Symmetric-Key Cryptography

Cryptography Fundamentals

Chapter 5 · Symmetric-Key Cryptography — Block & Stream Ciphers, AES

Chapters 2 through 4 covered ciphers no one would trust with real data today — but the underlying ideas (substitution, permutation, and the danger of a repeating key) turn out to be exactly the ideas modern symmetric cryptography is built from, just executed with vastly more rigor and mathematical scrutiny. This chapter leaves history behind and covers the ciphers actually protecting real systems right now — including the ones briefly introduced in https1-2, covered here in real depth.

Block Ciphers vs. Stream Ciphers — Two Different Approaches

Modern symmetric cryptography splits into two families, based on how they handle data:

Block ciphersStream ciphers
Unit of operationFixed-size chunks ("blocks," e.g. 128 bits)One bit or byte at a time
Partial dataNeeds padding to fill out the last blockNo padding needed at all
How it worksComplex, keyed transformation applied to each blockGenerates a pseudorandom keystream, XORed with plaintext
ExamplesDES, 3DES, AESRC4, ChaCha20

Block ciphers also need a mode of operation to handle messages longer than one block — that's genuinely its own topic, covered fully in Chapter 6.

The Data Encryption Standard (DES) — A Brief History

Developed by IBM and adopted as the US federal encryption standard in 1977, DES was the first widely-used, publicly-specified block cipher — a real-world application of Chapter 1's Kerckhoffs's Principle, published openly rather than kept secret. It operates on 64-bit blocks using a 56-bit key and a structure called a Feistel network, which splits each block in half and repeatedly mixes the halves together across 16 rounds.

56 bits gives roughly 7.2 × 10¹⁶ possible keys — enormous by 1970s standards, but computing power caught up. By 1998, the Electronic Frontier Foundation's purpose-built "Deep Crack" machine brute-forced a DES key in under a day, publicly and decisively demonstrating that 56 bits was no longer remotely adequate.

Triple DES (3DES) — The Stopgap

Rather than design a wholly new cipher immediately, the industry's first response was to apply DES three times in a row, typically with two or three different keys, extending the effective key length without changing the underlying algorithm at all.

3DES doesn't triple the security you might expect
A "meet-in-the-middle" attack means two-key 3DES provides roughly 80 bits of effective security, not the 112 bits naive doubling might suggest — and 3DES is also roughly three times slower than plain DES, since it genuinely runs the cipher three times. It was always understood as a stopgap while a proper replacement was developed, and it still lingers in some legacy systems today, but it is not a recommended choice for new designs.

The AES Competition & Rijndael

Rather than have a single government agency design DES's replacement behind closed doors, the US National Institute of Standards and Technology (NIST) ran a genuinely open, public competition from 1997 to 2000 — every candidate algorithm was published in full and attacked publicly by cryptographers worldwide, the largest real-world demonstration of Kerckhoffs's Principle this course covers.

The winner, submitted by Belgian cryptographers Joan Daemen and Vincent Rijmen under the name Rijndael, became the Advanced Encryption Standard (AES) in 2001 — and remains, over two decades later, the world's dominant symmetric cipher, with no practical attack against the full algorithm ever found.

AES Internals — A Conceptual Overview

AES operates on 128-bit blocks, with a choice of 128-, 192-, or 256-bit keys (correspondingly using 10, 12, or 14 rounds). Each round applies four distinct transformations in sequence:

  • SubBytes — a byte-for-byte substitution through a fixed, cryptographically-designed lookup table (the S-box) — conceptually Chapter 2's substitution ciphers, but nonlinear and specifically engineered to resist frequency-style analysis.
  • ShiftRows — cyclically shifts bytes within each row of the block's internal grid — conceptually Chapter 2's transposition ciphers, rearranging position without changing values.
  • MixColumns — a matrix operation that spreads each byte's influence across an entire column, ensuring a single-bit change in the input cascades into a large, unpredictable change in the output (the "avalanche effect," revisited properly in Chapter 7).
  • AddRoundKey — XORs the block with a subkey, freshly derived from the main key for that specific round via a key schedule.
AES is Chapter 2's ideas, engineered properly
Every classical cipher in Chapter 2 used exactly one of substitution or transposition, applied once, with a small, brute-forceable or statistically-leaky key. AES combines both, repeated across 10-14 rounds, with a rigorously designed nonlinear S-box and a 128-256 bit key — the same basic ingredients, but engineered specifically to eliminate the very weaknesses Chapter 2 spent an entire chapter exploiting.

AES Security Today

AES-128's keyspace is roughly 3.4 × 10³⁸ — utterly infeasible to brute-force with any foreseeable computing power, classical or otherwise. AES-256 is sometimes preferred for long-term data or particularly high-value secrets, partly as a margin against future cryptanalytic advances, and partly because of quantum computing: Grover's algorithm can theoretically halve a symmetric cipher's effective key strength, meaning AES-256 still offers roughly AES-128-equivalent (128-bit) security even against a quantum attacker — a topic Chapter 12's post-quantum preview returns to.

Stream Ciphers

A stream cipher takes a key (plus, critically, a nonce — a number used once) and generates a long pseudorandom keystream, then simply XORs that keystream with the plaintext, one bit or byte at a time. Decryption is identical: XOR the same keystream against the ciphertext.

RC4, designed in 1987, was for years the most widely deployed stream cipher — used in early WEP Wi-Fi security and early TLS. Statistical biases discovered in its keystream output, combined with real misuse in WEP's key-scheduling, eventually made it thoroughly broken and deprecated. ChaCha20 is its modern successor — fast, carefully designed, and one of the two cipher families (alongside AES) used throughout TLS 1.3 today.

A stream cipher is Vigenère, done properly
Structurally, a stream cipher is exactly Chapter 2's Vigenère cipher: combine plaintext with a repeating-or-not keystream, letter by letter (or bit by bit). Vigenère's fatal flaw was that its "keystream" — the repeating keyword — was short and predictable, which the Kasiski examination exploited directly. A modern stream cipher's keystream is cryptographically generated, effectively non-repeating for any realistic message length, and never reused — solving Vigenère's exact weakness rather than sidestepping it.
Never roll your own cipher
DES took the combined effort of IBM and NSA review to reach 1970s-adequate security, and still needed replacing within two decades. AES took a multi-year, worldwide public competition to validate. A custom, unreviewed cipher — no matter how clever it feels — has had none of that scrutiny, and history (this entire course, so far) consistently shows that unreviewed cryptographic designs fail in ways their designers never anticipated. Always use a vetted, standard implementation (AES, ChaCha20) rather than inventing a new one.

Hands-On Exercises

Exercise 1

DES's 56-bit key (≈7.2 × 10¹⁶ possibilities) was brute-forced in under a day by 1998. AES-128's key is 128 bits (≈3.4 × 10³⁸ possibilities). Roughly how many times larger is the AES-128 keyspace than DES's, and what does that imply about brute-forcing AES-128 with similar-generation hardware?

📄 View solution
Exercise 2

Explain, in your own words, the structural difference between a block cipher and a stream cipher, and describe one practical scenario where a stream cipher's lack of padding requirement would make it the more natural choice.

📄 View solution
Exercise 3

A developer accidentally reuses the exact same key and nonce to stream-encrypt two different messages. Using Chapter 2's Vigenère weakness as a guide, explain what an attacker who intercepts both ciphertexts could do, and why this happens.

📄 View solution

Chapter 5 Quick Reference

  • Block ciphers process fixed-size chunks and need a mode of operation (Ch.6); stream ciphers generate a keystream and XOR it with data, byte by byte
  • DES (1977, 56-bit key) — brute-forced in under a day by 1998; 3DES — a stopgap, only ~80-bit effective security despite 3x the computation
  • AES (2001, Rijndael) — won an open, public NIST competition; 128/192/256-bit keys, 10/12/14 rounds of SubBytes/ShiftRows/MixColumns/AddRoundKey
  • AES combines Chapter 2's substitution (SubBytes) and transposition (ShiftRows) ideas, engineered to resist the exact weaknesses that broke classical ciphers
  • RC4 — broken, deprecated; ChaCha20 — its modern replacement, used throughout TLS 1.3
  • A stream cipher is structurally Vigenère (Ch.2) with a cryptographically strong, effectively non-repeating keystream — reusing a keystream reintroduces Vigenère's exact weakness
  • Next chapter: Modes of Operation — how block ciphers handle messages longer than one block, and why the choice of mode matters enormously