Table of Contents

Companies in every sector must comply with standards and regulations, and one of the best ways to do this is to utilize encryption. Encryption takes data that can be clearly read, also known as plaintext, and runs it through an encryption algorithm. An encryption algorithm uses a key and mathematics to convert the plaintext into ciphertext, which is an undecipherable collection of letters and symbols. The process of encryption can be reversed using the same key, or the other key in a key pair, in a process called decryption. There are two different types of encryption: asymmetric and symmetric encryption.

Asymmetric vs Symmetric Encryption

Symmetric encryption involves the use of one key for both encryption and decryption. The plaintext is read into an encryption algorithm along with a key. The key works with the algorithm to turn the plaintext into ciphertext, thus encrypting the original sensitive data. This works well for data that is being stored and needs to be decrypted at a later date. The use of just one key for both encryption and decryption reveals an issue, as the compromise of the key would lead to a compromise of any data the key has encrypted. This also does not work for data-in-motion, which is where asymmetric encryption comes in.

Asymmetric encryption works with a pair of keys. The beginning of asymmetric encryption involves the creation of a pair of keys, one of which is a public key, and the other which is a private key. The public key is accessible by anyone, while the private key must be kept a secret from everyone but the creator of the key. This is because encryption occurs with the public key, while decryption occurs with the private key. The recipient of the sensitive data will provide the sender with their public key, which will be used to encrypt the data. This ensures that only the recipient can decrypt the data, with their own private key.

Uses for Asymmetric and Symmetric Encryption

Asymmetric and symmetric encryption are each better used for different situations. Symmetric encryption, with its use of a single key, is better used for data-at-rest. Data stored in databases needs to be encrypted to ensure it is not compromised or stolen. This data does not require two keys, just the one provided by symmetric encryption, as it only needs to be safe until it needs to be accessed in the future. Asymmetric encryption, on the other hand, should be used on data sent in emails to other people. If only symmetric encryption were used on data in emails, the attacker could take the key used for encryption and decryption and steal or compromise the data. With asymmetric encryption, the sender and recipient ensure only the recipient of the data can decrypt the data, because their public key was used to encrypt the data. Both types of encryption are used with other processes, like digital signing or compression, to provide even more security to the data.

Common Asymmetric and Symmetric Encryption Algorithms

Symmetric Encryption Algorithms:

Asymmetric Encryption Algorithms:

Comparison Table

 Asymmetric EncryptionSymmetric Encryption
DefinitionA two-way function that takes in plaintext data, and turns it into undecipherable ciphertext. This process utilizes a public key for encryption and a private key for decryption.A two-way function that takes in plaintext data, and turns it into undecipherable ciphertext. This process uses the same key for both encryption and decryption.
Use Cases
  • Digital Signing: Asymmetric encryption is much better for digital signing, compared to symmetric encryption. The use of both a public and private key means the identity of the signer of the data can easily be known. The signer uses their private key for encryption, while the recipient verifies their identity with their public key. As only the public key of the signer can decrypt data encrypted with the signer’s private key, the identity of the signer is verified when the data is decrypted.
  • Blockchain: Again, the identification of the user during cryptocurrency transactions is much easier done with asymmetric encryption.
  • Public Key Infrastructure (PKI): The identity of key owners is proven with certificates in PKI, and thus asymmetric encryption is the better choice in PKIs.
  • Banking: Encrypting sensitive customer data in banks is extremely important, as is decrypting that information as quickly as possible. For this reason, symmetric encryption is the preferred method of encryption in banks, as one key encryption is much swifter than two key encryption.
  • Data Storage: As with banking, data storage services and products tend to use symmetric encryption. This method is much swifter to encrypt and decrypt data needed in a timely manner.
  • The loss of the public key does not result in the compromise of data
  • More secure than symmetric encryption
  • Only the owner of the private key can decrypt the data sent to them
  • Simpler to implement
  • Faster than asymmetric encryption
  • Protects data from compromise
  • Slower than symmetric encryption
  • More complicated to implement than symmetric encryption
  • Loss of a key means any data encrypted with that key can be compromised
  • Less secure than asymmetric encryption
Common AlgorithmsECDSA, RSA, PGPAES, Blowfish, Twofish, RC4

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Table of Contents

Twofish is the successor to Blowfish, and, like its predecessor, uses symmetric encryption, so only one 256-bit key is necessary. This technique is one of the fastest encryption algorithms and is ideal for both hardware and software environments. When it was released, it was a finalist for the National Institute of Technology and Science’s (NIST’s) competition to find a replacement for the Data Encryption Standard (DES) encryption algorithm. In the end, the Rjindael algorithm was selected over the Twofish encryption algorithm. Similar to Blowfish, a block cipher is used in this symmetric encryption algorithm.

Symmetric encryption is a process that uses a single key to both
encrypt and decrypt information. The key is taken in, along with the plaintext information, by the encryption algorithm. This key encrypts the data into ciphertext, which cannot be understood unless it is decrypted. When the encrypted data is sent to the recipient of the data, the symmetric encryption key must also be sent, either with or after the ciphertext has been sent. This key can then be used to decrypt the data.

Is Twofish secure?

A question many organizations ask is: Is Twofish safe, if the NIST did not want to use it to replace DES? The answer is yes, Twofish is extremely safe to use. The reason the NIST did not wish to utilize Twofish is due to it being slower, compared to the Rjindael encryption algorithm. One of the reasons that Twofish is so secure is that it uses a 128-bit key, which is almost impervious to brute force attacks. The amount of processing power and time needed to brute force a 128-bit key encrypted message makes whatever information that is being decrypted unactionable, as it could take decades to decrypt one message.

This does not mean that Twofish is impervious to all attacks, however. Part of Twofish’s encryption algorithm uses pre-computed, key dependent substitution to produce the ciphertext. Precomputing this value makes Twofish vulnerable to side channel attacks, but the dependence of a key with the substitution helps protect it from side channel attacks. Several attacks have been made on Twofish, but the creator of the algorithm, Bruce Schneier, argues these were not true cryptanalysis attacks. This means a practical break of the Twofish algorithm has not occurred yet.

What uses Twofish for encryption?

Though, like the Advanced Encryption Standard (AES), Twofish is not the most commonly used encryption algorithm, it still has many uses seen today. The most well-known products that use Twofish in their encryption methods are:

  • PGP (Pretty Good Privacy)

    PGP is an encryption algorithm that utilizes Twofish to encrypt emails. The data of the email is encrypted, but the sender and subject are not encrypted.

  • GnuPG

    GnuPG is an implementation of OpenPGP that lets users encrypt and send data in communications. GnuPGP uses key management systems and modules to access public key directories. These public key directories provide public keys published by other users on the Internet, so that if they send a message with encrypted with their private key, anyone with access to the public key directory can decrypt that message.

  • TrueCrypt

    TrueCrypt encrypts data on devices, with encryption methods that are transparent to the user. TrueCrypt works locally on the user’s computer, and automatically encrypts data when it leaves the local computer. An example would be a user sending a file from their local computer to an outside database. The file sent to the database would be encrypted as it leaves the local computer.

  • KeePass

    KeePass is a password management software that encrypts passwords that are stored, and creates passwords using Twofish.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Table of Contents

Blowfish is the first symmetric encryption algorithm created by Bruce Schneier in 1993. Symmetric encryption uses a single encryption key to both encrypt and decrypt data. The sensitive data and the symmetric encryption key are utilized within the encryption algorithm to turn the sensitive data into ciphertext. Blowfish, along with its successor Twofish, was in the running to replace the Data Encryption Standard (DES) but failed due to the small size of its block. Blowfish uses a block size of 64, which is considered wholly insecure. Twofish fixed this issue, by implementing a block with a size of 128. Blowfish is much faster than DES, but it trades in its speed for security.

Products that use Blowfish

Though it is not as secure as other symmetric encryption algorithms, many products in many different areas of the Internet utilize Blowfish. Different types of products that Blowfish is a part of are:

  • Password Management

    Password management software and systems protect and create passwords. Blowfish has been used in a variety of password management tools to both create passwords and encrypt saved passwords. Examples of password management tools using Blowfish include:

    • Access Manager
    • Java PasswordSafe
    • Web Confidential
  • File/Disk Encryption

    Software that encrypts files or disks is extremely common today as so many organizations have sensitive data they need to keep secure. This software must be straightforward for use by companies and quick to finish the encryption process. Thus, Blowfish is utilized in these encryption systems often in products such as:

    • GnuPG
    • Bcrypt
    • CryptoForge
  • Backup Tools

    Software that backs up vital infrastructure in an organization must have the ability to encrypt information in those backups. This is in case the backup contains sensitive information. Backup systems that use Blowfish are:

    • Symantec NetBackup
    • Backup for Workgroups
  • Email Encryption

    Encryption for emails is extremely important on any device. Different IOS, Linux, and Windows software all use Blowfish for email encryption. Examples:

    • A-Lock
    • SecuMail
  • Operating System Examples

    • Linux
    • OpenBSD
  • Secure Shell (SSH)

    Secure Shell is used to remotely access computer networks while authenticating the user through the use of encryption methods like Blowfish. Examples:

    • OpenSSH
    • PuTTY

Comparison Table

  • Faster than other encryption algorithms, such as the Data Encryption Standard (DES)
  • Blowfish is unpatented and free to use. This means anyone can take and use Blowfish for whatever they want to
  • The Blowfish algorithm also has a lesser amount of operations to complete compared to other encryption algorithms
  • The key schedule of Blowfish takes a long time, but this can be advantageous, as brute force attacks are more difficult
  • The key schedule of Blowfish takes a long time, equivalent to encrypting 4KBs of data, which can be a disadvantage or an advantage. On the Disadvantage side, it takes a very long time to do
  • The small block size of Blowfish means that Birthday Attacks can occur and compromise the encryption algorithm
  • It is followed by Twofish, which was created to replace Blowfish, as it is better in most ways

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Table of Contents

The Advanced Encryption Standard, or AES, is an encryption algorithm created by the National Institute of Science and Technology (NIST) in 2001. The cipher utilized in AES is a block cipher from the Rjindael cipher family. When AES was created, three different Rjindael block ciphers were selected for use, to make AES even more secure. All three ciphers used were 128 bits, but the keys they each used were of different sizes: 128, 192, and 256 bits. This is considered a symmetric block cipher, as only one key is used in the encryption process.

Symmetric encryption is a form of encryption that uses a single key for both encryption and decryption. Its counterpart, asymmetric encryption, uses two keys during the encryption and decryption process. One key is kept secret from everyone but the key’s creator, while the other key is a public key that can be viewed and utilized by anyone. Initially, AES was only used by the United States, but it has now been adopted worldwide as one of the most secure encryption algorithms.

Why was AES developed?

The Advanced Encryption Standard was created as a replacement for the Data Encryption Standard, or DES. DES was found to be increasingly more vulnerable to brute-force attackers, and thus needed to be phased out. AES’ original creation was to protect sensitive government information, but the security and ease of implementation provided by AES caused the majority of organizations to utilize AES in their encryption processes. Both public and private sector companies use AES now, as it protects against cyber-attacks, like brute force. AES does present an issue when exporting products encrypted with this encryption algorithm.

The Bureau of Industry and Security (BIS) has a number of controls and regulations in place that make it difficult export encryption products encrypted with AES. Commercial encryption products are required by the BIS to gain a license for their product that allows the organization to export their product to several destinations, without needing to acquire a separate license for each destination. Certain embargoed countries cannot receive commercial encryption products from the United States at all. These countries are: Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.

Choosing the Rjindael cipher

To create the AES algorithm, a competition was held, which initially had 15 different encryption algorithms in the running. It was eventually narrowed down to just 5 algorithms:

  • MARS
  • Rivest Cipher 6 (RC6)
  • Rjindael
  • Serpent
  • Twofish 

These encryption algorithms were extensively analyzed by both the NIST and the National Security Agency (NSA), to determine the most secure one to use in the Advanced Encryption Standard. After rigorous testing of these algorithms, the Rjindael cipher was selected to be used in AES. The use of a 256 bit key gives the Rjindael cipher strong security, while maintaining its interoperability with existing hardware and software. Stronger ciphers exist, but they do not have the ability to be implemented into existing systems easily, like the Rjindael cipher can.

Understanding AES key size differences

The way a block cipher works is the plaintext of the data being encrypted is broken down into blocks of equal size, which for AES is 128 bits. Using a series of bitwise operations, the blocks of data are encrypted using keys of a specific length as well. AES allows 128, 192, and 256 bit keys for use, and the bigger the key size, the more secure the encryption. If a 128 bit key is used, the encryption on the block is done 10 times. With 192, the encryption is done 12 times, and with 256, 14 times. Thus, 256 bit keys are the most secure, but for most encryption cases, 128 bit keys are sufficient. The higher the security level of the data, however, the higher the size of the key should be.

To give an example on the security of AES, let’s take a look at how long it would take someone to crack one password encrypted with an AES-256 bit key. To break one 16-byte section of data encrypted with an AES-256 bit key, it would take centuries using a brute force method. The total amount of permutations that are possible with a 256 bit key are 2256, which makes cracking an AES-256 encrypted message virtually impossible. Even using a 128 bit key, the smallest size, there are still 2128 different permutations available, which would still take decades to brute force.

Secure your data through Encryption Assessment

Attacks on AES

Researchers continually attempt to break AES with methods that are viable. The reason researchers are attempting to crack AES is to be one step ahead of attackers. If an attacker were to crack AES, and keep it a secret, then the world would continue to use AES believing it is completely secure. So far, a few different, theoretical attacks have been proposed, including:

  • Related-key attack

    A related-key attack involves identifying how a cipher works under different keys. This cryptanalysis technique involves feeding a cipher, used to encrypt data, several different keys with the same plaintext. The process that occurs between the key and cipher can help identify a mathematical relationship between the cipher and key, thus helping identify the actual key’s value. This attack method is, however, not considered a big threat to AES, as it is useless as long as the protocols were implemented correctly.

  • Distinguished key attack

    An attack that used a known key to find out the inner workings of an 8 round AES-128 algorithm was successfully used. As this was done on an 8 round algorithm, as opposed to the official 10 round algorithm, this is an attack that should not cause issues with any official AES algorithms.

  • Side channel attack

    A side channel attack involves the leaking of information from an organization’s infrastructure. The data is leaked through locations, and the attacker listens at in to the sound, timing information, electromagnetic information or the power consumption in order to gather inferences from the algorithm which can then be used to break it. This can be stopped, however, by fixing the source of the leak or ensuring no pattern exists in the leaking information.

  • Key compromise

    Though not a direct attack on the AES algorithm, the compromise of the key used for encryption cripples the entire AES algorithm. This is why proper key management and security are vital to the IT infrastructure of any organization.

  • Quantum computing

    Quantum computing is the successor to classical computing, which we do now, that is still in the process of being created and understood. Though it has not been fully realized yet, the creation of quantum computers will make all classical computing cryptography irrelevant, as quantum computing could crack any classical cryptography algorithm in potentially seconds.

Who and what uses AES?

The majority of products, services, and organizations using symmetric encryption utilize AES. Most agencies and organizations in the United States government, including the NSA, use AES as well. The proven strength of AES and the inability to crack it mean the majority of companies looking for an encryption algorithm will use AES. A number of file transfer methods use AES for encryption as well. HTTPS is just one example of this.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

With cloud adoption soaring to whopping 96% in 2018 according to CIO, it’s no wonder that cloud security is a hot industry topic. In today’s dynamic world, many companies are accelerating their digital transformation by moving data and applications to the cloud; benefiting from scalability and reduced costs at the same time. With cloud becoming an integral part of any enterprise, the questions that many ask include:

How to ensure cloud data security?

Where and how to manage encryption keys in the cloud?

How to ensure your data is securely stored and protected in a multi-cloud  environment?

How to ensure vendor independence in a multi-cloud environment?

Hardware Security Modules (HSMs) have been around for a long time and have over the years become synonymous with “security”. Many organizations that host their data and applications on-premise will use HSMs – physical security units that authenticate, generate and store cryptographic material to protect their most valuable assets. The HSM acts as the centralized Root of Trust providing the ultimate level of security that no software can offer. While this is a great option for on-premise scenarios, it becomes complicated if you’re in a multi-cloud environment.

Say you do decide to go with the Key Management Service (KMS) offered by your Cloud Service Provider (CSP), what happens if your environment is a combination of private, public, hybrid or multi-cloud? The important question to ask would be if your CSP’s KMS supports data and applications hosted outside of their own data environment. Every enterprise has a unique cloud environment and getting locked-in with one vendor in the name of data security is probably not the best option. What you want to be looking for is a solution that is CSP-agnostic meaning supportive of various cloud environments so you can make the most of the benefits and services offered by key providers like Google, Azure, and AWS.

Another consideration regarding your CSP’s KMS is the proximity of your valuable data assets and your encryption keys. Is it safer to keep your house key under the doormat or in a locked vault in a secure storage facility? At the end of the day, KMS is nothing more than software which undoubtedly lacks the stringent security protections of a dedicated unit like an HSM. As a best practice, it’s important to separate your encryption keys from your encrypted  data assets to minimize the risk of a catastrophic data breach.

We are back at where we started. If HSM is the ultimate security solution, then wouldn’t it be ideal to be able to have access to HSM-level security for your cloud applications and workloads without taking on the expense and responsibility of managing your multi-cloud environment HSM? Today, solutions like HSM-as-a-Service or HSM-in-the-Cloud offer the best of both worlds combining the security of an HSM with a flexibility of a KMS. This might be the solution for you if you’re looking for:

Multi-cloud deployments

Migration flexibility – no CSP and cloud lock-in

Reducing your capex

Innovate  in the cloud – place your own firmware and custom code on the HSM

With the right strategy and solution, you can ensure your cloud security is treated like your on-premise security. Get in touch with Utimaco to learn more about CryptoServer Cloud and how you can secure your cloud data without limiting your agility and potential. 

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Let's talk