Symmetric Keys

Introduction: Encryption is critical to protect data such as personally identifiable information. Symmetric key encryption allows the same key to be used both for encryption as well as decryption. Compare this to public key-private key encryption that is more ubiquitous and involves an encryption with the public key and decryption with the private key.  The difference between them is that the symmetric key needs to exist at both source and destination while the private key for decryption is needed only with the party that decrypts. Since the transfer of key is avoided, the public key, private key becomes more popular while symmetric keys are used for faster and light-weight encryption.

Once the symmetric keys are created, they can be treated as passwords or adhoc secrets. KeyVaults and secret management stores can come in helpful to allow multiple parties to access it safely. The use of symmetric keys goes hand in hand with KeyVaults in many production systems.

Symmetric encryption algorithms are of two types:

1.       Block algorithms: A set length of bits are encrypted in blocks of electronic data with the use of a specific secret key. The data is retained in memory as the system encrypts and waits for complete blocks.

2.       Stream algorithms: This does away with the retaining and continuously encrypts the data as it streams.

Examples include AES, DES, IDEA, BlowFish, RC4, RC5, RC6

The keys can be generated in code as simply as the following example in C#:

using System.Security.Cryptography; 

AesCryptoServiceProvider Aes = new AesCryptoServiceProvider(); 

Aes.GenerateIV(); 

Aes.GenerateKey();

Or in SQL as follows:

CREATE SYMMETRIC KEY SampleKey01  

WITH ALGORITHM = AES_256 

ENCRYPTION BY CERTIFICATE Certificate01; 

GO

A sample usage of symmetric key is cited as

Encrypt(UserID  + ClientID) = Token

where UserID is a large integer and and Client ID is a regular integer. The original text can be 16 and 8 characters in length which gives us 24 characters. We used fixed length for both UserID and ClientID and pad left. If we want to keep the size of the encrypted text to be the same as the original string, we could choose AES stream encryption. If we were to use stronger algorithms the size would bloat. And when we use hex or base64 encode, the text could double in size.