03-sym_crypt_intro.md

SPDX-FileCopyrightText: © 2024 Menacit AB <[email protected]>
SPDX-License-Identifier: CC-BY-SA-4.0
title: Practical cryptography course: Symmetric encryption introduction
author: Joel Rangsmo <[email protected]>
footer: © Course authors (CC BY-SA 4.0)
description: An introduction to uses of symmetric encryption
keywords: cryptology, cryptography, practical, encryption, course
color: #ffffff
class: invert
style: section.center { text-align: center; }

Symmetric encryption

An introduction to its uses



The same key is used for encryption and decryption.

Used primarily for protecting confidentiality of information at rest and in transit.

Most symmetric ciphers are categorized as block ciphers or stream ciphers.



Block ciphers split plaintext data into parts of a fixed size and encrypt each part/block independently.

Most commonly used for "at rest" encryption.



Stream ciphers perform encryption of each bit in a stream of plaintext.

Most commonly used for "in transit" encryption.
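
The difference between the block cipher and stream cipher descriptions above, as an added example that is not part of the original course material. The Feistel block cipher and the keystream generator are toy constructions built from HMAC-SHA256 for this illustration only (assumptions of the example, not AES, ChaCha20 or any real cipher); the sample data is constructed. It shows that encrypting each block independently turns identical plaintext blocks into identical ciphertext blocks, while XOR with a keystream does not.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per block (the block size AES uses)

# Constructed sample: four 16-byte records, three of them identical.
SAMPLE = b"ACCOUNT=ALICE;OK" * 3 + b"ACCOUNT=BOB;FAIL"

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation over one 16-byte block (illustration only)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _prf(key, bytes([rnd]) + right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _prf(key, bytes([rnd]) + left)), left
    return left + right

def encrypt_blocks_independently(key: bytes, data: bytes) -> bytes:
    """Split into fixed-size blocks and encrypt each one on its own."""
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size (no padding here)")
    return b"".join(encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a keystream; the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = _prf(key, b"ks" + nonce + off.to_bytes(8, "big"))
        out += _xor(data[off:off + 32], pad)
    return bytes(out)

def duplicate_blocks(data: bytes) -> int:
    """Number of 16-byte blocks that repeat an earlier block."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    key = hashlib.sha256(b"demo key, constructed").digest()
    print("independent blocks:", duplicate_blocks(encrypt_blocks_independently(key, SAMPLE)))
    print("keystream XOR:     ", duplicate_blocks(stream_xor(key, b"nonce-01", SAMPLE)))
```

The repeated records stay visible as repeated ciphertext blocks in the first case, which is the kind of structure an observer can read without the key.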



Meet the algos



(3)DES

Data Encryption Standard.

Block cipher released in 1977 by the US government as a part of the Federal Information Processing Standard.

If you see it, assume that it's broken.



AES

Advanced Encryption Standard, also known as "Rijndael".

Block cipher standardized in 2001 by the US National Institute of Standards and Technology.

Supports different key sizes and modes (more about that later).

Heavy, but accelerated in hardware by most modern processors ("AES-NI").



(A)RC4

Rivest Cipher 4 (or perhaps "Ron's Code 4").

Proprietary stream cipher developed by Ron Rivest in 1987.

Historically used in network protocols like WEP/WPA, SSL/TLS and RDP.

Highly efficient, but considered insecure by modern standards.



ChaCha20

Successor to the "Salsa20" stream cipher, developed by Daniel J. Bernstein.

Used in several network protocols, like TLS, standardized by the Internet Engineering Task Force.

Fast/efficient even without hardware acceleration.



"At rest" encryption

We want to keep some information secret, don't we?

Data encryption can be implemented at...

  • File level
  • File system layer
  • Block layer
  • Hardware layer



File level

Cherry-pick files and encrypt 'em!

Built-in support in several file formats, like PDF, DOCX and XLSX.

Encrypted ZIP archives are a popular option (often using broken ciphers like 3DES).



File system layer

Modern file systems like EXT4, BTRFS, ZFS and APFS natively support encrypting selected parts of the file system tree.

Used to provide per-user data encryption on Android and macOS.

Efficient, but may leak metadata about encrypted files.



Block layer

Application/OS provides a virtual block device (storage disk) that transparently encrypts data before storage on physical disk.

Popular option for Full Disk Encryption solutions like BitLocker, VeraCrypt and LUKS.

All data is encrypted, regardless of sensitivity.



Hardware layer

Encryption is handled in the storage drive without assistance from the host's operating system.

"Opal" is a common standard for Self-Encrypting Drives developed by the Trusted Computing Group.

No performance overhead, but requires trust in a proprietary black box.



Some final notes

A passphrase is not the same as an encryption key.

Your device must still be trusted.
