cyber revision

Symmetric encryption

One shared key, AES, block cipher modes, and why ECB is the canonical mistake.


The model

Symmetric encryption uses the same key to encrypt and decrypt. Alice and Bob share key K; ciphertext travels in the open; anyone without K learns (ideally) nothing. It's fast (hardware-accelerated AES encrypts gigabytes per second), which is why bulk data encryption is always symmetric.

Its built-in problem is key distribution: how do Alice and Bob agree on K in the first place over an insecure channel, and how do you manage keys when n people each need to talk privately to each other (that's n(n−1)/2 keys)? Asymmetric cryptography exists largely to solve this, and real systems are hybrid: asymmetric to establish a key, symmetric for everything after.

Block vs stream ciphers

Block ciphers encrypt fixed-size blocks (AES: 128 bits). To encrypt anything longer, you need a mode of operation (below).

Stream ciphers generate a keystream of pseudorandom bits and XOR it with the plaintext, byte by byte, which suits unknown-length or low-latency data. ChaCha20 is the modern example, used in TLS alongside AES. The fatal rule for any stream cipher (or any XOR-keystream construction): never reuse a key+nonce pair. Two messages encrypted under the same keystream let an attacker XOR the ciphertexts together: the keystream cancels out entirely, leaving the XOR of the two plaintexts, with the key playing no part at all. RC4, the old stream cipher in WEP and early TLS, is broken and banned.
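The nonce rule, shown as an added example rather than code from the page: AES-CTR from the Go standard library stands in for ChaCha20 (both are XOR-keystream constructions, so the maths is the same), and the key, nonce and message strings are constructed demo values. `ReusedNonceLeaksXOR` confirms that under a repeated key+nonce, c1 XOR c2 equals p1 XOR p2; `NonceGuard` is the defensive pattern, a per-key counter that makes repetition impossible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// xorBytes returns a XOR b; both inputs must have the same length.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// keystreamEncrypt is "any XOR-keystream construction". AES-CTR stands in for
// ChaCha20 only because it ships in the Go standard library; the XOR structure,
// and therefore the nonce rule, is identical. The caller supplies the nonce,
// which is exactly where the mistake happens.
func keystreamEncrypt(key, nonce, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(out, plaintext)
	return out
}

// ReusedNonceLeaksXOR encrypts two equal-length messages under the same
// key+nonce and reports the textbook consequence: c1 XOR c2 equals p1 XOR p2.
// The keystream, and with it the key, has cancelled out completely.
func ReusedNonceLeaksXOR(key, nonce, p1, p2 []byte) bool {
	c1 := keystreamEncrypt(key, nonce, p1)
	c2 := keystreamEncrypt(key, nonce, p2)
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}

// NonceGuard is the defensive counterpart: it owns the key and hands out a
// strictly increasing counter as the nonce, so no (key, nonce) pair can repeat
// within the key's lifetime (the same idea as TLS record sequence numbers).
// The counter occupies the top 8 bytes of the 16-byte CTR block; the low
// 8 bytes are left for CTR's own per-block increment, so even a very long
// message cannot run into the next message's keystream.
type NonceGuard struct {
	key     []byte
	counter uint64
}

// Encrypt returns the nonce alongside the ciphertext; the receiver needs both.
func (g *NonceGuard) Encrypt(plaintext []byte) (nonce, ciphertext []byte) {
	nonce = make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(nonce[:8], g.counter)
	g.counter++
	return nonce, keystreamEncrypt(g.key, nonce, plaintext)
}

func main() {
	key := []byte("0123456789abcdef")   // constructed 128-bit demo key
	nonce := make([]byte, aes.BlockSize) // the same all-zero nonce, used twice
	p1 := []byte("message number one")
	p2 := []byte("message number two")
	fmt.Println("reused nonce, c1^c2 == p1^p2:", ReusedNonceLeaksXOR(key, nonce, p1, p2))

	g := &NonceGuard{key: key}
	n1, c1 := g.Encrypt(p1)
	n2, c2 := g.Encrypt(p1) // same plaintext twice, fresh nonce each time
	fmt.Printf("guarded: nonces differ=%v, ciphertexts differ=%v\n",
		!bytes.Equal(n1, n2), !bytes.Equal(c1, c2))
}
```

The guard is the point to take away: nonce uniqueness is a property the encrypting side must enforce structurally (a counter, or a random nonce large enough that collisions are negligible), not something to hope callers remember.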

AES

The Advanced Encryption Standard (the Rijndael algorithm, standardised by NIST in 2001) is the default symmetric cipher everywhere. Key facts:

  • Block size 128 bits; key sizes 128, 192 or 256 bits (10/12/14 rounds).
  • Each round applies SubBytes (an S-box substitution), ShiftRows, MixColumns and AddRoundKey: substitution and permutation layered until the output is statistically unrelated to the input. You won't be asked to perform a round; you may be asked what substitution/permutation networks achieve: confusion (obscuring the key–ciphertext relationship) and diffusion (spreading each input bit's influence everywhere). These are Shannon's two terms.
  • No practical break exists against AES itself. Real failures are around it: bad modes, bad key handling, bad randomness.
  • AES-128 remains secure against classical attack; AES-256 is the conservative choice and the hedge against quantum attack (Grover's algorithm halves effective key strength, so 256-bit keys retain ~128-bit security).

DES, its 1977 predecessor, has a 56-bit key, brute-forceable since the late 1990s. 3DES patched it by tripling the work but is deprecated. If a question mentions DES, the answer is "key too short; superseded by AES."

Modes of operation

A mode turns a one-block primitive into something that encrypts real messages. The differences are exam favourites.

ECB (Electronic Codebook): each block encrypted independently with the same key. Identical plaintext blocks → identical ciphertext blocks, so patterns survive encryption. The famous demonstration is the ECB-encrypted Linux penguin image: still recognisably a penguin. Never use ECB; its only legitimate role is being the wrong answer.

CBC (Cipher Block Chaining): each plaintext block is XORed with the previous ciphertext block before encryption, with a random IV (initialisation vector) starting the chain. Hides patterns, but encryption is sequential, padding is required, and careless implementations enable padding oracle attacks (an attacker decrypts data by watching how the server responds to invalid padding).

CTR (Counter): encrypts an incrementing counter to produce a keystream, turning the block cipher into a stream cipher. Parallel, fast, no padding. Same nonce-reuse death sentence as any stream construction.

GCM (Galois/Counter Mode): CTR encryption plus a built-in authentication tag. This is authenticated encryption (AEAD): it protects integrity and authenticity as well as confidentiality, so tampered ciphertext is detected on decryption. AES-GCM is the modern default (it's what TLS 1.3 uses). Plain encryption without authentication is considered a design flaw, because encryption alone does not stop an attacker flipping bits.

Exam pattern: "Why is ECB unsuitable?" → identical blocks leak patterns. "Why GCM over CBC?" → authentication built in, parallelisable, no padding oracle.
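The three mode behaviours above, as an added example using the Go standard library (not code from the page): a constructed 64-byte plaintext whose first and third blocks are identical plays the role of the penguin's repeated pixel rows. `DuplicateBlocks` counts repeated ciphertext blocks, so ECB scores 1 and CBC scores 0; `GCMDetectsTamper` flips one ciphertext bit and checks that AES-GCM refuses to decrypt it. The key and plaintext are demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed 64-byte plaintext: four AES blocks, with block 0 and block 2
// identical. It stands in for the repeated pixel rows of the ECB penguin.
var samplePlaintext = []byte(
	"REPEATED BLOCK!!" + // block 0
		"some other data." + // block 1
		"REPEATED BLOCK!!" + // block 2, identical to block 0
		"the final block.") // block 3

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

func randomBytes(n int) []byte {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	return buf
}

// EncryptECB: the standard library deliberately ships no ECB mode, and this
// loop is all it takes to build it anyway. Each block is encrypted on its own,
// so equal plaintext blocks become equal ciphertext blocks.
func EncryptECB(key, plaintext []byte) []byte {
	b := mustAES(key)
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += b.BlockSize() {
		b.Encrypt(out[i:i+b.BlockSize()], plaintext[i:i+b.BlockSize()])
	}
	return out
}

// EncryptCBC chains blocks from a fresh random IV, returned as the prefix.
// The sample plaintext is already block-aligned, so PKCS#7 padding (which a
// real implementation must add, and validate without leaking why it failed)
// is omitted here.
func EncryptCBC(key, plaintext []byte) []byte {
	b := mustAES(key)
	iv := randomBytes(b.BlockSize())
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(out, plaintext)
	return append(iv, out...)
}

// DuplicateBlocks counts ciphertext blocks that repeat an earlier block, a
// cheap detector for ECB-style pattern leakage in a blob of ciphertext.
func DuplicateBlocks(ct []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		blk := string(ct[i : i+aes.BlockSize])
		if seen[blk] {
			dups++
		}
		seen[blk] = true
	}
	return dups
}

// GCMDetectsTamper seals with AES-GCM, flips one ciphertext bit, and reports
// whether Open rejects it. With CTR alone the flip would silently land in the
// decrypted plaintext; GCM's authentication tag turns it into an error.
func GCMDetectsTamper(key, plaintext []byte) bool {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	nonce := randomBytes(aead.NonceSize())
	ct := aead.Seal(nil, nonce, plaintext, nil)
	ct[0] ^= 0x01 // a single flipped bit
	_, err = aead.Open(nil, nonce, ct, nil)
	return err != nil
}

func main() {
	key := randomBytes(16) // AES-128 key from the CSPRNG
	fmt.Println("ECB duplicate blocks:", DuplicateBlocks(EncryptECB(key, samplePlaintext)))
	fmt.Println("CBC duplicate blocks:", DuplicateBlocks(EncryptCBC(key, samplePlaintext)))
	fmt.Println("GCM rejects tampered ciphertext:", GCMDetectsTamper(key, samplePlaintext))
}
```

A duplicate-block count like `DuplicateBlocks` is also a useful sanity check when reviewing stored ciphertext of unknown provenance: repeated 16-byte blocks in a blob that should be random are a strong hint that ECB (or a reused IV) is in play.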

Key handling realities

  • Keys come from a CSPRNG (cryptographically secure random generator), never from passwords directly; passwords go through a key derivation function (PBKDF2, scrypt, Argon2) first.
  • Key length is meaningless if the key is in a config file in a public repo. Key management (generation, storage, rotation, destruction) fails far more often than algorithms; that's why "Cryptographic Failures" in the OWASP Top 10 is mostly about deployment, not maths.
  • Hardware support: HSMs (hardware security modules) and TPM/secure-enclave chips keep keys out of memory that software on the host can read; the key is used inside the device and never exported.
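The first bullet in working form, as an added example that is not part of the page: a key that no human types comes straight from the CSPRNG (`NewRandomKey`), while a password goes through PBKDF2-HMAC-SHA256 with a random salt and a high iteration count (`PasswordKey`). PBKDF2 is written out from RFC 8018 so the block needs only the Go standard library; the password, salt and iteration count in `main` are demo values, and 600,000 is the figure OWASP's Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const keyLen = 32 // 256-bit key

// NewRandomKey is how a key that no human ever types should be made: straight
// from the operating system's CSPRNG, never from a hash of a passphrase.
func NewRandomKey() []byte {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// HMACSHA256 is the PRF underneath PBKDF2 below.
func HMACSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// PBKDF2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256. Each output block is
// T_i = U_1 XOR U_2 XOR ... XOR U_c, where U_1 = HMAC(P, S || INT(i)) and
// U_j = HMAC(P, U_{j-1}); blocks are concatenated and cut to dkLen.
func PBKDF2SHA256(password, salt []byte, iterations, dkLen int) []byte {
	var dk []byte
	for i := 1; len(dk) < dkLen; i++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		u := HMACSHA256(password, append(append([]byte{}, salt...), idx[:]...))
		t := append([]byte(nil), u...)
		for j := 1; j < iterations; j++ {
			u = HMACSHA256(password, u)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// PasswordKey derives an encryption key from a password the slow way: a random
// salt (stored next to the ciphertext, not secret) so equal passwords give
// different keys, and a large iteration count so every guess costs the
// attacker the same work it costs the legitimate user.
func PasswordKey(password string, salt []byte, iterations int) []byte {
	return PBKDF2SHA256([]byte(password), salt, iterations, keyLen)
}

func main() {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	k := PasswordKey("correct horse battery staple", salt, 600000)
	fmt.Printf("random key:  %x\n", NewRandomKey())
	fmt.Printf("salt:        %x\nderived key: %x\n", salt, k)
}
```

The derived key is only as strong as the password behind it, which is why the iteration count matters and why a memory-hard function (scrypt, Argon2) is the better choice when one is available; the structure shown here, salt plus deliberate slowness, is the same in all three.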

Quick recall

  • Symmetric = one shared key; fast; key distribution is the weak point; n(n−1)/2 key problem.
  • AES: 128-bit blocks; 128/192/256-bit keys; unbroken, with failures happening around it.
  • Confusion and diffusion are what a good cipher provides.
  • ECB leaks patterns (penguin). CBC chains with an IV. CTR makes a stream. GCM = CTR + authentication = the default.
  • Never reuse a stream key+nonce; never encrypt without authenticating (use AEAD).