Symmetric encryption uses the same key to encrypt and to decrypt data. When encrypting a given piece of data, there are two different approaches an algorithm can use: stream cipher or block cipher. Stream ciphers operate one bit at a time by applying a pseudorandom key to the plaintext. In a block cipher, data is divided into fixed lengths, or blocks (often 64 bits); all the bits are then transformed by the cipher to produce an output. The output size of each of these ciphers is the same as the input size, which means they can be used for real-time applications, such as voice and video. Many encryption algorithms are block ciphers.

Here are some basic concepts necessary to understand how cryptography works:

• Unencrypted data is known as cleartext or plaintext. Don’t get confused by the four letters at the end (text). Cleartext and plaintext both refer to information that is in an unencrypted format that is understandable to a person or an application. It doesn’t have to be readable by a human. For example, it could be raw video.

• Encrypted data is known as ciphertext and cannot be understood by any party that does not know the correct encryption algorithm and possess the proper key.

• Keys are used to determine the specific settings to be used for encryption. The key can be thought of as a combination of bits that determines the settings to be used to encrypt or decrypt. Keys can be generated by hashing some keyboard inputs (weak, which could be duplicated through guessing or brute force) or by a pseudorandom number generator (stronger, which is much more difficult to duplicate). There is a concept called a “weak key,” which means that it causes the algorithm to “leak” information from plaintext to ciphertext. Often, these keys have patterns in them, such as all zeros, all ones, or some repeating pattern. Algorithms that use longer keys will have a larger keyspace—the universe of all possible keys. The larger the keyspace, the more computation required by an adversary to try all of them. Longer keys combined with a strong algorithm represent better security.

• The quality of the chosen algorithm is of vital importance to the effectiveness of the encryption process. The algorithm determines how encryption will be performed and, along with a key, the effectiveness of the cryptosystem. Remember that an algorithm, the length of a key, the quality of the algorithm’s implementation, and how well the key or keys are protected determine how secure a system is.

Symmetric encryption is in widespread use in various applications and services as well as techniques such as data transmission and storage. Symmetric encryption, like any other encryption technique, relies on the secrecy of and strength of the key. If the key-generation process is weak, the entire encryption process will be weak.

In symmetric encryption, the same single key is used for both the encryption and decryption processes. Therefore, the key must be distributed to all the parties who will need to perform encryption or decryption of data. Due to this requirement, it is necessary for a process to be in place to distribute the keys to all parties involved because keys cannot simply be transmitted in the same way as the encrypted data because transmitting unencrypted data could be intercepted by unauthorized parties. In symmetric encryption, additional steps are needed to protect the key because the interception of a key will allow unrestricted access to the secured information. (Remember, whoever has the key can decrypt everything encrypted with that same key.) One way to prevent the disclosure of a key to unauthorized parties is to use what is referred to as out-of-band communications. Using this technique, you provide the encryption key to an authorized recipient using some delivery method that is different from the medium you’ll use to send encrypted data. For example, you could send an email to someone in an encrypted format and then call her on the phone and tell her the key. If a large key and a strong algorithm are used with symmetric encryption, the strength of the system increases dramatically, but this strength does not amount to much if the key is accessible to unauthorized parties. An example of symmetric encryption is shown in FIGURE 3-3.

So if exchanging keys is so hard with symmetric encryption, then why is it used so frequently? The answer to that question lies in the fact that symmetric encryption algorithms are inherently faster than asymmetric algorithms of similar strength because of the nature of the computations performed. When processing even modest amounts of data, this performance advantage becomes significant. To get the best of both worlds, modern cryptography typically utilizes asymmetric encryption to establish the initial handshake, passing a symmetric encryption key from one party to another. That key is then used by both parties to encrypt and decrypt the bulk of the information using symmetric encryption.

The most widely recognized symmetric-key algorithm is DES. DES is so recognized because it was thought to be the gold standard of data encryption for years, and then it was shown that advances in hardware technology allowed DES to be cracked in just a matter of minutes (or even less). Other popular symmetric algorithms include the following:

• 3DES (aka Triple DES)—A more secure version of DES that performs the equivalent of three rounds of DES encryption. (Yes, there was a Double DES algorithm, which was quickly found to be just as easy to crack as the original DES when using a clever “meet-in-the-middle” attack.)

• Advanced Encryption Standard (AES)—The successor for DES that is far more resistant to brute-force attacks. AES is mathematically constructed to be virtually impossible to break using current technology.

• Blowfish—A highly efficient block cipher that can have a key length up to 448 bits.

• International Data Encryption Algorithm (IDEA)—Uses 64-bit input and output data blocks and features a 128-bit key.

• RC4—A stream cipher designed by Ron Rivest that is used by WEP.

• RC5—A fast block cipher designed by Ron Rivest that can use a large key size.

• RC6—A cipher derived from RC5.

• Skipjack—A symmetric algorithm of 80-bit lengths developed by the National Security Agency (NSA).

The algorithms listed here are only a small number of the symmetric algorithms available, but they represent the ones most commonly used in encryption systems. Although each one is a little different, they all share certain characteristics, such as the common single key to encrypt and decrypt and the performance benefits associated with symmetric algorithms.

To guarantee confidentiality when using symmetric algorithms, all authorized users must share a unique key. If the desire is to keep communication confidential between two specific users, each pair of users must create and share a unique key. This means the number of keys for pairs of users increases rapidly and, for n users, is represented by the sum of all the numbers from 1 to (n − 1).

This is expressed as follows:

A system of 5 users would need 10 unique keys, and a system of 100 users would need 4,950 unique keys. As the number of users increases, so does the problem of key management. With so many keys in use, the manager of keys must define and establish a reliable and secure key-management program. Key management is the process of carefully considering everything that possibly could happen to a key, from securing it on the local device to securing it on a remote device and providing protection against corruption and loss. The following responsibilities all fall under key management:

• Keys should be stored and transmitted by secure means to avoid interception by any unauthorized entity.

• Keys should be generated by a pseudorandom process (rather than letting users pick their own keys) to prevent guessing the key.

• The key’s lifetime should correspond with the sensitivity of the data it is protecting, and the authorization to use it needs to expire in a timely fashion.

• Keys should be properly destroyed when the process for which they were used has lapsed. The destruction of keys will be defined in the key-management policies of the organization and should be done so with respect to those policies.