Types of Ciphers

Symmetric encryption ciphers come in two basic types: substitution and transposition (permutation). The
substitution cipher replaces bits, characters, or blocks of characters with different bits, characters, or
blocks. The transposition cipher does not replace the original text with different text, but rather moves the
original values around. It rearranges the bits, characters, or blocks of characters to hide the original
meaning.

Substitution Ciphers

A substitution cipher uses a key to dictate how the substitution should be carried out. In the Caesar cipher,
each letter is replaced with the letter three places beyond it in the alphabet. The algorithm is the alphabet,
and the key is the instruction “shift up three.”

As a simple example, if George uses the Caesar cipher with the English alphabet to encrypt the important
message “meow,” the encrypted message would be “phrz.” Substitution is used in today’s symmetric
algorithms, but it is extremely complex compared to this example, which is only meant to show you the
concept of how a substitution cipher works in its most simplistic form.

Transposition Ciphers

In a transposition cipher, the values are scrambled, or put into a different order. The key determines the
positions the values are moved to, as illustrated in the following Figure.

This is a simplistic example of a transposition cipher and only shows one way of performing transposition.
When implemented with complex mathematical functions, transpositions can become quite sophisticated
and difficult to break.

Symmetric algorithms employed today use both long sequences of complicated substitutions and
transpositions on messages. The algorithm contains the possible ways that substitution and transposition
processes can take place (represented in mathematical formulas). The key is used as the instructions for
the algorithm, dictating exactly how these processes will happen and in what order. Simple substitution and
transposition ciphers are vulnerable to attacks that perform frequency analysis.

Frequency analysis

In every language, some words and patterns are used more often than others. For instance, in the English
language, the most commonly used letter is E. If Mike is carrying out frequency analysis on a message, he
will look for the most frequently repeated pattern of eight bits (which make up a character). So, if Mike sees
that there are 12 patterns of eight bits and he knows that E is the most commonly used letter in the language,
he will replace these bits with this vowel. This allows him to gain a foothold on the process, which will allow
him to reverse-engineer the rest of the message.

Today’s symmetric algorithms use substitution and transposition methods in their encryption processes,
but the mathematics used are (or should be) too complex to allow for simplistic frequency-analysis attacks
to be successful.

Key Derivation Functions

For complex keys to be generated, a master key is commonly created, and then symmetric keys are
generated from it. For example, if an application is responsible for creating a session key for each subject
that requests one, it should not be giving out the same instance of that one key. Different subjects need to
have different symmetric keys to ensure that the window for the bad guy to capture and uncover that key is
smaller than if the same key were to be used over and over again. When two or more keys are created
from a master key, they are called subkeys.

Key Derivation Functions (KDFs) are used to generate keys that are made up of random values. Different
values can be used independently or together as random key material. The algorithm is created to use
specific hash, and password values, which will go through a certain number of rounds of mathematical
functions dictated by the algorithm. The more rounds that this keying material goes through, the more
assurance and security for the cryptosystem overall.

Methods of Encryption
Although there can be several pieces to an encryption process, the two main pieces are the algorithms and
the keys.

As stated earlier, algorithms used in computer systems are complex mathematical formulas that dictate the
rules of how the plaintext will be turned into ciphertext.

A key is a string of random bits that will be used by the algorithm to add to the randomness of the encryption
process. For two entities to be able to communicate via encryption, they must use the same algorithm and,
many times, the same key.

In some encryption technologies, the receiver and the sender use the same key, and in other encryption
technologies, they must use different but related keys for encryption and decryption purposes. The following
sections explain the differences between these two types of encryption methods.

Symmetric vs. Asymmetric Algorithms

Cryptography algorithms are either symmetric algorithms, which use symmetric keys (also called secret
keys), or asymmetric algorithms, which use asymmetric keys (also called public and private keys).
Symmetric Cryptography
In a cryptosystem that uses symmetric cryptography, the sender and receiver use two instances of the
same key for encryption and decryption, as shown in below Figure. So the key has dual functionality, in that
it can carry out both encryption and decryption processes.

Symmetric keys are also called secret keys, because this type of encryption relies on each user to keep
the key a secret and properly protected. If an intruder were to get this key, they could decrypt any
intercepted message encrypted with it.

Each pair of users who want to exchange data using symmetric key encryption must have two instances of
the same key.

This means that if Dan and Iqqi want to communicate, both need to obtain a copy of the same key. If Dan
also wants to communicate using symmetric encryption with Norm and Dave, he needs to have three
separate keys, one for each friend.

This might not sound like a big deal until Dan realizes that he may communicate with hundreds of people
over a period of several months, and keeping track and using the correct key that corresponds to each
specific receiver can become a daunting task.

If ten people needed to communicate securely with each other using symmetric keys, then 45 keys would
need to be kept track of. If 100 people were going to communicate, then 4,950 keys would be involved. The
equation used to calculate the number of symmetric keys needed is

N (N – 1) / 2 = number of keys

When using symmetric algorithms, the sender and receiver use the same key for encryption and decryption
functions. The security of the symmetric encryption method is completely dependent on how well users
protect the key.

This should raise red flags for you if you have ever had to depend on a whole staff of people to keep a
secret. If a key is compromised, then all messages encrypted with that key can be decrypted and read by
an intruder.

This is complicated further by how symmetric keys are actually shared and updated when necessary. If
Dan wants to communicate with Norm for the first time, Dan has to figure out how to get the right key to
Norm securely. It is not safe to just send it in an e-mail message, because the key is not protected and can
be easily intercepted and used by attackers..

Because both users employ the same key to encrypt and decrypt messages, symmetric cryptosystems can
provide confidentiality, but they cannot provide authentication or nonrepudiation. There is no way to prove
through cryptography who actually sent a message if two people are using the same key. If symmetric
cryptosystems have so many problems and flaws, why use them at all? Because they are very fast and can
be hard to break.

Compared with asymmetric systems, symmetric algorithms scream in speed. They can encrypt and decrypt
relatively quickly large amounts of data that would take an unacceptable amount of time to encrypt and
decrypt with an asymmetric algorithm. It is also difficult to uncover data encrypted with a symmetric
algorithm if a large key size is used. For many of our applications that require encryption, symmetric key
cryptography is the only option.

The following list outlines the strengths and weakness of symmetric key systems:

Strengths

• Much faster (less computationally intensive) than asymmetric systems.

• Hard to break if using a large key size.

Weaknesses

• Requires a secure mechanism to deliver keys properly.

• Provides confidentiality but not authenticity or nonrepudiation.
• Each pair of users’ needs a unique key, so as the number of individual’s increases, so does the number
of keys, possibly making key management overwhelming.

The following are examples of symmetric algorithms, which will be explained later in the “Block and Stream
Ciphers” section:-

• Data Encryption Standard (DES)

• Triple-DES (3DES)

• Blowfish

• International Data Encryption Algorithm (IDEA)

• RC4, RC5, and RC6

• Advanced Encryption Standard (AES)

Asymmetric Cryptography
Some things you can tell the public, but some things you just want to keep private. In symmetric key
cryptography, a single secret key is used between entities, whereas in public key systems, each entity has
different keys, or asymmetric keys. The two different asymmetric keys are mathematically related. If a
message is encrypted by one key, the other key is required in order to decrypt the message.
In a public key system, the pair of keys is made up of one public key and one private key. The public key
can be known to everyone, and the private key must be known and used only by the owner.

Many times, public keys are listed in directories and databases of e-mail addresses so they are available
to anyone who wants to use these keys to encrypt or decrypt data when communicating with a particular
person. See the following Figure that illustrates the use of the different keys.

The public and private keys of an asymmetric cryptosystem are mathematically related, but if someone gets
another person’s public key, she should not be able to figure out the corresponding private key.

This means that if an evildoer gets a copy of Bob’s public key, it does not mean she can employ some
mathematical magic and find out Bob’s private key. But if someone got Bob’s private key, then there is big
trouble—no one other than the owner should have access to a private key.

If Bob encrypts data with his private key, the receiver must have a copy of Bob’s public key to decrypt it.
The receiver can decrypt Bob’s message and decide to reply to Bob in an encrypted form.

All she needs to do is encrypt her reply with Bob’s public key, and then Bob can decrypt the message with
his private key.

It is not possible to encrypt and decrypt using the same key when using an asymmetric key encryption
technology because, although mathematically related, the two keys are not the same key, as they are in
symmetric cryptography.

Bob can encrypt data with his private key, and the receiver can then decrypt it with Bob’s public key. By
decrypting the message with Bob’s public key, the receiver can be sure the message really came from Bob.

A message can be decrypted with a public key only if the message was encrypted with the corresponding
private key.

This provides authentication, because Bob is the only one who is supposed to have his private key. If the
receiver wants to make sure Bob is the only one who can read her reply, she will encrypt the response with
his public key. Only Bob will be able to decrypt the message because he is the only one who has the
necessary private key.

The receiver can also choose to encrypt data with her private key instead of using Bob’s public key. Why
would she do that? Authentication—she wants Bob to know that the message came from her and no one
else. If she encrypted the data with Bob’s public key, it does not provide authenticity because anyone can
get Bob’s public key. If she uses her private key to encrypt the data, then Bob can be sure the message
came from her and no one else. Symmetric keys do not provide authenticity because the same key is used
on both ends. Using one of the secret keys does not ensure the message originated from a specific
individual.

If confidentiality is the most important security service to a sender, she would encrypt the file with the
receiver’s public key. This is called a secure message format because it can only be decrypted by the
person who has the corresponding private key.

If authentication is the most important security service to the sender, then she would encrypt the data with
her private key. This provides assurance to the receiver that the only person who could have encrypted the
data is the individual who has possession of that private key. If the sender encrypted the data with the
receiver’s public key, authentication is not provided because this public key is available to anyone.

Encrypting data with the sender’s private key is called an open message format because anyone with a
copy of the corresponding public key can decrypt the message. Confidentiality is not ensured.

Each key type can be used to encrypt and decrypt, so do not get confused and think the public key is only
for encryption and the private key is only for decryption. They both have the capability to encrypt and decrypt
data. However, if data are encrypted with a private key, they cannot be decrypted with a private key. If data
are encrypted with a private key, they must be decrypted with the corresponding public key.

The following list outlines the strengths and weaknesses of asymmetric key algorithms:

Strengths

• Better key distribution than symmetric systems.

• Better scalability than symmetric systems
• Can provide authentication and nonrepudiation

Weaknesses

• Works much more slowly than symmetric systems

• Mathematically intensive tasks

• The following are examples of asymmetric key algorithms:

• Rivest-Shamir-Adleman (RSA)
• Elliptic curve cryptosystem (ECC)
• Diffie-Hellman
• El Gamal
• Digital Signature Algorithm (DSA)
• Merkle-Hellman Knapsack
The following Table summarizes the differences between symmetric and asymmetric algorithms

Block and Stream Ciphers

The two main types of symmetric algorithms are block ciphers, which work on blocks of bits, and stream
ciphers, which work on one bit at a time.

Block Ciphers

When a block cipher is used for encryption and decryption purposes, the message is divided into blocks
of bits. These blocks are then put through mathematical functions, one block at a time. Suppose you need
to encrypt a message you are sending to your mother and you are using a block cipher that uses 64 bits.

Your message of 640 bits is chopped up into 10 individual blocks of 64 bits. Each block is put through a
succession of mathematical formulas, and what you end up with is 10 blocks of encrypted text. You send
this encrypted message to your mother. She has to have the same block cipher and key, and those 10
ciphertext blocks go back through the algorithm in the reverse sequence and end up in your plaintext
message.
A strong cipher contains the right level of two main attributes: confusion and diffusion. Confusion is
commonly carried out through substitution, while diffusion is carried out by using transposition. For a cipher
to be considered strong, it must contain both of these attributes to ensure that reverse-engineering is
basically impossible.

The randomness of the key values and the complexity of the mathematical functions dictate the level of
confusion and diffusion involved.

This means that if one plaintext bit changes, then about half of the ciphertext bits will change. A very similar
concept of diffusion is the avalanche effect. If an algorithm follows a strict avalanche effect criteria, this
means that if the input to an algorithm is slightly modified then the output of the algorithm is changed
significantly. So a small change to the key or the plaintext should cause drastic changes to the resulting
ciphertext. The ideas of diffusion and avalanche effect are basically the same—they were just derived from
different people. Horst Feistel came up with the avalanche term, while Claude Shannon came up with the
diffusion term. If an algorithm does not exhibit the necessary degree of the avalanche effect, then the
algorithm is using poor randomization.

This can make it easier for an attacker to break the algorithm. Block ciphers use diffusion and confusion in
their methods.

Stream Ciphers

As stated earlier, a block cipher performs mathematical functions on blocks of bits. A stream cipher, on the
other hand, does not divide a message into blocks. Instead, a stream cipher treats the message as a
stream of bits and performs mathematical functions on each bit individually. When using a stream cipher,
a plaintext bit will be transformed into a different ciphertext bit each time it is encrypted. Stream ciphers use
keystream generators, which produce a stream of bits that is XORed with the plaintext bits to produce
ciphertext, as shown in following Figure.
If the cryptosystem were only dependent upon the symmetric stream algorithm, an attacker could get a
copy of the plaintext and the resulting ciphertext, XOR them together, and find the keystream to use in
decrypting other messages. So the smart people decided to stick a key into the mix. In block ciphers, it is
the key that determines what functions are applied to the plaintext and in what order. The key provides the
randomness of the encryption process.