Warning message

Log in to add comments.

Symmetric Encryption

Red Hat published on 2013-10-16T13:30:23+00:00, last updated 2013-10-16T13:30:23+00:00

So far we have looked at what cryptography is and have taken a brief look at the history of cryptography; it's time for us to take a dive into how cryptography works. Cryptography often involves two important and complimentary processes called encryption and decryption.

The process of encryption and decryption involves a secret key which is known only to the sender and the receiver of the message. Needless to say, the secrecy of the message depends on the secrecy of the key. This is analogous to a lock and a key; the cipher text (encrypted data) is the lock and the secret key is the key to the lock. The form of the secret key plays an important role in any form of an encryption mechanism. In symmetric encryption, the same secret key is used for encryption and decryption. (As opposed to asymmetric encryption)

Symmetric encryption comes in two flavors: stream ciphers and block ciphers. Stream ciphers involve encryption of data one bit at a time. Block ciphers encrypt data in blocks.
RC4 is the most famous stream cipher used today. It's the only stream cipher in TLS (Transport Layer Security) and the only stream cipher approved by NIST. Like most stream ciphers, RC4 has a pseudo-random generator which generates random numbers based on a key. The pseudo-random numbers are generated one bit at a time and are then XORed with the plain text to generate the final encrypted data. The PRNG generates the same random numbers for a given key. However, there is no way to predict the key from given pseudo-random numbers. The reverse process happens on the decryption end, and the plain text is generated from the cipher text.

rc4Block ciphers are the work horses of cryptography. A typical block cipher involves multiple rounds of a mathematical function being applied to the plain text. Block ciphers also use the principle of confusion and diffusion. Confusion obscures the relationship between the key and the ciphertext. This is usually achieved by using a substitution table, in which text bits are substituted by different bits. Diffusion involves spreading the influence of one plaintext symbol over many ciphertext symbols with the goal of hiding statistical properties of the plaintext. This is usually achieved by using some kind of transposition which involves scrambling bits of data.

A lot of block ciphers are also based on Feistel networks. Simply put, a Feistel network is a mathematical structure that uses a number of iterations to achieve encryption and decryption, which are very similar and even identical in some cases.


The Data Encryption Standard (DES) is a Feistel network-based block cipher. It has a key size of 56 bits, and is currently considered to be insecure (based on the small key size). DES is mostly replaced by the Advanced Encryption Standard or AES. AES uses 3 key sizes namely 128, 192 or 256 bits. AES is based on a substitution-permutation network.

Block ciphers are used along with "mode of encryption". Often, data to be encrypted is much bigger than the block size of the cipher; therefore, the data has to be divided into blocks according to the size of the block cipher. There are various methods of encrypting these blocks to form the final cipher text. The simplest method is to encrypt each block individually with the same key (this is called ECB mode or electronic code block mode). Though this method is very simple and can be parrallelized, it has the obvious disadvantage that identical plaintext blocks are encrypted into identical ciphertext blocks; thus, such method does not hide data patterns.

Cipher-block chaining or CBC mode is the more commonly used (supposedly more secure) mode of encryption, in which the output from the previous block is included when computing the cipher text for the current block. There are several other modes of encryption available, but often these are rarely used.

Recently, research has been done on various encryption mechanisms; notably among them is the BEAST attack on the CBC mode of encryption, the CRIME attack on compression and key biases in RC4. Flaws have also been found in specific usages of CBC, such as in XML encryption. Galois/Counter Mode (GCM) is another mode of operation for symmetric key block ciphers which mitigates some of these weaknesses. I will attempt  to describe some of these weaknesses in my upcoming blog entries.


About The Author

RH Red Hat

Red Hat

This user is used for automation in Pantheon as part of the Docs publishing toolchain.