• Vaultree

Encrypted Data In The Cloud – The Future (2/4)

The Second Wave - Symmetric Encryption

Symmetric encryption, also referred to as conventional encryption, relies on a single secret key for encryption. It has five ingredients: plaintext, encryption algorithm, secret key, ciphertext, and decryption algorithm. Encryption is computationally secure if the cost of breaking the cipher exceeds the value of the information. It is usually difficult to estimate the amount of effort required to break a cipher, but we can estimate the time/cost of a brute-force attack.


An example of a symmetric encryption algorithm is the Data Encryption Standard (DES). It is a minor variation on a Feistel network. It was adopted in 1976 with a block size of 64 bits and a key length of 56 bits (any 56-bit string can be a DES key). The symmetric block cipher consists of a sequence of rounds with substitutions and permutations controlled by keys. It has not been considered secure for quite some time.


In 1997, the National Institute of Standards and Technology (NIST) requested proposals for a new Advanced Encryption Standard (AES), a block cipher, to replace DES. NIST required that the algorithm be (1) a symmetric key cryptosystem, (2) a block cipher, and (3) capable of supporting a block size of 128 bits. It is also capable of supporting key lengths of 192 and 256 bits and is available on a worldwide, non-exclusive and royalty-free basis.


After eight months of analysis and public comment, NIST eliminated DEAL, Frog, HPC, Loki97, and Magenta, as they had major security flaws and were among the slowest algorithms submitted. Crypton, DFC, E2, and SAFER+, along with CAST-256, had minor security flaws combined with unimpressive characteristics on the other evaluation criteria. Five candidates, MARS, RC6, Rijndael, Serpent, and Twofish, advanced to the second round, and the Rijndael algorithm was finally the winner due to its adequate security margin, fast encryption, decryption, and key setup speeds, as well as low RAM and ROM requirements. Rijndael is a symmetric key block cipher with block sizes of 128, 192, or 256 bits (key lengths are 128, 192, or 256 bits). It performs several rounds of operations to transform each block of plaintext into a block of ciphertext. The actual number of rounds depends on the block size and the length of the key: nine regular rounds if both the block and key are 128 bits, eleven regular rounds if either the block or key is 192 bits, and thirteen regular rounds if either the block or key is 256 bits. There is one slightly different final round performed after the regular rounds.


There are also stream ciphers. Considerations for stream ciphers include the following:

  1. The encryption sequence should have a large period. A pseudorandom number generator uses a function that produces a deterministic stream of bits that eventually repeats. The longer the period, the more difficult cryptanalysis will be.

  2. The keystream should approximate the properties of a true random number stream as closely as possible. For example, there should be an approximately equal number of 1s and 0s. If the keystream is treated as a stream of bytes, then all of the 256 possible byte values should appear approximately equally often, i.e. confusion/diffusion (by Shannon).

  3. With a properly designed pseudorandom number generator, a stream cipher can be as secure as a block cipher of comparable key length. The primary advantage of stream ciphers is that they are almost always faster and use far less code than block ciphers.

  4. The advantage of a block cipher is that you can reuse keys. However, if two plaintexts are encrypted with the same key using a stream cipher, then cryptanalysis is often quite simple. If the two ciphertext streams are XORed together, the result is the XOR of the original plaintexts. If the plaintexts are text strings, credit card numbers, or other byte streams with known properties, then cryptanalysis may be successful.
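The keystream-reuse problem from point 4, as an added example that is not part of the original article. It assumes a toy keystream generator built from SHA-256 (for illustration only, not a vetted cipher), a hypothetical NonceGuard helper, and constructed sample plaintexts.

```python
import hashlib

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy generator for illustration only: SHA-256(key || nonce || counter).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Stream cipher: ciphertext = plaintext XOR keystream (decryption is identical).
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

class NonceGuard:
    """Hypothetical helper: refuses to encrypt twice with the same nonce under one key."""
    def __init__(self, key: bytes):
        self.key = key
        self.used = set()

    def encrypt(self, nonce: bytes, plaintext: bytes) -> bytes:
        if nonce in self.used:
            raise ValueError("nonce reuse: keystream would repeat")
        self.used.add(nonce)
        return encrypt(self.key, nonce, plaintext)

# Constructed sample data (not a real key or real card numbers).
KEY = bytes(range(32))
P1 = b"card=4111111111111111"
P2 = b"card=5500005555555559"

def reuse_leak():
    # Same key and nonce for both messages: the keystream cancels out.
    nonce = bytes(12)
    c1, c2 = encrypt(KEY, nonce, P1), encrypt(KEY, nonce, P2)
    leaked = xor(c1, c2)
    return leaked == xor(P1, P2), xor(leaked, P1)  # knowing P1 reveals P2

def fresh_nonces():
    # Per-message counter as nonce: keystreams differ, so nothing cancels.
    guard = NonceGuard(KEY)
    c1 = guard.encrypt((1).to_bytes(12, "big"), P1)
    c2 = guard.encrypt((2).to_bytes(12, "big"), P2)
    return xor(c1, c2) == xor(P1, P2)
```

With a repeated nonce the XOR of the two ciphertexts equals the XOR of the plaintexts and the key never enters the picture; with a unique nonce per message that relation no longer holds.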

These algorithms transform plaintext into ciphertext, but alone, without a proper framework, they are not sufficient for security, especially when it comes to data residing on third-party servers in the cloud.


Up next: The Third Wave - Public Key Cryptography