
Asymmetric Encryption

Cryptography · PHP 5.0+ · Advanced
debt(d5/e5/b5/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5): semgrep rules can flag openssl_public_encrypt with PKCS#1 v1.5 padding, or RSA used for bulk data, but this requires a security-focused tool, not a default linter.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor' (e5): swapping the padding mode is a one-line change (quick_fix), but moving from raw RSA to hybrid encryption (RSA-wrap an AES key, AES-encrypt the data) requires restructuring the encryption layer across multiple call sites.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5): crypto choices applied across web and CLI contexts shape key management, certificate handling, and rotation policies for many work streams; not architecture-defining, but a sustained tax.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7): the misconception that asymmetric is simply 'better' than symmetric, the encryption-vs-signing key-direction confusion, and the silent Bleichenbacher vulnerability in the default PKCS#1 v1.5 padding all contradict naive intuition.


Also Known As

public key cryptography, RSA, ECC, public key encryption

TL;DR

A cryptographic system with a public key (shared freely) and a private key (kept secret) — data encrypted with the public key can only be decrypted with the private key.

Explanation

RSA and ECC (Elliptic Curve Cryptography) are the dominant asymmetric systems. The public key encrypts or verifies; the private key decrypts or signs. Asymmetric encryption solves the key distribution problem — you can share your public key openly. However, it is 100-1000× slower than symmetric encryption, so in practice it is used to encrypt a symmetric session key (hybrid encryption), which then encrypts the actual data. TLS uses this hybrid approach.

Diagram

flowchart LR
    subgraph Key_Generation
        PRIV[Private Key<br/>kept secret]
        PUB[Public Key<br/>shared freely]
        PRIV -.->|mathematically linked| PUB
    end
    subgraph Encryption
        PLAIN[Plaintext] -->|encrypt with PUBLIC key| CIPHER[Ciphertext]
        CIPHER -->|decrypt with PRIVATE key| PLAIN2[Plaintext]
    end
    subgraph Signing
        MSG[Message] -->|sign with PRIVATE key| SIG[Signature]
        SIG -->|verify with PUBLIC key| VALID[Valid or Invalid]
    end
style PRIV fill:#f85149,color:#fff
style PUB fill:#238636,color:#fff
style CIPHER fill:#6e40c9,color:#fff
style VALID fill:#238636,color:#fff

Common Misconception

Asymmetric encryption is better than symmetric — they serve different purposes; asymmetric solves key exchange, symmetric handles bulk data; TLS uses both together.

Why It Matters

Understanding asymmetric encryption explains how HTTPS, SSH keys, JWTs, and code signing work — it is the foundation of all secure internet communication.

Common Mistakes

  • Encrypting large data directly with RSA — RSA is limited to key size minus padding; use hybrid encryption for bulk data.
  • Using RSA 1024 — considered broken; use RSA 4096 or prefer Ed25519 for new systems.
  • Confusing encryption (public key encrypts, private decrypts) with signing (private key signs, public verifies).
  • Not verifying the certificate chain — public keys must be trusted via PKI; a bare public key with no chain verification is not secure.

Code Examples

✗ Vulnerable
// RSA encryption of large data — will fail or be insecure:
$data = file_get_contents('largefile.pdf'); // Several MB
openssl_public_encrypt($data, $encrypted, $publicKey); // default padding is PKCS#1 v1.5
// RSA max data size: (key_size/8) - 11 bytes for PKCS#1 v1.5 padding, or - 42 bytes for OAEP (SHA-1)
// Encrypting 1MB with RSA-2048 fails — data too large; the call returns false, which is easy to miss if unchecked
✓ Fixed
// Hybrid encryption — correct approach (AES-GCM needs PHP 7.1+):
$data = file_get_contents('largefile.pdf');
// 1. Generate a random AES-256 key and a 96-bit nonce (never reuse a nonce with the same key)
$sessionKey = random_bytes(32);
$iv = random_bytes(12);
// 2. Encrypt the data with AES-256-GCM (fast, authenticated); $tag receives the auth tag
$encryptedData = openssl_encrypt($data, 'aes-256-gcm', $sessionKey, OPENSSL_RAW_DATA, $iv, $tag);
// 3. Encrypt the AES key with RSA-OAEP (small — just 32 bytes); never the PKCS#1 v1.5 default
if (!openssl_public_encrypt($sessionKey, $encryptedKey, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
    throw new RuntimeException('RSA key wrap failed: ' . openssl_error_string());
}
// Store: $encryptedKey + $iv + $tag + $encryptedData
// Decrypt: RSA-OAEP decrypt $encryptedKey → AES-GCM decrypt $encryptedData with $iv and $tag
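The full round trip for the hybrid scheme above, plus sign/verify with the same key pair to make the key-direction rule concrete. This is an added example, not code from the original entry; it assumes PHP 7.1+ with the openssl extension and generates a throwaway key pair in memory.

```php
<?php
// Added example: hybrid encrypt/decrypt and sign/verify. Assumes PHP 7.1+ (AES-GCM) and ext-openssl.
// Throwaway RSA-3072 key pair for the demo; in production, load keys from secure storage.
$privateKey = openssl_pkey_new(['private_key_bits' => 3072, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicKey  = openssl_pkey_get_public(openssl_pkey_get_details($privateKey)['key']);

// Encrypt: RSA-OAEP wraps a random AES-256 key; AES-256-GCM encrypts the bulk data.
function hybridEncrypt(string $plaintext, $publicKey): array {
    $sessionKey = random_bytes(32);
    $iv = random_bytes(12); // 96-bit nonce; never reused with the same key
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $sessionKey, OPENSSL_RAW_DATA, $iv, $tag);
    // OAEP padding, not the PKCS#1 v1.5 default that the Quick Fix warns about.
    if (!openssl_public_encrypt($sessionKey, $wrappedKey, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key wrap failed: ' . openssl_error_string());
    }
    return ['key' => $wrappedKey, 'iv' => $iv, 'tag' => $tag, 'data' => $ciphertext];
}

// Decrypt: only the PRIVATE key unwraps the session key; the GCM tag check rejects tampering.
function hybridDecrypt(array $blob, $privateKey): string {
    if (!openssl_private_decrypt($blob['key'], $sessionKey, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key unwrap failed');
    }
    $plaintext = openssl_decrypt($blob['data'], 'aes-256-gcm', $sessionKey, OPENSSL_RAW_DATA, $blob['iv'], $blob['tag']);
    if ($plaintext === false) {
        throw new RuntimeException('AES-GCM authentication failed: ciphertext was modified');
    }
    return $plaintext;
}

// Signing runs the other way round: the PRIVATE key signs, the PUBLIC key verifies.
function signMessage(string $msg, $privateKey): string {
    openssl_sign($msg, $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return $sig;
}
function verifyMessage(string $msg, string $sig, $publicKey): bool {
    return openssl_verify($msg, $sig, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample payload (~1.3 MB), far beyond what raw RSA can encrypt.
$msg  = str_repeat('constructed sample payload ', 50000);
$blob = hybridEncrypt($msg, $publicKey);
var_dump(hybridDecrypt($blob, $privateKey) === $msg);            // true
$blob['data'][0] = chr(ord($blob['data'][0]) ^ 1);               // flip one ciphertext bit
try { hybridDecrypt($blob, $privateKey); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
$sig = signMessage('release-1.0.tar.gz', $privateKey);
var_dump(verifyMessage('release-1.0.tar.gz', $sig, $publicKey)); // true
var_dump(verifyMessage('release-1.1.tar.gz', $sig, $publicKey)); // false: signature does not match
```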

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
Severity: High · Fix effort: High
⚡ Quick Fix
Use openssl_public_encrypt() with OPENSSL_PKCS1_OAEP_PADDING for encryption; never use PKCS#1 v1.5 padding (the function's default), which is vulnerable to Bleichenbacher attacks.
📦 Applies To
PHP 5.0+ · web · cli
🔍 Detection Hints
openssl_public_encrypt called with OPENSSL_PKCS1_PADDING or with no padding argument (PKCS#1 v1.5 is the default); RSA used for bulk data encryption (use hybrid encryption instead: RSA-encrypt an AES key, AES-encrypt the data)
Auto-detectable: ✓ Yes semgrep
🤖 AI Agent
Confidence: Medium · False positives: Medium · Manual fix (no automated fix) · Fix effort: High · Context: Function · Tests: Update
CWE-326 CWE-327