How to keep symmetric and asymmetric cryptography straight

Whether you’re studying for the CEH, CISSP, Pentest+, or even the Security+, there’s always one question about cryptography, and it’s easy to miss! Want to hear a cool trick to keep symmetric and asymmetric cryptography straight in your head? Keatron Evans has one, and he told it to me — stay tuned and listen closely because it’s a Cyber Work Hacks!

0:00 - Cryptography exam tips

0:23 - Certifications with cryptography questions

1:15 - Symmetric versus asymmetric cryptography

3:40 - Learn more about cryptography

4:50 - Find and learn from Keatron Evans

[00:00:00] CS: Whether you're studying for the CEH, the CISSP, the PenTest+, or even the Security+, there's always one question about cryptography on there, and it can be really easy to miss. Want to hear a cool trick to keep symmetric and asymmetric cryptography straight in your head? Keatron Evans has one, and he told it to me.

[00:00:23] CS: So you've previously told me that many different certifications have a small handful of questions or maybe even just one question about cryptography on them. What are the certs that contain one or more cryptography questions, and why is it a subject that requires at least passing knowledge across platforms?

[00:00:39] KE: Well, I mean, CISSP, Security+, Certified Ethical Hacker, even some of the forensics certifications, pretty much most of the cybersecurity certifications across the board, if they're mid to low level or higher, they'll have some type of cryptography question.

[00:00:59] CS: Yeah, but not a lot of them. It sounds like it's all just kind of like they want you to have some sense of cryptography.

[00:01:06] KE: Exactly, yeah. Basic understanding.

[00:01:08] CS: Okay. So I understand that the question or questions on cryptography won't be identical on each of the different cert exams. But what is the overarching concept you need to understand about cryptography to answer it correctly, and why is this concept important to cybersecurity professionals of all specialties?

[00:01:25] KE: Yeah. Well, the overarching concept is just understanding the difference between what we call asymmetric and symmetric cryptography.

[00:01:32] CS: Got it.

[00:01:33] KE: With asymmetric, it really just means that there are two keys, two secret pieces that we have. One we share with the world, one we keep to ourselves. That’s so that we can give the world a way to encrypt something and give it to us, and we have the associated private key, which will be the only way to decrypt that something. Understanding that and then understanding on the symmetric side, it's where we generally share a key, right?

The main thing that people don't understand is the fact that, in most cases, we use asymmetric cryptography to set up a symmetric tunnel so that we can communicate with the same key. Because if I'm telling you that we're going to communicate using a secret word, then I have to have a way to get you that secret word that we can use without everybody else hearing it. The secret word that we use is what we use to do symmetric cryptography. But I will get that word to you using asymmetric cryptography.

[00:02:29] CS: Oh, interesting. Okay. So that's the one sort of one quick trick that you said because you pitch this to me as something that comes up in your classes, and your students are always excited when they hear it.

[00:02:42] KE: Yeah. That's because nobody ever bothers to explain that, generally, we use asymmetric and symmetric together. When you visit a website and you communicate securely to that website, you're using a combination of symmetric and asymmetric, and we just call it hybrid, where you have the two combined.

If you set up your communication channel with that website, the SSL channel, you set it up asymmetrically with a temporary key, and then you use that temporary connection to send that secret across. Now, you and the website share in that secret, and that's your session key for that session. So that's... We do this every single day all day long, and it's amazing.

Like most of the writings out there, when they're teaching people cryptography, they don't bother to mention that fact. If you’re going through with that understanding that, okay, we normally use these two together, we use asymmetric to set up symmetric, mostly, a lot of other things just start to make a lot more sense at that point.

[00:03:37] CS: I love it. I mean, that's going to be awesome for our listeners, and I think they're going to be really excited to have that insight. If they enjoyed learning this one weird trick about cryptography and getting just enough to sort of get through the exam, can you talk about how going deeper into the subject of cryptography might enhance their learning and understanding of all facets of cybersecurity, even if it’s not the main –

[00:04:01] KE: Sure, absolutely. So if you take what I just said, and you want to go a little deeper with it, in modern times, if we're talking about asymmetric cryptography, 9 times out of 10 on any certification exam, they're talking about RSA. The way you remember that is asymmetric begins with the letter A. RSA ends with the letter A. So there's an association there that you can always remember, right?

If we're talking about symmetric cryptography, 9 times out of 10, we're talking about something called AES, right? The same thing, symmetric begins with the letter S. AES ends with the letter S. So you can associate that. If you just remember those two things, you'll never really get confused about whether AES and RSA are symmetric or asymmetric, because those are the two that we mostly use for modern cryptography.

[00:04:50] CS: Nice. I love that. So for our listeners who are ready to apply their newfound concepts, tell them about where they can find you on the Infosec platform. What are some of the boot camps, classware, and skills tests that they can learn more from Keatron Evans with?

[00:05:02] KE: I teach ethical hacking a good bit, of course, advanced ethical hacking, which is mostly exploit writing and exploit development. I also do cyber threat hunting. In the skills platform, I have several paths. There's the incident response path. That's mine. So if you go and do incident response learning path, that's me. I also have the ethical hacking, the CEH. I also have the cybersecurity foundations. Of course, that's really popular.

[00:05:33] CS: That's awesome. Keatron Evans, thank you so much for your time and insights today. This was so much fun.

[00:05:37] KE: Thank you.

[00:05:38] CS: And thank you all for watching this episode. This is the first in a series of short videos that we'll be releasing weekly, so check back soon for more. Until then, we'll see you next time.

[00:05:47] CS: Hey, if you're worried about choosing the right cybersecurity career, click here to see the 12 most in-demand cybersecurity roles. I ask experts working in the field how to get hired and how to do the work of these security roles, so you can choose your study with confidence. I'll see you there.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.