Asymmetric Encryption
Also Known As
public key cryptography
RSA
ECC
public key encryption
TL;DR
A cryptographic system with a public key (shared freely) and a private key (kept secret) — data encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be verified by anyone holding the public key.
Explanation
RSA and elliptic-curve cryptography (ECC: ECDH/X25519 for key agreement, ECDSA/Ed25519 for signatures) are the dominant asymmetric systems. The public key encrypts or verifies; the private key decrypts or signs. Asymmetric cryptography solves the key distribution problem: you can publish your public key openly, so two parties who have never shared a secret can still communicate securely. The cost is speed and capacity. Asymmetric operations are roughly 100 to 1000 times slower than symmetric ones and, for RSA, limited to a payload smaller than the key modulus, so in practice a random symmetric session key is established with the asymmetric primitive (RSA-OAEP key transport or an ECDH key agreement) and that key encrypts the actual data with an authenticated cipher such as AES-GCM or ChaCha20-Poly1305. This is hybrid encryption. TLS works this way: the handshake uses asymmetric keys to authenticate the server and agree on session keys (TLS 1.3 uses ephemeral ECDH rather than RSA encryption for this), and the record layer then encrypts bulk traffic symmetrically.
Diagram
flowchart LR
subgraph Key_Generation
PRIV[Private Key<br/>kept secret]
PUB[Public Key<br/>shared freely]
PRIV -.->|mathematically linked| PUB
end
subgraph Encryption
PLAIN[Plaintext] -->|encrypt with PUBLIC key| CIPHER[Ciphertext]
CIPHER -->|decrypt with PRIVATE key| PLAIN2[Plaintext]
end
subgraph Signing
MSG[Message] -->|sign with PRIVATE key| SIG[Signature]
SIG -->|verify with PUBLIC key| VALID[Valid or Invalid]
end
style PRIV fill:#f85149,color:#fff
style PUB fill:#238636,color:#fff
style CIPHER fill:#6e40c9,color:#fff
style VALID fill:#238636,color:#fff
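The following is an added example, not code from the original page: it runs the Explanation's hybrid scheme and both paths of the diagram (encrypt with the public key, decrypt with the private key; sign with the private key, verify with the public key) end to end in PHP's openssl extension. Both key pairs are generated in memory for the demo, the blob layout (length prefix, wrapped key, IV, tag, ciphertext) is this example's own framing, and the function names hybridEncrypt, hybridDecrypt, signMessage and verifyMessage are assumptions, not a library API. It needs PHP 7.1+ for the EC curve name option.

```php
<?php
// Added example, not code from the original page: one complete hybrid-encryption
// round trip (RSA-OAEP key transport + AES-256-GCM) plus a detached ECDSA
// signature, using only PHP's openssl extension (PHP 7.1+). Both key pairs are
// generated in memory for the demo; real private keys belong in a KMS/HSM or an
// encrypted PEM file, never beside the data they protect.
declare(strict_types=1);

// Recipient's RSA-3072 pair: its PUBLIC key encrypts (wraps) session keys.
$recipientKey       = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 3072]);
$recipientPublicPem = openssl_pkey_get_details($recipientKey)['key'];

// Sender's EC P-256 pair: its PRIVATE key signs, its public key verifies.
$senderKey       = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$senderPublicPem = openssl_pkey_get_details($senderKey)['key'];

// Encrypt $plaintext of any length for the holder of $recipientPublicPem.
// Output layout (this demo's own framing): [2-byte wrapped-key length][wrapped key][12-byte IV][16-byte tag][ciphertext]
function hybridEncrypt(string $plaintext, string $recipientPublicPem): string
{
    $sessionKey = random_bytes(32); // fresh AES-256 key for this message only
    $iv         = random_bytes(12); // 96-bit GCM nonce; never reuse with the same key

    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $sessionKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('AES-GCM encryption failed');
    }
    // Wrap the 32-byte key with RSA-OAEP. Not PKCS#1 v1.5: its padding check is a Bleichenbacher oracle.
    if (!openssl_public_encrypt($sessionKey, $wrappedKey, $recipientPublicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA-OAEP key wrap failed: ' . openssl_error_string());
    }
    return pack('n', strlen($wrappedKey)) . $wrappedKey . $iv . $tag . $ciphertext;
}

// Reverse the steps with the recipient's PRIVATE key. GCM checks the tag, so any
// modification of IV, tag or ciphertext is detected instead of producing garbage.
function hybridDecrypt(string $blob, $recipientPrivateKey): string
{
    $len        = unpack('n', substr($blob, 0, 2))[1];
    $wrappedKey = substr($blob, 2, $len);
    $iv         = substr($blob, 2 + $len, 12);
    $tag        = substr($blob, 2 + $len + 12, 16);
    $ciphertext = substr($blob, 2 + $len + 28);

    if (!openssl_private_decrypt($wrappedKey, $sessionKey, $recipientPrivateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA-OAEP unwrap failed');
    }
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-gcm', $sessionKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plaintext === false) {
        throw new RuntimeException('authentication failed: the blob was modified');
    }
    return $plaintext;
}

// Signing runs the other way round: PRIVATE key signs, PUBLIC key verifies (ECDSA with SHA-256).
function signMessage(string $message, $senderPrivateKey): string
{
    if (!openssl_sign($message, $signature, $senderPrivateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return $signature;
}

function verifyMessage(string $message, string $signature, string $senderPublicPem): bool
{
    return openssl_verify($message, $signature, $senderPublicPem, OPENSSL_ALGO_SHA256) === 1;
}

// Demo with a constructed ~1 MB document, far beyond what RSA alone could encrypt.
$document = str_repeat('constructed confidential invoice data ', 30000);
$blob     = hybridEncrypt($document, $recipientPublicPem);
$sig      = signMessage($blob, $senderKey); // sign the ciphertext, so tampering is caught before decryption

if (!verifyMessage($blob, $sig, $senderPublicPem) || hybridDecrypt($blob, $recipientKey) !== $document) {
    throw new LogicException('round trip failed');
}

// Flip one bit of the ciphertext: the signature no longer verifies and GCM rejects the blob.
$tampered = $blob;
$last = strlen($tampered) - 1;
$tampered[$last] = $tampered[$last] ^ "\x01";
if (verifyMessage($tampered, $sig, $senderPublicPem)) {
    throw new LogicException('tampered blob should not verify');
}
try {
    hybridDecrypt($tampered, $recipientKey);
    throw new LogicException('tampered blob should not decrypt');
} catch (RuntimeException $e) {
    echo 'Tamper detected: ', $e->getMessage(), PHP_EOL;
}
echo 'Hybrid encrypt/decrypt and sign/verify round trip OK', PHP_EOL;
```

Two design points worth noticing: the signature covers the ciphertext blob rather than the plaintext, so a recipient rejects a forged or corrupted message before spending an RSA private-key operation on it, and the session key is wrapped with OAEP rather than the openssl_public_encrypt() default (PKCS#1 v1.5), which is the padding mode the Quick Fix below warns about.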
Common Misconception
✗ Asymmetric encryption is better than symmetric — they serve different purposes; asymmetric solves key exchange, symmetric handles bulk data; TLS uses both together.
Why It Matters
Understanding asymmetric encryption explains how HTTPS, SSH keys, asymmetrically signed JWTs (RS256/ES256), and code signing work; together with symmetric ciphers it is the foundation of authenticated, confidential communication on the internet.
Common Mistakes
- Encrypting large data directly with RSA — one RSA operation accepts at most the modulus size minus the padding overhead (245 bytes for RSA-2048 with PKCS#1 v1.5, 214 bytes with OAEP); use hybrid encryption for anything larger than a symmetric key.
- Using RSA-1024 — disallowed by NIST since 2013 and considered within reach of a well-resourced attacker; use RSA-2048 as the floor and 3072 or 4096 for new systems, or prefer elliptic curves (Ed25519 for signatures, X25519 for key agreement). Note that Ed25519 is a signature scheme, not a replacement for RSA encryption.
- Confusing encryption (public key encrypts, private key decrypts) with signing (private key signs, public key verifies).
- Not verifying the certificate chain — a public key is only as trustworthy as the way you obtained it; it must be bound to an identity through a PKI chain to a trusted root, a pin, or out-of-band verification. A bare public key fetched over the network with no such check can be swapped by a man-in-the-middle, and everything encrypted to it goes to the attacker.
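The size limit in the first mistake is easy to state and easy to get wrong by one byte, so here is an added example (not from the original page) that computes the limit for the two padding modes PHP's openssl extension exposes and checks it against a 2048-bit key generated in memory. The helper names rsaMaxPlaintextBytes and tryRsaEncrypt are this example's own.

```php
<?php
// Added example, not from the original page: how much data a single RSA
// operation can carry for the two padding modes PHP's openssl extension
// exposes, demonstrated against a 2048-bit key generated in memory.
declare(strict_types=1);

// Maximum plaintext length for one RSA operation with a modulus of $modulusBits.
function rsaMaxPlaintextBytes(int $modulusBits, int $padding): int
{
    $k = intdiv($modulusBits, 8); // modulus length in bytes; the ciphertext is always exactly this long
    if ($padding === OPENSSL_PKCS1_PADDING) {
        return $k - 11; // PKCS#1 v1.5: 3 fixed bytes plus at least 8 bytes of random padding
    }
    if ($padding === OPENSSL_PKCS1_OAEP_PADDING) {
        return $k - 42; // OAEP with SHA-1 (what OpenSSL uses for this constant): 2 x 20-byte hash + 2 bytes
    }
    throw new InvalidArgumentException('unsupported padding mode');
}

// Attempt the encryption; returns the ciphertext length, or null when OpenSSL refuses the input.
function tryRsaEncrypt(string $data, string $publicPem, int $padding): ?int
{
    return openssl_public_encrypt($data, $out, $publicPem, $padding) ? strlen($out) : null;
}

$key       = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$publicPem = openssl_pkey_get_details($key)['key'];
$oaepLimit = rsaMaxPlaintextBytes(2048, OPENSSL_PKCS1_OAEP_PADDING); // 256 - 42 = 214 bytes

// A 32-byte AES key fits easily, and the ciphertext is the full modulus size.
if (tryRsaEncrypt(random_bytes(32), $publicPem, OPENSSL_PKCS1_OAEP_PADDING) !== 256) {
    throw new LogicException('wrapping a 32-byte session key should succeed');
}
// Exactly at the limit still works; one byte more and OpenSSL returns false rather than truncating.
if (tryRsaEncrypt(random_bytes($oaepLimit), $publicPem, OPENSSL_PKCS1_OAEP_PADDING) !== 256
    || tryRsaEncrypt(random_bytes($oaepLimit + 1), $publicPem, OPENSSL_PKCS1_OAEP_PADDING) !== null) {
    throw new LogicException('OAEP limit should be exactly ' . $oaepLimit . ' bytes');
}
// PKCS#1 v1.5 accepts 31 bytes more, but that padding is the Bleichenbacher oracle; the capacity is not worth it.
printf("RSA-2048 payload limit: %d bytes (OAEP), %d bytes (PKCS#1 v1.5); a multi-MB file needs hybrid encryption\n",
    $oaepLimit, rsaMaxPlaintextBytes(2048, OPENSSL_PKCS1_PADDING));
```

The practical takeaway is that the only thing you should ever RSA-encrypt is a symmetric key, and the failure mode when you exceed the limit is a silent false return from openssl_public_encrypt(), so always check that return value.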
Code Examples
✗ Vulnerable
// RSA encryption of large data — fails outright (and splitting the file into RSA-sized chunks
// to "work around" it would be insecure: no integrity protection and a padding oracle per chunk):
// $publicKey is the recipient's public key as a PEM string
$data = file_get_contents('largefile.pdf'); // Several MB
$ok = openssl_public_encrypt($data, $encrypted, $publicKey); // default padding: PKCS#1 v1.5
// RSA input limit: (key_size/8) - 11 bytes with PKCS#1 v1.5, (key_size/8) - 42 bytes with OAEP (SHA-1)
// RSA-2048 therefore accepts at most 245 or 214 bytes; with 1MB of input openssl_public_encrypt
// returns false and $encrypted is never populated
✓ Fixed
// Hybrid encryption — correct approach:
// 1. Generate a random AES-256 key and a fresh 96-bit GCM nonce for this message
$sessionKey = random_bytes(32);
$iv = random_bytes(12);
// 2. Encrypt the data with AES-256-GCM (fast, and authenticated: $tag detects tampering)
$encryptedData = openssl_encrypt($data, 'aes-256-gcm', $sessionKey, OPENSSL_RAW_DATA, $iv, $tag);
// 3. Encrypt the AES key with RSA-OAEP (small — just 32 bytes; never PKCS#1 v1.5 padding)
openssl_public_encrypt($sessionKey, $encryptedKey, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
// Store: $encryptedKey + $iv + $tag + $encryptedData
// Decrypt: openssl_private_decrypt($encryptedKey, $sessionKey, $privateKey, OPENSSL_PKCS1_OAEP_PADDING) → AES-GCM decrypt $encryptedData with $iv and $tag (returns false if the tag does not match)
Added
15 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: High
⚡ Quick Fix
Use openssl_public_encrypt() with OPENSSL_PKCS1_OAEP_PADDING for encryption — never the default OPENSSL_PKCS1_PADDING (PKCS#1 v1.5), whose padding check gives an attacker a decryption oracle exploitable by Bleichenbacher-style attacks
📦 Applies To
PHP 5.0+
web
cli
🔍 Detection Hints
openssl_public_encrypt with OPENSSL_PKCS1_PADDING; RSA for bulk data encryption (use hybrid: RSA-encrypt AES key, AES-encrypt data)
Auto-detectable:
✓ Yes
semgrep
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: High
Context: Function
Tests: Update
CWE-326
CWE-327