# Symmetric-key Encryption
Encryption is an important tool in cryptography, and
cryptography is an important building block for
security. But there's much more to security than just cryptography or encryption.
- **Cryptography is not the solution.** It can help and harm security. Used
incorrectly, cryptography makes systems less secure.
- **Cryptography is not easy.** Don't invent it yourself. Use well-studied
solutions (and standards, though they sometimes have problems).
- **Cryptography is not cheap, but who cares?** It may incur a performance
hit, but what do you want: a fast system, or a secure system? We
have enough fast, insecure systems.
This material is dangerous. You won't know enough about cryptography when
we're done, but you'll go off and use it anyway. Be **very** suspicious
of yourself. Take further courses in cryptography if you really want to
play in this space.
There are two branches of cryptography: modern and applied.
- **Modern:** we prove it's secure, mathematically, but the algorithms
are typically inefficient.
- **Applied:** we think it's secure, in practice, and the algorithms
are typically efficient.
## Encryption as a countermeasure
**Threat:** An attacker who controls the communication network. This
attacker can arbitrarily read, modify, and delete messages. Think of
this communication model as one in which messages are always sent to the
attacker, never to the intended recipient. The attacker can then forward
the message along if he chooses, redirect the message, save it for later
replay, etc. This kind of threat is called a *Dolev–Yao* attacker.
**Harm:** Messages containing secret information could be disclosed to
the adversary, thus violating confidentiality.
**Vulnerability:** The communication channel between sender and receiver
can be read by untrusted principals.
**Countermeasure:** Encryption.
## Symmeric-key encryption schemes
```
1. Alice: c = Enc(m; k)
2. Alice -> Bob: c
3. Bob: m = Dec(c; k)
```
The format we use above is a *protocol narration*: each step is
numbered and is either a computation or a message. We identify the
principal(s) involved at each step by writing their names followed by a
colon.
Enc is the encryption algorithm; Dec is decryption. Alice and Bob must
somehow *share* a key k that has previously been generated:
```
0. k = Gen(len) // len is length of key
1. ...
```
Together, (Gen,Enc,Dec) constitute an *encryption scheme* or
*cryptosystem*. Well known examples of encryption schemes include AES
(which uses shared keys) and RSA (which does not).
What makes an encryption scheme secure?
- **Kerckhoffs' Principle:** Secrecy should depend *only* upon key
being secret—not the algorithms. You might see "proprietary
encryption" algorithms touted as a good thing. [They're
not.](http://www.google.com/#q=proprietary+encryption+broken)
This principle is an instance of Open Design.
- Given a ciphertext, no function of the plaintext can be computed.
There is a provably perfectly secure encryption scheme called the
*one-time pad*. Gen must generate a uniformly random sequence of bits of
the same length as the message to be encrypted. Enc simply xors those
random bits with the message, and Dec is identical to Enc. There are
practical problems to deploying this scheme:
1. The keys must be really long (as long as the messages).
2. You may never re-use a key (because doing so would reveal
[relationships between messages](https://cryptosmith.com/2008/05/31/stream-reuse/):
(m1 ⊕ k) ⊕ (m2 ⊕ k) = m1 ⊕ m2).
3. Hence distributing the keys is difficult.
Practical encryption schemes instead rely on one short key that can be
reused for many messages.
## Block Ciphers
Efficient encryption schemes usually operate on fixed-size messages
called *blocks*. Such schemes are called *block ciphers*.
Here are some well-known examples:
- **DES (Data Encryption Standard).** Block size: 64 bits; key size:
56 bits. DES was designed by IBM in 1973-4, tweaked by the NSA, then
became the US standard for encryption. International adoption
followed.
- **3DES (Triple DES).** Block size: 64 bits; key size: 112 or 168
bits. 3DES is a strengthening of DES introduced in 1998, because 56
bit keys had become feasible to brute force. 3DES is simply three
DES encryptions with two different keys, for an effective 112 bit
key; or with three different keys, for an effective 168 bit key.
- **AES (Advanced Encryption Standard).** Block size: 128 bits; key
size: 128, 192, or 256 bits. AES resulted from a public competition
held by NIST, ending in 2001. It's now the US standard, approved by
the NSA for Top Secret information.
When a block cipher has multiple key lengths available, we indicate the
particular length being used by appending it to the name of the cipher.
AES-192, for example, means AES with 192 bit keys.
### Breaking an encryption scheme
An attacker might attempt to recover an unknown key (hence be able to
decrypt ciphertexts), or directly decrypt a ciphertext (without
necessarily recovering the key), or learn relationships amongst related
keys or messages, etc. For sake of this discussion, let's assume the
attack objective is to recover a key, given knowledge of many plaintexts
and ciphertexts encrypted under that key; the ideas here generalize to
other kinds of attacks. A *brute force* or *exhaustive* search means
trying every possible key (e.g., for AES-128, trying 2^128 keys) to
determine which is the right key. We'll say that a *break* of an
encryption scheme is an attack that succeeds in recovering the key in
fewer steps than brute force. (e.g., only 2^99.5 tries for AES-256,
which is what one theoretical, impractical attack already achieves). If
2^X is the number of steps necessary to succeed at an attack then we'll
say that X is the *strength* (or *security level*) of an encryption
scheme. In the best case, the strength equals the key length. In
practice, the strength goes down as attacks are discovered. E.g.,
3DES-168 has a known attack that requires only 2^112 steps, reducing its
strength from 168 to 112. Currently no practical attacks are known for
AES, so—for now—its strength remains at the key length.
## Recommended key lengths
Various entities publish recommendations for cryptographic strength based on
known attacks, hardware capabilities, and predicted advances. This
website summarizes recommendations by NIST, ECRYPT, and others:
.
## Exercises
1. It's difficult to define an *ideal block cipher* without involving a
some theory we haven't covered. But you could think about it in the following way.
For every possible key, there is a lookup table mapping input blocks
(plaintexts) to output blocks (ciphertexts). This set of tables would
be huge. Every table would be chosen uniformly at random from the space
of all permutations on blocks. How much space would be required to store
a table for an entire ideal block cipher that operates on 64 bit blocks
and 80 bit keys?
2. Under what circumstances might you choose 3DES over AES? Under
what circumstances might you choose AES over 3DES?
3. One-time pads are theoretically perfect ciphers. So why are they
not used in practice on the Internet?
4. Suppose a company chose to
use encryption to protect its most sensitive information, and the only
person in the company who had the decryption key was the chief security
officer (CSO). Under what circumstances might the key need to be made
available to other employees? Describe a strategy such that the key
could become available if needed but would generally be protected
against casual access.
5. If a company had encrypted its most sensitive data with a key held
by the CSO, and the CSO were fired, the company would want to change its
decryption key. Describe what would be necessary to revoke the old key
and deploy a new one.