Operating SystemsSecurity Fundamentals

Cryptography Basics

LevelIntermediate

Duration90 mins

TopicSecurity Fundamentals

1 / 5

Symmetric Encryption

The Science of Shared Secrets

When Julius Caesar sent military orders across the Roman Empire, he employed a simple cipher—shifting each letter three positions in the alphabet. This technique, now known as the Caesar cipher, represents humanity's earliest systematic approach to hiding information. Two millennia later, the mathematical descendants of this simple idea protect trillions of dollars in financial transactions, safeguard the communications of billions of devices, and form the cryptographic bedrock upon which operating system security rests.

Symmetric encryption—also called secret-key cryptography or shared-key cryptography—is the most direct evolution of Caesar's insight. The core concept is elegantly simple: use the same key to both scramble (encrypt) and unscramble (decrypt) data. Yet within this simplicity lies extraordinary mathematical depth, and understanding symmetric encryption is essential for any engineer working on secure systems.

What You Will Learn

By the end of this page, you will understand the mathematical foundations of symmetric encryption, distinguish between stream and block ciphers, comprehend the internal workings of AES (the gold standard), master cipher modes of operation, and recognize where symmetric encryption appears in operating systems—from disk encryption to secure boot chains.

Fundamental Concepts

At its mathematical core, symmetric encryption is a pair of functions:

Encryption function E: Takes a key K and plaintext P, produces ciphertext C = E(K, P)
Decryption function D: Takes a key K and ciphertext C, produces plaintext P = D(K, C)

The defining property is symmetry: the same key K works for both operations. This seems almost too simple—and therein lies both the elegance and the challenge.

The Kerckhoffs Principle:

A secure cryptographic system must remain secure even if everything about the system, except the key, is public knowledge. Named after 19th-century Dutch cryptographer Auguste Kerckhoffs, this principle fundamentally shaped modern cryptography. We don't rely on secret algorithms—we assume attackers know exactly how AES works. Security depends entirely on the secrecy of the key.

This is why symmetric encryption systems focus on making keys:

Long enough that brute-force attacks are computationally infeasible
Random enough that patterns cannot be exploited
Properly managed so they remain secret throughout their lifetime

Essential Symmetric Encryption Terminology
Term	Definition	Example
Plaintext (P)	The original unencrypted data	Confidential document, user password
Ciphertext (C)	The encrypted (scrambled) output	Random-appearing bytes after encryption
Key (K)	Secret value controlling encryption/decryption	256-bit random number
Key Space	Set of all possible keys	2^256 possible keys for AES-256
Block Size	Fixed-size data units processed by block ciphers	128 bits for AES
Initialization Vector (IV)	Random value ensuring same plaintext encrypts differently	128-bit random nonce for AES-CBC

The Key Distribution Problem

Symmetric encryption's greatest strength—using one key for both operations—is also its greatest challenge. Before any secure communication can occur, both parties must possess the same secret key. How do you securely share a secret before you can communicate securely? This chicken-and-egg problem drove the development of asymmetric cryptography, which we'll explore in the next page.

Stream Ciphers

Stream ciphers represent the most direct approach to symmetric encryption: generate a pseudorandom stream of bits (called the keystream) and combine it with the plaintext using XOR. This elegant approach provides several important properties:

How Stream Ciphers Work:

Keystream:    K₁ K₂ K₃ K₄ K₅ K₆ K₇ K₈ ...
Plaintext:    P₁ P₂ P₃ P₄ P₅ P₆ P₇ P₈ ...
Ciphertext:   C₁ C₂ C₃ C₄ C₅ C₆ C₇ C₈ ...

Where: Cᵢ = Pᵢ ⊕ Kᵢ (XOR operation)

Decryption works identically—XOR the ciphertext with the same keystream to recover plaintext. The security of a stream cipher depends entirely on the quality of its keystream generator.

Critical Properties of Keystream Generators:

Unpredictability: Given any portion of the keystream, an attacker cannot predict other portions
Long period: The keystream should not repeat for astronomically long sequences
Statistical randomness: The keystream should pass all statistical tests for randomness
Determinism: Given the same key and IV, the same keystream must be regenerated (for decryption)

Notable Stream Ciphers
Cipher	Key Size	Status	Notable Usage
RC4	40-2048 bits	Deprecated (broken)	Historical: WEP, early TLS
ChaCha20	256 bits	Modern, secure	TLS 1.3, WireGuard VPN, Android encryption
Salsa20	256 bits	Modern, secure	Predecessor to ChaCha20
A5/1, A5/2	64 bits	Broken	GSM cellular encryption (legacy)
Trivium	80 bits	Secure (limited key)	Hardware applications

The Catastrophic Nonce Reuse Problem

Never reuse a nonce (IV) with the same key in a stream cipher! If you encrypt two different plaintexts P₁ and P₂ with the same keystream K: C₁ = P₁ ⊕ K and C₂ = P₂ ⊕ K. An attacker can compute C₁ ⊕ C₂ = P₁ ⊕ P₂, completely eliminating the key and enabling cryptanalysis. This vulnerability destroyed WEP wireless security and has compromised countless systems.

ChaCha20: The Modern Standard

Developed by Daniel J. Bernstein, ChaCha20 has become the preferred stream cipher for modern systems. It offers:

256-bit keys: Enormous key space (2^256 possible keys)
96-bit nonce: Large enough for random generation without collision
32-bit counter: Supports encryption of 2^32 × 64 bytes ≈ 256 GB per nonce
Software efficiency: Designed for fast implementation without specialized hardware
Timing attack resistance: Operations are constant-time, preventing side-channel attacks

ChaCha20 operates on 16 32-bit words organized in a 4×4 matrix, applying a series of "quarter round" functions that mix the state through addition, XOR, and rotation (ARX operations). After 20 rounds, the resulting state is added to the original state to produce 64 bytes of keystream.

chacha20_quarter_round.pseudo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
// ChaCha20 Quarter Round Function
// Operates on four 32-bit words: a, b, c, d
 
function QUARTERROUND(a, b, c, d):
    a = a + b    // 32-bit addition (mod 2^32)
    d = d ^ a    // XOR
    d = ROTL(d, 16)  // Rotate left 16 bits
    
    c = c + d
    b = b ^ c
    b = ROTL(b, 12)
    
    a = a + b
    d = d ^ a
    d = ROTL(d, 8)
    
    c = c + d
    b = b ^ c
    b = ROTL(b, 7)
    
    return (a, b, c, d)
 
// The 4x4 state matrix:
// [constant, constant, constant, constant]
// [key,      key,      key,      key     ]
// [key,      key,      key,      key     ]
// [counter,  nonce,    nonce,    nonce   ]

Block Ciphers

Block ciphers operate on fixed-size blocks of data, typically 64 or 128 bits. Unlike stream ciphers, which process data bit-by-bit, block ciphers treat data as discrete chunks, applying complex transformations that thoroughly mix the input.

The Ideal Block Cipher (Pseudorandom Permutation):

Mathematically, an ideal block cipher is a pseudorandom permutation (PRP). For a block size of n bits:

The cipher is a bijective function (one-to-one and onto)
For each key, there are 2^n possible input blocks and 2^n possible output blocks
Each key selects one permutation from the astronomically large space of all possible permutations (2^n)!
The permutation should be indistinguishable from a random permutation to any efficient adversary

Confusion and Diffusion:

Claude Shannon, the father of information theory, identified two essential properties for secure ciphers in his 1949 paper:

Confusion: The relationship between ciphertext and key should be as complex as possible. Each bit of ciphertext should depend on many bits of the key in a complicated way.
Diffusion: The statistical structure of plaintext should be dissipated across the ciphertext. Each bit of plaintext should influence many bits of ciphertext.

Modern block ciphers achieve these properties through multiple rounds of substitution and permutation operations.

Major Block Cipher Algorithms
Cipher	Block Size	Key Sizes	Rounds	Status
DES	64 bits	56 bits	16	Obsolete (key too short)
3DES	64 bits	112/168 bits	48	Deprecated (slow, 64-bit block)
AES-128	128 bits	128 bits	10	Current standard
AES-192	128 bits	192 bits	12	Current standard
AES-256	128 bits	256 bits	14	Current standard, highest security
Blowfish	64 bits	32-448 bits	16	Legacy (64-bit block problematic)
Twofish	128 bits	128/192/256 bits	16	AES finalist, secure alternative

Why AES Won

In 2001, NIST selected Rijndael (designed by Joan Daemen and Vincent Rijmen) as the Advanced Encryption Standard after a rigorous multi-year competition. AES won because it offered the best combination of security margin, performance on diverse platforms (from 8-bit microcontrollers to 64-bit servers), simplicity of design (enabling thorough cryptanalysis), and resistance to all known attack techniques.

Inside AES: The Gold Standard

The Advanced Encryption Standard (AES) is the most widely deployed symmetric cipher in the world. Understanding its internal structure reveals elegant mathematical design and illustrates how confusion and diffusion are achieved in practice.

AES operates on a 4×4 matrix of bytes called the state. The 128-bit input block is arranged column-by-column into this matrix. The algorithm then applies a series of transformations across multiple rounds:

AES-128: 10 rounds
AES-192: 12 rounds
AES-256: 14 rounds

Each round (except the final round) consists of four operations:

AES Round Operations

•SubBytes (Substitution) — Each byte is replaced using a fixed substitution table (S-box) derived from the multiplicative inverse in GF(2⁸) followed by an affine transformation. This provides non-linearity and confusion.
•ShiftRows (Permutation) — Bytes in each row are cyclically shifted: row 0 unchanged, row 1 shifted left by 1, row 2 by 2, row 3 by 3. This spreads bytes across columns for diffusion.
•MixColumns (Diffusion) — Each column is treated as a polynomial over GF(2⁸) and multiplied by a fixed polynomial. This causes each output byte to depend on all four input bytes in the column.
•AddRoundKey (Key Mixing) — The round key (derived from the master key via key expansion) is XORed with the state. This is the only operation that incorporates key material.

aes_structure.pseudo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
// AES Encryption Process (Simplified)
 
function AES_ENCRYPT(plaintext, key):
    state = bytes_to_state_matrix(plaintext)
    round_keys = key_expansion(key)  // Generate 11/13/15 round keys
    
    // Initial round (just key addition)
    state = ADD_ROUND_KEY(state, round_keys[0])
    
    // Main rounds (Nr-1 full rounds)
    for round = 1 to Nr - 1:
        state = SUB_BYTES(state)      // Substitution: confusion
        state = SHIFT_ROWS(state)     // Permutation: diffusion start
        state = MIX_COLUMNS(state)    // Linear mixing: diffusion complete
        state = ADD_ROUND_KEY(state, round_keys[round])
    
    // Final round (no MixColumns)
    state = SUB_BYTES(state)
    state = SHIFT_ROWS(state)
    state = ADD_ROUND_KEY(state, round_keys[Nr])
    
    return state_matrix_to_bytes(state)
 
// The S-box provides the crucial non-linear component
// It's mathematically defined as:
// 1. Compute multiplicative inverse in GF(2^8)
// 2. Apply affine transformation over GF(2)

Why This Design Works:

The genius of AES lies in how these operations interact:

SubBytes provides non-linearity. Without this, the entire cipher would be a linear transformation that could be broken with simple algebra.
ShiftRows and MixColumns together ensure that after just a few rounds, every bit of the output depends on every bit of the input and key. This is called the avalanche effect: changing one input bit changes approximately half the output bits.
AddRoundKey ensures that without the key, even knowing the algorithm provides no advantage. The key is woven throughout the computation.

The S-box is particularly elegant. Taking the multiplicative inverse in GF(2⁸) provides excellent non-linear properties, and the subsequent affine transformation prevents patterns that would otherwise arise from the algebraic structure.

Hardware Acceleration

Modern processors include dedicated AES instructions (AES-NI on Intel/AMD, ARM Cryptographic Extensions). These instructions can execute entire AES rounds in single clock cycles, achieving throughputs exceeding 10 GB/s. This hardware acceleration makes AES not just the most secure but often the fastest option for symmetric encryption.

Modes of Operation

Block ciphers operate on fixed-size blocks, but real data rarely fits neatly into 128-bit chunks. Modes of operation define how block ciphers process arbitrary-length messages while maintaining security properties. The choice of mode profoundly affects security—a secure block cipher used incorrectly provides no protection.

The Essential Problem:

Naively encrypting each block independently with the same key (called Electronic Codebook Mode or ECB) reveals patterns in the plaintext. Identical plaintext blocks produce identical ciphertext blocks, leaking information catastrophically.

ECB Mode (Never Use!)

•Each block encrypted independently
•Identical plaintext → identical ciphertext
•Patterns in plaintext visible in ciphertext
•Famous example: ECB-encrypted penguin shows image outline
•Blocks can be rearranged, deleted, duplicated without detection

Secure Modes

•Use IVs/nonces to ensure uniqueness
•Identical plaintext → different ciphertext
•No visible patterns in ciphertext
•Semantic security: cannot distinguish between encryptions
•Often include authentication (AEAD modes)

Common Block Cipher Modes
Mode	Type	Parallelizable	Error Propagation	Security Notes
ECB	Basic	Yes (enc/dec)	None (one block)	NEVER USE - deterministic, leaks patterns
CBC	Chaining	Dec only	Two blocks	Secure with random IV; vulnerable to padding oracle
CTR	Stream	Yes (enc/dec)	One block	Turns block cipher into stream cipher; fast, parallelizable
GCM	AEAD	Yes (enc/dec)	Authentication fails	Recommended: encryption + authentication; hardware accelerated
XTS	Tweakable	Yes	One block	Standard for disk encryption (no authentication)

CBC (Cipher Block Chaining):

CBC chains blocks together by XORing each plaintext block with the previous ciphertext block before encryption:

C₀ = E(K, IV ⊕ P₀)
C₁ = E(K, C₀ ⊕ P₁)
C₂ = E(K, C₁ ⊕ P₂)
...

This ensures identical plaintext blocks produce different ciphertext (depending on position and IV). However, CBC has limitations: encryption cannot be parallelized, and it's vulnerable to padding oracle attacks if the padding is validated before authentication.

CTR (Counter Mode):

CTR mode transforms a block cipher into a stream cipher. A counter value is encrypted to produce keystream blocks, which are XORed with plaintext:

Keystream₀ = E(K, Nonce || Counter=0)
Keystream₁ = E(K, Nonce || Counter=1)
...
Cᵢ = Pᵢ ⊕ Keystreamᵢ

This is fully parallelizable, enables random access to encrypted data, and avoids padding requirements entirely.

GCM (Galois/Counter Mode):

GCM combines CTR mode encryption with GHASH authentication, providing Authenticated Encryption with Associated Data (AEAD). It encrypts data AND produces an authentication tag, ensuring both confidentiality and integrity. This is the recommended mode for network protocols and is ubiquitous in TLS 1.3.

Modern Best Practice: AEAD

Always prefer Authenticated Encryption with Associated Data (AEAD) modes like AES-GCM or ChaCha20-Poly1305. These modes provide both confidentiality (encryption) and integrity (authentication) in a single primitive, preventing entire classes of attacks that affect encryption-only modes. If you're choosing a mode today, choose an AEAD mode.

Symmetric Encryption in Operating Systems

Symmetric encryption is deeply embedded in operating system security, protecting data at rest, in transit, and during processing. Understanding these applications reveals why cryptographic fundamentals matter for systems programming.

Key OS Applications

•Full Disk Encryption (FDE) — BitLocker (Windows), FileVault (macOS), LUKS (Linux) use AES-XTS to encrypt entire disk volumes. The XTS mode provides tweakable encryption suitable for disk sectors, where each sector is encrypted with a tweak derived from its position, preventing block swapping attacks.
•File System Encryption — EFS (Windows), fscrypt (Linux ext4/f2fs) encrypt individual files or directories. Per-file keys wrapped by user credentials enable granular access control while maintaining efficiency through key caching.
•Swap Space Encryption — Sensitive data in RAM may be swapped to disk. Operating systems encrypt swap partitions to prevent cold boot attacks and forensic recovery of secrets from disk.
•Secure Boot and Measured Boot — Boot components are signed and/or encrypted to ensure integrity. Symmetric encryption protects firmware update payloads and configuration data.
•Memory Encryption — AMD SEV (Secure Encrypted Virtualization) and Intel TME (Total Memory Encryption) use AES to encrypt RAM contents, protecting against physical memory attacks and malicious hypervisors.
•Network Stack — IPsec — The kernel's IPsec implementation uses symmetric encryption (typically AES-GCM) for VPN tunnels, encrypting network packets transparently to applications.

linux_disk_encryption_setup.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Setting up LUKS encrypted volume on Linux
# LUKS uses AES-XTS-plain64 by default (AES-256, XTS mode)
 
# Create encrypted container
sudo cryptsetup luksFormat /dev/sdb1
# Enter passphrase when prompted
 
# Open (decrypt) the container
sudo cryptsetup luksOpen /dev/sdb1 encrypted_volume
# Creates /dev/mapper/encrypted_volume
 
# Create filesystem on decrypted device
sudo mkfs.ext4 /dev/mapper/encrypted_volume
 
# Mount and use
sudo mount /dev/mapper/encrypted_volume /mnt/secure
 
# When done, close (locks the volume)
sudo umount /mnt/secure
sudo cryptsetup luksClose encrypted_volume
 
# View encryption details
sudo cryptsetup luksDump /dev/sdb1
# Shows: cipher: aes-xts-plain64, key size: 512 bits (256 for AES + 256 for XTS tweak)

Performance Considerations

Modern hardware AES instructions make encryption overhead negligible for most workloads. AES-NI provides throughput exceeding 10 GB/s on modern CPUs—faster than most storage devices. However, encryption does consume CPU cycles and may impact battery life on mobile devices. Operating systems often allow encryption settings to be tuned for security/performance trade-offs.

Security Considerations and Attacks

Even with mathematically secure algorithms, implementation and deployment vulnerabilities can compromise symmetric encryption. Understanding these attack vectors is essential for building secure systems.

Common Vulnerabilities

•Side-Channel Attacks — Timing differences, power consumption, electromagnetic emissions, and cache access patterns can leak key bits. Constant-time implementations are essential; AES-NI provides timing attack resistance by design.
•Padding Oracle Attacks — If a system reveals whether decrypted padding is valid, attackers can decrypt ciphertext byte-by-byte. This destroyed CBC mode in many protocols (BEAST, POODLE attacks). Prevention: always authenticate before decrypting (AEAD modes).
•Key Reuse with Nonce Reuse — Reusing an IV/nonce with the same key in CTR or GCM mode is catastrophic. In CTR mode, the keystream repeats, enabling XOR attacks. In GCM, the authentication key can be recovered. Generate random nonces or use deterministic counters carefully.
•Weak Key Derivation — Deriving encryption keys from user passwords with weak functions (simple hashing) enables brute-force attacks. Use proper KDFs (PBKDF2, Argon2, scrypt) with high iteration counts.
•Related-Key Attacks — Some ciphers (including AES with enough related keys) may be vulnerable when attackers can observe encryptions with related keys. Key derivation should ensure keys are independent.

Don't Roll Your Own Crypto

This principle cannot be overstated. Cryptography is notorious for looking correct while being subtly broken. Use well-vetted libraries (OpenSSL, libsodium, Windows CNG) with standard configurations. Protocol design is equally treacherous—prefer established protocols (TLS, Signal Protocol) over custom designs. Cryptographic bugs often go undetected for years, exposing data silently.

Historical Cryptographic Failures in Symmetric Encryption
Failure	Cause	Impact	Lesson
WEP (WiFi)	IV reuse, weak RC4 usage	Complete WiFi encryption broken	Proper nonce management is critical
PlayStation 3 signing	ECDSA nonce reuse	Private signing key recovered	Randomness in crypto is essential
OpenSSL Heartbleed	Buffer over-read	Server memory leaked	Memory safety matters for crypto code
Padding Oracle in TLS	CBC padding validated before MAC	BEAST, POODLE attacks	Authenticate then decrypt (AEAD)

Summary: Symmetric Encryption

We've covered the essential foundations of symmetric encryption—from stream ciphers to block ciphers, from AES internals to modes of operation, and from theoretical security to practical deployment in operating systems.

Key Takeaways

•Symmetric encryption uses one key for both encryption and decryption — This is efficient but creates key distribution challenges solved by asymmetric cryptography.
•Stream ciphers (ChaCha20) generate keystream XORed with plaintext — Fast and simple, but nonce reuse is catastrophic. Use random or counter-based nonces.
•Block ciphers (AES) process fixed-size blocks with confusion and diffusion — Multiple rounds of substitution and permutation create the avalanche effect.
•Modes of operation determine how block ciphers handle arbitrary data — ECB is broken; use CBC with care; prefer AEAD modes like GCM.
•AEAD modes (AES-GCM, ChaCha20-Poly1305) provide encryption + authentication — This is the modern standard; prevents padding oracles and tampering.
•Operating systems use symmetric encryption everywhere — Disk encryption, file encryption, swap protection, secure boot, network stack.
•Implementation matters as much as algorithm choice — Side channels, nonce reuse, weak key derivation, and padding oracles can break otherwise secure systems.

Looking Ahead:

Symmetric encryption provides confidentiality efficiently, but it cannot solve the key distribution problem—how do two parties agree on a shared secret without prior communication? The next page explores asymmetric encryption, which uses mathematically related key pairs to enable secure communication with strangers, digital signatures, and the infrastructure of trust that underpins modern security.

Page Complete

You now understand the foundations of symmetric encryption—the mathematical principles, algorithmic structures, operational modes, and real-world applications that protect data in modern operating systems. This knowledge is essential for understanding disk encryption, secure protocols, and the cryptographic infrastructure that secures computing.

1 / 5

Loading learning content...

Operating SystemsSecurity Fundamentals

Cryptography Basics

LevelIntermediate

Duration90 mins

TopicSecurity Fundamentals

1 / 5

Symmetric Encryption

The Science of Shared Secrets

What You Will Learn

Fundamental Concepts

At its mathematical core, symmetric encryption is a pair of functions:

Encryption function E: Takes a key K and plaintext P, produces ciphertext C = E(K, P)
Decryption function D: Takes a key K and ciphertext C, produces plaintext P = D(K, C)

The defining property is symmetry: the same key K works for both operations. This seems almost too simple—and therein lies both the elegance and the challenge.

The Kerckhoffs Principle:

This is why symmetric encryption systems focus on making keys:

Long enough that brute-force attacks are computationally infeasible
Random enough that patterns cannot be exploited
Properly managed so they remain secret throughout their lifetime

Essential Symmetric Encryption Terminology
Term	Definition	Example
Plaintext (P)	The original unencrypted data	Confidential document, user password
Ciphertext (C)	The encrypted (scrambled) output	Random-appearing bytes after encryption
Key (K)	Secret value controlling encryption/decryption	256-bit random number
Key Space	Set of all possible keys	2^256 possible keys for AES-256
Block Size	Fixed-size data units processed by block ciphers	128 bits for AES
Initialization Vector (IV)	Random value ensuring same plaintext encrypts differently	128-bit random nonce for AES-CBC

The Key Distribution Problem

Stream Ciphers

How Stream Ciphers Work:

Keystream:    K₁ K₂ K₃ K₄ K₅ K₆ K₇ K₈ ...
Plaintext:    P₁ P₂ P₃ P₄ P₅ P₆ P₇ P₈ ...
Ciphertext:   C₁ C₂ C₃ C₄ C₅ C₆ C₇ C₈ ...

Where: Cᵢ = Pᵢ ⊕ Kᵢ (XOR operation)

Decryption works identically—XOR the ciphertext with the same keystream to recover plaintext. The security of a stream cipher depends entirely on the quality of its keystream generator.

Critical Properties of Keystream Generators:

Unpredictability: Given any portion of the keystream, an attacker cannot predict other portions
Long period: The keystream should not repeat for astronomically long sequences
Statistical randomness: The keystream should pass all statistical tests for randomness
Determinism: Given the same key and IV, the same keystream must be regenerated (for decryption)

Notable Stream Ciphers
Cipher	Key Size	Status	Notable Usage
RC4	40-2048 bits	Deprecated (broken)	Historical: WEP, early TLS
ChaCha20	256 bits	Modern, secure	TLS 1.3, WireGuard VPN, Android encryption
Salsa20	256 bits	Modern, secure	Predecessor to ChaCha20
A5/1, A5/2	64 bits	Broken	GSM cellular encryption (legacy)
Trivium	80 bits	Secure (limited key)	Hardware applications

The Catastrophic Nonce Reuse Problem

ChaCha20: The Modern Standard

Developed by Daniel J. Bernstein, ChaCha20 has become the preferred stream cipher for modern systems. It offers:

256-bit keys: Enormous key space (2^256 possible keys)
96-bit nonce: Large enough for random generation without collision
32-bit counter: Supports encryption of 2^32 × 64 bytes ≈ 256 GB per nonce
Software efficiency: Designed for fast implementation without specialized hardware
Timing attack resistance: Operations are constant-time, preventing side-channel attacks

chacha20_quarter_round.pseudo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
// ChaCha20 Quarter Round Function
// Operates on four 32-bit words: a, b, c, d
 
function QUARTERROUND(a, b, c, d):
    a = a + b    // 32-bit addition (mod 2^32)
    d = d ^ a    // XOR
    d = ROTL(d, 16)  // Rotate left 16 bits
    
    c = c + d
    b = b ^ c
    b = ROTL(b, 12)
    
    a = a + b
    d = d ^ a
    d = ROTL(d, 8)
    
    c = c + d
    b = b ^ c
    b = ROTL(b, 7)
    
    return (a, b, c, d)
 
// The 4x4 state matrix:
// [constant, constant, constant, constant]
// [key,      key,      key,      key     ]
// [key,      key,      key,      key     ]
// [counter,  nonce,    nonce,    nonce   ]

Block Ciphers

The Ideal Block Cipher (Pseudorandom Permutation):

Mathematically, an ideal block cipher is a pseudorandom permutation (PRP). For a block size of n bits:

The cipher is a bijective function (one-to-one and onto)
For each key, there are 2^n possible input blocks and 2^n possible output blocks
Each key selects one permutation from the astronomically large space of all possible permutations (2^n)!
The permutation should be indistinguishable from a random permutation to any efficient adversary

Confusion and Diffusion:

Claude Shannon, the father of information theory, identified two essential properties for secure ciphers in his 1949 paper:

Confusion: The relationship between ciphertext and key should be as complex as possible. Each bit of ciphertext should depend on many bits of the key in a complicated way.
Diffusion: The statistical structure of plaintext should be dissipated across the ciphertext. Each bit of plaintext should influence many bits of ciphertext.

Modern block ciphers achieve these properties through multiple rounds of substitution and permutation operations.

Major Block Cipher Algorithms
Cipher	Block Size	Key Sizes	Rounds	Status
DES	64 bits	56 bits	16	Obsolete (key too short)
3DES	64 bits	112/168 bits	48	Deprecated (slow, 64-bit block)
AES-128	128 bits	128 bits	10	Current standard
AES-192	128 bits	192 bits	12	Current standard
AES-256	128 bits	256 bits	14	Current standard, highest security
Blowfish	64 bits	32-448 bits	16	Legacy (64-bit block problematic)
Twofish	128 bits	128/192/256 bits	16	AES finalist, secure alternative

Why AES Won

Inside AES: The Gold Standard

AES-128: 10 rounds
AES-192: 12 rounds
AES-256: 14 rounds

Each round (except the final round) consists of four operations:

AES Round Operations

•SubBytes (Substitution) — Each byte is replaced using a fixed substitution table (S-box) derived from the multiplicative inverse in GF(2⁸) followed by an affine transformation. This provides non-linearity and confusion.
•ShiftRows (Permutation) — Bytes in each row are cyclically shifted: row 0 unchanged, row 1 shifted left by 1, row 2 by 2, row 3 by 3. This spreads bytes across columns for diffusion.
•MixColumns (Diffusion) — Each column is treated as a polynomial over GF(2⁸) and multiplied by a fixed polynomial. This causes each output byte to depend on all four input bytes in the column.
•AddRoundKey (Key Mixing) — The round key (derived from the master key via key expansion) is XORed with the state. This is the only operation that incorporates key material.

aes_structure.pseudo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
// AES Encryption Process (Simplified)
 
function AES_ENCRYPT(plaintext, key):
    state = bytes_to_state_matrix(plaintext)
    round_keys = key_expansion(key)  // Generate 11/13/15 round keys
    
    // Initial round (just key addition)
    state = ADD_ROUND_KEY(state, round_keys[0])
    
    // Main rounds (Nr-1 full rounds)
    for round = 1 to Nr - 1:
        state = SUB_BYTES(state)      // Substitution: confusion
        state = SHIFT_ROWS(state)     // Permutation: diffusion start
        state = MIX_COLUMNS(state)    // Linear mixing: diffusion complete
        state = ADD_ROUND_KEY(state, round_keys[round])
    
    // Final round (no MixColumns)
    state = SUB_BYTES(state)
    state = SHIFT_ROWS(state)
    state = ADD_ROUND_KEY(state, round_keys[Nr])
    
    return state_matrix_to_bytes(state)
 
// The S-box provides the crucial non-linear component
// It's mathematically defined as:
// 1. Compute multiplicative inverse in GF(2^8)
// 2. Apply affine transformation over GF(2)

Why This Design Works:

The genius of AES lies in how these operations interact:

SubBytes provides non-linearity. Without this, the entire cipher would be a linear transformation that could be broken with simple algebra.
ShiftRows and MixColumns together ensure that after just a few rounds, every bit of the output depends on every bit of the input and key. This is called the avalanche effect: changing one input bit changes approximately half the output bits.
AddRoundKey ensures that without the key, even knowing the algorithm provides no advantage. The key is woven throughout the computation.

Hardware Acceleration

Modes of Operation

The Essential Problem:

ECB Mode (Never Use!)

•Each block encrypted independently
•Identical plaintext → identical ciphertext
•Patterns in plaintext visible in ciphertext
•Famous example: ECB-encrypted penguin shows image outline
•Blocks can be rearranged, deleted, duplicated without detection

Secure Modes

•Use IVs/nonces to ensure uniqueness
•Identical plaintext → different ciphertext
•No visible patterns in ciphertext
•Semantic security: cannot distinguish between encryptions
•Often include authentication (AEAD modes)

Common Block Cipher Modes
Mode	Type	Parallelizable	Error Propagation	Security Notes
ECB	Basic	Yes (enc/dec)	None (one block)	NEVER USE - deterministic, leaks patterns
CBC	Chaining	Dec only	Two blocks	Secure with random IV; vulnerable to padding oracle
CTR	Stream	Yes (enc/dec)	One block	Turns block cipher into stream cipher; fast, parallelizable
GCM	AEAD	Yes (enc/dec)	Authentication fails	Recommended: encryption + authentication; hardware accelerated
XTS	Tweakable	Yes	One block	Standard for disk encryption (no authentication)

CBC (Cipher Block Chaining):

CBC chains blocks together by XORing each plaintext block with the previous ciphertext block before encryption:

C₀ = E(K, IV ⊕ P₀)
C₁ = E(K, C₀ ⊕ P₁)
C₂ = E(K, C₁ ⊕ P₂)
...

CTR (Counter Mode):

CTR mode transforms a block cipher into a stream cipher. A counter value is encrypted to produce keystream blocks, which are XORed with plaintext:

Keystream₀ = E(K, Nonce || Counter=0)
Keystream₁ = E(K, Nonce || Counter=1)
...
Cᵢ = Pᵢ ⊕ Keystreamᵢ

This is fully parallelizable, enables random access to encrypted data, and avoids padding requirements entirely.

GCM (Galois/Counter Mode):

Modern Best Practice: AEAD

Symmetric Encryption in Operating Systems

Key OS Applications

•Full Disk Encryption (FDE) — BitLocker (Windows), FileVault (macOS), LUKS (Linux) use AES-XTS to encrypt entire disk volumes. The XTS mode provides tweakable encryption suitable for disk sectors, where each sector is encrypted with a tweak derived from its position, preventing block swapping attacks.
•File System Encryption — EFS (Windows), fscrypt (Linux ext4/f2fs) encrypt individual files or directories. Per-file keys wrapped by user credentials enable granular access control while maintaining efficiency through key caching.
•Swap Space Encryption — Sensitive data in RAM may be swapped to disk. Operating systems encrypt swap partitions to prevent cold boot attacks and forensic recovery of secrets from disk.
•Secure Boot and Measured Boot — Boot components are signed and/or encrypted to ensure integrity. Symmetric encryption protects firmware update payloads and configuration data.
•Memory Encryption — AMD SEV (Secure Encrypted Virtualization) and Intel TME (Total Memory Encryption) use AES to encrypt RAM contents, protecting against physical memory attacks and malicious hypervisors.
•Network Stack — IPsec — The kernel's IPsec implementation uses symmetric encryption (typically AES-GCM) for VPN tunnels, encrypting network packets transparently to applications.

linux_disk_encryption_setup.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Setting up LUKS encrypted volume on Linux
# LUKS uses AES-XTS-plain64 by default (AES-256, XTS mode)
 
# Create encrypted container
sudo cryptsetup luksFormat /dev/sdb1
# Enter passphrase when prompted
 
# Open (decrypt) the container
sudo cryptsetup luksOpen /dev/sdb1 encrypted_volume
# Creates /dev/mapper/encrypted_volume
 
# Create filesystem on decrypted device
sudo mkfs.ext4 /dev/mapper/encrypted_volume
 
# Mount and use
sudo mount /dev/mapper/encrypted_volume /mnt/secure
 
# When done, close (locks the volume)
sudo umount /mnt/secure
sudo cryptsetup luksClose encrypted_volume
 
# View encryption details
sudo cryptsetup luksDump /dev/sdb1
# Shows: cipher: aes-xts-plain64, key size: 512 bits (256 for AES + 256 for XTS tweak)

Performance Considerations

Security Considerations and Attacks

Common Vulnerabilities

•Side-Channel Attacks — Timing differences, power consumption, electromagnetic emissions, and cache access patterns can leak key bits. Constant-time implementations are essential; AES-NI provides timing attack resistance by design.
•Padding Oracle Attacks — If a system reveals whether decrypted padding is valid, attackers can decrypt ciphertext byte-by-byte. This destroyed CBC mode in many protocols (BEAST, POODLE attacks). Prevention: always authenticate before decrypting (AEAD modes).
•Key Reuse with Nonce Reuse — Reusing an IV/nonce with the same key in CTR or GCM mode is catastrophic. In CTR mode, the keystream repeats, enabling XOR attacks. In GCM, the authentication key can be recovered. Generate random nonces or use deterministic counters carefully.
•Weak Key Derivation — Deriving encryption keys from user passwords with weak functions (simple hashing) enables brute-force attacks. Use proper KDFs (PBKDF2, Argon2, scrypt) with high iteration counts.
•Related-Key Attacks — Some ciphers (including AES with enough related keys) may be vulnerable when attackers can observe encryptions with related keys. Key derivation should ensure keys are independent.

Don't Roll Your Own Crypto

Historical Cryptographic Failures in Symmetric Encryption
Failure	Cause	Impact	Lesson
WEP (WiFi)	IV reuse, weak RC4 usage	Complete WiFi encryption broken	Proper nonce management is critical
PlayStation 3 signing	ECDSA nonce reuse	Private signing key recovered	Randomness in crypto is essential
OpenSSL Heartbleed	Buffer over-read	Server memory leaked	Memory safety matters for crypto code
Padding Oracle in TLS	CBC padding validated before MAC	BEAST, POODLE attacks	Authenticate then decrypt (AEAD)

Summary: Symmetric Encryption

Key Takeaways

•Symmetric encryption uses one key for both encryption and decryption — This is efficient but creates key distribution challenges solved by asymmetric cryptography.
•Stream ciphers (ChaCha20) generate keystream XORed with plaintext — Fast and simple, but nonce reuse is catastrophic. Use random or counter-based nonces.
•Block ciphers (AES) process fixed-size blocks with confusion and diffusion — Multiple rounds of substitution and permutation create the avalanche effect.
•Modes of operation determine how block ciphers handle arbitrary data — ECB is broken; use CBC with care; prefer AEAD modes like GCM.
•AEAD modes (AES-GCM, ChaCha20-Poly1305) provide encryption + authentication — This is the modern standard; prevents padding oracles and tampering.
•Operating systems use symmetric encryption everywhere — Disk encryption, file encryption, swap protection, secure boot, network stack.
•Implementation matters as much as algorithm choice — Side channels, nonce reuse, weak key derivation, and padding oracles can break otherwise secure systems.

Looking Ahead:

Page Complete

1 / 5