Secret-Key (Symmetric) algorithms in cryptography
What is Symmetric Encryption?
A secret key algorithm (sometimes called a symmetric algorithm) is a cryptographic algorithm that uses the same key to encrypt and decrypt data.
Types of Symmetric Encryption
- Block algorithms - Set lengths of bits are encrypted in blocks of electronic data with the use of a specific secret key. As the data is being encrypted, the system holds the data in its memory as it waits for complete blocks.
- Stream algorithms - Data is encrypted as it streams instead of being retained in the system’s memory.
Examples of symmetric encryption algorithms include
AES (Advanced Encryption Standard)
DES (Data Encryption Standard)
IDEA (International Data Encryption Algorithm)
Blowfish (Drop-in replacement for DES or IDEA)
RC4 (Rivest Cipher 4)
RC5 (Rivest Cipher 5)
RC6 (Rivest Cipher 6)
What is Symmetric Encryption Used For?
While symmetric encryption is an older method of encryption, it is faster and more efficient than asymmetric encryption, which takes a toll on networks due to performance issues with data size and heavy CPU use. Due to the better performance and faster speed of symmetric encryption (compared to asymmetric), symmetric cryptography is typically used for bulk encryption / encrypting large amounts of data, e.g. for database encryption. In the case of a database, the secret key might only be available to the database itself to encrypt or decrypt.
Some examples of where symmetric cryptography is used are:
Payment applications, such as card transactions where PII needs to be protected to prevent identity theft or fraudulent charges.
Validations to confirm that the sender of a message is who he claims to be.
Random number generation or hashing.
Key management for symmetric encryption — what we need to consider
Key Exhaustion
Symmetric Encryption suffers from behavior where every use of a key ‘leaks’ some information that can potentially be used by an attacker to reconstruct the key. The defenses against this behavior include using a key hierarchy to ensure that master or key-encryption keys are not over-used and the appropriate rotation of keys that do encrypt volumes of data. To be tractable, both these solutions require competent key-management strategies as if (for example) a retired encryption key cannot be recovered the data is potentially lost.
Attribution data
Unlike asymmetric (public-key) Certificates, symmetric keys do not have embedded metadata to record information such as expiry date or an Access Control List to indicate the use the key may be put to — to Encrypt but not Decrypt for example.
The latter issue is somewhat addressed by standards such as ANSI X9–31 where a key can be bound to information prescribing its usage. But for full control over what a key can be used for and when it can be used, a key-management system is required.
Key Management at large scale
Where only a few keys are involved in a scheme (tens to low hundreds), the management overhead is modest and can be handled through manual, human activity. However, with a large estate, tracking the expiration and arranging rotation of keys quickly becomes impractical.
Consider an EMV payment card deployment: millions of cards multiplied by several keys-per-card requires a dedicated provision and key-management system.