## Overview
Encryption process that uses the same *encryption key* for encryptiona and decryption. To perform encryption, we:
- select an appropriate encryption method (a *cipher*)
- generate an encryption key
- generate an *initialization vector*
- select a cipher *operation mode*
- select a *padding type*
- perform encryption using the previou items

Some tools just need a password to encrypt - such a tool derives an encryption key using password and generates all the above prerequisites in the background.

Symmetric encryption provides:
- **Confidentiality:** Only the holders of the encryption key can decrypt and view the original data.
- **Efficiency:** Suitable for encrypting large data volumes quickly.
- **Simplicity:** Single key for both encryption and decryption.

It does not provide:
- **Integrity:** does not ensure that the ciphertext has not been altered. If an attacker modifies the ciphertext, the decryption might still work, but it could produce altered or invalid data.
- **Authentication:** does not inherently authenticate the sender or verify that the message came from a legitimate source.
- **Non-Repudiation:** Non-repudiation ensures that a sender cannot deny having sent a message. Symmetric encryption does not provide this, as both the sender and receiver have access to the same key and can produce the same ciphertext.

Symmetric Encryption can be:
- **Block cipher**
- **Stream cipher**

## Block Ciphers
Operate on blocks of data. For example, if the *block size* is 128 bits, then 128 bits of data is encrypted at a time. If the amount of data is larger than the block size, then the data is broken into multiple chunks. If plaintext is not multiple of block size, the last block is padded using the selected *padding type*.

<img src="images/symm_enc.png" />

Encryption algorithms are often measured in terms of *security bits*. If an attacker needs to perform $2^{256}$ computational
operations to break a cipher, then the *cipher security* is 256 bits. In a brute force attack, all possible keys are tried, therefore if an encryption key is 256 bits long, it will $2^{256}$ possible combinations that needs to be tried - representing the $2^{256}$ computations mentioned earlier.

Longer keys need more computational power to encrypt/decrypt, however the difference is not big for symmetric encryption. Not all ciphers are as strong as the encryption key length.

### Cipher Operation Modes
Block ciphers can operate in different *encryption modes*, also known as *modes of operation*. Examples listed below:

**Electronic Code Book mode (ECB):** each block is encrypted using just the encryption key and then concatenated. Initialization vector is not used. The same plaintext results in same ciphertext, therefore patterns in data is not obscured. The diagram shown earlier corresponds to ECB mode.

Image encrypted using ECB mode:  
<img src="images/ECB_mode.png" width="600" height="auto"/>

**Cipher Block Chaining mode (CBC):** in this mode the ciphertext of the current block depends on the ciphertext of the previous block. The plaintext of the current block is XOR'd with the ciphertext of the previous block before being encrypted. The first block is XOR'd with the initialisation vector. In many modes, including CBC, the IV is usually generated randomly and is the same size as the cipher block size. The IV is usually not kept secret and is stored together with the ciphertext because it is needed for decryption. In almost any encryption mode, including CBC, an IV must only be used for one message encrypted with the given encryption key and must not be reused for another message. Therefore, we can say that an IV is usually a *nonce*. 

<img src="images/CBC_mode_flow.png" width="700" height="auto"/>

Same image encrypted using CBC mode:  
<img src="images/CBC_mode.png" width="600" height="auto"/>

**Other Modes:** includes CTR, GCM (recommended), PCBC, CFB, etc.

### Padding Types
**Public Key Cryptographic Standard #7 (PKCS7):** works by appending $N$ bytes with the value of $chr(N)$, where $N$ is the number of bytes required to make the final block of data the same size as the block size. 

<img src="images/PKCS7.png" />

PKCS7 padding has the advantage that it encodes the length of padding, thus indirectly encoding the length of the useful plaintext data in the last block. Hence, the exact length of the whole plaintext data does not need to be transmitted along with the data. If the plaintext is multiple of block size, an additional block of just padding is added to the plaintext and then encoded. Thus, after decryption the last byte is read and $N$ number of bytes are considered padding.

### Comparison
| **Algorithm** | **Block Size** | **Key Lengths**        | **Supported Modes**                            | **Speed**                  | **Security Strength**                                |
|---------------|----------------|------------------------|------------------------------------------------|----------------------------|------------------------------------------------------|
| **AES**       | 128 bits        | 128, 192, 256 bits     | ECB, CBC, CFB, OFB, CTR, GCM, CCM              | Fast (hardware optimized)  | Very strong (widely used, AES-256 recommended)      |
| **DES**       | 64 bits         | 56 bits                | ECB, CBC, CFB, OFB                             | Moderate                   | Weak (vulnerable to brute force attacks)            |
| **3DES**      | 64 bits         | 112 or 168 bits         | ECB, CBC, CFB, OFB                             | Slower (compared to AES)   | Stronger than DES but less secure than AES          |
| **Blowfish**   | 64 bits         | 32-448 bits (variable)  | ECB, CBC, CFB, OFB, CTR                        | Fast (but slower than AES) | Strong, though not as widely used today             |
| **Twofish**    | 128 bits        | 128, 192, 256 bits     | ECB, CBC, CFB, OFB, CTR                        | Fast (comparable to AES)   | Very strong, considered secure for the foreseeable future |
| **IDEA**       | 64 bits         | 128 bits               | ECB, CBC, CFB, OFB                             | Moderate to fast           | Strong, but less common than AES                    |

**Note:** AES-256 refers to variant with 256 bits encryption key length.

## Stream Cipher
Operate on single bytes or even bits of data. This means that stream ciphers do not need padding. They also do not have operating modes, although some researchers are trying to introduce operation modes for stream ciphers too. Stream ciphers are generally considered to be less secure than block ciphers.

Internally, a stream cipher generates a pseudo random cipher digit stream (*keystream* - infinite stream of seemingly random bits) using the encryption key and initialization vector. Then, usually the keystream and plaintext streams are XOR'd.

<img src="images/stream_cipher.png" />

### Comparison of Stream Ciphers

| **Algorithm** | **Key Lengths**        | **Speed**                  | **Security Strength**                                | **Standardization**         | **Patent Status**        | **Flexibility**         | **Performance on Different Architectures** | **Resistance to Known Attacks**                |
|---------------|------------------------|----------------------------|------------------------------------------------------|-----------------------------|--------------------------|--------------------------|-------------------------------------------|------------------------------------------------|
| **RC4**        | 40-2048 bits (variable)| Fast (but with some vulnerabilities) | Weak (vulnerable to several attacks)                | Deprecated by many standards | Patented (expired)       | Variable (stream cipher) | Very fast but deprecated due to vulnerabilities | Vulnerable to several attacks including key recovery attacks |
| **ChaCha20**   | 256 bits                | Very fast                 | Very strong (used in modern protocols like TLS)    | IETF RFC 8439                | Unpatented               | High (stream cipher)     | Excellent performance across various architectures | Resistant to known cryptanalysis attacks |
| **Salsa20**    | 128, 256 bits           | Fast                       | Strong (often used in similar contexts as ChaCha20) | IETF RFC 7539                | Unpatented               | High (stream cipher)     | Excellent performance across various architectures | Resistant to known cryptanalysis attacks |
| **HC-128**     | 128 bits                | Very fast                 | Strong (specifically designed for speed and security) | Not standardized             | Unpatented               | High (stream cipher)     | Excellent performance on modern hardware       | Resistant to various known attacks             |
| **Rabbit**     | 128 bits                | Fast                       | Strong (designed to be efficient and secure)        | Not standardized             | Unpatented               | High (stream cipher)     | Good performance across various architectures   | Resistant to known attacks, but less widely analyzed |
| **Grain**      | 80 bits                 | Fast                       | Strong (designed for hardware efficiency)           | Not standardized             | Unpatented               | High (stream cipher)     | Good performance in constrained environments    | Resistant to several known attacks             |


## OpenSSL
Commands related to symmetric encryption:

**Generate encryption key:** 256 bits encryption key using `rand` command
```bash
$ openssl rand -hex 32
8a753416907c3999e3cf78bac0a384ff276f9ee20f3072277cf561b0127d6e3b
$ openssl rand -base64 32
2Epe0ZoYrCWY8IIqDy9ioivJNy8/MADAdS6GPXWPzJE=
```

**Generate IV:** 128 bits IV using `rand` command. Length of IV is equal to block size
```bash
$ openssl rand -hex 16
664f22a336b8daf99391213c551acf46
```

**Encrypt file:** using AES-256 and CBC mode using previously generated key and IV. Note that in the example below IV is not stored with cipher text.
```bash
$ openssl enc -aes-256-cbc -K 8a753416907c3999e3cf78bac0a384ff276f9ee20f3072277cf561b0127d6e3b -iv 664f22a336b8daf99391213c551acf46 -e -in plaintext.txt -out plaintext.enc
$ ls -ltr
-rw-r--r-- 1 root root   13 Sep 16 03:43 plaintext.txt
-rw-r--r-- 1 root root   16 Sep 16 03:45 plaintext.txt.enc
```
Encrypted text is bigger than plaintext indicating padding was used.

**Decrypt file:** using the same encryption key and IV and `enc` command:
```bash
$ openssl enc -aes-256-cbc -K 8a753416907c3999e3cf78bac0a384ff276f9ee20f3072277cf561b0127d6e3b -iv 664f22a336b8daf99391213c551acf46 -d -in plaintext.txt.enc -out plaintext.txt.dec
$ ls -ltr
-rw-r--r-- 1 root root   13 Sep 16 03:43 plaintext.txt
-rw-r--r-- 1 root root   16 Sep 16 03:45 plaintext.txt.enc
-rw-r--r-- 1 root root   13 Sep 16 03:47 plaintext.txt.dec
```

OpenSSL by default uses PKCS\#7 padding. The decrypt command removes padding upon decryption.

## Java
Using Java Crypto

In [None]:
/**
 * Generate an encryption key of given size
 *
 * @param keySize length of the encryption key, should conform to valid values for AES encryption
 * @return object representing key
 * @throws NoSuchAlgorithmException if invalid algorithm is passed
 */
public static SecretKey generateSecretKey(int keySize) throws NoSuchAlgorithmException {
    KeyGenerator keyGen = KeyGenerator.getInstance("AES");
    keyGen.init(keySize);

    return keyGen.generateKey();
}

/**
 * Performs an AES 256 encryption in CBC mode
 *
 * @param plainText input to the encryption
 * @param secretKey encryption key
 * @return array with IV and ciphertext
 */
public static byte[][] encryptAES_CBC(byte[] plainText, SecretKey secretKey) throws NoSuchAlgorithmException, NoSuchPaddingException,
        InvalidAlgorithmParameterException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
    // Generate IV (128 bits for AES)
    SecureRandom secureRandom = new SecureRandom();
    byte[] iv = new byte[16];
    secureRandom.nextBytes(iv);

    SecretKeySpec keySpec = new SecretKeySpec(secretKey.getEncoded(), "AES");
    IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);

    // Initialise cipher
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivParameterSpec);

    return new byte[][]{iv, cipher.doFinal(plainText)};
}

/**
 * @param ciphertext encrypted payload
 * @param secretKey  encryption key
 * @param iv         initialization vector
 * @return plaintext
 */
public static byte[] decryptAES_CBC(byte[] ciphertext, SecretKey secretKey, byte[] iv) throws NoSuchPaddingException,
        NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException, IllegalBlockSizeException,
        BadPaddingException {
    SecretKeySpec keySpec = new SecretKeySpec(secretKey.getEncoded(), "AES");
    IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);

    // Initialise cipher
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, keySpec, ivParameterSpec);

    return cipher.doFinal(ciphertext);
}