Symmetric encryption algorithms use the same secret key for both encryption and decryption. This means that the sender and the recipient of an encrypted message need to share a copy of the secret key via a secure channel before starting to send encrypted data. Symmetric encryption algorithms come in two different varieties: block and stream ciphers.
A block cipher encrypts data in fixed-size chunks. For example, the Advanced Encryption Standard (AES) uses a block length of 128 bits.
If the plaintext is shorter than the block length, then it is padded out to the desired length before encryption. At the other end, the recipient of the message will decrypt it and then remove the padding to restore the original message.
If a plaintext is longer than the block length, then it is broken up into multiple different chunks for encryption. A block cipher mode of operation defines how these chunks are related to one another.
Each mode of operation has its pros and cons. For example, Electronic Code Book (ECB) mode is the simplest mode of operation. With ECB, each block is encrypted completely independently.
The downside of this is that blocks with the same plaintext produce the same ciphertext. The image above is a picture of the Linux penguin. While this data is encrypted, the ciphertexts for a pixel of a certain color (black, white, etc.) are the same throughout the image, so the penguin is still visible.
Other modes of operation eliminate this issue by interrelating the encryption of each block. Some modes also provide additional features: Galois/Counter Mode (GCM), for example, generates a message authentication code (MAC) that verifies that data has not been modified in transit.
The most famous block cipher is the Advanced Encryption Standard (AES). This encryption algorithm was selected as the result of a contest run by the National Institute of Standards and Technology (NIST) to replace the aging Data Encryption Standard (DES).
AES is a family of three different algorithms designed to use a 128-, 192-, or 256-bit encryption key. These algorithms are broken into a key schedule and an encryption algorithm.
The encryption algorithm of AES is largely the same for all three versions. It is divided into rounds, which are composed of a set of mathematical operations. The main difference between the different AES versions is the number of rounds used: 10, 12, and 14, respectively.
Each round of AES uses a unique round key that is derived from the original secret key. Deriving these round keys is the job of the key schedule. Each AES version’s key schedule is different because they take different-length secret keys and produce different numbers of 128-bit round keys.
The other type of symmetric encryption algorithm is a stream cipher. Unlike a block cipher, a stream cipher encrypts a plaintext one bit at a time.
A stream cipher is designed based on the only completely unbreakable encryption algorithm: the one-time pad (OTP). The OTP takes a random secret key the same length as the plaintext and exclusive-ors (XORs) each bit of the plaintext and key together to produce the ciphertext as shown in the image above.
Decryption with an OTP is the same as encryption. This is because anything XORed with itself is zero and anything XORed with zero is itself. With a plaintext P, ciphertext C, and key K:
C XOR K = (P XOR K) XOR K = P XOR (K XOR K) = P XOR 0 = P
While it has great security, the OTP is rarely used because it is impractical to securely share the massive amounts of key material that it needs to work. A stream cipher uses the same idea as the OTP with a slightly less secure key.
Instead of a fully random key, a stream cipher uses a secret key to feed a pseudo-random number generator. By sharing the same secret key and algorithm, the sender and recipient of a message can crank out the same string of bits, enabling them to encrypt and decrypt a message.
RC4 is an example of a widely-used stream cipher. It was created by Ron Rivest in 1987 and was originally a trade secret of RSA Security. In 1994, the details of the cipher were leaked, making it publicly usable.
RC4 is used in a variety of different applications, including the WEP and WPA encryption standards for Wi-Fi. The cipher has some known vulnerabilities, especially for certain applications, but can still be used if some of the initial bytes of the generated keystream are discarded.