In this second installment of a three-part series on symmetric key encryption technology, we look at the evolution of symmetric key encryption algorithms, the variety of algorithms available today, their strengths and weaknesses, and the importance of crypto-agility.
DES algorithm family
The original DES (Data Encryption Standard) block cipher algorithm, also known as DEA (Data Encryption Algorithm), was developed by IBM in the early 1970s and published (with small alterations) as a standard by the US Government in 1977, quickly becoming a de-facto international standard.
However, with a key-length of only 56 bits (plus 8 parity bits), it became clear in the 1990s that it was no longer sufficiently secure against brute-forcing of the key using modern computers, which were growing in power according to Moore’s Law. Thus Triple-DES (aka TDES, TDEA or 3DES) was introduced in 1998, using a bundle of 3 keys, giving a nominal strength of 168 bits, but at the price of slow performance. Optionally, the key length can be reduced to 112 bits by making two of the keys the same – this is sometimes called 2DES or 2TDEA; however, this is no faster and a 112-bit key is no longer considered secure.
Triple-DES is still widely used today, particularly in the financial industry, although many applications skipped Triple-DES due to its poor performance and went straight from DES to AES instead. However, even though a 168-bit key is still considered to be strong, it is no longer recommended for new applications because it uses a small block size (64 bits). This makes it susceptible to what is known as the “Sweet32” attack, which means that the key can be broken if more than 2^32 blocks of data are encrypted without changing the key. Given the high volume of data stored or transmitted by modern systems, this means having to change the key frequently, which is impractical.
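The 2^32-block figure is the birthday bound for a 64-bit block: after roughly 2^(64/2) blocks under one key, two ciphertext blocks are likely to coincide. The following Python is an added example, not part of the original article, that turns the bound into a rekeying interval; the 1 Gbit/s load and the risk tolerances are assumptions.

```python
import math

def collision_probability(blocks, block_bits):
    """Birthday-bound chance that two of `blocks` ciphertext blocks are equal."""
    # p ~= 1 - exp(-n(n-1) / 2^(b+1)); expm1 keeps precision when p is tiny.
    return -math.expm1(-blocks * (blocks - 1) / 2.0 ** (block_bits + 1))

def max_blocks(target_p, block_bits):
    """Most blocks one key may encrypt while keeping the chance <= target_p."""
    # Inverse of the formula above: n ~= sqrt(2^(b+1) * ln(1 / (1 - p))).
    return math.isqrt(int(-math.log1p(-target_p) * 2 ** (block_bits + 1)))

def rekey_interval_seconds(target_p, block_bits, bytes_per_second):
    """How long a key lasts at a sustained throughput before it must change."""
    budget_bytes = max_blocks(target_p, block_bits) * (block_bits // 8)
    return budget_bytes / bytes_per_second

if __name__ == "__main__":
    link = 125_000_000  # assumed load: 1 Gbit/s of sustained traffic
    for name, bits in (("3DES", 64), ("AES", 128)):
        p = collision_probability(2 ** 32, bits)
        print(f"{name}: P(collision after 2^32 blocks) = {p:.3g}")
        for target in (0.5, 1e-6):  # assumed risk tolerances
            secs = rekey_interval_seconds(target, bits, link)
            print(f"  rekey every {secs:.3g} s to stay below p = {target}")
```

With a 64-bit block, 2^32 blocks is only 32 GiB of data, which a busy link moves in minutes; the same calculation for a 128-bit block gives an interval measured in decades.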
RC algorithm family
The first members of the RC algorithm family, RC2 and RC4 (aka ARC4 or ARCFOUR), were designed by Ron Rivest (of RSA fame) in 1987. RC2 is a 64-bit block cipher that supports a key length of up to 128 bits, although it was initially only approved for US export with a 40-bit key. RC4 is a stream cipher that has been very widely used (e.g. in the SSL/TLS protocol and early Wi-Fi security standards). However, neither RC2 nor RC4 is considered secure today.
RC5 is a block cipher with variable block sizes (32, 64, or 128 bits), variable key lengths (up to 2,040 bits), and a variable number of rounds (up to 255). This allows for a trade-off between performance and security, and when used with appropriate parameters, it is still considered secure. It was later modified to produce RC6 with a fixed block size of 128 bits as a competitor for the Advanced Encryption Standard - see below for more information. However, because they are patented, RC5 and RC6 are not widely used.
A subset of the Rijndael algorithm family of block ciphers was selected as the Advanced Encryption Standard (AES) in 2001 to replace DES, following a competition run by the US National Institute of Standards and Technology (NIST). It is now commonly known as the AES algorithm, featuring a block size of 128 bits and three key length options: 128, 192 or 256 bits. The number of rounds varies with key length.
AES is the symmetric algorithm of choice for most applications today, and it is widely used, typically with 128 or 256-bit keys, the latter of which is considered strong enough to protect military TOP SECRET data. It is worth noting that, assuming no known flaws in an algorithm, brute forcing a single 128-bit key will take billions of years using any classical computing technology available today or in the foreseeable future (but see quantum computing below).
Other symmetric algorithms
Many other block ciphers have been developed over the years, such as Blowfish, IDEA and CAST-128 (aka CAST5). However, most older algorithms are held back by block size and/or key length limitations as well as (in some cases) security issues and/or patent restrictions, and have thus had relatively little success outside of one or two specific applications.
A number of block ciphers were developed to participate in the AES competition, such as Twofish, Serpent, MARS and CAST-256. Many of these are still very good, but because Rijndael was eventually chosen based on a combination of security, performance and other factors, they are rarely used.
There are also many examples of other stream ciphers.
Some governments develop their own national algorithms, whether for military or commercial use. The US National Security Administration (NSA) has developed many algorithms over the years, although the details of most remain secret. Other relatively well-known examples of national algorithms include Magma (aka GOST 28147-89) and Kuznyechik (aka GOST R 34.12-2015) in Russia, SM1 and SM4 in China and SEED in South Korea.
There is presently a lot of research into lightweight algorithms, suitable for implementation in low-cost mobile devices and Internet-of-Things (IoT) applications, which typically have limited CPU performance, limited memory and/or limited power available.
When large-scale quantum computing becomes available, possibly in about 10 years from now, it will have a major impact on cryptography. In particular, the asymmetric algorithms predominantly used today will be effectively broken. Fortunately, the impact on symmetric algorithms appears to be less severe – Grover’s algorithm has the effect of halving the key length, thus AES-128 has an effective strength equivalent to a 64-bit key, and AES-256 is reduced to the strength of a 128-bit key. This means that AES-256 can still be confidently used in the face of quantum computing (as far as we know today).
As we've seen, no algorithm is perfect, and cryptographic attacks become more powerful as new tools and techniques are developed. Algorithms that were once thought to be strong are now easily broken on a home PC. Quantum computing will weaken even today's best algorithms. New algorithms will be developed in the future to improve security and to target new applications with specific requirements, such as IoT.
However, history has shown that changing algorithms can be more difficult than anticipated, with old algorithms continuing to be used long after they are no longer considered secure.
You only have to look at MD5, SHA1, DES, 2TDEA, RC4, RSA-1024 and so on to see how painful and lengthy the process can be.
The issue is one of interoperability. When entire ecosystems have been built up around a specific algorithm, as the financial industry has been built up around DES and Triple-DES, it takes many years of cooperation from nations, industries, standards bodies, and vendors to effect change. Hardware, software, and protocols must all be updated. There are significant financial implications, especially where existing infrastructure must be replaced.
Quantum computing threatens to cause major upheaval in the next 5-10 years, and companies that do not want to be left behind must begin planning now. All new applications should be built with "crypto-agility" in mind, which means the ability to switch algorithms with simple, painless software upgrades. To avoid having to contact each application individually to upgrade it, this process should ideally be controlled and managed centrally.
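An added example (not from the article or any product) of a centrally managed algorithm policy: applications reference a named profile, the policy applies the key-length, block-size and Grover-halving reasoning described above, and a migration is a single change to the profile table. The thresholds, profile names and inventory are assumptions constructed for illustration.

```python
from collections import namedtuple

# block_bits 0 = stream cipher; broken = insecure regardless of key length
Alg = namedtuple("Alg", "key_bits block_bits broken", defaults=(False,))

# Parameters as stated in the article. RC4's key length is not given there;
# 128 is an assumed, typical value.
CATALOGUE = {
    "DES": Alg(56, 64), "2TDEA": Alg(112, 64), "3TDEA": Alg(168, 64),
    "RC2": Alg(128, 64, broken=True), "RC4": Alg(128, 0, broken=True),
    "AES-128": Alg(128, 128), "AES-256": Alg(256, 128),
}
MIN_KEY_BITS = 128       # assumed policy threshold against classical attack
MIN_QUANTUM_BITS = 128   # assumed policy threshold after Grover halving

def assess(name):
    """Return (status, effective_quantum_bits, findings) for one algorithm."""
    alg = CATALOGUE.get(name)
    if alg is None:
        return "unknown", 0, ["not in central catalogue"]
    findings = []
    if alg.broken:
        findings.append("no longer considered secure")
    if alg.key_bits < MIN_KEY_BITS:
        findings.append(f"{alg.key_bits}-bit key too short")
    if 0 < alg.block_bits < 128:
        findings.append(f"{alg.block_bits}-bit block (Sweet32)")
    quantum_bits = alg.key_bits // 2   # Grover halves the effective key length
    if findings:
        return "replace", quantum_bits, findings
    if quantum_bits < MIN_QUANTUM_BITS:
        return "plan-migration", quantum_bits, ["quantum strength below policy"]
    return "ok", quantum_bits, []

def audit(inventory, profiles):
    """Map each 'app profile' inventory line to the status of its algorithm."""
    report = {}
    for line in inventory.strip().splitlines():
        app, profile = line.split()
        report[app] = assess(profiles.get(profile, "unlisted"))[0]
    return report

# Constructed sample data: applications name a profile, never an algorithm.
# Changing one PROFILES entry migrates every application that uses it.
PROFILES = {"card-legacy": "3TDEA", "at-rest": "AES-128", "archive": "AES-256"}
INVENTORY = "pos-gw card-legacy\ncrm-db at-rest\nbackup archive\nbridge rc4-link"

if __name__ == "__main__":
    print(audit(INVENTORY, PROFILES))
    print(audit(INVENTORY, {**PROFILES, "card-legacy": "AES-256"}))
```

The `bridge` entry references a profile the central table does not define, so it is reported as `unknown` rather than silently passed.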
In the final article in this series we will look at the use of encryption modes with symmetric block ciphers, including the need for padding and initialization vectors.