## Symmetric Encryption Algorithms: Live Long & Encrypt – Hashed Out by The SSL Store – Hashed Out by The SSL Store

Much like tribbles in Star Trek, symmetric encryption is everywhere. Well explore symmetric key algorithms and take you to places no non-IT person has gone before

Symmetric encryption algorithms are the underlying processes that make secure communications possible. If you were to put it into Star Trek-related terms, symmetric algorithms are the warp drive for your starships propulsion system. Theyre integral to information security and are what help your business move forward with data encryption securely and at faster-than-light speeds.

(Yes, I know, Im really flying my nerd flag high today. While fascinating, symmetric key algorithms arent exactly light or easy reading so Ive got to have some fun when writing. Damn it, Jim, Im a cybersecurity writer, not a cryptographer.)

Make sure to refresh your coffee (or earl grey tea, if thats more your speed). Were about to take a deep dive into exploring what symmetric encryption algorithms are, why theyre important, and what the most common symmetric encryption algorithm types are.

Make it so.

Lets hash it out.

Symmetric algorithms are the cryptographic functions that are central to symmetric key encryption. Theyre a set of instructions or steps that computers follow to perform specific tasks relating to encrypting and decrypting data.

Feel like you need a universal translator? Okay, lets break this down a bit more.

Symmetric encryption algorithms are used (combined with an encryption key) to do two main things:

Symmetric encryption algorithms use the same encryption key for both encryption and decryption. (Unlike asymmetric encryption algorithms, which use two different keys.)

Encryption algorithms, in general, are based in mathematics and can range from very simple to very complex processes depending on their design. In the case of symmetric encryption algorithms, theyre paired with a single key to convert readable (plaintext) data into unintelligible gibberish (ciphertext). They then use the same key to then decrypt the ciphertext back into plaintext. And all of this is done in a way that ensures data confidentiality and privacy. Pretty cool, huh?

Symmetric encryption algorithms are actually known by a few different names:

In general, the purpose or goal of encryption is to make it so that only someone with the key can decrypt and read the secret message. In case you need a quick reminder of how symmetric encryption works, heres a quick overview:

In this graphic above, moving from left to right, youll see that you start with the plaintext, readable data. Once the symmetric encryption algorithm and key are applied to that data, it becomes unreadable ciphertext. The way to decrypt that message to decipher its meaning is to use a decryption key. In the case of symmetric encryption, the decryption key is identical to the key that was used to encrypt the data. Basically, you use the same key twice.

In a nutshell, a symmetric algorithm is a set of instructions in cryptography that use one key to encrypt and decrypt data. These encryption algorithms and keys are lightweight in the sense that theyre designed for speed in processing large blocks or streams of data. (This is why symmetric encryption algorithms are known as bulk ciphers.)

Asymmetric key algorithms and keys, on the other hand, are resource eaters. The keys are massive and are expensive to use at scale. What I mean is that they suck up a lot of your CPU processing resources and time, battery power, and bandwidth to execute.

Remember how we described symmetric algorithms as being a key component of your warp drive? Lets continue with that analogy. So, if you were to think about what asymmetric encryption algorithms are, theyd be like the equivalent of the thrusters in the propulsion system. Sure, theyll get you there eventually, but theyre not suitable for rapid encryption at scale.

However, theyre great for encrypting smaller batches of data in public channels. And asymmetric key exchanges (which well talk more about shortly) are a great way to distribute keys in those insecure public channels.

This is why people often turn to symmetric encryption for encoding large amounts of data.

As youll soon discover, not all symmetric algorithms are created equally. They vary in terms of strength but what exactly is does strength mean in cryptography? The short answer is that cryptographic strength is all about how hard it is for a hacker to break the encryption to gain access to the data. The longer answer, of course, may vary depending on the type of algorithm you evaluate. But, in general, cryptographic strength typically boils down to a few key traits:

Symmetric encryption can be a bit of a balancing act because you need algorithms and keys that are computationally hard yet practical enough to use with acceptable performance.

While symmetric encryption algorithms might sound like the most logical tools for all types of online data encryption, its not quite that simple. Much like the ever-logical Spock and the charismatic Captain Kirk, symmetric encryption also has weaknesses especially when used on their own in public channels. These weaknesses come in the form of key distribution and key management issues:

When using symmetric encryption, ideally, you and the person youre communicating with sort out your secret key ahead of time (prior to using it for any data exchanges). This means that in order to share a symmetric key securely with someone, youd need to meet up with them in person to give it to them. But what if youre across the country from the other party? Or, worse, what if youre on the other side of the world from them?

While this wouldnt be an issue in the Star Trek universe, where you could simply transport from one place to another within seconds, this isnt feasible in our 21st century transporterless world. Here, people are exchanging information with web servers worldwide every moment of every day. This means that people cant meet up ahead of time to hand out or receive keys. So, we have to rely on other means to securely exchange keys with other parties.

This is where asymmetric algorithms or, more specifically, key exchange protocols come into play. Asymmetric key exchanges make it possible to exchange symmetric keys in otherwise insecure public channels. What you may or may not realize is that youre actually using this combination of symmetric and asymmetric encryption techniques right now.

Lets consider your connection to our website as an example. See that padlock icon in your browser? It means youre connected to a secure website.

So, when you initially connected to TheSSLstore.com, your browser had to perform a process with our server thats known as a TLS handshake. This handshake is a way for the server to prove to your browser that its legitimate and isnt an imposter. (You know, cause cybercriminals love to pretend to be other people to trick people in connecting with them. Theyre kind of like Romulans in that way always engaging in subterfuge.) The handshake process uses asymmetric encryption and asymmetric key exchange processes to do this.

Of course, there are a few versions of the handshake TLS 1.0, TLS 1.2, TLS 1.3 and there specific differences in how they work. (For example, the Internet Engineering Task Force [IETF] pushes for the strict use of forward-secrecy-only ciphers in TLS 1.3 but thats a topic for another time.) Just know that only the TLS 1.2 handshake should be the minimum used. As of October 2020, Qualys SSL Labs reports that 99% of sites support the TLS 1.2 protocol and 39.8% support the TLS 1.3 protocol.

We wont get into the specifics of how the TLS handshake works here, but know that it involves the use of cipher suites. These groups of ciphers are what help to make it possible to establish a secure, HTTPS connection by determining which of each of the following to use:

You can read more about the process in this explainer blog on how the TLS handshake works. But for now, lets stay with the topic at hand of symmetric encryption algorithms.

During the symmetric encryption that takes place when you connect securely to a website, youre using a bulk cipher to make that happen. There are two subcategories of bulk ciphers: block ciphers and stream ciphers.

In this type of cipher, plaintext data breaks down into fixed-length groups of bits known as blocks (which are typically connected via a process known as chaining). Each block then gets encrypted as a unit, which makes this process a bit slow. And if theres not enough data to completely fill a block, padding (typically an agreed upon number of 0s) is then used to ensure that the blocks meet the fixed-length requirements.

The ideal block cipher has a massive key length that isnt practical, so many modern ciphers have to scale back key sizes to make them usable. But just as a quick note: Unlike with asymmetric encryption, symmetric encryption key sizes dont determine the size of the data blocks.

The majority of modern symmetric encryption algorithms fall within the block cipher camp, and these types of ciphers have broader usage and application opportunities. So, were mainly going to focus on them here. But if youre wondering what the most popular or common stream ciphers are, dont worry, weve got you covered.

With this type of cipher, it encrypts plaintext data one bit at a time. As such, data gets processed in a stream rather than in chunks like in block ciphers. This makes the process less resource-intensive and faster to achieve.

Now, were not going to get into all of the specifics of block ciphers and stream ciphers thats a whole other topic for another time. Just be sure to keep an eye out in the coming weeks for a separate article that breaks down block ciphers and stream ciphers.

Okay, now this is where things start to get exciting (or more complicated, depending on your perspective). With shared key encryption, there are several well-known symmetric key algorithms to know. Lets break them all down to understand what they are and how they work.

For this section, weve put together a symmetric algorithm list that will help us navigate the most common symmetric ciphers. Well start with one of the oldest and work our way up to the latest and greatest meaning, the algorithm that we typically use today for modern symmetric encryption.

First up on our list is the data encryption standard. DES, also known as DEA (short for data encryption algorithm), is one of the earliest symmetric encryption algorithms thats since been deprecated. Its based on the Feistel Cipher (much like many other varieties of block ciphers) and was actually deemed one of the first symmetric algorithms to be adopted as a Federal Information Processing Standard (FIPS) in 1976.

DES dates back to the early 1970s when its original form (Lucifer) was developed by IBM cryptographer Horst Feistel. IBM reports that the encryption method was originally created at the behest of Lloyds Bank of the United Kingdom. The National Bureau of Standards (now known as the National Institute of Standards, or NIST for short) ended up seeking proposals for a commercial application for encryption, and IBM submitted a variation of it. It was even desired for use by the National Security Agency (NSA) to protect their data.

This type of symmetric encryption maps inputs of a specific length to outputs of a specific length. As such, it operates on 64-bit blocks meaning that it could encrypt data in groups of up to 64 blocks simultaneously and has a key size of 56 bits. There are also 8 additional parity bits to the key, which serve as a way to check for data transmission errors. However, its important to note that parity bits arent something youd ever use for encryption.

This size key is actually very small by todays standards, which makes it highly susceptible to brute force attacks. Also, the key and block lengths differ from the original Lucifer key and block lengths, both of which were reduced from 128 bits.

To learn more about how DES encryption and Feistel Networks work, check out this great video from Coursera and Stanford University.

The Data Encryption Standard (DES) document (FIPS PUB 46-3) was officially withdrawn on May 19, 2005, along with the documents FIPS 74 and FIPS 81. The National institute of Standards and Technologys Secretary of Commerce published the following in the Federal Register:

These FIPS are withdrawn because FIPS 46-3, DES, no longer provides the security that is needed to protect Federal government information. FIPS 74 and 81 are associated standards that provide for the implementation and operation of the DES.

DES encryption was succeeded by triple data encryption algorithm (TDEA) for some applications, although not all. However, DES was primarily superseded as a recommendation by the advanced encryption standard, or whats known as AES encryption, in 2000. This is what we most commonly use today for symmetric encryption.

Now, lets explore those two other types of symmetric encryption algorithms.

The triple data encryption algorithm, which was created in the late 1990s, is a bit tricky as it actually goes by several abbreviations: TDEA, TDES, and 3DES. But as you can probably guess from its name, 3DES is based on the concept of DES but with a twist.

Unlike its predecessor, TDEA uses multiple separate keys to encrypt data one variation of TDEA uses two keys and the other variation uses three keys (hence the triple in its name). The stronger of the two is the one that uses three keys.

Heres an illustration of how the three-key TDEA process works:

The use of multiple keys makes processing data slow and increases the computational overhead, which is why organizations often skipped over 3DES and moved straight on to using AES.

TDEA operates using a decent 168-bit key size. However, like DES, 3DES also operates on small 64-bit blocks. Its small block size made it susceptible to the sweet32 vulnerability (CVE-2016-2183 and CVE-2016-6329), or whats known as the sweet32 birthday attack. This exploit takes advantage of a vulnerability that enables unintended parties to access portions of DES/TDEA-encrypted data.

The TDEA symmetric key encryption algorithm is set to deprecate in terms of being useful for cryptographic protection in 2023. However, in the meantime, NIST SP 800-76 Rev. 2 specifies that 3DES can be used by federal government organizations to protect sensitive unclassified data so long as its used within the context of a total security program. Such a program would include:

AES is the most common type of symmetric encryption algorithm that we use today. In fact, even the NSA uses AES encryption to help secure its sensitive data.

AES is a variant of the Rijndael family of symmetric encryption algorithms. Unlike its DES or TDEA counterparts, its based on a substitution-permutation network. So, it uses this as its foundation in lieu of the Feistel cipher. Youll find the advanced encryption standard in use for everything from SSL/TLS encryption to wireless and processor security. Its fast, secure, and doesnt noticeably increase your processing overhead (at least, when you use the right key).

AES operates on block sizes of 128 bits, regardless of the key size used, and performs encryption operations in multiple rounds.

Theres a total of four AES encryption sub-processes:

The rounds, which are performed on the plaintext data, uses substitutions from a lookup table. So, one of the rounds looks akin to this:

AES, which became the new FIPS-approved encryption standard after replacing DES and superseding 3DES, has a maximum key size of up to 256 bits. This is about 4.5 times larger than a DES key. Any larger, and it wouldnt be practical for at-scale applications. Now, the size of the key determines how many rounds of operations will execute for example, a 128-bit key will have 10 rounds, whereas a 256-bit key will have 14.

Of course, AES encryption is incredibly strong. So, any attempts to crack AES via brute force using modern computer technology is futile, as a certain collective of cybernetic individuals love to say. Even Lt. Commander Data would likely struggle with such a computational effort. I say that because even quantum computers arent expected to have as big of an effect on symmetric encryption algorithm as it will on, say, modern asymmetric encryption methods. (Symmetric encryption methods would require larger keys to be quantum resistant, whereas public key methods will no longer be secure period.)

For a more in depth look at the advanced encryption standard, be sure to check out our other article on the topic. There, youll get a highly technical look at how AES works.

There are plenty of other types of symmetric encryption algorithms that are useful for different purposes and cryptographic functions. Just to give you a quick taste, the list of some of these algorithms include:

Of course, there are other ciphers, too but were not going to include them all here. But this at least gives you some examples of whats out there as far as AES algorithms are concerned.

Symmetric encryption algorithms, when used on their own, are best suited for encrypting data at rest or in non-public channels. I say that because theyre often found protecting at-rest data in various situations, including databases, online services, and banking-related transactions. (The latter is because the Payment Card Industry Data Security Standards, or PCI DSS for short, requires it.)

However, those arent the only places theyre useful. Oh, no youll also find symmetric algorithms in use across the internet. When you use them in conjunction with asymmetric encryption for key exchange such as when you connect to a secure website then symmetric encryption comes into play with services such as:

Didnt feel like diving into all of the technical mumbo-jumbo? (Or didnt feel like reading through my nerdy Star Trek comparisons of symmetric encryption algorithms?) No worries. Here are a few of the main takeaways from this article on symmetric key algorithms:

Be sure to stay tuned for our next chapter in this blog series on symmetric encryption in the coming weeks. And until next time live long and proper.