Symmetric Encryption Ciphers – CompTIA Security+ SY0-401: 6.2


The speed of symmetric encryption makes it a good choice for our high-speed networks. In this video, you’ll learn about RC4, DES, 3DES, AES, Blowfish, and Twofish.



Let’s look at a number of symmetric encryption ciphers. As you recall, symmetric encryption means that we’re using exactly the same key to encrypt the data as we are to decrypt the data. The first one we’ll look at is RC4. This stands for Rivest Cipher 4. Some people may say it stands for Ron’s Code 4 because this was written by Ron Rivest, one of the fathers of cryptography, or at least modern cryptography.

RC4 was also, as you recall, part of the WEP standard. WEP was the wireless encryption that we used, and that we really don’t use anymore, because of all the problems associated with it, and part of those problems were related to vulnerabilities and weaknesses in RC4 itself. RC4 has what we call a biased output.

And here’s one interesting example of that bias spelled out: if the third byte of the original state is 0 and the second byte is not equal to 2, then the second output byte is always 0. Discoveries like this in the cipher itself showed us that, perhaps, RC4 was not as secure as we would like it to be.

So although it was, for a short time, very useful over our wireless networks, once we started digging in and discovering these little problems, we quickly realized this was not going to be the symmetric cipher that we wanted to use for our wireless networks, or really for much of anything anymore. So you don’t really see RC4 around much anymore. Even for wireless networking, we decided to change the algorithms in our wireless encryption to the WPA2 standard, and in doing so, we moved completely away from RC4 and began to use the AES cipher.

Another common pair of symmetric key ciphers that you’ll see out there is DES and Triple DES, and you’ll occasionally see Triple DES abbreviated as 3DES. DES stands for the Data Encryption Standard. It’s one that was created between 1972 and 1977, specifically for the National Security Agency in the United States by IBM. This was something that they wanted to create as a standard for the entire government, and they did. It became part of what they called the FIPS standard, or the Federal Information Processing Standards, and it’s one that you still see around being used, perhaps not the DES part, but certainly the Triple DES part.

DES was a 64-bit block cipher that used a 56-bit key, and that’s a very important part of this. That is a very, very small key. And as our processing power has gotten better and stronger and faster in modern times, we have found it very, very simple to crack, to brute force, a DES key, and because of that, we’ve decided not to use DES any longer. In fact, it’s really hard to find a technology still using DES. You could crack a DES key with a mobile phone these days. It’s painfully easy.

So what we’ve decided to do instead is use Triple DES. Triple DES takes that same idea of DES and really does the same encryption three times, and in each case, you could be using three different keys. You could be using one key on the first pass, a different key on the second pass, and then go back to the first key on the third pass. Or maybe you just use the same key all three times. This makes the brute force harder. It takes a lot longer to try to figure out what the original key might be, and these days, we are really seeing Triple DES in a lot of the products we use, although many people have realized that even Triple DES is getting a little long in the tooth.

We would really like to use AES for what we’re doing, and that stands for Advanced Encryption Standard. It’s really one of the most modern symmetric key ciphers out there and one that you’ll see in a lot of different places. AES became part of the FIPS standard in 2001. The Federal Government decided that the Advanced Encryption Standard was the one that they would like to go with into the future. It took them five years of evaluating different types of ciphers to finally standardize on AES.

And it was created, interestingly enough, by two Belgian cryptographers. Here are their names. I’m not even going to try to pronounce them. But you can see that the effort that went into getting a particular type of cipher that would be very secure and very flexible was extremely important to the Federal Government. AES is a 128-bit block symmetric cipher, and there are different key sizes you can use, anywhere from 128 bits up to 256 bits, with the same key used on both sides of this symmetric cipher.

You’ll see this used in WPA2. When we moved from WEP encryption to WPA2 on our wireless networks, AES was a big part of that encryption standard. Two other rather significant symmetric key ciphers are Blowfish and Twofish. You may have heard of these before because they are very open. Anybody can take advantage of them. Blowfish was created in 1993 by Bruce Schneier, a very well-known security expert. It’s a 64-bit block cipher, and it can have a variable-length key, anywhere from 1 bit up to 448 bits. And it’s been a very secure cipher. Nobody’s really been able to break all 16 rounds of this encryption, and it’s still being used today in many applications.

What’s also interesting about Blowfish and about Twofish is that there are no patents associated with these encryption algorithms. A lot of the earlier encryption algorithms had patents associated with them. You had to pay a licensing fee to be able to use them, but these were specifically created to be in the public domain, which means anybody can take advantage of them. Twofish came after Blowfish. It is the successor to Blowfish. It uses a 128-bit block size, and it can have key sizes up to 256 bits.

And many people contributed to this particular algorithm. The effort was to make it even stronger, even better than Blowfish. And again, these are a set of algorithms, a set of ciphers, that nobody’s really been able to find any big problems with, and they’re still being used today. Again, there’s no patent associated with Blowfish or Twofish. These are in the public domain, so anybody can take these particular algorithms and use them in their development, use them in their applications, without any type of licensing whatsoever.