Symmetric Encryption: Inside the Black Box (Part 2)

Share:

The Workhorse of the Internet

aes des encryption block-ciphers stream-ciphers

The Workhorse of the Internet

In Part 1, we established that Symmetric Encryption uses a single key for both locking and unlocking data. It’s fast, efficient, and handles the bulk of the world’s encrypted traffic. When you watch Netflix or browse over HTTPS, Symmetric Encryption is doing the heavy lifting.

But how does it actually work? How do we scramble data so effectively that even a supercomputer would need billions of years to crack it?

Stream Ciphers vs. Block Ciphers

Symmetric algorithms fall into two main categories:

1. Stream Ciphers (The Firehose)

Stream ciphers encrypt data bit-by-bit or byte-by-byte. They generate a pseudorandom stream of bits (keystream) and XOR it with the plaintext.

• Example: RC4 (obsolete), ChaCha20 (modern standard used by Google/Android).
• Pros: Extremely fast, low latency, great for hardware.
• Cons: Reusing a key/nonce pair is catastrophic (bit-flipping attacks).

2. Block Ciphers (The Shipping Containers)

Block ciphers break the data into fixed-size chunks (blocks), usually 64 or 128 bits. If the data isn’t long enough, it gets “padded”.

• Example: AES, DES, 3DES, Blowfish.
• The Gold Standard: AES (Advanced Encryption Standard).

---

The King: AES (Rijndael)

AES isn’t just “math”; it’s a series of transformations designed to spread confusion and diffusion. It operates on 128-bit blocks and supports key sizes of 128, 192, or 256 bits.

Inside AES, the data goes through multiple “rounds” (10, 12, or 14 rounds depending on key size). In each round, four operations occur:

1. SubBytes: A non-linear substitution step where each byte is replaced with another according to a lookup table (S-Box). This provides Confusion.
2. ShiftRows: A transposition step where the rows of the state are shifted cyclically.
3. MixColumns: A mixing operation which operates on the columns of the state, combining the four bytes in each column. This provides Diffusion.
4. AddRoundKey: The state is combined (XOR) with the round key derived from the main secret key.

---

Modes of Operation: Look Ma, No Patterns!

A common mistake is thinking the algorithm (AES) is all that matters. How you use the algorithm is just as critical. This is called the Mode of Operation.

Electronic Codebook (ECB) - The Failure

In ECB mode, identical blocks of plaintext produce identical blocks of ciphertext.

• Why it fails: If you encrypt a bitmap image of the Tux Penguin using ECB, you can still clearly see the penguin in the static features of the encrypted image. It leaks patterns.
• Verdict: NEVER USE ECB.

Cipher Block Chaining (CBC)

Each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point.

• Requirement: Needs an Initialization Vector (IV) for the first block.
• Verdict: Better, but vulnerable to Padding Oracle attacks if not implemented carefully.

Galois/Counter Mode (GCM) - The Modern Choice

GCM turns the block cipher into a stream cipher (using a counter) and adds Authentication.

• Feature: Authenticated Encryption (AEAD). It acts as both encryption (Confidentiality) and a Message Authentication Code (Integrity).
• Verdict: Standard. Use AES-GCM for verified security.

---

The Problem with Symmetric Encryption

We have a robust lock (AES-256) and a safe mode (GCM). But we have a logistical nightmare: Key Distribution.

If I want to send you a secure message, I have to give you the key first.

• If I email it, a hacker reads it.
• If I shout it, a hacker hears it.

How do two people who have never met agree on a secret key over an insecure channel?

This is the problem that Asymmetric Encryption solves, and that is where we will head in Part 3.

Discussion