Symmetric-Key Cryptography
Every time you load a page over https://, log into a host over SSH, or unlock an encrypted disk, a symmetric cipher is doing the heavy lifting. Understanding how symmetric encryption works, and why several generations of designs failed before modern standards emerged, is essential background for every systems-security engineer.
What cryptography is (and is not)
Cryptography (Greek: krypto = hide) is the study of techniques for securing communication over insecure channels. The most basic problem it solves is confidentiality: keeping eavesdroppers from reading your message. But cryptography also helps with:
| Goal | Meaning |
|---|---|
| Confidentiality | Obscure the message from eavesdroppers |
| Integrity | Assure the recipient the message was not altered in transit |
| Authenticity | Verify the identity of the message's source |
| Non-repudiation | Prevent the sender from later denying having sent the message, i.e. let a third party be convinced of its origin |
One important caution: cryptography is a branch of mathematics, but security is math plus engineering, hardware, software, and people. Attackers hunt the weakest link, and in practice that is almost never the mathematics. The 2014 Heartbleed vulnerability did not break AES; it exploited a missing bounds check in OpenSSL's handler for the TLS heartbeat extension, which let a client read up to 64 KB of server memory per request, private keys included. The lesson: perfectly sound math can be defeated by an implementation mistake in the code around it.
Core terminology
- Plaintext: the original message to be protected.
- Ciphertext: the disguised, encrypted form of the message.
- Key: the secret value that selects one particular transformation out of the many the algorithm can perform.
- Keyspace: the total number of distinct possible keys for an algorithm.
- Cryptosystem: the combination of algorithm, key, and key-management functions used together.
Kerckhoffs's principle
Stated in Auguste Kerckhoffs's 1883 essay La Cryptographie militaire:
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
Why does this matter? Assume the enemy will learn the algorithm: they can capture machines, read patents, or simply reverse-engineer the software. If security relied on keeping the algorithm hidden, every compromise would force you to design, implement and redeploy a new algorithm. By making the algorithm public and concentrating all secrecy in the key, you only ever need to rotate a short secret. Public algorithms also get public scrutiny, which is how weaknesses get found before attackers exploit them. This is why AES, RSA, and every other production cipher is fully published.
The symmetric encryption model
In symmetric (also called secret-key or private-key) encryption, the same key K is used to both encrypt and decrypt:
Ciphertext = E(K, Plaintext)
Plaintext = D(K, Ciphertext)
Formally, the scheme consists of three polynomial-time algorithms (Gen, Enc, Dec):
- Gen(1^n): generates a key k for security parameter n (for example, a uniformly random n-bit string).
- Enc_k(m): encrypts message m under key k to produce ciphertext c.
- Dec_k(c): recovers plaintext m from ciphertext c using k, so that Dec_k(Enc_k(m)) = m.
Desired properties: (1) Kerckhoffs's principle, security depends only on K; (2) without K it must be computationally infeasible to recover the plaintext (or K) from the ciphertext; (3) E and D are fast to compute. Every cryptosystem before the mid-1970s was symmetric; asymmetric systems, which use different keys for encryption and decryption, came later.
Classical ciphers and why they fail
Caesar cipher: too small a keyspace
Julius Caesar shifted each letter of the alphabet a fixed distance, wrapping around at Z. With a shift of 3, ATTACK becomes DWWDFN. There are only 25 useful shifts (a shift of 26 is the identity), so an attacker simply tries them all, by hand if necessary. A big keyspace is necessary for security; it is not sufficient.
Substitution cipher: vulnerable to frequency analysis
Generalizing Caesar: map each letter to an arbitrary other letter. The key is the full mapping (a→J, b→L, c→B, ...). The keyspace grows to 26! ≈ 4 × 10^26; if every person on Earth tried one key per second, exhaustive search would take well over a billion years.
Yet the cipher is not secure. It is monoalphabetic: the same plaintext letter always maps to the same ciphertext letter, so it preserves the statistical structure of English. The letter e is the most common in English (about 13% of letters); whatever ciphertext symbol appears most frequently is almost certainly the encryption of e. By exploiting letter-frequency tables and n-gram frequencies (common bigrams like TH and HE, common trigrams like THE and AND), an attacker can crack a substitution ciphertext in minutes, and the longer the message, the sharper the statistics and the easier the job. A large keyspace is necessary but not sufficient: the cipher must also hide the statistical properties of the plaintext.
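To make both failure modes concrete, here is an added example (not part of the original notes) in Python. It exhausts the Caesar keyspace automatically by scoring every candidate decryption against standard English letter frequencies with a chi-squared statistic, and it shows how a monoalphabetic substitution leaks the image of the most common letter. The sample paragraph and the substitution key are constructed for the demonstration.

```python
from collections import Counter
import string

# Reference letter frequencies of English text, in percent (standard published values).
ENGLISH_FREQ = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.15, 'k': 0.77, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.095, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 0.98, 'w': 2.4, 'x': 0.15, 'y': 2.0, 'z': 0.074,
}

def caesar(text, shift):
    """Shift every letter by `shift` places (mod 26); non-letters pass through.
    Decrypt by passing the negative shift."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return ''.join(out)

def chi_squared(text):
    """Distance between the letter distribution of `text` and English.
    Lower is more English-like; a wrong Caesar shift scores far worse than the right one."""
    letters = [c for c in text.lower() if c in ENGLISH_FREQ]
    n = len(letters)
    if n == 0:
        return float('inf')
    counts = Counter(letters)
    return sum((counts[c] - n * p / 100) ** 2 / (n * p / 100) for c, p in ENGLISH_FREQ.items())

def break_caesar(ciphertext):
    """Exhaust the whole keyspace (26 shifts) and keep the shift whose decryption looks most like English."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))

def substitution_encrypt(text, key):
    """Monoalphabetic substitution. `key` is a 26-letter permutation: key[i] is the image of the i-th letter."""
    table = str.maketrans(string.ascii_lowercase + string.ascii_uppercase, key.lower() + key.upper())
    return text.translate(table)

def frequency_ranking(ciphertext):
    """Ciphertext letters from most to least frequent. Because the mapping is fixed,
    the top symbol is almost always the image of 'e', followed by the images of t, a, o, i, n."""
    counts = Counter(c for c in ciphertext.lower() if c.isalpha())
    return [c for c, _ in counts.most_common()]

def ngram_ranking(ciphertext, n, top=5):
    """Most common letter n-grams (spaces stripped); compare against TH/HE/IN and THE/AND."""
    letters = ''.join(c for c in ciphertext.lower() if c.isalpha())
    grams = Counter(letters[i:i + n] for i in range(len(letters) - n + 1))
    return [g for g, _ in grams.most_common(top)]

# Constructed sample plaintext (not from the original notes).
SAMPLE = ("Meet me near the entrance to the theatre before the evening performance begins. "
          "We need to settle the remaining expenses and agree the schedule for the week, "
          "then leave the letters with the keeper of the gate where nobody else will see them.")

# Constructed substitution key: a -> q, b -> w, c -> e, d -> r, e -> t, ...
SUB_KEY = "qwertyuiopasdfghjklzxcvbnm"

if __name__ == "__main__":
    ct = caesar(SAMPLE, 3)
    print("Caesar shift recovered:", break_caesar(ct))
    ct2 = substitution_encrypt(SAMPLE, SUB_KEY)
    print("Most frequent ciphertext letter:", frequency_ranking(ct2)[0], "(image of e is", SUB_KEY[4] + ")")
    print("Top ciphertext trigrams:", ngram_ranking(ct2, 3))
```

The chi-squared score is what turns "try all shifts by hand" into an automatic attack: for a few hundred letters the correct shift is the only one that scores anywhere near English. For the substitution cipher the same statistics give the first letters of the key for free, and bigram and trigram rankings (TH, HE, THE, AND) supply the rest.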
Transposition (permutation) cipher
Rather than replacing letters, a transposition cipher rearranges them. Example: write the message across the rows of a grid, then read it out in a counter-clockwise spiral. The letters themselves are unchanged; only their order is scrambled. Transposition alone also fails, for the mirror-image reason: the ciphertext has exactly the letter frequencies of English (which immediately identifies the cipher type), and the attacker's job reduces to finding the permutation, guided by which rearrangements produce common bigrams and words.
Toward modern ciphers: confusion and diffusion
Claude Shannon, in a 1945 Bell Labs report published in 1949 as "Communication Theory of Secrecy Systems", identified two properties a strong cipher needs:
- Confusion: make the relationship between the key and the ciphertext as complex as possible (achieved by substitution).
- Diffusion: spread the influence of each plaintext bit over many ciphertext bits, so that the plaintext's statistics are dissipated across the ciphertext (achieved by transposition/permutation).
Applying substitution and then transposition, and iterating that pair over several rounds (a product cipher), produces a far stronger cipher than either technique alone: the confusion layer hides the key, and the diffusion layer ensures that each substitution touches the whole block. This substitution-permutation structure is the foundation of every modern block cipher.
Stream ciphers vs. block ciphers
Modern symmetric ciphers handle arbitrarily large messages with a fixed-size key using one of two approaches:
| | Block cipher | Stream cipher |
|---|---|---|
| How it works | Partition the message into fixed-size blocks (e.g. 128 bits) and apply the keyed block permutation to each; a mode of operation (below) decides how the blocks are combined | Generate a pseudo-random keystream from the key (plus a nonce) and XOR it with the plaintext bit by bit |
| Typical structure | Iterated rounds of substitution + permutation | Pseudo-random generator seeded by the key |
| Examples | AES, DES | ChaCha20; RC4 (historical: now broken and prohibited in TLS) |
Stream ciphers destroy statistical structure because XORing a random-looking keystream with the plaintext produces uniform-looking ciphertext regardless of the input's patterns. This holds only while the keystream is never repeated: if two messages are XORed with the same keystream, XORing the two ciphertexts cancels the key and leaves the XOR of the two plaintexts, which an attacker can usually pick apart. Stream ciphers therefore take a nonce alongside the key, and the nonce must never repeat under the same key.
The one-time pad: perfect secrecy, impractical cost
The one-time pad (OTP) is a stream cipher where the keystream is a truly random string the same length as the message, used exactly once. Shannon proved it achieves perfect secrecy: the ciphertext reveals no information about the plaintext to an adversary without the key, regardless of their computing power.
The catch is practical: the key must be as long as the message, must be truly random, and must never be reused. Distributing a 1 GB key securely to send a 1 GB file is often harder than just sending the file through a secure channel in the first place. Two further operational problems: reusing any part of a pad leaks the XOR of the messages encrypted under it, and the pad gives no integrity at all, since flipping one ciphertext bit flips the same plaintext bit. The OTP is theoretically optimal but operationally costly; it motivates the search for ciphers that achieve good computational security with short, reusable keys.
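The two sides of the one-time pad, as an added Python example (not from the original notes): a pad used once is consistent with every plaintext of the same length, so the ciphertext proves nothing about the message; a pad used twice cancels out of the XOR of the two ciphertexts, and a guessed fragment of one message (a crib) reads off the other. The two messages and the crib are constructed for the demonstration, and the pad comes from os.urandom.

```python
import os

def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(pad, msg):
    """One-time pad: ciphertext = pad XOR message. The pad must be uniformly random,
    at least as long as the message, and used exactly once. Decryption is the same operation."""
    if len(pad) < len(msg):
        raise ValueError("pad shorter than message")
    return xor_bytes(pad[:len(msg)], msg)

def pad_explaining(ciphertext, candidate_plaintext):
    """Perfect secrecy made visible: for ANY candidate plaintext of the right length there is a pad
    that maps it to this ciphertext, so the ciphertext alone cannot rule any message out."""
    return xor_bytes(ciphertext, candidate_plaintext)

def keystream_reuse_leak(c1, c2):
    """Two messages encrypted under the same pad: c1 XOR c2 == p1 XOR p2; the pad cancels out."""
    return xor_bytes(c1, c2)

def crib_drag(p1_xor_p2, crib):
    """Slide a guessed fragment of one message (a crib) along p1 XOR p2. Wherever the guess is
    right, the result is the other message's text at that offset. Returns every offset whose
    result is printable ASCII; the analyst keeps the ones that read as language."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        frag = xor_bytes(p1_xor_p2[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in frag):
            hits.append((off, frag.decode('ascii')))
    return hits

# Constructed sample messages of equal length (not from the original notes).
P1 = b"ATTACK AT DAWN FROM THE EAST"
P2 = b"RETREAT TO THE RIVER AT NOON"

if __name__ == "__main__":
    pad = os.urandom(len(P1))          # fresh, truly random pad
    c1 = otp_encrypt(pad, P1)
    # Used once: c1 is consistent with every 28-byte plaintext, so there is nothing to learn.
    other = b"HOLD POSITION UNTIL RELIEVED"
    assert otp_encrypt(pad_explaining(c1, other), other) == c1
    # Used twice: the pad drops out and a crib recovers the other message piece by piece.
    c2 = otp_encrypt(pad, P2)
    leak = keystream_reuse_leak(c1, c2)
    for off, frag in crib_drag(leak, b" THE "):
        print(off, repr(frag))
```

Crib dragging produces many printable candidates on short uppercase text (letter XOR letter XOR letter lands back in the letter range), so in practice the analyst reads through the hits; the true ones (offset 10 revealing "DAWN " and offset 19 revealing "R AT ") are then extended letter by letter. This is exactly the attack that broke reused pads in the VENONA project and reused keystreams in WEP and in buggy stream-cipher deployments since.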
DES, 3DES, and the march to AES
DES (Data Encryption Standard): developed by IBM and standardized in 1977 by the US National Bureau of Standards (now NIST) as FIPS 46. Block: 64 bits. Key: 64 bits on paper, of which 8 are parity bits, so 56 bits of actual key. The 56-bit key was considered marginal from the start. In January 1999 the EFF's Deep Crack machine, working with the distributed.net network of roughly 100,000 computers, brute-forced a DES key in 22 hours 15 minutes. A later $10,000 FPGA machine cracked a key in about 9 days on its own.
Double DES: apply DES twice with two independent keys, c = E_k2(E_k1(m)). It looks like 112-bit security but is not. The attacker computes E_k1(m) for all 2^56 values of k1 and stores the results, then computes D_k2(c) for each k2 and looks for a match in the table (the meet-in-the-middle attack). The work is about 2^57 DES operations, at the cost of a 2^56-entry table, so the gain over single DES is a single bit.
3DES (Triple DES): the practical fix, an Encrypt-Decrypt-Encrypt construction with two or three keys.
- 2-key variant: c = E_k1(D_k2(E_k1(m))), 112-bit key.
- 3-key variant: c = E_k3(D_k2(E_k1(m))), 168-bit key. Meet-in-the-middle still applies, so its security is about 112 bits, not 168.
The decrypt step in the middle exists for compatibility: setting k1 = k2 (or k2 = k3) collapses the construction to single DES under the remaining key, so 3DES hardware can talk to legacy DES systems. 3DES is slow (three DES passes per block) and keeps the 64-bit block, which becomes a liability once about 2^32 blocks have been encrypted under one key (the birthday bound). NIST deprecated it and disallowed it for new encryption after 2023.
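The meet-in-the-middle attack on double encryption, as an added Python example that is not part of the original notes. DES itself has far too many keys to enumerate in a demo, so the block defines a toy substitution-permutation cipher with a 16-bit block and a 12-bit key (an assumed stand-in; not DES and not secure) and runs the attack against double encryption with two such keys: 2 × 2^12 cipher calls and a 4096-entry table recover both keys, where brute force would need 2^24 trials. The keys and plaintexts are constructed.

```python
# Toy substitution-permutation cipher: 16-bit block, 12-bit key, 4 rounds.
# Deliberately tiny so the whole keyspace can be enumerated; NOT DES and NOT secure.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(i) for i in range(16)]
ROUNDS = 4
KEY_BITS = 12

def round_keys(k):
    """Simple (non-cryptographic) key schedule: ROUNDS+1 distinct 16-bit round keys per master key."""
    return [(k * 0x9E37 + i * 0x7F4A) & 0xFFFF for i in range(ROUNDS + 1)]

def sub_nibbles(x, box):
    return sum(box[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))

def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & 0xFFFF

def toy_encrypt(k, m):
    rks = round_keys(k)
    x = m
    for i in range(ROUNDS):
        x ^= rks[i]                  # key mixing
        x = sub_nibbles(x, SBOX)     # confusion
        x = rotl16(x, 5)             # diffusion (bit permutation)
    return x ^ rks[ROUNDS]

def toy_decrypt(k, c):
    rks = round_keys(k)
    x = c ^ rks[ROUNDS]
    for i in reversed(range(ROUNDS)):
        x = rotl16(x, 11)            # undo rotl16(x, 5)
        x = sub_nibbles(x, INV_SBOX)
        x ^= rks[i]
    return x

def double_encrypt(k1, k2, m):
    """'Double DES' shape: c = E_k2(E_k1(m)); 24 key bits in total."""
    return toy_encrypt(k2, toy_encrypt(k1, m))

def mitm_recover(pairs):
    """Meet-in-the-middle: tabulate E_k1(m0) for every k1, then for every k2 look up D_k2(c0).
    About 2 * 2^KEY_BITS cipher calls plus a 2^KEY_BITS-entry table, instead of 2^(2*KEY_BITS)
    double encryptions for brute force. Extra (m, c) pairs weed out chance matches on the first pair."""
    m0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, m0), []).append(k1)
    survivors = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, m) == c for m, c in pairs[1:]):
                survivors.append((k1, k2))
    return survivors

def work_factors():
    """(cipher calls for meet-in-the-middle, double encryptions for brute force) at this key size."""
    return 2 * (1 << KEY_BITS), 1 << (2 * KEY_BITS)

if __name__ == "__main__":
    k1, k2 = 0x3A7, 0xC15                      # constructed secret keys
    pairs = [(m, double_encrypt(k1, k2, m)) for m in (0x0123, 0x4567, 0x89AB)]
    print("recovered:", [(hex(a), hex(b)) for a, b in mitm_recover(pairs)])
    print("work, MITM vs brute force:", work_factors())
```

The same arithmetic applied to DES gives 2^57 operations and a 2^56-entry table against a nominal 2^112 keyspace, and explains why 3DES needs three passes to reach its 112-bit strength rather than two.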
AES (Advanced Encryption Standard): NIST ran an open worldwide competition from 1997; the Rijndael design by Joan Daemen and Vincent Rijmen was selected in 2000 and published as FIPS 197 in 2001. Block size: 128 bits. Key sizes: 128, 192 or 256 bits, with 10, 12 or 14 rounds of the substitution-permutation structure Shannon described. No practical attack on the full cipher is known, and AES is the current standard for symmetric encryption.
Block cipher modes of operation
A block cipher only encrypts one block at a time. For multi-block messages, a cipher mode governs how blocks interact.
ECB (Electronic Codebook) β encrypt each block independently with the same key: C_i = E_k(P_i). Simple, but dangerous: identical plaintext blocks always produce identical ciphertext blocks, leaking pattern information. Encrypting a bitmap image in ECB mode leaves the outlines of the original image visible in the ciphertext.
CBC (Cipher Block Chaining): XOR each plaintext block with the previous ciphertext block before encrypting it, C_i = E_k(P_i XOR C_{i-1}), with C_0 an Initialization Vector (IV) that is sent along with the ciphertext. The IV need not be secret, but it must be unpredictable to the attacker and fresh for every message: a reused or predictable IV lets an attacker tell when two messages share a prefix, or test guesses about the first block. Because each block depends on the previous ciphertext, identical plaintext blocks now produce different ciphertext. CBC decryption can be parallelized (each block needs only C_i and C_{i-1}); encryption cannot. CBC with a fresh, unpredictable IV is the minimum acceptable way to use a block cipher on real data, with one caveat that matters in practice: like ECB, it provides confidentiality only. Flipping a bit of C_{i-1} flips the same bit of P_i, and implementations that report padding errors have been exploited as padding oracles, so real protocols pair CBC with a MAC or use an authenticated mode such as AES-GCM.
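ECB's pattern leak and CBC's dependence on its IV, measured rather than described, in an added Python example (not from the original notes). The standard library has no AES, so the block uses an assumed stand-in block cipher, a four-round Feistel network with SHA-256 as the round function; it is a keyed 128-bit permutation and therefore behaves like any block cipher under the modes, but it is not AES and not a real cipher. Plaintexts are assumed to be already padded to whole blocks, and the sample plaintexts are constructed.

```python
import hashlib
import os

BLOCK = 16  # 128-bit blocks, as in AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of the stand-in cipher: keyed SHA-256 truncated to the 8-byte half-block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, block):
    """Stand-in 128-bit block cipher: 4-round Feistel network with a SHA-256 round function.
    A keyed permutation is all the modes need; this is NOT AES and not a real cipher,
    used only so the example runs on the standard library."""
    L, R = block[:8], block[8:]
    for i in range(4):
        L, R = R, xor(L, _f(key, i, R))
    return L + R

def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for i in reversed(range(4)):
        L, R = xor(R, _f(key, i, L)), L
    return L + R

def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("example assumes input already padded to a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    """C_i = E_k(P_i): each block on its own, so equal plaintext blocks give equal ciphertext blocks."""
    return b''.join(block_encrypt(key, p) for p in _blocks(pt))

def cbc_encrypt(key, iv, pt):
    """C_i = E_k(P_i XOR C_{i-1}), C_0 = IV. Inherently serial: each block needs the previous output."""
    out, prev = [], iv
    for p in _blocks(pt):
        prev = block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b''.join(out)

def cbc_decrypt(key, iv, ct):
    """P_i = D_k(C_i) XOR C_{i-1}. Each block depends only on ciphertext, so this can run in parallel."""
    blocks = _blocks(ct)
    return b''.join(xor(block_decrypt(key, c), prev) for c, prev in zip(blocks, [iv] + blocks[:-1]))

def duplicate_block_count(ct):
    """How many ciphertext blocks repeat an earlier one: the 'ECB penguin' leak, measured."""
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))

def shared_prefix_blocks(ct_a, ct_b):
    """Leading ciphertext blocks two messages have in common (CBC with a reused IV leaks this)."""
    n = 0
    for a, b in zip(_blocks(ct_a), _blocks(ct_b)):
        if a != b:
            break
        n += 1
    return n

if __name__ == "__main__":
    key = os.urandom(16)
    # Constructed plaintext with four identical blocks, standing in for a flat region of an image.
    pt = b"\x00" * 16 * 4 + b"\xff" * 16
    print("ECB duplicate blocks:", duplicate_block_count(ecb_encrypt(key, pt)))      # 3
    iv = os.urandom(16)
    ct = cbc_encrypt(key, iv, pt)
    print("CBC duplicate blocks:", duplicate_block_count(ct))                          # 0
    assert cbc_decrypt(key, iv, ct) == pt
    # Reusing an IV across messages leaks how long their common prefix is.
    fixed_iv = bytes(16)
    a = cbc_encrypt(key, fixed_iv, b"A" * 32 + b"X" * 16)
    b = cbc_encrypt(key, fixed_iv, b"A" * 32 + b"Y" * 16)
    print("CBC with reused IV, shared prefix blocks:", shared_prefix_blocks(a, b))   # 2
```

Swapping block_encrypt for a real AES call changes none of the measurements: the leaks are properties of the modes, not of the cipher. Note also what the block does not check: nothing in ecb_encrypt or cbc_encrypt detects a modified ciphertext, which is why the text above insists on a MAC or an authenticated mode.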
The key-distribution problem
Symmetric encryption requires both parties to share the same secret key before they communicate. If Alice and Bob are strangers on the Internet, how do they establish that shared secret without an eavesdropper (Eve) intercepting it? Sending the key over the same insecure channel defeats the purpose. This is the key-distribution problem, and it is the fundamental limitation of symmetric-only cryptography. The solution, public-key (asymmetric) cryptography and key-exchange protocols like Diffie-Hellman, is the subject of the next module.
Key takeaways
- Cryptography addresses confidentiality, integrity, authenticity, and non-repudiation; the weakest link in practice is rarely the algorithm.
- Kerckhoffs's principle: assume the algorithm is public; all security must rest on the key alone.
- Symmetric encryption uses the same key to encrypt and decrypt; it is fast and forms the bulk of real-world data encryption.
- Classical ciphers fail for two separate reasons: a keyspace small enough to exhaust (Caesar), or, even with 26! keys (substitution), a fixed mapping that preserves the plaintext's statistical structure, which frequency analysis exploits.
- Strong modern ciphers combine confusion (substitution) and diffusion (permutation) to destroy statistical relationships.
- Block ciphers (AES) encrypt fixed-size blocks; stream ciphers XOR a pseudo-random keystream bit-by-bit.
- The one-time pad achieves perfect secrecy but is impractical due to key-length requirements.
- DES (56-bit key) was brute-forced in under a day by 1999; 3DES extended its life but is now deprecated; AES (128/192/256-bit keys) replaced it in 2001 and no practical attack on it is known.
- ECB mode leaks patterns; CBC mode with a fresh, unpredictable IV breaks block-to-block correlation and is the minimum safe way to use a block cipher for confidentiality. Neither mode protects integrity; real protocols add a MAC or use an authenticated mode.
- Symmetric cryptography alone cannot bootstrap a shared secret between strangers; the key-distribution problem motivates public-key cryptography.