Symmetric Encryption
- Symmetric encryption is used for encrypting data with 1 encryption key.
- Encryption key is not the same as password, but the key can be derived from a password.
- Encryption keys do not have any specific structure and can be random arrays of character.
- Encryption or encryption related alogirthm is also called a cipher.
- Data to be encrypted is called plaintext.
- The result of encryption on plaintext is called ciphertext.
- In order to encrypt plaintext you need to:
- Chose an encryption algorithm or cipher
- Generate encryption Key
- Generate initialization vector or IV
- Chose cipher operation mode
- Chose padding type
- Encrypt plaintext with cipher, key and padding using the cipher operation mode.
Overview of Cipher Modes
Block Cipher
- Operate on blocks of data
- A popular cipher is AES or Advanced Encryption Standard
- Block size of 128 bits
- Cipher encrypts or decrypts in 128-bit blocks
- If the plaintext is not a multiple of the block size, then the last block is usually padded up to the block size according to the chosen padding type.
Stream Ciphers
- Operate on single bytes or even bits of data
- Do not need padding
- This makes stream ciphers easier to use
- Stream cipher generates a so-called pseudorandom cipher digit stream or keystream, based on the encryption key and the IV or nonce (number used once)
- However researchers believe existing stream ciphers are less secure than block ciphers and it is easier to weaken the security through an implementation mistake.
Symmetric Cipher Security
- If an attacker needs to perform 2^256 computational operations to break the cipher then the cipher security is 256 bits.
- Maximum amount of security bits a cipher can have is the length of the used encryption key.
- If a cipher uses a 256-bit encryption key its strength is no more than 256 bits.
- If the key length is 256 bits then there are 2^256 possible encryption keys that can be used with the current cipher.
- A computational operation does not mean a very basic CPU operation, but a complete attempt at decrypting a small amount of ciphertext.
- Computational complexity grows exponentially depending on the key length.
- As of 2021 the recommendation of the NIST is
- 112 bits of security should be enough until 2030
- 128 bits of security should be enough until the next breakthrough in technology
Reviewing Popular Ciphers
AES Cipher
- Most popular modern symmetric cipher
- Fast and secure
- Block cipher
- Rijndael, supports block and key sizes of 128, 192, and 256 bits, but in AES the block size is always 128 bits.
- The modern x86 and x86_64 CPUs have hardware accelration for AES called Advanced Encryption Standard New Instructions (AES-NI), making AES very fast.
- AES (Advanced Encryption Standard) is a specification for encrypting electronic data, and it uses a specific encryption algorithm called Rijndael (pronounced "Rhine-dahl") as its core encryption technique.
- Rijndael was selected as the winner of the NIST competition to become AES in 2001
DES and 3DES Ciphers
- Data Encryption Standard (DES) was the predecessor of AES
- Block cipher with block size of 664 bits and key length of 56 bits
- 3DES is DES applied three times with two or three different keys
- It is not recommended to use DES or 3DES for new encryptions
- DES is rather slow cipher and 3DES is even slower compared to AES.
RC4 Cipher
- Old stream cipher that can use key lengths from 40 to 2048 bits
- Very popular in the past.
- But currently many flaws were discovered
- One of the flaws reduces the security of RC4 with 128 bit keys to just 26 bits
- In 2013,RC4 was used as the main SSL/TLS cipher as all block cipher used in SSL 3.0 was targeted by the infamous Browser Exploit Against SSL/TLS (BEAST) attack, but RC4 being a stream cipher was not affected.
ChaCha20 cipher
- Modern Stream Cipher
- Secure and fast
- Can be used with 128-bit or 256-bit key
- OpenSSL supports only the 256-bit key
- This cipher became famous when Google started to use it in their Chrome browser
- Then support was also added to OpenSSH
- Successor of RC4
- ChaCha20 is faster than AES
- Encryption of network data streams
- One disadvantage of ChaCha20 is that it uses a block counter which is only 32-bit.
- Secure on contiguos plaintexts that do not exceed 256 GB of data.
- Is enough for network data streams but not enough for large files.
Other Ciphers
- Block Ciphers
- Blowfish → 64 bits
- CAST5 or CAST-128 → 64 bits (Developed by Canada)
- GOST5 → 64 bits
- GOST89 → 64 bits (Russia)
- IDEA → 64 bits
- RC2 → 64 bits
- RC5 → 64 bits
- ARIA → 128 bit blocks (South Korea)
- Camellia → 128 bit block
- SEED → 128 bit block (South Korea)
- SM4 → 128 bit block (China)
Block Cipher Modes Of Operation
- Modes of operation or encryption modes
- Specify how the blocks are chained together
- ECB or Electronic Code Book
- Each plaintext block is encrypted into a cipher text block using only encryption key
- Ciphertext blocks are concatenated
- Same plaintext always produces the same cipehrtext
- Security issue since the patterns are preserved and can be reverse-engineered
- CBC or Cipher Block Chain
- The ciphertext of the current block depends on the ciphertext of the previous block
- The 1st block is XOR-ed with an IV or a nonce
- The rest of the blocks are XOR-ed with the ciphertext of the previous block
- The IV must be unpredictable for a given message to resist the “Chosen Plaintext Attack”
- CTR Mode
- Plaintext is not processed by encryption algorithm.
- Sequence of counter blocks which consist of 64-bit random nonce and an actual 64 bit counter incrementing for each block is encrypted by the block cipher.
- The first counter block is not reused for encryption of another plaintext.
- Then the encrypted counter blocks are XOR-ed with the plaintext blocks. The result is our ciphertext.
- CTR mode converts a block cipher into a stream cipher where the sequence of encrypted counter blocks is the keystream.
- The IV used in CTR mode must never be reused with the same encryption key for another message. If you reuse it then the same keystream will be generated for encrypting mutiple messages.
- Plaintext padding is not required.
- Different plaintext blocks can be encrypted or decrypted in parallel using pre-calculated keystream
- GCM Mode
- Ciphertext is produced in the same way as in CTR Mode
- Counter blocks are enrypted with block cipher forming the keystream
- The keystream is then XOR-ed with the plaintext, producing the ciphertext.
- Difference is GCM not only encrypts the plaintext but also authenticates the ciphertext.
- Knowledge of the encryption key allows us to verify the integrity of the ciphertext. Basically it can detect unauthorized changes to the the ciphertext if the verification fails.
- Each ciphertext block is converted into a number and is used in the finite field arithmetic over the Galois field together with an initial block which depends on the encryption key
- The output of encryption in GCM mode contains IV, ciphertext, authentication tag.
- Just like CTR, the GCM IV also needs to be unique.
- Works on 128-bit block sizes and requires 96-bit IV.
- To respond to this weakness Advanced Encryption Standard in Galois/Counter Mode with a Synthetic Initialization Vector was invented or AES-GCM-SIV
- It does not take IV as a part of the input data.
- This algorithm takes a second secret key for authentication
- The authetnication tag is based on plaintext, additional autheticated data, authentication key. This is called the SIV.
- This is called Authenticated Encryption or AE.
- Can combine encrypted and unencrypted data for authentication. It is called Authenticated Encryption with Associated Data or AEAD. GCM is an AEAD.
Padding
- In CBC, block ciphers pad up the last block size, which is usually lower than the block size, to the recommended block size.
- OpenSSL can automatically add the padding and remove the padding during encryption and decryption
- For symmetric encryption, OpenSSL only supports PKCS7 padding.
- It pads each remaining bytes with the value ‘N’ or 0x06
- If the block size also matches the exact block a padding block with value 0x10 is added anyway.
- Susceptible to padding oracle attacks.
Symmetric Encryption Key Others
- Generating an encryption key for symmetric encryption is easy.
- Generate the needed amount of random bytes from Cryptogaphically Secure Random Number Generator
- In Linux you can use:
xxd -plain -len 32 -cols 32 /dev/random
openssl rand -hex 32
- Download and install OpenSSL
sudo apt install openssl libssl3 libssl-dev libssl-doc
- The OpenSSL toolkit consists of the following components:
- Dynamic libraries
- static libraries
- C Header Files
openssl
command line tool- documentation
How to encrypt and decrypt with AES on the command line
- Let’s generate a sample file to encrypt:
seq 1000 > somefile.txt
- From the above to encrypt using Symmetric Encryption let’s use the followig options
- Cipher: AES-256
- Operation mode: CBC (we should have chosen GCM but that mode is not supported by the CLI tool)
- Let’s generate a 256-bit encryption key
openssl rand -hex 32
- We need to generate a 128-bit IV the same length as the block size
openssl rand -hex 16
- Now using the values from above let’s encrypt the file
openssl enc -aes-256-cbc -K 6740471107b6238b3a8b173f119117649d51c3410545c3f8466201b00a8c99ac -iv 63e204ba5e1f34b785be5abd218fc216 -e -in plaintext.txt -out plaintext.txt.enc
- If you try and
cat
the file you will see that it’s full of random characters.
- Let’s try and decrypt the file
openssl enc -aes-256-cbc -K 6740471107b6238b3a8b173f119117649d51c3410545c3f8466201b00a8c99ac -iv 63e204ba5e1f34b785be5abd218fc216 -d -in plaintext.txt.enc -out plaintext.txt.dec diff plaintext.txt plaintext.txt.dec
- We can check the checksum also of both the files to verify
shasum -a 256 plaintext.txt shasum -a 256 plaintext.txt.dec
What happens if we try and decrypt a file using wrong key
Let’s re-run the same decrypt command but this time we use a different key which is a wrong one
openssl enc -aes-256-cbc -K 6744471107b6238b3a8b173f119117649d51c3410545c3f8466201b00a8c99ac -iv 63e204ba5e1f34b785be5abd218fc216 -d -in plaintext.txt.enc -out plaintext.txt.dec
Decryption here is just a sequence of arithmetical and logical operations on a block of 16 bytes. It is the standard padding here that helped.
The decryption of the last block resulted in a block of garbage data, which did not have the right padding at the end and openssl detected that.
So in a decryption process untill the last block it is impossible to detect failure.
What happens if we used cipher operation mode that did not require padding - like CTR?
openssl enc -aes-256-ctr -K 6744471107b6238b3a8b173f119117649d51c3410545c3f8466201b00a8c99ac -iv 63e204ba5e1f34b785be5abd218fc216 -d -in plaintext.txt.enc -out plaintext.txt.dec ls -l rw-r--r-- 1 boredtoolbox staff 3 KiB Sun Feb 11 22:18:36 2024 plaintext.txt rw-r--r-- 1 boredtoolbox staff 3 KiB Sun Feb 11 22:48:36 2024 plaintext.txt.dec rw-r--r-- 1 boredtoolbox staff 3 KiB Sun Feb 11 22:20:31 2024 plaintext.txt.enc diff plaintext.txt plaintext.txt.dec Binary files plaintext.txt and plaintext.txt.dec differ shasum -a 256 plaintext.txt.dec b67eda76485fe249e4d5cce4226b62bcee7224a3d35931a652be94c889bb2a4d plaintext.txt.dec shasum -a 256 plaintext.txt 67d4ff71d43921d5739f387da09746f405e425b07d727e4c69d029461d1f051f plaintext.txt
There was no error even though we tried to decrypt in the wrong key and in the wrong mode. The checksums of the decrypted and the original file are clearly different. So what happened?
We were decrypting in CTR mode. Thus all the wrongly decrypted data was considered plaintext without padding. The padding was neither checked nor was it removed.
Thus we can see that it is quite useful to have some checksum or message digest in order to check the decryption result.
Summary
- openssl rand -hex 32 > enc.key - openssl rand -hex 16 > iv.key - openssl enc -aes-256-cbc -kfile enc.key -iv $(cat iv.key) -e -in plaintext.txt -out plaintext.txt.enc - openssl enc -aes-256-cbc -kfile enc.key -iv $(cat iv.key) -d -in plaintext.txt.enc -out plaintext.txt.dec