Cryptographic Algorithms

This post summarizes common (and some uncommon) encryption algorithms and hashing algorithms.

Some of them have been deprecated over the time. So if you are looking for one to implement, please check this.

Cryptographic Systems

The cryptographic systems that are checked in this post are:

  • Symmetric Key Cryptographic Systems
  • Asymmetric Key Cryptographic Systems
  • One-way Hash/Message Digest Algorithms

Symmetric Key Cryptographic Systems

Symmetric Key Cryptographic Systems:

  • Data Encryption Standard (DES)
  • Triple DES (3DES)
  • Advanced Encryption Standard (AES)
  • Rivest Ciphers (RC) family
    • RC4
    • RC5
    • RC6
  • Blowfish
  • Twofish
  • International Data Encryption Algorithm (IDEA)
  • Skipjack
  • CAST family
    • CAST-128
    • CAST-256
  • Serpent
  • IDEA
  • Salsa20 / ChaCha
  • Grain 128a
  • Camellia
  • Kuznyechik

As of 2021, NIST recommends AES.

Data Encryption Standard (DES)

DEPRECATED

It is vulnerable to brute-force attacks due to its limited key length (56-bit).

Withdrawn by NIST.

Triple DES (3DES)

DEPRECATED

Proposed extension of DES standard that retains backward compatibility. It applies the DES cipher algorithm three times to each data block.

It is vulnerable to the Sweet32 attack SP 800-67 Rev2.

3DES is deprecated. It was deprecated by NIST in 2017 through the document .

Advanced Encryption Standard (AES)

It was originally known as Rijndael (pronounced “rain-dahl”), but it was coined as Advanced Encryption Standard (AES) after it won the contest of the same name.

Public algorithm that supports keys of 128, 192 and 256 bits in size.

As of 2024, it is the symmetric algorithm recommended by NIST.

RC Family

RC4

DEPRECATED

Stream-cipher often used in SSL/TLS protocol sessions.

It is used in the WLAN standard WEP.

RC5

It is a parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds. The key size is 128-bits.

RC6

RC6 is a symmetric key block cipher derived from RC5 with two additional features.

Blowfish

Blowfish is a type of symmetric block cipher algorithm, designed to replace DES or IDEA algorithms.

Developed by Bruce Schneier.

Twofish

Developed by Bruce Schneier, the same as Blowfish.

It was finalist in the AES Contest.

The creator of Blowfish recommends Twofish over its own cypher.

Skipjack

Skijack was approved by U.S. government as the Escrowed Encryption Standard (EES). It required escrow procedures within the U.S. Government.

CAST family

It comes in two forms:

  • CAST-128
  • CAST-256

CAST-128

CAST-128 uses a maximum of key size of 128 bits.

CAST-256

CAST-256 uses a maximum of key size of 256 bits.

Serpent

It was finalist in the AES Contest.

International Data Encryption Algorithm (IDEA)

IDEA was intended as a replacement for DES.

It is incorporated in Pretty Good Privacy (PGP) v2.

It is less common than the others.

Salsa20 / ChaCha

ChaCha is an improvement of Salsa20.

Grain 128a

Grain 128a was proposed in 2011.

Camellia

Less common than the others.

Included in VeraCrypt software.

Kuznyechik

Less common than the others.

Included in VeraCrypt software.

Asymmetric Key Cryptographic Systems

Asymmetric Key Cryptographic Systems

  • Rivest-Shamir-Adleman (RSA)
  • Merkle-Hellman Knapsack
  • Elliptic Curve Cryptography (ECC)
  • Diffie-Hellman
  • ElGamal
  • Digital Signature Algorithm (DSA)
  • Fortezza

RSA is the most popular asymmetric algorithm.

Rivest-Shamir-Adleman (RSA)

The most popular asymmetric algorithm, and currently a worldwide standard.

Proposed in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman.

The main drawback lies in the length of the keys (between 1024 and 4096 bits) and the complexity of calculations for encoding and decoding.

RSA started with a patent on its algorithm, but it was released into the public domain in 2000.

Merkle-Hellman Knapsack

DEPRECATED

It was published soon after RSA.

It was broken in 1984.

Elliptic Curve Cryptography (ECC)

Published in 1985 independently by mathematicians Neal Koblitz (University of Washington, USA) and Victor Miller (IBM, USA).

It has higher speed at encrypting/decrypting with significantly shorter keys than other algorithms (between 256 and 512 bits). Providing the same level of protection, ECC keys are 12 times shorter than RSA.

Providing the same level of protection ECC double size of symmetric encryption keys.

Because of its lighter processing demands, it is used on mobile phones.

ECC depends on the elliptic curve discrete logarithm problem.

A variant is Elliptic Curve Digital Standard Algorithm (ECDSA), specified in ANSI X9.62. This algorithm is listed in Digital Signature Standard (DSS) by NIST.

RSA was released to the public domain in 2000.

Diffie-Hellman

One of the earliest practical examples of public key exchanges.

ElGamal

Published in 1985 by Egyptian Dr. Taher Elgamal, who worked then for Netscape.

It is an extension of Diffe-Hellman algorithm.

It did not obtain a patent, so it has always been in the public domain. Because of this, it was an patent-free alternative to RSA until 2000, when RSA was released into the public domain.

The ciphertext encrypted with this algorithm doubles the size of the plain text; this is considered one of its drawbacks.

Digital Signature Algorithm (DSA)

It is specified by NIST in Federal Information Processing Standards (FIPS) 186-4, also known as Digital Signature Standard (DSS).

It is a variant of an algorithm by Taher Elgamal.

Fortezza

Used by US Government.

One-way Hash Functions

One-way hash or message digest algorithms:

  • MD family
    • MD2
    • MD4
    • MD5
  • Secure Hash Algorithm (SHA) Family
    • SHA-1
    • SHA-2
      • SHA-256
      • SHA-384
      • SHA-512
    • SHA-3
  • Whirlpool
  • Streboog
  • RIPEMD
  • Hash of Variable Length (HAVAL)
  • Hash Message Authentication Code (HMAC)
  • PANAMA
  • TIGER
  • ADLER32
  • CRC32

SHA-2 is the standard, though SHA-3 is more secure but more difficult to implement.

Ways to manage collision:

  • Open Addressing
  • Separate Chaining

MD Family

MD2

DEPRECATED

MD4

DEPRECATED

MD5

DEPRECATED

SHA Family

They are supported by NIST through the publication of Secure Hash Standard (SHS), also known as FIPS 180.

SHA-1

DEPRECATED

Developed by NSA. It has been substituted by its successor SHA-2.

SHA-2

SHA-2 contain different has functions, like SHA-256 (one of the most popular), SHA-384 and SHA-512.

Validated by NESSIE project and NSA.

SHA-3

SHA-3 has been announced by NIST in the event a successful attack is developed against SHA-2.

SHA-3 uses the sponge construction in which message blocks are XORed into the initial bits of the state, which is then invertibly permuted

Whirlpool

Validated by NESSIE project and ISO.

RACE Integrity Primitives Evaluation Message Digest (RIPEMD)

RACE Integrity Primitives Evaluation Message Digest (RIPEMD) is a 160-bit hash algorithm developed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. There exist 128, 256 and 320-bit versions of this algorithm, called RIPEMD-128, RIPEMD-256, and RIPEMD-320, respectively. These all replace the original RIPEMD, which was found to have collision issue. It does not follow any standard security policies or guidelines.

It is used on cryptocurrencies like BitCoin.

Hash of Variable Length (HAVAL)

DEPRECATED

Hash of Variable Length (HAVAL) is a modification of MD5.

HAVAL was broken in 2004.

Hash Message Authentication Code (HMAC)

Hash message authentication code (HMAC) is used in HMAC-based One-Time Password (HOTP) standard to create one-time passwords.

PANAMA

No info about this.

TIGER

No info about this.

ADLER32

No info about this.

CRC32

No info about this.

Encryption Standards

NIST’s Digital Signature Standard (DSA)

Digital Signature algorithms included in Digital Signature Standard (DSA), issued by NIST:

  1. Digital Signature Standard (DSA)
  2. Elliptic Curve Digital Signature Standard (ECDSA)
  3. RSA

SP 800-56A has the title “Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography”.

SP 800-56B has the title “Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography”.

SP 800-56C hast the title “Recommendation for Key-Derivation Methods in Key-Establishment Schemes”.

Federal Information Processing Standard (FIPS)

Within the NIST, there is the Computer Security Resource Center (CSRC).

There is a series of publications issued by NIST CSRC that is called Federal Information Processing Standard (FIPS). You can check the full list of FIPS series publications on this link.

FIPS 140 series has the title “Security Requirements for Cryptographic Modules”. There are different version of this publication; as of October 2022, the latest is FIPS 140-3, that supersedes FIPS 140-2.

There are validation certificates for FIPS 140.

FIPS 186 series has the title “Digital Signature Standards”. As of 2023, its latest version is FIPS 186-5, and it can be read on this external link.

You might be also interested in…

External References

  • VeraCrypt application
  • HashCalc application; SlavaSoft
  • “CISSP Official Study Guide Ninth Edition”, Mike Chaple, James Michael Stewart, Darril Gibson; Sybex; 2021; Chapter 6 “Cryptography and Symmetric Key Algorithms”, pp. 247-252
  • “CISSP Official Study Guide Ninth Edition”, Mike Chaple, James Michael Stewart, Darril Gibson; Sybex; 2021; Chapter 7 “PKI and Cryptographic Applications”, pp. 264-271
  • “CISSP Official Study Guide Ninth Edition”, Mike Chaple, James Michael Stewart, Darril Gibson; Sybex; 2021; Chapter 7 “PKI and Cryptographic Applications”, pp. 271-274

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *