Do you know the differences between block and stream ciphers? You should if you plan to take the Security+ exam. This post should give you a basic understanding of symmetric encryption methods and when each type is appropriate.
For example, can you answer this question?
Q. An application developer needs to use an encryption protocol to encrypt credit card data within a database used by the application. Which of the following would be the FASTEST, while also providing strong confidentiality?
A. AES-256
B. DES
C. Blowfish
D. SHA-2
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Block Cipher Versus Stream Cipher
Most symmetric algorithms use either a block cipher or a stream cipher. They are both symmetric, so they both use the same key to encrypt or decrypt data. However, they divide data in different ways.
A block cipher encrypts data in specific-sized blocks, such as 64-bit blocks or 128-bit blocks. The block cipher divides large files or messages into these blocks and then encrypts each individual block separately. Stream ciphers encrypt data as a stream of bits or bytes rather than dividing it into blocks.
In general, stream ciphers are more efficient than block ciphers when the size of the data is unknown or sent in a continuous stream, such as when streaming audio and video over a network. Block ciphers are more efficient when the size of the data is known, such as when encrypting a file or a specific-sized database field.
An important principle when using a stream cipher is that encryption keys should never be reused. A stream cipher turns the key into a keystream and combines it with the data, so if a key is reused, the same keystream protects two different messages and the encryption becomes much easier to crack.
For example, Chapter 4 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide discussed the legacy Wired Equivalent Privacy (WEP) and initialization vector (IV) attacks. Note that WEP is not recommended for use, and part of the reason is due to how it implemented the stream cipher.
WEP uses the Rivest Cipher 4 (RC4) stream cipher for symmetric encryption. RC4 is a secure algorithm when it’s implemented correctly, but WEP did not follow the important stream cipher principle of never reusing keys. If wireless systems generate enough traffic, WEP reuses keys for RC4. Attackers discovered they could use packet injection techniques to increase the number of packets on a wireless network, detect the duplicate keys, and crack the encryption.
Remember this
Stream ciphers encrypt data a single bit, or a single byte, at a time in a stream. Block ciphers encrypt data in a specific-sized block such as 64-bit or 128-bit blocks. Stream ciphers are more efficient than block ciphers when encrypting data in a continuous stream.
RC4
Ron Rivest invented several versions of RC, which are sometimes referred to as Ron’s Code or Rivest Cipher. The most commonly used version is RC4 (also called ARC4), a symmetric stream cipher that can use key sizes between 40 and 2,048 bits.
It’s worthwhile pointing out that this is the same RC4 used in WEP. WEP’s vulnerabilities weren’t because it used RC4, but instead because it did not follow a basic rule of a stream cipher: Don’t reuse keys.
When implemented correctly, RC4 has enjoyed a long life as a strong cipher. For many years, it has been the recommended encryption mechanism in Secure Sockets Layer (SSL) and Transport Layer Security (TLS). SSL and TLS encrypt Hypertext Transfer Protocol Secure (HTTPS) connections on the Internet.
However, experts have speculated since 2013 that agencies such as the U.S. National Security Agency (NSA) can break RC4, even when implemented correctly such as in TLS. Because of this, companies such as Microsoft recommend disabling RC4 and using AES instead. Even though AES is a block cipher and RC4 is a stream cipher, TLS can implement either one.
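The following is an added example (not code from the study guide) illustrating the key-reuse principle from the stream cipher section and the RC4 discussion above. RC4 is implemented from its public description; two records are encrypted under one reused key to show that XORing the ciphertexts cancels the keystream, and a per-message key derived with SHA-256 (a constructed choice for the demonstration, not WEP's IV scheme) shows the relation disappears when keys are not reused.

```python
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: plaintext XOR keystream. The same call decrypts (symmetric)."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def combine_reused_keystream(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With one keystream K: c1 ^ c2 == (p1 ^ K) ^ (p2 ^ K) == p1 ^ p2.
    Knowing p1 therefore reveals p2 without ever learning the key.
    This is the defect the text attributes to WEP's key reuse."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def per_message_key(master_key: bytes, message_id: int) -> bytes:
    """Constructed mitigation for the demo: derive an unrelated key per message,
    so no two messages ever share a keystream."""
    return hashlib.sha256(master_key + message_id.to_bytes(8, "big")).digest()


if __name__ == "__main__":
    # Constructed sample records of equal length.
    p1, p2 = b"record number one!!", b"record number two!!"
    key = b"reused-key"
    c1, c2 = rc4_encrypt(key, p1), rc4_encrypt(key, p2)
    print("recovered with reused key:", combine_reused_keystream(c1, c2, p1))
    d1 = rc4_encrypt(per_message_key(key, 1), p1)
    d2 = rc4_encrypt(per_message_key(key, 2), p2)
    print("with unique keys:", combine_reused_keystream(d1, d2, p1))
```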
Blowfish and Twofish
Blowfish is a strong symmetric block cipher that is still widely used today. It encrypts data in 64-bit blocks and supports key sizes between 32 and 448 bits. Bruce Schneier (a widely respected voice in IT security) designed Blowfish as a general-purpose algorithm to replace DES.
Interestingly, Blowfish is actually faster than AES in some instances. This is especially true when comparing Blowfish with AES-256. Part of the reason is that Blowfish encrypts data in smaller 64-bit blocks, whereas AES encrypts data in 128-bit blocks.
Twofish is related to Blowfish, but it encrypts data in 128-bit blocks and it supports 128-, 192-, or 256-bit keys. It was one of the finalist algorithms evaluated by NIST for AES. However, NIST selected another algorithm (Rijndael) as AES.
Remember this
RC4 is a strong symmetric stream cipher. Blowfish is a 64-bit block cipher and Twofish is a 128-bit block cipher. Although NIST recommends AES as the standard, Blowfish is faster than AES-256.
Q. An application developer needs to use an encryption protocol to encrypt credit card data within a database used by the application. Which of the following would be the FASTEST, while also providing strong confidentiality?
A. AES-256
B. DES
C. Blowfish
D. SHA-2
The answer is C. Blowfish would be the fastest in this scenario, and because it provides strong encryption, it also provides strong confidentiality.
Advanced Encryption Standard-256 (AES-256) is a strong encryption protocol, but Blowfish is faster than AES in some situations such as when comparing it against AES-256.
Data Encryption Standard (DES) is not secure and is not recommended today.
Secure Hash Algorithm version 2 (SHA-2) is a hashing algorithm used for integrity.