unified CallManager Advanced Route Plans
Configuring Hunt Groups and Call Coverage
Implementing Telephony Call Restrictions and Control
Implementing Multiple-Site Deployments
Part IV: VoIP Features
Configuring User Features, Part 1
Configuring User Features, Part 2
Configuring Cisco Unified CallManager Attendant Console
Configuring Cisco IP Manager Assistant
Part V: IPT Security
Securing the Windows Operating System
Securing Cisco Unified CallManager Administration
Preventing Toll Fraud
Hardening the IP Phone
Understanding Cryptographic Fundamentals
Understanding the Public Key Infrastructure
Understanding Cisco IP Telephony Authentication and Encryption Fundamentals
Configuring Cisco IP Telephony Authentication and Encryption
Part VI: IP Video
Introducing IP Video Telephony
Configuring Cisco VT Advantage
Part VII: IPT Management
Introducing Database Tools and Cisco Unified CallManager Serviceability
Configuring Alarms and Traces
Using Additional Management and Monitoring Tools
Part VIII: Appendix
Appendix A. Answers to Review Questions