Symmetric vs Asymmetric Encryption
Here's a fact that confuses every cryptography student exactly once: every single TLS connection uses two completely different kinds of cryptography. It uses one to set up the conversation and a different one to carry the actual data. This isn't accidental: the slow kind is the only way to get a key to a stranger, and the fast kind is the only way to move the data, so neither works without the other.
Symmetric Encryption — Fast But With A Problem
Symmetric encryption is the kind you learned about as a kid. Both sides share the same key. The sender locks the message with the key, the receiver unlocks it with the same key.
Modern symmetric encryption (like AES) is blazingly fast. Using the AES instructions built into most current CPUs, your laptop can encrypt and decrypt several gigabytes per second per core. It's used for everything that needs speed: disk encryption, video streaming, Wi-Fi.
But it has one fatal weakness. How do you get the key to the other person?
If Maria wants to send Daniel a secret message and they share a key, Daniel needs to already know the key. If they meet in person, easy. If they're strangers on opposite sides of the internet who have never talked before — well. Maria can't just send Daniel the key, because anyone in the middle would copy it. The same eavesdroppers who would read the message will also read the key delivery.
This is called the key distribution problem, and for thousands of years it was the bottleneck of all cryptography. Spies, governments, militaries — everyone struggled with it.
Asymmetric Encryption — Slow But Magical
In the 1970s, a small group of cryptographers (Diffie, Hellman, Merkle, and later Rivest, Shamir, Adleman) cracked it open. They invented asymmetric encryption — also called public-key cryptography.
The trick: each person gets two keys that are mathematically linked.
- A public key, which they hand out to anyone — print it on a business card if you want;
- A private key, which they keep secret forever.
Here's the magic: anything encrypted with the public key can only be decrypted with the private key. So anyone can send the owner a secret, but only the owner can read it. (The same pair also works the other way round: something produced with the private key can be checked by anyone holding the public key. That is a digital signature, and TLS needs those too, but this section is about encryption.)
When Maria wants to send Daniel a secret message, she asks Daniel for his public key (which he posts publicly), encrypts the message with it, and sends it. The eavesdropper sees the public key and the encrypted message but can't decrypt it — because they don't have Daniel's private key.
The key distribution problem disappears: no prior meeting required. One caveat to keep in mind: this defeats an eavesdropper who can only listen. Someone who can also tamper with the traffic could hand Maria their own public key while claiming to be Daniel, so Maria still needs a way to check whose public key she is holding. That is a separate mechanism (certificates), not something public-key encryption solves by itself.
So why don't we just use asymmetric encryption for everything?
The Catch — Asymmetric Is Brutally Slow
Asymmetric encryption is hundreds to thousands of times slower than symmetric, byte for byte. A single RSA operation can also only handle a message smaller than the key itself (a few hundred bytes for a 2048-bit key, less once padding is taken into account), so even a 4 KB file has to be split into dozens of separate operations, each costing roughly as much as AES spends on a megabyte. The math is modular arithmetic on enormous numbers, typically 2048 to 4096 bits long, which doesn't map onto a CPU's native 64-bit words the way AES maps onto its dedicated instructions.
If you tried to encrypt all your HTTPS traffic with RSA, watching a YouTube video would melt your laptop.
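As an added example (not code from the original page), here are the two facts from the last two sections in runnable form: the public-key property (anyone encrypts to Daniel's public key, only Daniel's private key opens it) and the size limit that makes RSA unusable for bulk data. It uses only Go's standard library, `crypto/rsa` with OAEP padding. The function names `newRSAKeyPair`, `encryptToPublicKey`, `decryptWithPrivateKey` and `operationsNeeded` are this example's own, and the sample message is made up.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newRSAKeyPair is Daniel's setup: the public half gets published, the private half never leaves his machine.
func newRSAKeyPair(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// maxPlaintextLen is the most one RSA-OAEP (SHA-256) operation can carry:
// modulus size minus 2*hash size minus 2 bytes of padding (RFC 8017, section 7.1.1).
// For a 2048-bit key that is 256 - 64 - 2 = 190 bytes.
func maxPlaintextLen(pub *rsa.PublicKey) int { return pub.Size() - 2*sha256.Size - 2 }

// encryptToPublicKey is what anyone holding Daniel's public key can do.
func encryptToPublicKey(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	if len(msg) > maxPlaintextLen(pub) {
		return nil, fmt.Errorf("message of %d bytes exceeds the %d-byte RSA-OAEP limit", len(msg), maxPlaintextLen(pub))
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// decryptWithPrivateKey is what only Daniel can do; any other private key just gets an error.
func decryptWithPrivateKey(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, nil)
}

// operationsNeeded counts the separate RSA operations (each a private-key decryption on
// Daniel's side) a message of n bytes would cost if you refused to switch to a symmetric cipher.
func operationsNeeded(pub *rsa.PublicKey, n int) int {
	chunk := maxPlaintextLen(pub)
	return (n + chunk - 1) / chunk
}

func main() {
	daniel, err := newRSAKeyPair(2048)
	if err != nil {
		panic(err)
	}
	pub := &daniel.PublicKey
	ciphertext, err := encryptToPublicKey(pub, []byte("meet at noon")) // constructed sample message
	if err != nil {
		panic(err)
	}
	plain, err := decryptWithPrivateKey(daniel, ciphertext)
	fmt.Printf("ciphertext %d bytes, decrypts to %q (err=%v)\n", len(ciphertext), plain, err)
	fmt.Printf("one operation carries at most %d bytes; a 4 KB file would need %d of them\n",
		maxPlaintextLen(pub), operationsNeeded(pub, 4096))
}
```

Two things to notice when you run it: a 12-byte message comes back as a 256-byte ciphertext (every RSA output is the size of the modulus), and a 4 KB file would need 22 separate private-key operations. Decrypting with the wrong private key doesn't yield garbage, it fails outright, because OAEP's padding check doesn't pass.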
The Hybrid Trick — Use Both
TLS solves the dilemma by combining them like a relay race:
- Step 1 — Asymmetric cryptography is used at the start of the connection (the handshake) to agree on a shared secret that no eavesdropper can work out. In practice this is ephemeral Diffie-Hellman (ECDHE), with the server signing the exchange to prove who it is. This is just a few small messages, so slow doesn't matter for a one-time setup;
- Step 2 — Symmetric encryption uses that shared secret (after it has been run through a key derivation function) as its key and carries every byte of the actual conversation. This is the fast part, and it is almost all of the data.
It's like meeting a stranger in a public square: you use a clever public protocol (asymmetric) to whisper a one-time password to each other, then walk away and chat normally (symmetric) using that password as your code word. The hard part happens once. The easy part happens millions of times.
This is the fundamental architecture of TLS. Every TLS connection — every HTTPS page load — does this dance.
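The relay race above, as an added example in Go rather than code from the page or from any TLS library: step 1 with ephemeral X25519 Diffie-Hellman (ECDHE), step 2 with AES-128-GCM, using only the Go standard library. The HKDF key-derivation routine is written out inline, the `"demo session key"` label and the function names are this example's own, and the message is a constructed sample. What it deliberately leaves out is the server's certificate and signature over the key share; in real TLS those are what tell Maria the public key really is Daniel's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newX25519KeyPair makes one side's ephemeral key pair, fresh per connection (the "E" in ECDHE).
// Only priv.PublicKey().Bytes() ever crosses the wire; an eavesdropper may copy those 32 bytes freely.
func newX25519KeyPair() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// hkdfSHA256 turns raw Diffie-Hellman output into a uniform key (HKDF, RFC 5869: HMAC
// extract, then a single expand block, which covers lengths up to 32 bytes).
func hkdfSHA256(secret, salt, info []byte, length int) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{1})
	return expand.Sum(nil)[:length]
}

// deriveSessionKey is step 1: my private key combined with the peer's public key gives a
// secret both sides share but nobody who saw only the two public keys can compute.
func deriveSessionKey(priv *ecdh.PrivateKey, peerPublic []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	// "demo session key" is a made-up label; TLS 1.3 binds its labels to the handshake transcript.
	return hkdfSHA256(shared, nil, []byte("demo session key"), 16), nil // 16 bytes: AES-128
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord is step 2: AES-128-GCM with a random nonce prepended. aad is authenticated
// but not encrypted (TLS puts the record header there).
func sealRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord reverses sealRecord and fails if even one bit of the record was changed.
func openRecord(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("truncated record")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// main walks the relay race once: handshake, then one encrypted record from Maria to Daniel.
func main() {
	maria, err := newX25519KeyPair()
	check(err)
	daniel, err := newX25519KeyPair()
	check(err)
	mariaKey, err := deriveSessionKey(maria, daniel.PublicKey().Bytes()) // Maria received Daniel's 32 bytes
	check(err)
	danielKey, err := deriveSessionKey(daniel, maria.PublicKey().Bytes()) // Daniel received Maria's
	check(err)
	sealed, err := sealRecord(mariaKey, []byte("The eagle has landed"), []byte("record 1")) // constructed sample
	check(err)
	plain, err := openRecord(danielKey, sealed, []byte("record 1"))
	check(err)
	fmt.Printf("handshake: 32 bytes each way; record: %d bytes; Daniel reads: %s\n", len(sealed), plain)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
```

The whole asymmetric part is two 32-byte public keys; everything after that is AES. A third party who generates their own X25519 key and combines it with Daniel's public key gets a different session key and can't open the record. Flip one byte of the sealed record and `openRecord` returns an error rather than garbage, which is the integrity check the detour at the end of this section is about.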
Real Algorithm Names You'll See
You'll bump into these names everywhere:
- Asymmetric (used in the handshake) — RSA (can both encrypt and sign), ECDHE (key agreement), ECDSA and Ed25519 (signatures only);
- Symmetric (used for the data) — AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305. All three are AEAD ciphers: encryption with a built-in integrity check.
Don't memorize them. Just know which type each one is. We'll dissect cipher suite names in Section 2.
A Quick Detour — There's A Third Thing Too
TLS also needs to detect tampering, to make sure no byte was flipped in transit. Plain symmetric encryption doesn't catch that: flip a bit of the ciphertext and decryption quietly produces different plaintext, with no error. So TLS adds a third primitive: hashing and message authentication codes. (The GCM and Poly1305 in the cipher names above are exactly that check, bundled with the cipher into one AEAD operation.) That's the next chapter.