Exploring Symmetric Encryption

Symmetric encryption uses a single key to encrypt and decrypt data. Symmetric encryption algorithms are constant. The keys used to encrypt different sets of data are changed to avoid compromising security. For example, the Advanced Encryption Standard (AES) always uses the same algorithms to encrypt and decrypt data, no matter how many times it’s used. The key used to encrypt a file will also be used to decrypt this file. However, a different key is used to encrypt and decrypt another file.


EXAM TIP Symmetric encryption uses a single key to encrypt and decrypt data. This key should be protected and changed regularly. In contrast, asymmetric encryption uses two keys (called public and private keys), where one key encrypts the information and the other key decrypts the information.


Symmetric encryption is used in many applications. For example, Chapter 2 presented Kerberos as a network authentication protocol and discussed how it uses tickets for authentication. Kerberos uses symmetric encryption to protect the confidentiality of these tickets.

ROT13

The simplest way to demonstrate symmetric encryption is with ROT13, an encryption scheme that was used in ancient Rome. It’s still sometimes used today by people posting information online in an attempt to make it harder to read. For example, if someone posts movie spoilers on online forums using ROT13, a reader can’t easily read the spoilers.

ROT13 rotates letters 13 spaces. If you wanted to post a message saying, “The butler did it,” with ROT13, you would rotate each letter 13 spaces. T rotated 13 spaces is G, h rotated 13 spaces is u, and so on. The ultimate message is “Gur ohgyre qvq vg.” Anyone receiving this cipher text can rotate the letters backward 13 spaces to read the plaintext.


NOTE On sites such as rot13.com, when you enter a message, the site provides the cipher text in ROT13 form.


There are variations on ROT13. For example, you could use a rotation algorithm to encrypt and decrypt the data, but instead of always using the key of 13, you could use a different key at different times. On Monday, for instance, you might use a key of three to rotate the letters three spaces forward. To decrypt the data, you would use the same key of three but rotate three spaces backward. This allows you to modify the key regularly so that if someone discovered the data, he or she wouldn’t necessarily know what the key was and may have trouble decoding it. Although this is a very weak encryption algorithm compared to what’s in use today, it does allow you to see easily the difference between the algorithm and the key.

This symmetric rotation algorithm could be defined as follows:

Encryption Rotate X spaces forward to encrypt, where X is the key.

Decryption Rotate X spaces backward to decrypt, where X is the key.

Key The key is any number. Data encrypted with a key can be decrypted with the same key. In other words, if a key of three was used to encrypt the data, the same key of three must be used to decrypt the data. The challenge is to ensure that both entities know what key is used at different times.
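The rotation algorithm defined above, written out as runnable code. This is an added example, not from the original text: one `rotate` routine is the published algorithm, and the key X is the only thing that changes between Monday's key of three and ROT13 (key 13). Letters wrap around the alphabet, non-letters pass through, and case is preserved.

```python
import string

ALPHABET = string.ascii_lowercase  # the 26-letter alphabet the key rotates through


def rotate(text: str, key: int) -> str:
    """Rotate every ASCII letter `key` places forward through the alphabet.

    A negative key rotates backward, which is what decryption does.  Because
    the rotation is taken modulo 26, a key of 29 behaves exactly like a key
    of 3: "any number" really means only 26 distinct keys, which is why this
    algorithm is a teaching tool and not a modern cipher.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + key) % len(ALPHABET)))
        else:
            out.append(ch)  # spaces and punctuation are left untouched
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    # Encryption: rotate X spaces forward, where X is the key.
    return rotate(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    # Decryption: rotate X spaces backward using the same key.
    return rotate(ciphertext, -key)


def rot13(text: str) -> str:
    # ROT13 is the special case key = 13. Since 13 + 13 = 26, applying it
    # twice returns the plaintext, so one call both encrypts and decrypts.
    return rotate(text, 13)


if __name__ == "__main__":
    msg = "The butler did it."               # the chapter's sample message
    print(rot13(msg))                        # Gur ohgyre qvq vg.
    print(encrypt(msg, 3))                   # Monday's key of three
    print(decrypt(encrypt(msg, 3), 3))       # back to the plaintext
```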

Encryption algorithms are usually published and well known. For example, if you wanted to look up the encryption algorithm used for any of the symmetric encryptions discussed in this chapter, you can probably find it on the Internet. However, because data is encrypted with different keys, attackers will not be able to read cipher text with only the algorithm. They also need the key.


TIP When weak keys are used or not changed often, attackers can discover them and decrypt the data. For example, if ROT13 were always used, once attackers discovered that characters were always rotated 13 spaces, they could decrypt any message. However, if a different key (not just 13) is used, the enemy will have more difficulty cracking the code.


Comparing Block and Stream Ciphers

Two common types of ciphers used in symmetric encryption are block ciphers and stream ciphers. Both ciphers use a single key to encrypt and decrypt specific pieces of data, but they divide the data differently.

A block cipher encrypts fixed-length groups of bits, or blocks of data, individually. It starts by dividing the plaintext data into fixed-length sizes, such as 128-bit blocks of text. It then encrypts each block individually.

In contrast, a stream cipher encrypts the bits as a stream of data rather than as fixed-length blocks. Stream ciphers are susceptible to more vulnerabilities when not used properly. For example, an important rule related to stream ciphers is never to reuse a key. WEP used the RC4 stream cipher and broke this important stream cipher rule. WEP reused keys for encryption of data in the same stream and it was easily cracked.


TIP Chapter 3 presented wireless concepts, including WEP, WPA, and WPA2. WEP should never be used today. WPA was an intermediate replacement, and WPA2 is a permanent replacement.


It’s worth stressing that stream ciphers are secure when used properly. For example, Secure Sockets Layer (SSL) used by HTTPS to encrypt Internet traffic uses the same RC4 stream cipher used by WEP. However, SSL uses sound cryptography standards and is secure.
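The stream cipher rule above, shown in code. This is an added example, not from the original text: it implements the published RC4 key-scheduling and keystream-generation steps and then checks what an observer learns when two messages are encrypted under one key. A stream cipher XORs the plaintext with its keystream, so when the keystream repeats, XORing the two ciphertexts cancels it out and reveals the XOR of the two plaintexts with no key at all. The sample messages and keys are constructed for the demonstration.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Produce `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                         # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                     # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Stream-cipher XOR: the same call encrypts and decrypts."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leaks(key1: bytes, key2: bytes, p1: bytes, p2: bytes) -> bool:
    """Return True when c1 XOR c2 equals p1 XOR p2.

    That equality holds exactly when both ciphertexts were made with the same
    keystream: the keystream cancels and the relationship between the two
    plaintexts is exposed without the key. With distinct keys the keystreams
    differ and the XOR of the ciphertexts tells an observer nothing useful.
    """
    c1 = rc4_crypt(key1, p1)
    c2 = rc4_crypt(key2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    key = b"Key"
    print(rc4_crypt(key, b"Plaintext").hex())   # bbf316e8d940af0ad3, published RC4 test vector
    m1, m2 = b"Meet me at noon.", b"Send the report."   # constructed sample messages
    print(keystream_reuse_leaks(key, key, m1, m2))     # True: the WEP-style mistake
    print(keystream_reuse_leaks(key, b"Lock", m1, m2)) # False: fresh key per message
```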

Advanced Encryption Standard

One of the most popular symmetric block cipher encryption algorithms is AES. It is a fast, efficient algorithm that has gone through rigorous testing. NIST spent five years examining multiple encryption algorithms looking for what it considered the best to replace an older standard. The institute ultimately picked AES (from the algorithm known as Rijndael) in 2002 as the standard used by the U.S. government. AES has since been adopted in both the public and private sectors.

AES is used in many different applications. For example, WPA and WPA2 can both use AES to encrypt wireless transmissions. AES is used to encrypt entire hard drives with trusted platform modules (TPMs) and can encrypt data on USB flash drives. These are just a few examples of AES's popularity as a symmetric encryption standard, and it is important to realize why: AES is strong and efficient.


EXAM TIP AES is a strong, efficient symmetric algorithm and is used in many applications. NIST selected it as a replacement for Data Encryption Standard (DES) over 15 other competing algorithms.


AES uses keys of varying sizes to add strength to the cipher:

• AES is sometimes listed as AES-128 and uses 128-bit keys.

• AES-192 uses a 192-bit key.

• AES-256 uses a 256-bit key.

Larger key sizes make the encryption significantly harder to break, but there is an associated resource cost. For example, AES-256 is stronger than AES-128, but systems can encrypt and decrypt with 128-bit keys more quickly than they can with AES-256.


TIP You can’t accurately compare the strength of different encryption algorithms based simply on their key sizes alone. For example, imagine if I created a simplistic cipher called Gibson’s Cipher and used 2,048-bit keys. It wouldn’t be accurate to say this cipher is stronger than AES-256 simply because Gibson’s Cipher uses bigger keys. However, it is accurate to say that AES-256 is stronger than AES-128 because it’s the same algorithm with larger keys.


Other Symmetric Encryption Algorithms

The following list shows many of the other symmetric encryption algorithms that you may come across. However, none of these have the combined strength and efficiency of AES, so their usage is significantly less common today than it has been in years past.

DES DES is an older block cipher symmetric encryption standard that uses 56-bit keys. It has been broken and is rarely used anymore. It was a standard selected by the National Bureau of Standards (now known as NIST), but was replaced by AES.

3DES Triple DES (or three DES) improves DES by encrypting data in three passes with three separate keys. It was one of the standards evaluated by NIST with AES but was not selected. It is a slower, more processor-intensive block cipher, but is still strong and used in some applications.

Blowfish Blowfish is another strong symmetric block encryption cipher that is still used in many applications. It was designed as a replacement for DES, although its use is being overshadowed by AES. Bruce Schneier designed this cipher.

IDEA The International Data Encryption Algorithm (IDEA) is a symmetric algorithm using 128-bit keys that was also submitted as a replacement for DES. Many implementations of Pretty Good Privacy (PGP) used IDEA for encrypting e-mails. PGP is described in more depth later in this chapter.

RC4 Rivest's Cipher (RC) was invented by Ron Rivest and is the most widely used symmetric stream cipher. It is used successfully with SSL in HTTPS to encrypt traffic on the Internet. This is sometimes called Ron's Code or Rivest's Cipher.


TIP There is a series of RC encryption algorithms. RC2 was developed as a replacement for DES. RC5 is a fast block cipher. RC6 is a block cipher that was submitted to NIST and was one of the five finalists that NIST considered for the AES competition.

