
Introduction to cryptography, Part 2: Symmetric cryptography


Murdoch Mactaggart is a freelance writer and business consultant who writes on software development, the Internet and on business and management issues around these areas. Whether readers can make accurate sense of what he writes is a moot point but, flexible though he tries to be, he generally sticks to English rather than introducing languages of his own making. Contact him at IBMDev@TextBiz.com

Summary:  Symmetric cryptography, otherwise known as secret key cryptography, has been in use for thousands of years in forms ranging from simple substitution ciphers to more complex constructions. However, developments in mathematics and the growth of computing power have made it possible to create ciphers that are effectively unbreakable. Symmetric systems are generally very fast but have one inherent weakness: the key used to encrypt must be shared with whoever needs to decrypt the message. The IBM-developed cipher DES has been very widely used but is now at the end of its useful life and is due for replacement. Whatever cipher developers use in their applications, it's important to consider the methods used, to recognize the trade-offs that occur and to plan for a future with more powerful computer systems.

Date:  01 Mar 2001
Level:  Introductory

Introduction

Symmetric, or secret key, cryptography has been in use for thousands of years and includes any form where the same key is used both to encrypt and to decrypt the text involved. One of the simplest forms is sometimes known as the Caesar cipher -- reputedly used by Julius Caesar to conceal messages -- in which the process is simply one of shifting the alphabet so many places in one direction or another. The example given in part 1 of HAL/IBM is in exactly this form with the key being the instruction to shift one letter forwards to decrypt. In this trivial example, the decryption key is a mirror image rather than a replica of the encryption key, but that doesn't vitiate the classification as a symmetric mechanism.

A variation on this simple scheme involves using an arbitrarily ordered alphabet of the same length as the one used for the plain text message. In this case the key might be a long sequence of numbers such as 5, 19, 1, 2, 11 ... indicating that A would map to E, B to S, C to A, D to B, E to K and so on -- or it might be one of a number of more or less ingenious schemes involving letters taken from, say, sentences of particular novels.

Such systems are ludicrously weak, of course, and modern systems use sophisticated algorithms based on mathematical problems that are difficult to solve and so tend to be very strong.

Unlike the situation in asymmetric cryptography where there is a public element to the process and where the private key is almost never shared, symmetric cryptography normally requires the key to be shared and simultaneously kept secret within a restricted group. It's simply not possible for a person who views the encrypted data with a symmetric cipher to be able to do so without having access to the key used to encrypt it in the first place. If such a secret key falls into the wrong hands, then the security of the data encrypted using that key is immediately and completely compromised. Hence, what all systems in this group of secret key methods share is the problem of key management, something discussed in more detail in the feature on practical implications (to follow shortly in the series).

Reference is often made to keys of particular bit lengths, such as 56-bit or 128-bit. These lengths are those for symmetric key ciphers, while key lengths for at least the private element of asymmetric ones are considerably longer. Further, there is no correlation between the key lengths in the two groups except incidentally through the perceived level of security which a given key length might offer using a given system. However, Phil Zimmermann, originator of the extremely efficient and important software package known as Pretty Good Privacy (PGP), suggests that an 80-bit symmetric key might approximately equate in security terms at the present moment to a 1024-bit asymmetric key; to gain the security offered by a 128-bit symmetric key, one might need to use a 3000-bit asymmetric key. Others will certainly take issue with some of those comparisons as well as, no doubt, with the attempt even to make them.

Within any particular group, however, the length of the key used is generally a significant element in determining security. Further, the number of possible keys does not grow linearly with key length but doubles with each additional bit. Two to the power two is four, to the power three is eight, to the power four sixteen, and so on. Giga Group offers a homespun analogy suggesting that if a teaspoon were sufficient to hold all possible 40-bit key combinations, it would take a swimming pool to hold all 56-bit key combinations, while the volume to hold all possible 128-bit key combinations would be roughly equivalent to that of the earth. A 128-bit value, rendered in decimal, is approximately 340 followed by 36 zeros.

Symmetric key methods are considerably faster than asymmetric methods and so are the preferred mechanism for encrypting large chunks of text. A cipher such as DES (qv) will be at least 100 times faster than the asymmetric cipher RSA (discussed in the feature on asymmetric systems) in software and might be up to 10,000 times faster when implemented on specialist hardware. Secret key ciphers are most suitable for protecting data in a single-user or small group environment, typically through the use of passwords or passphrases. In practice, as mentioned elsewhere, the most satisfactory methods for dispersed or large-scale practical use tend to combine both symmetric and asymmetric systems.


Types of symmetric ciphers

Symmetric ciphers are now usually implemented using block ciphers or stream ciphers, which are discussed here. This feature also looks at what are known as Message Authentication Codes (MACs), a checksum mechanism that uses a secret key. MACs are quite different from message digests, which are used in digital signatures and discussed in the feature on asymmetric cryptography (part 3).


Block ciphers

Block ciphers convert a fixed-length block of plain text into cipher text of the same length, the transformation being under the control of the secret key. Decryption is effected using the reverse transformation and the same key. For many current block ciphers the block size is 64 bits, but this is likely to increase.

Plain text messages are typically much longer than the block size, and different techniques, known as modes of operation, are used to handle this. Examples of such modes are electronic codebook (ECB), cipher block chaining (CBC) or cipher feedback (CFB). ECB simply encrypts each block of plain text, one after another, using the same key; in CBC mode, each plain text block is XORed with the previous cipher text block before being encrypted, thus adding a level of complexity that can make certain attacks harder to mount. Output FeedBack mode (OFB) resembles CBC mode although the quantity that's XORed is generated independently. CBC is widely used, for example in DES (qv) implementations, and these various modes are discussed in depth in appropriate books on technical aspects of cryptography. Note that a common vulnerability of roll-your-own cryptosystems is to use some published algorithm in a simple form rather than in a particular mode that gives additional protection.

Iterated block ciphers are those where the process of encryption has several rounds, thus improving security. In each round, an appropriate transformation may be applied using a subkey derived from the original secret key by means of a special function. Inevitably, this additional computing requirement has an impact on the speed at which encryption can be managed, so there is a balance between security needs and speed of execution. Nothing is free, and in cryptography, as elsewhere, part of the skill in applying appropriate methods is derived from understanding the tradeoffs that need to be made and how these relate to the balance of requirements.

Block ciphers include DES, IDEA, SAFER, Blowfish, and Skipjack -- this last being the algorithm used in the US National Security Agency (NSA) Clipper chip.


Stream ciphers

Stream ciphers can be extremely fast compared with block ciphers although some block ciphers working in certain modes (such as DES in CFB or OFB) effectively operate as stream ciphers. Stream ciphers operate on small groups of bits, typically applying bitwise XOR operations to them using as a key a sequence of bits, known as a keystream. Some stream ciphers are based on what is termed a Linear Feedback Shift Register (LFSR), a mechanism for generating a sequence of binary bits.

Stream ciphers are developed out of a specialist cipher, the Vernam cipher, also known as the one-time pad. Examples of stream ciphers include RC4 and the Software Optimized Encryption Algorithm (SEAL), as well as the special case of the Vernam cipher or one-time pad.


Message authentication codes

A message authentication code (MAC) is not a cipher but a particular form of checksum, typically 32 bits, generated using a secret key in combination with a particular authentication scheme and appended to a message. In contrast to message digests, generated using a one-way hash function, and the closely-connected digital signature, generated and validated using asymmetric key pairs, the intended recipient requires access to the secret key in order to validate the code.
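The contrast drawn above, shown in working code. This is an added example and not part of the original article: it assumes HMAC-SHA256 as the "particular authentication scheme" and uses a constructed shared key, and it shows why an unkeyed digest appended to a message gives no protection against alteration while a keyed MAC does.

```python
import hashlib
import hmac

TAG_LEN = 32   # bytes; the article's "typically 32 bits" would be TAG_LEN = 4

def mac_tag(key: bytes, message: bytes, tag_len: int = TAG_LEN) -> bytes:
    """Keyed checksum over the message (HMAC-SHA256 assumed as the scheme)."""
    return hmac.new(key, message, hashlib.sha256).digest()[:tag_len]

def mac_append(key: bytes, message: bytes) -> bytes:
    """Sender: append the tag to the message."""
    return message + mac_tag(key, message)

def mac_verify(key: bytes, blob: bytes):
    """Recipient: needs the same secret key to recompute and compare the tag.
    Returns the message if the tag matches, otherwise None. The comparison is
    constant-time so timing does not reveal how many tag bytes matched."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return message if hmac.compare_digest(mac_tag(key, message), tag) else None

def digest_append(message: bytes) -> bytes:
    """Unkeyed message digest: no secret is involved, anyone can recompute it."""
    return message + hashlib.sha256(message).digest()

def digest_verify(blob: bytes):
    message, d = blob[:-32], blob[-32:]
    return message if hashlib.sha256(message).digest() == d else None

def demo():
    key = b"shared-secret-key"          # constructed; held by sender and recipient only
    msg = b"PAY 100 TO ALICE"           # constructed sample message
    # Whoever alters the text can simply recompute an unkeyed digest to match...
    altered_digest = digest_append(msg.replace(b"100", b"900"))
    # ...but cannot produce a matching MAC without the key, so an edit to the
    # message body (or to the tag) is rejected by the recipient.
    good = mac_append(key, msg)
    altered_mac = good.replace(b"100", b"900")
    return {
        "digest_accepts_altered": digest_verify(altered_digest) is not None,
        "mac_accepts_original": mac_verify(key, good) == msg,
        "mac_accepts_altered": mac_verify(key, altered_mac) is not None,
        "other_key_verifies": mac_verify(b"some-other-key", good) is not None,
    }
```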


Examples of symmetric ciphers

DES

Data Encryption Algorithm (DEA), of which the Data Encryption Standard (DES) is the formal description, derives from work done by IBM and was adopted officially by the US government in 1977. It is probably the most widely used secret key system, particularly in securing financial data, and was originally developed to be embedded in hardware. Automated Teller Machines (ATMs) typically use DES.

DES uses a 56-bit key, carried with an additional eight parity bits in 64 bits; the block size is likewise 64 bits. It's an iterated block cipher using what's known as Feistel techniques where the text block being encrypted is split into two halves. The round function is applied to one half using a subkey and that output is then XORed with the other half; the two halves are then swapped and the process continues except that the last round is not swapped. DES uses 16 rounds.
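The Feistel structure just described, and the ECB and CBC modes from the block ciphers section, as an added example that is not part of the original article. The cipher is a constructed toy with a made-up round function and key schedule, not DES and not secure; it exists to show that decryption is the same rounds with the subkeys reversed, and that ECB reveals repeated plain text blocks where CBC does not.

```python
import struct

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def subkeys(key: bytes):
    """Toy key schedule (assumed, not DES): one 32-bit subkey per round."""
    if len(key) != 8:
        raise ValueError("toy cipher expects an 8-byte key")
    k = int.from_bytes(key, "big")
    ks = []
    for r in range(ROUNDS):
        k = ((k << 7) | (k >> 57)) & ((1 << 64) - 1)      # rotate the 64-bit key
        ks.append((k ^ (0x9E3779B9 * (r + 1))) & MASK32)
    return ks

def round_function(half: int, sk: int) -> int:
    """Toy round function: keyed add, rotate, multiply-xor (not DES's f)."""
    x = (half + sk) & MASK32
    x = ((x << 5) | (x >> 27)) & MASK32
    return ((x * 0x01000193) ^ (x >> 13)) & MASK32

def feistel_block(block: bytes, ks) -> bytes:
    """One 64-bit block. Encrypt with ks in order; decrypt with ks reversed.
    Each round applies f to one half with the subkey, XORs the result into the
    other half and swaps; the final swap is undone, as the text describes."""
    left, right = struct.unpack(">II", block)
    for sk in ks:
        left, right = right, left ^ round_function(right, sk)
    return struct.pack(">II", right, left)

def xor8(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes):
    if len(data) % 8:
        raise ValueError("data must be a whole number of 8-byte blocks")
    return [data[i:i + 8] for i in range(0, len(data), 8)]

def ecb_encrypt(data: bytes, ks) -> bytes:
    """ECB: every block encrypted independently with the same key."""
    return b"".join(feistel_block(b, ks) for b in blocks(data))

def cbc_encrypt(data: bytes, ks, iv: bytes) -> bytes:
    """CBC: each plain text block is XORed with the previous cipher text block."""
    out, prev = [], iv
    for b in blocks(data):
        prev = feistel_block(xor8(b, prev), ks)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(data: bytes, ks, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(data):
        out.append(xor8(feistel_block(c, ks[::-1]), prev))
        prev = c
    return b"".join(out)

def distinct_blocks(ct: bytes) -> int:
    """Number of different cipher text blocks: with ECB, repeats in the plain
    text show up as repeats in the cipher text."""
    return len(set(blocks(ct)))
```

Encrypting four identical plain text blocks (for example b"SAMEDATA" * 4) gives one distinct cipher text block under ECB and several under CBC with a random IV.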

The main form of attack on DES is what's known as brute force or exhaustive key search, a repeated trying of keys until one fits. Given that DES uses a 56-bit key, the number of possible keys is 2^56. With the growth in power of computer systems, this makes DES far less secure than it was when first implemented, although for practical purposes of a non-critical nature, it can still be considered adequate. However, DES is now certified only for legacy systems and a new encryption standard -- Advanced Encryption Standard (AES) -- has been selected.

A common variant on DES is triple-DES, a mechanism that encrypts the material three times using a key of 168 bits; this generally (but not always) provides considerably more security. If the three 56-bit sub-keys are identical, then triple-DES is backwards compatible with DES.

For years, IBM held a patent on DES, but this expired in 1983 and the algorithm was placed in the public domain, allowing royalty-free use under certain conditions.

IDEA

The International Data Encryption Algorithm (IDEA) was developed at ETH in Zurich by two researchers, Xuejia Lai and James L. Massey, with the patent rights held by a Swiss company, Ascom Systec. IDEA is implemented as an iterative block cipher and uses 128-bit keys and eight rounds. This gives much more security than DES does, but when choosing keys for IDEA it's important to exclude what are known as "weak keys." Whereas DES has only four weak keys and 12 semi-weak keys, the number of weak keys in IDEA is considerable at 2^51. However, given that the total number of keys is substantially greater at 2^128, this still leaves 2^77 keys to choose from.

IDEA is widely available throughout the world with royalty charges, typically of around $6.00 a copy (these charges apply in some areas but not in others). IDEA is considered extremely secure. With a 128-bit key, the number of tests made in a brute force attack needs to be increased significantly compared with DES, even allowing for weak keys. Further, it's shown itself particularly resistant to specialist forms of analytical attack.

CAST

CAST is named for its designers, Carlisle Adams and Stafford Tavares of Nortel. It's a 64-bit Feistel cipher using 16 rounds and allowing key sizes up to 128 bits. A variant, CAST-256, uses a 128-bit block size and allows the use of keys of up to 256 bits.

Although CAST is fairly new, it appears to be extremely secure against attacks, both brute force and analytical. Although reasonably fast, its main benefit is security rather than speed. It is used in recent versions of PGP as well as in products from IBM, Microsoft, and elsewhere.

Entrust Technologies holds a patent on CAST but says that it can be used without royalty payments in both commercial and non-commercial applications.

The one-time pad

The one-time pad, or Vernam cipher, has the merit of being considered completely secure and so has great value in certain specialized situations, typically in war time. It uses a randomly-generated key exactly as long as the message. This is applied to the plain text, typically using bitwise XOR, to produce the encrypted text. Applying the same key and appropriate algorithm easily decrypts the message:


Simple illustration of one-time pad encryption/decryption

00101100010....11011100101011  Original plain text message
01110111010....10001011101011  Randomly generated key equal to message in length
01011011000....01010111000000  Encrypted message
01110111010....10001011101011  Key re-used to decrypt
00101100010....11011100101011  Original message restored

Although the one-time pad is completely and absolutely secure, it is often not very practical, since the key of the same length as the message needs to be transmitted in some secure way to the receiver to allow decryption. Further, the key is used only once and is then discarded, and although this clearly benefits security, it adds to the key management problems. One area where the one-time pad might currently be used is in MACs.
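The Vernam cipher in code, as an added example that is not part of the original article. It reproduces the XOR step from the illustration above on constructed sample messages (os.urandom stands in for a true random source) and shows why the key must be used only once: encrypting two messages under the same pad lets anyone who knows one message recover the other without ever seeing the key.

```python
import os

def otp_xor(key: bytes, data: bytes) -> bytes:
    """Vernam cipher: XOR the message with a key of exactly the same length.
    Encryption and decryption are the same operation."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(k ^ d for k, d in zip(key, data))

def fresh_pad(nbytes: int) -> bytes:
    """A new pad for every message; os.urandom stands in for true randomness."""
    return os.urandom(nbytes)

def bits(b: bytes) -> str:
    """Render bytes as a bit string, matching the notation of the illustration."""
    return "".join(f"{x:08b}" for x in b)

def two_time_pad_leak(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Why the pad is discarded after one use: under the same pad,
    c1 XOR c2 == p1 XOR p2, so knowing p1 reveals p2 with no key at all."""
    return otp_xor(otp_xor(c1, c2), known_p1)

def demo() -> bytes:
    p1 = b"HOLD THE LINE"              # constructed sample messages
    p2 = b"SEND SUPPLIES"
    pad = fresh_pad(len(p1))
    c1 = otp_xor(pad, p1)
    assert otp_xor(pad, c1) == p1        # the same key decrypts
    c2 = otp_xor(pad, p2)                # mistaken second use of the pad
    return two_time_pad_leak(c1, c2, p1) # recovers p2 without the pad
```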

AES

The Advanced Encryption Standard (AES) is intended to replace DES as a new, secure standard, given that DES has reached the end of its useful life. In 1997, a competition was announced by the US National Institute of Standards and Technology (NIST) and the 15 original entries were reduced to a short list of five. The eventual winner was a product submitted by Joan Daemen and Vincent Rijmen of Belgium, named Rijndael, which is currently undergoing extensive trials and evaluation.

Rijndael is technically complex and somewhat unconventional in its construction but appears to be extremely secure and versatile in that it is fast in execution, well-suited to modern requirements (such as in smart cards), and capable of being used with a range of key sizes.


Conclusion

Key length is one of a number of factors that determine the degree of security that a cipher offers. As with all security issues, the important matter is to balance risk against cost, time, money, and other elements. 56-bit keys used with, for example, DES, are certainly not secure, but then neither are the ordinary Yale locks most homeowners rely on; even mortice locks are inadequate to keep out determined intruders.

Developers need to evaluate what is needed along with development costs, speed of execution, royalty payments, and security strengths. That said, it clearly makes sense to use as strong security as possible, consistent with other factors and taking account of the expected life of the application. Faster computers mean that longer keys can be processed rapidly but also mean that short keys in legacy systems can be more easily broken.

It's also extremely important to look at the methods of applying particular algorithms, recognizing that simple applications may not be very secure. Related to this is the issue of allowing public scrutiny, something that is essential in ensuring confidence in the product. Any developer or software publisher who resists making the cryptographic elements of their application publicly available simply doesn't deserve trust and is almost certainly supplying an inferior product.


