In this article, the second in a 3-part series on symmetric key encryption technology, we look at the development of symmetric key encryption algorithms and the range of algorithms available today along with their strengths and weaknesses, as well as the importance of crypto-agility.
DES algorithm family
The original DES (Data Encryption Standard) block cipher algorithm, also known as DEA (Data Encryption Algorithm), was developed by IBM in the early 1970s and published (with small alterations) as a standard by the US Government in 1977, quickly becoming a de-facto international standard.
However, with a key-length of only 56 bits (plus 8 parity bits), it became clear in the 1990s that it was no longer sufficiently secure against brute-forcing of the key using modern computers, which were growing in power according to Moore’s Law. Thus Triple-DES(aka TDES, TDEA or 3DES) was introduced in 1998, using a bundle of 3 keys, giving a nominal strength of 168 bits, but at the price of slow performance. Optionally, the key length can be reduced to 112 bits by making two of the keys the same – this is sometimes called 2DES or 2TDEA; however, this is no faster and a 112-bit key is no longer considered secure.
Triple-DES is still widely used today, particularly in the financial industry, although many applications skipped Triple-DES due to its poor performance and went straight from DES to AES instead. However, even though a 168-bit key is still considered to be strong, it is no longer recommended for new applications because it uses a small block size (64 bits). This makes it susceptible to what is known as the “Sweet 32” attack, which means that the key can be broken if more than 232 blocks of data are encrypted without changing the key. Given the high volume of data stored or transmitted by modern systems, this means having to change the key frequently, which is impractical.
RC algorithm family
The first members of the RC algorithm family, RC2 and RC4 (aka ARC4 or ARCFOUR), were designed by Ron Rivest (of RSA fame) in 1987. RC2 is a 64-bit block cipher that supports a key length of up to 128 bits, although it was initially only approved for US export with a 40-bit key. RC4 is a stream cipher that has been very widely used (e.g. in the SSL/TLS protocol and early Wi-Fi security standards). However, neither RC2 nor RC4 are considered secure today.
RC5 is a block cipher with a variable block size (32, 64 or 128 bits), variable key length (up to 2,040 bits) and variable number of rounds (up to 255). This enables a trade-off between performance and security, and it is still considered secure when used with suitable parameters. It was later modified to produce RC6 with a fixed block size of 128 bits as a contestant for the Advanced Encryption Standard – see below. However, RC5 and RC6 are not widely used as they are patented.
A subset of the Rijndael algorithm family of block ciphers was selected as the Advanced Encryption Standard (AES) in 2001 to replace DES, following a competition run by the US National Institute of Standards and Technology (NIST). It is now commonly known as the AES algorithm, featuring a block size of 128 bits and three key length options: 128, 192 or 256 bits. The number of rounds varies with key length.
AES is the symmetric algorithm-of-choice for most applications today and is very widely used, mostly with 128 or 256-bit keys, with the latter key length even considered strong enough to protect military TOP SECRET data. Note that, assuming there are no known weaknesses in an algorithm, a single 128-bit key will take billions of years to brute force using any classical computing technology today or in the foreseeable future (but see quantum computing below).
Other symmetric algorithms
Many other block ciphers have been developed over the years, such as Blowfish, IDEA and CAST-128 (aka CAST5). However, most older algorithms are limited by block size and/or key length limitations as well as (in some cases) security issues and/or patent restrictions and have thus had relatively little success outside of one or two specific applications.
A number of block ciphers were developed to participate in the AES competition, such as Twofish, Serpent, MARS and CAST-256. Many of these are still very good, even though Rijndael was eventually chosen based on a combination of security, performance and other factors, so these are rarely used.
There are also many examples of other stream ciphers.
Some governments develop their own national algorithms, whether for military or commercial use. The US National Security Administration (NSA) has developed many algorithms over the years, although the details of most remain secret. Other relatively well-known examples of national algorithms include Magma (aka GOST 28147-89) and Kuznyechik (aka GOST R 34.12-2015) in Russia, SM1 and SM4 in China and SEED in South Korea.
There is presently a lot of research into lightweight algorithms, suitable for implementation in low-cost mobile devices and Internet-of-Things (IoT) applications, which typically have limited CPU performance, limited memory and/or limited power available.
When large-scale quantum computing becomes available, possibly in about 10 years from now, it will have a major impact on cryptography. In particular, the asymmetric algorithms predominantly used today will be effectively broken. Fortunately, the impact on symmetric algorithms appears to be less severe – Grover’s algorithm has the effect of halving the key length, thus AES-128 has an effective strength equivalent to a 64-bit key, and AES-256 is reduced to the strength of a 128-bit key. This means that AES-256 can still be confidently used in the face of quantum computing (as far as we know today).
As we have seen, no algorithms are perfect – cryptographic attacks only get stronger as new tools and techniques are developed. Algorithms that were once considered strong are today easy to break on a home PC. Even today’s best algorithms will be weakened by quantum computing. New algorithms will continue to be developed to improve security and to target new applications with specific needs, such as IoT.
However, history has shown that changing algorithms can be more difficult than expected, with old algorithms still being used well after they are no longer considered secure.
You only have to look at MD5, SHA1, DES, 2TDEA, RC4, RSA-1024 and so on to see how painful and lengthy the process can be.
The problem is interoperability. When whole ecosystems have been built up around a particular algorithm, just as the financial industry has been built up around DES and Triple-DES, it requires the cooperation of nations, industries, standards bodies and vendors over many years to effect change. Hardware, software, protocols all have to be updated. There are huge financial implications, particularly where existing infrastructure has to be replaced.
Quantum computing threatens to create a major upheaval in the next 5-10 years, and companies not wishing to be stuck on the back foot have to start planning now. All new applications should be designed with “crypto-agility” in mind – i.e. the ability to switch algorithms via simple, painless software upgrades. Ideally, this process should be controlled and managed centrally to save having to reach out to each and every application individually to upgrade it.
In the final article in this series we will look at the use of encryption modes with symmetric block ciphers, including the need for padding and initialization vectors.
References and Further Reading
- 3DES is Officially Being Retired (2018), by Jasmine Henry
- Trends in Cryptography Part 1 – Algorithms and Encryption (2018), by Rob Stubbs
- Quantum Computing and its Impact on Cryptography (2018), by Rob Stubbs
- What is Crypto-Agility? (2018), by Jasmine Henry
- Steps to reach crypto agility to get prepared for quantum computing (2019), by Terry Anton
- Achieving Agile Cryptography Management with Crypto Service Gateway (CSG) (2019), by Rob Stubbs
- What is a Crypto-Abstraction Layer? (2018), by Chris Allen
- Turning Cryptography into a Service - Part 1 (2018), by Rob Stubbs