Symmetric key encryption (also known as secret key encryption, pre-shared key or private key encryption) uses only one key to encrypt and decrypt data.
- Symmetric key encryption is a form of cryptography that provides confidentiality with a weak form of authentication or integrity.
- Symmetric encryption is well suited for bulk encryption of less sensitive data because it is less CPU-intensive than other encryption methods.
- Before communications begin, both parties must exchange the shared secret key using a secure channel. This is often done manually or with some form of asymmetric key cryptography.
- Each pair of communicating entities requires a unique shared key. This means that the number of keys required grows exponentially as the number of communication partners grows. For example, 1,000 users in a system would require the generation of almost 500,000 different keys.
- The key space is typically short, ranging from 56 bits to a maximum of 512 bits. (As the number of bits in the key increases, so does the strength of the encryption. However, the greater the number of bits in the key, the more CPU resources are required to perform the encryption.)
- Symmetric encryption uses two algorithm types:
  - Block: Block ciphers encrypt by transposing plaintext to cipher text in chunks (block-by-block). Block ciphers:
    - Are fast.
    - Can process large amounts of data. They do not process small amounts of data well.
    - Are typically implemented in software.
  - Stream: Stream ciphers use a sequence of bits known as a keystream, which is the key used for encryption. The encryption is performed on each bit within the stream in real time. Stream ciphers:
    - Are best used for small amounts of data, usually less than 64 bits.
    - Are slower than symmetric key block ciphers.
    - Are best implemented in hardware because the data size makes it infeasible to have enough RAM or CPU cycles to process the data.
Common symmetric cryptography methods include:
- Rivest Cipher (RC)
- International Data Encryption Algorithm (IDEA)
- Carlisle Adams Stafford Tavares (CAST)
- Data Encryption Standard (DES)
- Triple DES (3DES)
- Advanced Encryption Standard (AES)
Be aware of the following:
- DES was one of the first symmetric encryption methods and is now obsolete (known weaknesses can be used to break the encryption).
- 3DES improves upon DES by applying the encryption three times. It is an acceptable alternative to DES.
- AES is stronger and faster than 3DES when implemented with a large key size (256 bits).
- Blowfish and Twofish were alternatives to DES, but AES was the one selected to replace DES.
Hashed Keyed Message Authentication Code (HMAC) embeds a symmetric key into a message before the message is hashed. When the message is received, the recipient's symmetric key is added back into the message before hashing the message. If the hash values match, message integrity is proven. HMAC:
- Can use any hashing function, although more secure hashing functions are preferable, including SHA-1, MD5, and RIPEMD.
- Is suitable any time a sender and receiver wish to guarantee message integrity between them.
- Cannot be used for non-repudiation, because both sender and receiver can correctly generate the same HMAC output.
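
The HMAC check described above, as an added example that is not part of the original page. It assumes SHA-256 as the hash (the page does not list it) and uses a constructed key and message; `hmac_sha256_manual` follows the RFC 2104 construction to show how the key is mixed in, and the final check shows why a shared key rules out non-repudiation.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes input in 64-byte blocks


def hmac_sha256_manual(key: bytes, message: bytes) -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || message))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()  # over-long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")    # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def tag(key: bytes, message: bytes) -> bytes:
    """Sender side: compute the tag that travels with the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Receiver side: recompute with the shared key, compare in constant time."""
    return hmac.compare_digest(tag(key, message), received_tag)


# Constructed sample values, for illustration only.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
MESSAGE = b"transfer 100 to account 42"
NEVER_SENT = b"transfer 9999 to account 42"

if __name__ == "__main__":
    sent_tag = tag(SHARED_KEY, MESSAGE)
    print("manual == library :", hmac_sha256_manual(SHARED_KEY, MESSAGE) == sent_tag)
    print("intact message    :", verify(SHARED_KEY, MESSAGE, sent_tag))
    print("tampered message  :", verify(SHARED_KEY, MESSAGE + b"0", sent_tag))
    print("wrong key         :", verify(b"some-other-key", MESSAGE, sent_tag))
    # The receiver holds the same key, so it can mint a valid tag for a
    # message the sender never wrote; a valid tag does not prove authorship.
    receiver_tag = tag(SHARED_KEY, NEVER_SENT)
    print("receiver-made tag :", verify(SHARED_KEY, NEVER_SENT, receiver_tag))
```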