Codepath

Symmetric Key Algorithms

A Symmetric-Key Algorithm uses a string of data to encrypt and decrypt information. This string of data acts like a real-world key which can lock and unlock a door. In fact, it is often called a "key" or a "password". With symmetric-key algorithms, the same key is used for encrypting and for decrypting (that is what makes it "symmetric").

Anyone who knows or possesses the key can decrypt the information. Anyone who does not know or possess the key cannot decrypt it easily. It cannot be simply unscrambled like a substitution cipher. Someone would need to use advanced techniques to "break" the encryption.

If the algorithm is hard to break, this is a better way to encrypt messages than a substitution cipher. Messages can be sent publicly, but only the recipient who knows the password can decrypt it. Much of the history of cryptography (and military communication/intelligence) has been dedicated towards either developing stronger algorithms or trying to break current algorithms.

The rapid increase of computing power beginning in the 1970s transformed the cryptography landscape. Hundreds of algorithms have been developed and hundreds have been broken. There are three algorithms which are notable for their resistance to decryption and their wide-spread usage.

  • The Data Encryption Standard (DES) algorithm was developed at IBM and first published in 1977. It was one of the first N.S.A. approved standards for encryption. It was widely used from 1977 until 2000. It was also widely studied and informs the design of later algorithms. However, it is now considered insecure. Modern computers can decrypt a DES encrypted message in less than a day. There is a successor to DES which is Triple DES (DES encyrption applied three times) which is still considered secure and is commonly used.

  • The Advanced Encryption Standard (AES) algorithm was selected by the N.S.A. as the winner of an algorithm competition held in 2002. It is also known as "Rijndael" (pronounced rain-dahl) because that was its name during the competition. AES has not yet been broken is still considered strong enough to encrypt U.S. classified data.

  • The Blowfish algorithm was designed in 1993. It has not yet been broken, even though a few technical and theoretical weaknesses have been identified. It is also widely used in many encryption software products. The feature that make Blowfish interesting is that it is slow compared to other encryption algorithms. This is a useful trait for password encryption.


Symmetric Key Algorithms Pros and Cons

Symmetric key algorithms are very fast and can encrypt large amounts of data.

The primary drawback of symmetric key algorithms is the "key distribution problem". Once data is encrypted it can be sent publicly, however, the key or password must also be given to the recipient. If the key is sent with the data or sent in plain text through another visible channel, then it is easily intercepted and the data will be easily decrypted.

One common solution is to use symmetric key algorithms to encrypt the data and then to use asymmetric key algorithms (a.k.a. public key cryptography) to encrypt only the key which unlocks the encrypted data.


Encryption/Decryption in PHP using AES

Use PHP's OpenSSL functions to encrypt data with a key.

<?php

  const CIPHER_METHOD = 'AES-256-CBC';

  $plaintext = 'This is a secret.';
  $key = 'a1b2c3d4e5';

  // Needs a key of length 32 (256-bit)
  $key = str_pad($key, 32, '*');

  // Create an initialization vector which randomizes the
  // initial settings of the algorithm, making it harder to decrypt.
  // Start by finding the correct size of an initialization vector 
  // for this cipher method.
  $iv_length = openssl_cipher_iv_length(CIPHER_METHOD);
  $iv = openssl_random_pseudo_bytes($iv_length);

  // Encrypt
  $encrypted = openssl_encrypt($plaintext, CIPHER_METHOD, $key, OPENSSL_RAW_DATA, $iv);

  // Return $iv at front of string, need it for decoding
  $message = $iv . $encrypted;
  
  // Encode just ensures encrypted characters are viewable/savable
  echo base64_encode($message);

  // LmnhW5OjbciSmcmmlrsTyHwSkRQgqSUitfZtJBXLUl4+ZFp9vDVQ6hFI9jJ0g6ru
  
?>

Use PHP's OpenSSL functions to decrypt data with a key.

<?php

  const CIPHER_METHOD = 'AES-256-CBC';

  $message = 'LmnhW5OjbciSmcmmlrsTyHwSkRQgqSUitfZtJBXLUl4+ZFp9vDVQ6hFI9jJ0g6ru';
  $key = 'a1b2c3d4e5';

  // Needs a key of length 32 (256-bit)
  $key = str_pad($key, 32, '*');

  // Base64 decode before decrypting
  $iv_with_ciphertext = base64_decode($message);
  
  // Separate initialization vector and encrypted string
  $iv_length = openssl_cipher_iv_length(CIPHER_METHOD);
  $iv = substr($iv_with_ciphertext, 0, $iv_length);
  $ciphertext = substr($iv_with_ciphertext, $iv_length);

  // Decrypt
  $plaintext = openssl_decrypt($ciphertext, CIPHER_METHOD, $key, OPENSSL_RAW_DATA, $iv);

  echo $plaintext;
  // This is a secret.
  
?>
Fork me on GitHub