# Symmetric Encryption

As mentioned, symmetric encryption uses the same key for both encryption and decryption. Symmetric algorithms can encrypt large amounts of data in little time because they use a single key and are much simpler than asymmetric encryption algorithms. (See Figure 1-1.)

Note Symmetric encryption is often referred to as bulk encryption because of the speed at which it encrypts large amounts of plaintext data.

Figure 1-1 The symmetric encryption process (figure: plain text is encrypted with the symmetric key into cipher text, and the cipher text is decrypted with the same symmetric key back into plain text)

When data is encrypted with a symmetric algorithm, the data sender generates a random symmetric key. The length of the key, expressed in bits, is determined by the algorithm and by the application that uses it.

Once the symmetric key is generated, the key is used to encrypt the plaintext data into an encrypted state, referred to as ciphertext. The ciphertext is then sent or made available to the data recipient.

Note The symmetric key must be securely transmitted to the recipient before the recipient can decrypt the ciphertext. The transmission of the symmetric key is the biggest security risk when using symmetric encryption algorithms. If the symmetric key is intercepted, attackers can decrypt all data.

When a recipient receives the encrypted ciphertext and the symmetric key, he or she can use the symmetric key to decrypt the data back into its original plaintext format.

### Symmetric Algorithms

Many of the most commonly used encryption algorithms are symmetric because of their ability to encrypt large amounts of data in little time. Symmetric algorithms used by PKI-enabled applications include:

Note This is not an exhaustive list of symmetric encryption algorithms.

■ Data Encryption Standard (DES). An encryption algorithm that encrypts data with a 56-bit, randomly generated symmetric key.

■ Data Encryption Standard XORed (DESX). DESX is a stronger variation of the DES encryption algorithm. Rather than encrypting the plaintext directly, the plaintext is processed through an Exclusive Or (XOR) function with 64 bits of additional key material before the resulting data is encrypted with the DES algorithm. The output of the DES algorithm is also XORed with another 64 bits of key material. This helps protect the data against brute-force key search attacks that exploit the relatively short 56-bit DES key.

■ Rivest's Cipher version 2 (RC2) (40 bit). A variable key-size block cipher with an initial block size of 64 bits that uses an additional string of 40 bits called a salt. The salt is appended to the encryption key, and this lengthened key is used to encrypt the message.

■ RC2 (128 bit). A variation on the RC2 (40-bit) cipher, where the salt length is increased to 88 bits.

■ RC4. A variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation and is commonly used for the encryption of traffic to and from secure Web sites using the SSL protocol.

■ Triple DES (3DES). A variation on the DES encryption algorithm in which DES encryption is applied three times to the plaintext. The plaintext is encrypted with key A, decrypted with key B, and encrypted again with key C. A common form of 3DES uses only two keys: the plaintext is encrypted with key A, decrypted with key B, and encrypted again with key A.

■ Advanced Encryption Standard (AES). Developed as a successor to DES. Rather than a 56-bit key, AES can use 128-bit, 192-bit, or 256-bit keys.

Note AES was developed in response to a call for proposals by the National Institute of Standards and Technology (NIST) for encryption of unclassified data. Several algorithms were proposed, and the algorithm ultimately selected was the Rijndael algorithm. More information on AES is provided in the "Additional Information" section at the end of this chapter.