I'm trying to add a hybrid encryption scheme to my PHP application, and by "hybrid" I mean that each record in the database is encrypted by its own unique symmetric key and each symmetric key is encrypted by a shared private key not stored in the database. The symmetric keys are 256 bit AES keys and the private key is a 2048 bit RSA key.
The hybrid encryption scheme works but decrypting the symmetric keys is introducing a bottleneck into the application - decrypting one key is fine, but if I need to retrieve 100 records from the database and decrypt a field in them the script execution time is becoming a real issue because of the overhead decrypting the symmetric key adds. My unscientific tests using the speed tool in OpenSSL suggest that going from a 1024 bit RSA key to a 2048 RSA key is resulting in a decryption time seven times longer on my machine.
Is there a good reason why I can't just use a shared symmetric key (stored securely) to encrypt the symmetric keys for each record? I'm not entirely clear on what the benefit of using an asymmetric key scheme is. I understand that the RSA key can't be used to encrypt large amounts of data (which is why I'm using a symmetric key to do that) but is it the case that a symmetric key shouldn't be used to protect a small amount of data i.e. a 256 bit AES key?
Thanks in advance for any help or guidance!
The irony of your question is that the use of a 2048-bit RSA key to encrypt a 256-bit AES key actually degrades the security -- see Table 1 (the difficulty to break an 88-bit symmetric key is about the same as the difficulty to break a 2054-bit RSA key)!
The benefit of public key cryptography for an application like this is when the decryption happens in an isolated place than the encryption. However, if they are both happening in the same place, then you are only making things worse by bringing in RSA. Instead, just stick with the AES.