This post is from my series of short essays on cybersecurity.
CIA – Confidentiality, Integrity, and Availability – is a well-known acronym that defines the model of information security needs. I can’t think of any topic other than confidentiality with which to start a discussion of security technology and tools. Maintaining confidentiality means keeping information hidden from everyone other than the person for whom it is intended. In today’s digital world, information travels over open internet networks, is stored on transportable storage devices, and sits on public cloud storage services. Thanks to cryptographic algorithms, we can transform digital content into a cryptic form (encryption) such that it is easy to convert it back to the original form (decryption) when needed. In this post, I discuss the idea of symmetric key cryptography, where symmetric means that a single key is used for both encrypting and decrypting the content.
Magic of cryptography is in the concept of confusion (substitution) and diffusion (transposition).
Confusion transforms the information so that an interceptor cannot readily extract it. This is done by substitution: replacing one letter with another. Diffusion spreads the information from one region of the plaintext widely over the ciphertext. This is done by rearranging, a technique called transposition. As a simple example (not a real encryption algorithm, just a demonstration of substitution and transposition), take the word “ADARSH”. Applying a next-letter substitution gives “BEBSTI”. For transposition, rearranging positions 123456 as 214365 gives the final encrypted representation EBSBIT. A receiver of the encrypted text EBSBIT applies the steps in reverse, first undoing the transposition and then the substitution, to recover the original text ADARSH. All encryption algorithms are built from some combination of substitution and transposition; the actual substitution and transposition applied depend on the input key and the algorithm.
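The substitution and transposition steps above, carried through in Python as an added worked example (this is not code from the original post; the function names, the `shift` parameter, the block-size requirement and my reading of the 123456 → 214365 notation are assumptions). It reproduces the ADARSH → EBSBIT → ADARSH walk-through, generalises to any letter shift and any block permutation, and makes the receiver’s reverse steps explicit.

```python
# Added example, not from the original post: the toy substitution-then-transposition
# scheme described in the text, generalised to any letter shift and any block
# permutation. It is a teaching aid for confusion and diffusion only and provides
# no real security.
import string

ALPHABET = string.ascii_uppercase


def substitute(text, shift):
    """Confusion step: replace each letter by the one `shift` places later (Z wraps to A).
    A negative shift undoes a positive one."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # non-letters are passed through unchanged
    return "".join(out)


def transpose(text, order):
    """Diffusion step: rearrange every block of len(order) characters.
    order[i] is the 1-based source position that lands at output position i,
    so [2, 1, 4, 3, 6, 5] is the post's '123456 -> 214365' rule (my assumption
    about how to read that notation)."""
    n = len(order)
    if len(text) % n:
        raise ValueError("text length must be a multiple of the block size")
    out = []
    for start in range(0, len(text), n):
        block = text[start:start + n]
        out.append("".join(block[p - 1] for p in order))
    return "".join(out)


def inverse_order(order):
    """The permutation that undoes `order`; this is what the receiver applies."""
    inv = [0] * len(order)
    for i, p in enumerate(order):
        inv[p - 1] = i + 1
    return inv


def toy_encrypt(plaintext, shift, order):
    return transpose(substitute(plaintext, shift), order)


def toy_decrypt(ciphertext, shift, order):
    # Undo the steps in reverse order: transposition first, then substitution.
    return substitute(transpose(ciphertext, inverse_order(order)), -shift)


def changed_positions(a, b):
    """How many positions differ between two equal-length strings."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    order = [2, 1, 4, 3, 6, 5]
    ct = toy_encrypt("ADARSH", 1, order)
    print(ct, toy_decrypt(ct, 1, order))  # EBSBIT ADARSH
    # Weak diffusion: changing one plaintext letter changes exactly one
    # ciphertext position. Real ciphers iterate many rounds so that every
    # output bit depends on many input bits.
    print(changed_positions(ct, toy_encrypt("ADARSZ", 1, order)))  # 1
```

The `changed_positions` check at the end is the instructive part: with one substitution and one transposition, a single-letter change in the plaintext moves to a single position in the ciphertext, which is why real block ciphers repeat both operations over many rounds under key-dependent control.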
The Data Encryption Standard (DES) was the original standard, published in 1977 as a Federal Information Processing Standard (FIPS). Originally, the DES standard was classified, and this lack of transparency made it difficult for researchers to assess the security and vulnerabilities of DES. Later DES was superseded by the Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, which addressed some of the vulnerabilities discovered in DES. Finally, in November 2001, with the publication of FIPS 197, the Advanced Encryption Standard (AES) became the default standard for symmetric block ciphers. The original key requirement, AES-128, uses a 128-bit key. If you want future proofing, you can move up to AES-256 (a 256-bit key). AES-256 is considered secure enough that an attack is computationally infeasible for the foreseeable future, even by well-funded adversaries, and AES has stood the test of time over the last twenty years. Keeping encryption algorithms open not only builds confidence in the hardening of the algorithm but also builds confidence in the transparency of its use. Standards that build on AES range from the internet security standards IPsec and TLS, Wi-Fi encryption (802.11i) and the Secure Shell protocol (SSH) to modern communication protocols.
Symmetric key cryptography serves confidentiality well, assuming the secrecy of the key is maintained and the key is large enough to resist exhaustive search. But symmetric key cryptography alone provides no support for message integrity or authenticity; the obvious reason is the use of the same key for both encryption and decryption. Anyone holding the key can modify and re-encrypt the message, and there is no way to prove that the message’s integrity was broken. Sharing the key with the remote party in a secure and authenticated way also requires additional protocol mechanisms. In a future post I will discuss in detail how key establishment and authenticity are addressed with a combination of symmetric and asymmetric key cryptography.
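The integrity gap described above, shown in Python as an added example (not code from the original post). To run with the standard library alone it uses a constructed hash-based counter-mode stream cipher as a stand-in for a block cipher; AES in counter mode has the same property that decryption never “fails”. It then shows the check a practitioner adds: encrypt-then-MAC with HMAC-SHA256 under a separate MAC key. Function names, keys, nonce and message are all assumptions or constructed values.

```python
# Added example, not from the original post: a symmetric cipher on its own gives
# confidentiality but no integrity; a keyed MAC (HMAC-SHA256 here) supplies the
# missing check. The cipher is a constructed stand-in for a block cipher in
# counter mode: keystream block i = SHA-256(key || nonce || i), XORed with the
# data. It is not a vetted algorithm and is used only so the example runs offline.
# Key, nonce and message values are constructed for illustration.
import hashlib
import hmac


def keystream(key, nonce, length):
    """Deterministic keystream of `length` bytes derived from key and nonce."""
    blocks = []
    counter = 0
    while 32 * len(blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key, nonce, plaintext):
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, nonce, ciphertext):
    # XOR with the same keystream undoes the encryption. This never raises:
    # any byte string "decrypts" to something, so a change in transit is silent.
    return encrypt(key, nonce, ciphertext)


def encrypt_then_mac(enc_key, mac_key, nonce, plaintext):
    """Confidentiality plus integrity: the tag covers the nonce and the ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def verify_then_decrypt(enc_key, mac_key, nonce, ciphertext, tag):
    """Check the tag (constant-time compare) before touching the ciphertext."""
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: data was modified in transit")
    return decrypt(enc_key, nonce, ciphertext)


def modify_in_transit(data, index):
    """Model an accidental or deliberate change to one byte of data on the wire."""
    out = bytearray(data)
    out[index] ^= 0xFF
    return bytes(out)


def demo():
    """Encrypt one message, change one ciphertext byte, and report what each receiver sees."""
    enc_key = b"\x01" * 32   # constructed; real keys come from a CSPRNG
    mac_key = b"\x02" * 32   # separate key for the MAC
    nonce = b"\x00" * 16     # must never repeat under the same key
    msg = b"meeting moved to 3pm"

    ct, tag = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    damaged = modify_in_transit(ct, 0)

    # Cipher alone: decryption "succeeds" and hands back altered plaintext.
    recovered = decrypt(enc_key, nonce, damaged)
    result = {
        "recovered_differs": recovered != msg,
        "bytes_changed": sum(a != b for a, b in zip(recovered, msg)),
    }
    # Cipher plus MAC: the receiver rejects the message before decrypting.
    try:
        verify_then_decrypt(enc_key, mac_key, nonce, damaged, tag)
        result["mac_rejected"] = False
    except ValueError:
        result["mac_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())  # {'recovered_differs': True, 'bytes_changed': 1, 'mac_rejected': True}
```

Two points worth noting from the output. The plain decryption returns a message that differs in exactly the one byte that was changed and gives no signal at all, which is the “no way to prove integrity is broken” case from the text. The MAC catches a change made by anyone who does not hold `mac_key`; it cannot distinguish between the two legitimate key holders, which is the authenticity limitation the post defers to asymmetric cryptography.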