symmetric key vs RSA key

I am using POCO libraries for encryption. While the class RSAKey has methods for saving the key, the class CipherKey representing a symmetric key does not have any straight forward methods to persist the key. All that the class offers is a getKey method which returns a vector<BYTE>. Also, I need to get the Initialization vector so I can recreate a CipherKey as needed. Why does it have to be so complex? Why this difference between RSA and symmetric keys? A symmetric key is not expected to be persisted? How do the other libraries work?
LVL 1
Who is Participating?

Commented:
In asymmetric encryption, the key consists of a (top secret) private key and a public key. So the very concetpt is based on publishing thepublic key and to this end stick to it for a length of time (up to years). As a consequence, the private key must be stored (and must be stored especially safely) for the same amount of time. And it should be *really* safe, as in not even exploitable by the program using the library.

With symmetric encryption, both sides have to agree on the key. This poses the problem of secretly agreeing on the key in the first place. And it also makes extended use o fthe same key dangerous (e.g. preventing your system from being compromised is not enough, you have to hope that your comuunication partner is not compromised either). This might be a reason why such a library does not give methods to permanently store a key that has origined from a source external to the library in the first place ...
0

Commented:
Symmetric vs. asymmetric algorithms
When using symmetric algorithms, both parties share the same key for en- and decryption. To provide privacy, this key needs to be kept secret. Once somebody else gets to know the key, it is not safe any more. Symmetric algorithms have the advantage of not consuming too much computing power. A few well-known examples are: DES, Triple-DES (3DES), IDEA, CAST5, BLOWFISH, TWOFISH.
Asymmetric algorithms use pairs of keys. One is used for encryption and the other one for decryption. The decryption key is typically kept secretly, therefore called ``private key'' or ``secret key'', while the encryption key is spread to all who might want to send encrypted messages, therefore called ``public key''. Everybody having the public key is able to send encrypted messages to the owner of the secret key. The secret key can't be reconstructed from the public key. The idea of asymmetric algorithms was first published 1976 by Diffie and Hellmann.

Asymmetric algorithms seem to be ideally suited for real-world use: As the secret key does not have to be shared, the risk of getting known is much smaller. Every user only needs to keep one secret key in secrecy and a collection of public keys, that only need to be protected against being changed. With symmetric keys, every pair of users would need to have an own shared secret key. Well-known asymmetric algorithms are RSA, DSA, ELGAMAL.

However, asymmetric algorithms are much slower than symmetric ones. Therefore, in many applications, a combination of both is being used. The asymmetric keys are used for authentication and after this has been successfully done, one or more symmetric keys are generated and exchanged using the asymmetric encryption. This way the advantages of both algorithms can be used. Typical examples of this procedure are the RSA/IDEA combination of PGP2 or the DSA/BLOWFISH used by GnuPG.

0

Technology GeneralistAuthor Commented:
well, while the response talks about encryption in general it does not address the core of my question. Why would a libray offering both encryption algorithms make it more difficult to persist one key while providing methods to save the other one relatively easily?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.