Published: 5 August 2024
Contributors: Annie Badman, Matthew Kosinski
Symmetric encryption is an encryption method that uses a single key to encrypt and decrypt data. Though generally less secure than asymmetric encryption, it’s often considered more efficient because it requires less processing power.
Encryption is the process of transforming readable plaintext into unreadable ciphertext to mask sensitive data from unauthorized users. According to the IBM Cost of a Data Breach Report, organizations that use encryption can reduce the financial impact of a data breach by over USD 240,000.
Almost everything people do on their computers, phones and IoT devices relies on encryption to protect data and secure communications. It can protect data at rest, in transit and while being processed, making it critical to almost every organization’s cybersecurity posture.
Symmetric encryption, also known as symmetric key cryptography or secret-key encryption, is one of 2 main methods of encryption alongside asymmetric encryption. Symmetric encryption works by creating a single shared key to encrypt and decrypt sensitive data. The main advantage of symmetric encryption is that it’s generally simple and efficient in securing data.
However, symmetric encryption is often considered less secure than asymmetric encryption, largely because it relies on secure key exchange and meticulous key management. Anyone who intercepts or obtains the symmetric key can access the data.
For this reason, organizations and messaging apps increasingly rely on a hybrid encryption method that uses asymmetric encryption for secure key distribution and symmetric encryption for subsequent data exchanges.
Also, as advancements in artificial intelligence (AI) and quantum computing threaten to undo traditional encryption methods, many organizations are relying on integrated encryption solutions to protect sensitive data.
The two types of encryption have distinct characteristics and use cases. Asymmetric encryption uses two keys—a public key and a private key—to encrypt and decrypt data, whereas symmetric encryption only uses one.
Having two different keys generally makes asymmetric encryption (also known as public key cryptography and public key encryption) more secure and versatile.
Asymmetric key cryptography can facilitate the creation of digital signatures and ensure core information security principles such as integrity, authentication and nonrepudiation. Integrity confirms that unauthorized parties do not tamper with data, authentication verifies data origins and nonrepudiation prevents users from denying legitimate activity.
However, the downside of asymmetric encryption is that it often requires more processing power to operate, making it relatively infeasible for large amounts of data.
For this reason, organizations generally choose symmetric encryption when efficiency is critical, such as encrypting large volumes of data or securing internal communications within a closed system. They choose asymmetric encryption when security is paramount, such as encrypting sensitive data or securing communication within an open system.
Learn the common causes and effects of breaches, how breaches are identified and how organizations can prevent and mitigate the cyberthreats responsible.
Symmetric encryption starts with key generation, which creates a single secret key that all parties involved must keep confidential.
During the encryption process, the system feeds plaintext (original data) and the secret key into a data encryption algorithm. This process uses mathematical operations to transform the plaintext into ciphertext (encrypted data). Without a decryption key, deciphering encrypted messages becomes virtually impossible.
The system then transmits the ciphertext to the recipient, who uses the same secret key to decrypt the ciphertext back into plaintext, reversing the encryption process.
Symmetric encryption involves two main types of symmetric ciphers: block ciphers and stream ciphers.
- Block ciphers, such as Advanced Encryption Standard (AES), encrypt data in fixed-size blocks.
- Stream ciphers, like RC4, encrypt data one bit or byte at a time, making them suitable for real-time data processing.
Users frequently choose block ciphers to ensure data integrity and security for large amounts of data. They choose stream ciphers to encrypt smaller, continuous data streams efficiently, such as real-time communications.
Organizations are increasingly combining symmetric and asymmetric encryption for security and efficiency. This hybrid process begins with a secure key exchange, where asymmetric encryption is used to securely exchange the symmetric key.
For example, web browsers and web servers establish secure communications through an SSL/TLS handshake. This process involves generating a shared symmetric key, called a session key, and using the server's public key to encrypt and share that session key between both parties.
A trusted third party, known as a certificate authority (CA), confirms the validity of the server's public key and issues a digital certificate, ensuring the server's authenticity and preventing man-in-the-middle attacks.
Once shared, the symmetric key efficiently handles all data encryption and decryption. For instance, a live video streaming service might use asymmetric encryption to secure the key exchange and symmetric stream ciphers for real-time data encryption. This efficient use of the symmetric key is a crucial advantage of this combined encryption approach.
Two common methods used in secure key exchange are Diffie-Hellman and Rivest-Shamir-Adleman (RSA). Diffie-Hellman is an asymmetric algorithm named after its inventors. Both help establish a secure key exchange and ensure that the symmetric key remains confidential.
- Diffie-Hellman allows two parties to generate a shared secret—like a symmetric key—over an insecure channel without having prior shared secrets. This method ensures that even if an attacker intercepts the exchange, they cannot decipher the shared secret without solving a complex mathematical problem.
- RSA, on the other hand, uses a public and private key pair. The sender encrypts the symmetric key with the recipient's public key, which only the recipient can decrypt using their private key. This method ensures that only the intended recipient can access the symmetric key.
Imagine Alice wants to send a confidential document to Bob. In this scenario, symmetric encryption would work as follows:
- Alice and Bob agree on a secret key or use asymmetric encryption for secure key exchange.
- Alice encrypts the document using the secret key, turning it into unreadable ciphertext.
- Alice sends the ciphertext to Bob.
- Upon receiving the encrypted document, Bob uses the same secret key to decrypt it back to its original form, ensuring its confidentiality throughout transmission.
Encryption key management is the process of generating, exchanging and managing cryptographic keys to ensure the security of encrypted data.
Though effective key management is crucial for all encryption methods, it’s especially critical for symmetric encryption, which many experts see as significantly less secure because of its single shared key and the need for secure key exchange.
If the encryption process functions as a safe for sensitive information, then an encryption key is the lock code required to open the safe. If that code falls into the wrong hands or gets intercepted, you risk losing access to your valuables or having them stolen. Similarly, organizations that don’t properly manage their cryptographic keys can lose access to their encrypted data or expose themselves to data breaches.
For example, Microsoft recently disclosed that a China-backed hacking group had stolen a critical cryptographic key from its systems.1 This key allowed hackers to generate legitimate authentication tokens and access cloud-based Outlook email systems for 25 organizations, including multiple US government agencies.
To protect against attacks like these, organizations often invest in key management systems. These services are critical given that organizations frequently manage a complex network of cryptographic keys, and many threat actors know where to look for them.
Encryption key management solutions often include features like:
A centralized management console for encryption and encryption key policies and configurations
Encryption at the file, database and application levels for on-premises and cloud data
Role- and group-based access controls and audit logging to help address compliance
Automated key lifecycle processes
Integration with the latest technologies, such as AI, to improve key management by using analytics and automation
Organizations are increasingly using AI systems to help automate key management processes, including key generation, distribution and rotation.
For instance, AI-driven key management solutions can dynamically generate and distribute encryption keys based on real-time data usage patterns and threat assessments.
By automating key management processes, AI can significantly reduce the risk of human error and ensure that encryption keys are regularly updated and secure. Automated key rotation also makes it harder for threat actors to use keys they manage to steal.
Symmetric encryption is critical for modern data security practices. Its efficiency and simplicity often make it a preferred choice for various applications. Common symmetric encryption uses include:
Data security (particularly for large amounts of data)
Secure communication and web browsing
Database encryption
Data integrity
File, folder and disk encryption
Hardware-based encryption
Symmetric encryption is among the most critical and widespread data security tools. In fact, a recent report by TechTarget found that the primary contributor to data loss was a lack of encryption. 2
By encoding plain text as ciphertext, encryption can help organizations protect data against a range of cyberattacks, including ransomware and other malware.
Notably, the use of infostealer malware that exfiltrates sensitive data is up 266% from 2022, according to the 2024 IBM X-Force Threat Intelligence Index. Encryption helps combat this threat by making data unusable to hackers, defeating the purpose of stealing it.
Symmetric encryption is particularly effective for encrypting large amounts of data because it’s computationally efficient and can process high volumes of data quickly.
Organizations extensively use symmetric encryption to secure communication channels. Protocols like Transport Layer Security (TLS) use symmetric encryption to efficiently protect the integrity and confidentiality of data transmitted over the internet, including emails, instant messaging and web browsing.
During an SSL/TLS handshake, the client obtains the website's public key from its SSL/TSL certificate to establish a secure session key while the website keeps its private key secret.
The initial handshake uses asymmetric encryption to exchange information and establish a secure session key before transitioning to symmetric encryption for more efficient data transmission. This combination ensures that sensitive data remains private and tamper-proof during transmission.
While cloud service providers (CSPs) are responsible for the security of the cloud, customers are responsible for security in the cloud, including the security of any data.
Enterprise-wide data encryption can help organizations protect their sensitive data on-premises and in the cloud, ensuring that stolen data remains inaccessible without the encryption key even if a data breach occurs.
Recent research indicates that today, most organizations employ a hybrid cryptographic infrastructure via both cloud-based and on-premises cryptographic solutions.2
Databases often store vast amounts of sensitive information, from personal details to financial records. Symmetric encryption can help encrypt these databases or specific fields within them, such as credit card and social security numbers.
By encrypting data at rest, organizations can ensure that sensitive data remains protected even if the database is compromised.
Symmetric encryption algorithms not only ensure confidentiality but also data integrity, a critical factor in financial transactions. By generating message authentication codes (MACs), symmetric keys can help confirm that no one altered the data during transmission.
Hash functions also play a significant role in verifying data integrity. Hash functions generate a fixed-size hash value from input data. These "digital fingerprints" can be compared before and after transmission. If the hash has changed, that means someone has tampered with it.
Organizations often use symmetric encryption to secure files stored on local systems, shared drives and removable media.
Encrypting files ensures that sensitive data remains confidential, even if the storage media is lost or stolen. Whole disk encryption extends this protection by encrypting entire storage devices, safeguarding sensitive data on endpoints such as laptops and mobile devices.
For additional protection of sensitive data, especially when software-based encryption may not suffice, organizations often use specialized hardware components like encryption chips or modules. These hardware-based encryption solutions are commonly found in smartphones, laptops and storage devices.
Many industries and jurisdictions have regulatory requirements mandating that organizations use certain kinds of encryption to protect sensitive data. Compliance with these regulations helps organizations avoid legal penalties and maintain customer trust.
For instance, the Federal Information Processing Standards (FIPS) are a set of standards developed by the National Institute of Standards and Technology (NIST) for computer systems used by nonmilitary US government agencies and contractors. They focus on ensuring the security and interoperability of data and cryptographic processes.
The most well-known symmetric key algorithms include:
- Data Encryption Standard (DES) and Triple DES (3DES)
Advanced Encryption Standard (AES)
Twofish
Blowfish
IBM® first introduced DES in the 1970s as the standard encryption algorithm, a role it held for many years. However, its relatively short key length (56 bits) made it vulnerable to brute-force attacks, where threat actors try different keys until one works.
Triple DES, developed as an enhancement, applies the DES algorithm three times to each data block, significantly increasing the key size and overall security.
Eventually, more secure symmetric algorithms replaced both DES and Triple DES.
AES is generally considered the gold standard of symmetric encryption algorithms. It is widely adopted by organizations and governments worldwide, including the US government. AES offers strong security with key lengths of 128, 192 or 256 bits. Longer key lengths are more resistant to cracking.
Specifically, AES-256, which uses a 256-bit key, is known for its high level of security and is often used in highly sensitive situations. AES is also highly efficient in both software and hardware implementations, making it suitable for a wide range of applications.
Twofish is a symmetric key block cipher known for its speed and security. It operates on blocks of data with a block size of 128 bits and supports key lengths of 128, 192 or 256 bits.
Twofish is open source and resistant to cryptanalysis, making it a reliable choice for secure applications. Its flexibility and performance suit software and hardware implementations, particularly where security and performance are critical.
Blowfish is a symmetric key block cipher designed to provide a good encryption rate in software and secure data encryption. It supports key lengths from 32 bits to 448 bits, making it flexible and suitable for various applications.
Blowfish is known for its speed and effectiveness and is particularly popular for software encryption. It's also very popular in applications that need a simple and fast encryption algorithm, although newer algorithms like Twofish and AES have largely replaced it for most use cases.
Protect data, augment privacy and regulatory compliances through cryptography solutions.
Monitor and control data encryption keys throughout the key lifecycle, from a single location.
Securely build, deploy and manage mission-critical applications for the hybrid multicloud with confidential computing on IBM Z® and LinuxONE.
Empower yourself and your business by learning from the challenges and successes experienced by security teams around the world.
Encryption is the process of transforming readable plaintext into unreadable ciphertext to mask sensitive information from unauthorized users.
End-to-end encryption (E2EE) is a secure communication process that prevents third parties from accessing data transferred from one endpoint to another.
Footnotes
All links reside outside ibm.com
1 The Comedy of Errors That Let China-Backed Hackers Steal Microsoft’s Signing Key. Wired. 6 September 2023.
2 Research Report: Operationalizing Encryption and Key Management. Enterprise Strategy Group by TechTarget. 5 April 2024.