Question 72 of 100
API Security Testing
Advanced
Q72: Symmetric vs. Asymmetric Encryption in Web APIs.
🔑 Core Concept
Symmetric vs. Asymmetric Encryption in Web APIs.
Key Takeaways & Architecture Summary
- ✓ Symmetric: Uses a single shared secret key for both encryption and decryption.
- ✓ Asymmetric: Uses public/private key pairs (RSA, ECDSA).
- ✓ Asymmetric keys are the standard for digital signatures and authentication, such as TLS certificates and RS256/ES256-signed JWTs.
Direct Answer Summary
Symmetric encryption uses a single shared secret key to encrypt and decrypt data (e.g. AES), requiring secure key distribution. Asymmetric encryption uses a public/private key pair (e.g. RSA, Elliptic Curve), where anyone can encrypt data using the public key, but only the holder of the private key can decrypt it.
⚠️ Senior Engineering Warning (Red Flag)
Avoid using a symmetric (shared-secret) algorithm such as HS256 to sign JWTs across distributed systems. If every microservice holds the signing secret in order to verify tokens, a breach of any one of them compromises the signing authority for the entire cluster.
💡 STAR Architectural Explanation & Pro Tip
JWT signatures commonly use asymmetric algorithms (such as RS256). The authorization server signs tokens with its private key, while other services verify the signature using only the public key. The private key never leaves the authorization server, so a compromised resource service can verify tokens but cannot mint them.
RestAssuredTest.java (Rest-Assured + Java)
// Dynamic asymmetric signature verification inside JWT (RS256)
// Headers indicate RS256 algorithm:
// { "alg": "RS256", "typ": "JWT" }
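The sign-with-private-key / verify-with-public-key split described above, as an added example that is not part of the original page and not Rest-Assured's own code: a self-contained Java class using only the JDK (java.security, java.util.Base64). The class name, the in-process key pair and the sample claims are assumptions for the demo.

```java
// Added example, not from the original page: minimal RS256 JWT sign/verify
// using only the JDK. The key pair is generated in-process for the demo; a real
// authorization server keeps the private key in an HSM/KMS and publishes only
// the public key (e.g. via a JWKS endpoint).
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class Rs256JwtDemo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // Authorization server side: sign header.payload with the PRIVATE key.
    static String sign(String payloadJson, PrivateKey priv) throws GeneralSecurityException {
        String header = B64.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        Signature sig = Signature.getInstance("SHA256withRSA"); // RS256 = RSASSA-PKCS1-v1_5 + SHA-256
        sig.initSign(priv);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    // Resource service side: verify with the PUBLIC key only. The algorithm is
    // pinned to RS256 rather than taken from the token's own "alg" header.
    static boolean verify(String jwt, PublicKey pub) throws GeneralSecurityException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"RS256\"")) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(B64D.decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String token = sign("{\"sub\":\"user-123\",\"scope\":\"orders:read\"}", kp.getPrivate());
        System.out.println("valid token:      " + verify(token, kp.getPublic()));

        // Altering the payload breaks the signature; only the private-key holder can re-sign.
        String[] p = token.split("\\.");
        String tampered = p[0] + "." + B64.encodeToString("{\"sub\":\"admin\"}".getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        System.out.println("tampered payload: " + verify(tampered, kp.getPublic()));
    }
}
```

In a real service the public key would be loaded from the authorization server's JWKS endpoint rather than from an in-process KeyPair, and the `exp`, `iss` and `aud` claims would also be checked after the signature passes.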