Something I don't get about AES encryption

Question

I'm using RSA encryption in an application I was working on, and it felt pretty much secure... You got a public key that encrypts it and a private key that decrypts it.

Now I wish to use AES in a different application, and the idea of having the same key for client-side and server-side bothers me... Isn't the server-side key should be kept secret from the client? Since otherwise, if the encryption key ain't secret that why bother encrypting with it anyway?

Maybe I don't know enough about encryption, it just seem a bit strange and I hope someone here could clarify the confusion for me...

Much thanks!

Answer 1

One important factor is that RSA is very slow compared to AES. Something like 500 times slower (depending on key length and if you have hw support etc.).

This is why RSA is often used in combination with a fast symmetric algorithm like AES. This is refered to as hybrid encryption. With this methode you generate a symmetric key (e.g AES), that is used to encrypt the message payload. The key itself you then encrypt with the asymetric key (RSA) and pass it along with the encrypted message. This gives you the speed of the symetric encryption, and the convinience of the asymetric algorithm.

In cases where it's the same person encrypting and decrypting you would prefer the fast AES over the slow RSA

Answer 2

Isn't the server-side key should be kept secret from the client?

Depends if they trust each other, then no, it should not be secret. Moreover it can't be secret if you want to use symmetric cryptography because both parties need to share a secret key.

Since otherwise, if the encryption key ain't secret that why bother encrypting with it anyway?

It is secret, only the server and client are supposed to know it - nobody else.

Note often the usage is one party generates a session key such as key of AES, encrypts it using pubic key of another party - and sends encrypted key to another party, who can decrypt it. Then this AES key can be used for communication.

Answer 3

AES is a symmetric algorithm. Both ends must have the same key. You need a secure way to share that key between the two endpoints. That is the problem that public-key cryptography solves.