Symmetric cryptography


Cryptography with symmetric algorithms uses the same key to encrypt and decrypt; this key is usually called "secret" (as opposed to "private") because the whole security of the scheme relies directly on the fact that only the sender and the receiver know it. Symmetric cryptography is widely used and is characterized by fast implementations (allowing on-the-fly encryption) in software (Krypto Zone, firewalls like Firewall-1 and VPN-1 from Checkpoint) as well as in hardware (8- or 32-bit crypto-processors, hardwired algorithms...), which greatly improve throughput and allow its massive use.

This kind of cryptography usually works in one of 2 different ways, i.e. block ciphering or stream ciphering, and under 4 different modes: Electronic CodeBook (ECB), Cipher Block Chaining (CBC), Cipher FeedBack (CFB) or Output FeedBack (OFB).

To understand stream ciphering, think for example of videos encoded in the RealVideo format, widely known on the internet: one watches the pictures as soon as they reach the computer, without having to wait for the whole file to be received. The same principle applies to stream ciphers: encryption is performed bit by bit, without waiting for the complete reception of the data to be encrypted. The result is a very light encryption that doesn't ensure high confidentiality; indeed, the number of possibilities offered by a single bit is very limited, and that reduces the overall efficiency of the algorithm. If the algorithm took the previous or following bits into account, the number of possibilities would be ten times greater, as we will see in the study of the 4 modes.
Another technique consists of applying a logical XOR, that is to say performing an exclusive OR between the message and another predefined message. Of course, it requires both sides to know this predefined message, thus increasing the overall complexity of the scheme. Stream ciphers are not used much in today's applications (as we will see, block ciphers can even perform a kind of stream ciphering now).

Block ciphering is much more widely used and allows better security. Its algorithms are also well known (DES, AES, Skipjack...); their name comes from the fact that they operate on blocks of data instead of single bits (cf. stream ciphers). Those blocks are usually 64 bits long, but this depends entirely on the selected algorithm and on its implementation. In the same way, the size of the key can vary depending on the algorithm and the required level of security. Thus, a 40-bit encryption (i.e. one that uses a key size of 40 bits) is said to be weak because it is easily breakable. A 56-bit encryption (which is the standard for DES) is average: it can be broken, but doing so requires enough resources that the attack has to be worthwhile (with regard to the time needed and the value of the data). Finally, a 128-bit encryption (standard value for AES, aka Rijndael) is quite strong today.
On this subject, recall Moore's law about processing power, which predicts that figures will double every 18 months. Without going into details, one must know that breaking ciphers essentially requires processing power and RAM. So the general evolution is very fast, and it is difficult to talk about absolute security, especially when dealing with symmetric cryptography.


The 4 modes introduced above are more or less independent of the algorithms. However, not all algorithms support them. For a better understanding, let's look at those modes more closely. To make things easier to follow, we will use the following notation:


where K stands for the key used by the algorithm, E for the encryption process, M (or m, mi) for the clear text (that is to say a block of it) and C (or c, ci) for the resulting cipher text.


- The mode called Electronic CodeBook (ECB) is the simplest mode and applies to block ciphers. It consists of encrypting each block normally, independently of the others; this allows encrypting in a random order (databases, etc.), but on the other hand this mode is particularly vulnerable to many attacks. For instance, it is possible to build the list of all possible cipher texts for a specified block length (i.e. to make codebooks) and then, after performing a statistical analysis, to reconstruct the original message without having to attack the key directly (brute force or otherwise).


- The Cipher Block Chaining (CBC) mode can also be used by block ciphers. It is, by the way, the most usual mode. It introduces additional complexity in the encryption process by creating a dependency among successive blocks; in other words, the encryption of a block is, in one way or another, tied to the previous blocks/cipher texts. The basic scheme is the following:


The initial message M is divided into n blocks according to the specifications of the algorithm (for example into 64-bit blocks). Each block yields the corresponding cipher text (ci), computed with the same algorithm E using the key K. As explained above, the CBC mode introduces a dependency between 2 rounds: the cipher text obtained at rank i-1 is used to compute the cipher text at rank i. Concretely, a XOR is performed between the cipher text i-1 and the message block mi.
One may wonder what happens in the first round, when there is no previous cipher text to perform a XOR with. The answer is that one uses a predefined default value called the initialization vector (IV), which can lead to serious leaks if it is badly designed and thus compromise the integrity of the whole scheme in spite of some strong components (algorithm, key, ...).
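The ECB and CBC behaviour described above, as an added example that is not part of the original page. It assumes a toy 64-bit Feistel cipher in place of E (not a real algorithm, not secure) and a constructed key, IV and message; it shows that ECB repeats cipher text blocks when the clear text repeats, that CBC chaining hides the repetition, and that a fixed IV still makes identical messages encrypt identically.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in the text's example

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function: keyed hash cut to half a block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def E(key, block):
    """Toy 4-round Feistel cipher standing in for E_K (illustrative, not secure).
    A Feistel network is a permutation: distinct blocks give distinct outputs."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("whole blocks only; padding is left out of this example")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    return b"".join(E(key, m) for m in blocks(msg))  # c_i = E_K(m_i)

def cbc_encrypt(key, iv, msg):
    if len(iv) != BLOCK:
        raise ValueError("the IV must be exactly one block long")
    out, prev = [], iv
    for m in blocks(msg):
        prev = E(key, xor(m, prev))  # c_i = E_K(m_i XOR c_{i-1}), with c_0 = IV
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct):
    """Count ciphertext blocks that duplicate an earlier block."""
    return len(blocks(ct)) - len(set(blocks(ct)))

# Constructed sample input: three identical plaintext blocks, then a different one.
KEY, IV = b"constructed-key", bytes(range(8))
MSG = b"PAY 1000" * 3 + b"TO ALICE"
print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, MSG)))
print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, MSG)))
print("same IV, same message, same ciphertext:",
      cbc_encrypt(KEY, IV, MSG) == cbc_encrypt(KEY, IV, MSG))
print("different IV changes the first block:",
      cbc_encrypt(KEY, bytes(8), MSG)[:8] != cbc_encrypt(KEY, IV, MSG)[:8])
```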


- The Cipher FeedBack (CFB) mode is designed to widen the use of block ciphers in such a way that, in the extreme case, their behaviour can be seen as that of stream ciphers. Actually, starting from a block cipher that accepts blocks of n bits, the CFB mode allows the encryption of blocks having a length from 1 to n bits! However, in the last case, it would be more economical in computations to use a stream cipher directly. And in the case where the blocks have the normal length of n bits (the block length of the original algorithm), the scheme is a little bit like that of CBC, with some variations:




- The Output FeedBack (OFB) mode is a variation of the previously seen CFB mode; it is sometimes called internal feedback. It shows many security problems and is usually not used (the only case where it can be used is when its block length is the same as that of the algorithm).
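The CFB and OFB feedback paths, as an added example that is not part of the original page. It assumes a keyed hash cut to 64 bits in place of E (both modes only ever run the cipher in the encrypt direction), segment sizes in whole bytes rather than bits, and a constructed key, IV and message; the call counter shows how the cost grows as the CFB segment shrinks.

```python
import hashlib

N = 8  # block length of the underlying cipher, in bytes (64 bits)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # zip stops at the shorter input

class Cipher:
    """Stand-in for E_K (assumption): keyed hash cut to one block; counts calls."""
    def __init__(self, key):
        self.key, self.calls = key, 0

    def E(self, block):
        self.calls += 1
        return hashlib.sha256(self.key + block).digest()[:N]

def cfb(cipher, iv, data, s, decrypt=False):
    """CFB with s-byte segments (1 <= s <= N): the register is fed ciphertext."""
    if not 1 <= s <= N or len(iv) != N:
        raise ValueError("need 1 <= s <= N and an IV of exactly N bytes")
    reg, out = iv, b""
    for i in range(0, len(data), s):
        seg = data[i:i + s]
        res = xor(seg, cipher.E(reg))   # only the first len(seg) output bytes are used
        fed = seg if decrypt else res   # in both directions: the ciphertext segment
        reg = (reg + fed)[-N:]          # shift the register left by one segment
        out += res
    return out

def ofb(cipher, iv, data):
    """OFB with full-block feedback: the register is fed the cipher's own output."""
    reg, out = iv, b""
    for i in range(0, len(data), N):
        reg = cipher.E(reg)             # internal feedback: the message never enters
        out += xor(data[i:i + N], reg)
    return out

def cfb_cost(key, iv, msg, s):
    """Return (ciphertext, number of E_K calls) for segment size s."""
    c = Cipher(key)
    return cfb(c, iv, msg, s), c.calls

# Constructed sample input: 17 bytes, deliberately not a multiple of the block size.
KEY, IV, MSG = b"constructed-key", bytes(range(8)), b"meter reading: 42"
for s in (1, 4, 8):
    print(f"CFB, {s}-byte segments: {cfb_cost(KEY, IV, MSG, s)[1]} cipher calls")
```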


 