-*- restructuredtext -*-

Symmetric cryptography
======================
Basic information about symmetric-key cryptography, so that a correct algorithm
and its parameters can be chosen.

Explanation about AES
---------------------
Strictly speaking, `AES`_ is not precisely Rijndael (although in practice they are
used interchangeably) as Rijndael supports a larger range of block and key
sizes; AES has a fixed block size of 128 bits and a key size of 128, 192, or
256 bits, whereas Rijndael can be specified with key and block sizes in any
multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.

Block size
----------
Only use a block cipher with a `block size`_ of 64 bits (8 bytes) if a single
key encrypts no more than a few hundred megabytes; otherwise the ciphertext
starts to leak information about the message contents.

For example, Blowfish has a block size of 64 bits, while AES has a block size
of 128 bits.

Key size
--------
Read the `Entropy and bit strength`_ section to choose a correct key size.

Modes of operation
------------------
Information about `modes of operation`_.

Stream ciphers are used in applications where plaintext arrives in quantities
of unknowable length, such as a secure wireless connection.

The mode must be at least as secure and as efficient as the underlying cipher.

Block cipher
............

*ECB* (electronic codebook)
	Is suitable for ``random data``, such as encrypting other keys.

	Because such data is short and random, the usual disadvantages of *ECB*
	have little effect.

*CBC* (cipher block chaining)
	Is especially suitable for encrypting ``files`` where the security is
	increased over *ECB* significantly.

*CFB* (cipher feedback)
	Is the best mode for encrypting ``strings or byte streams`` where single
	bytes must be encrypted.

*OFB* (output feedback, in 8bit)
	Is comparable to *CFB* but can be used in applications where error
	propagation cannot be tolerated.

	It is intended for use in ``noisy lines``, because corrupted ciphertext
	blocks do not corrupt the plaintext blocks that follow.

	``It is insecure`` (because it operates in 8-bit mode), so its use is not
	recommended.

Stream cipher from block cipher
...............................
These modes turn a block cipher into a stream cipher, and they operate in
streams.

*nOFB* (output feedback, in nbit)
	Is comparable to *OFB*, but more secure because it operates on the block
	size of the algorithm.

*nCFB* (cipher feedback, in nbit)
	Is comparable to *CFB*, but it operates on the block size of the algorithm.

*CTR* (counter)
	Has similar characteristics to *OFB*, but also allows a random access
	property during decryption, and is believed to be as secure as the block
	cipher being used.

Stream cipher
.............

*STREAM*
	Is an extra mode to use with stream algorithms.

Error recovery
..............
If bytes are removed or lost from the file or stream in *ECB*, *CTR*, *CBC* and
*OFB* modes, recovery is impossible, although *CFB* and *nCFB* modes will
recover. If some bytes are altered, then a full block of plaintext is affected
in *ECB*, *nOFB* and *CTR* modes, two blocks in *CBC*, *nCFB* and *CFB* modes,
but only the corresponding byte in *OFB* mode.

Initialization vector (IV)
..........................
All these modes (except *ECB*) require an `initialization vector`_.

There is no need for the *IV* to be secret, in most cases, but it is important
that it is never reused with the same key. For *CBC* and *CFB*, reusing an *IV*
leaks some information about the first block of plaintext, and about any common
prefix shared by the two messages. For *OFB* and *CTR*, reusing an *IV*
completely destroys security. In *CBC* mode, the *IV* must, in addition, be
randomly generated at encryption time.
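
The IV-reuse effects described above can be reproduced with the standard
library alone. This is an added example, not code from the original page: the
block cipher is a stand-in Feistel construction (not AES), and all function
names and the sample messages are constructed for illustration.

```python
import hashlib, hmac, secrets
BLOCK = 16  # bytes; same block size as AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key, block):
    """Stand-in for AES: 4-round Feistel with HMAC-SHA256 rounds (stdlib only)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key, iv, plaintext):
    """CBC over whole blocks: C_i = E(P_i xor C_(i-1)), with C_0 = IV."""
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(prev, plaintext[i:i + BLOCK]))
        out += prev
    return out

def ctr_encrypt(key, iv, plaintext):
    """CTR: keystream block i is E(IV + i); the same call also decrypts."""
    start, out = int.from_bytes(iv, "big"), b""
    for i in range(0, len(plaintext), BLOCK):
        ctr = ((start + i // BLOCK) % 2**128).to_bytes(BLOCK, "big")
        out += xor(plaintext[i:i + BLOCK], toy_encrypt_block(key, ctr))
    return out

def equal_leading_blocks(c1, c2):
    """Count identical ciphertext blocks at the start of two messages."""
    n = 0
    while c1[n * BLOCK:(n + 1) * BLOCK] == c2[n * BLOCK:(n + 1) * BLOCK] != b"":
        n += 1
    return n

# Constructed sample messages (48 bytes each); their first two blocks are equal.
M1 = b"ACCOUNT=00012345;CURRENCY=EUR;;;AMOUNT=000100.00"
M2 = b"ACCOUNT=00012345;CURRENCY=EUR;;;AMOUNT=999999.99"

def demo():
    key, iv, iv2 = (secrets.token_bytes(BLOCK) for _ in range(3))
    reused = equal_leading_blocks(cbc_encrypt(key, iv, M1), cbc_encrypt(key, iv, M2))
    fresh = equal_leading_blocks(cbc_encrypt(key, iv, M1), cbc_encrypt(key, iv2, M2))
    # CTR with a reused IV: the keystream cancels, so C1 xor C2 == M1 xor M2.
    ctr_leak = xor(ctr_encrypt(key, iv, M1), ctr_encrypt(key, iv, M2)) == xor(M1, M2)
    return reused, fresh, ctr_leak

print(demo())  # (2, 0, True)
```

With a reused *IV*, *CBC* exposes the two-block common prefix, while a fresh
random *IV* per message hides it; in *CTR* the XOR of the two ciphertexts
equals the XOR of the two plaintexts.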


.. _AES: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
.. _block size: http://en.wikipedia.org/wiki/Block_size_(cryptography)
.. _modes of operation: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
.. _initialization vector: http://en.wikipedia.org/wiki/Initialization_vector


Entropy and bit strength
========================
Information about `bit strength`_.

The following list summarizes the requirements and recommendations regarding
symmetric encryption algorithms according to `NIST`_. There are five pre-defined
security levels (80, 112, 128, 192, and 256 bits) for data protection lifetimes:

	1. Up to 2010: security level 80, 112, 128, 192 or 256 bits.
	2. Up to 2030: security level 112, 128, 192, or 256 bits.
	3. Beyond 2030: security level 128, 192, or 256 bits.

A domain of 94 possible values per character (for ASCII visible character sets)
is equivalent to 6.5 bits [1]_ of entropy per character. This imposes a certain
cost on attackers using brute force attacks. If the password is eight
characters long, the bits-per-character is multiplied by the overall length
(6.5 x 8) to produce a total bit-strength of 52 bits.

So, to achieve the security levels recommended by NIST with a set of ASCII
characters, we must use the following number of characters for the chosen
security level::

	80 / log_2(94) ~= 12.21 chars.
	112 / log_2(94) ~= 17.09 chars.
	128 / log_2(94) ~= 19.53 chars.
	192 / log_2(94) ~= 29.29 chars.
	256 / log_2(94) ~= 39.06 chars.

And with a domain of 256 possible values::

	80 / log_2(256) = 10 chars.
	112 / log_2(256) = 14 chars.
	128 / log_2(256) = 16 chars.
	192 / log_2(256) = 24 chars.
	256 / log_2(256) = 32 chars.

Note that 16 bytes is the standard length for an *IV*, so it has 128 bits of
strength (if a domain of 256 values is used).


**Important:** The way you encode the characters (UTF-8 or anything else) doesn't
matter. All that matters is the number of possible characters.


.. _bit strength: http://en.wikipedia.org/wiki/Strong_password#Bit_Strength
.. _NIST: http://www.secg.org/collateral/proposal-for-sec1v2.pdf
.. [1] log_2(94) ~= 6.55
