Same key encrypts and decrypts. This is the oldest and most intuitive form of cryptography — and it remains the workhorse of every secure system in use today.
Alice and Bob both have copies of the same key. Alice locks the message in a box, sends it over an insecure channel, and Bob unlocks it with his identical key. Simple. Fast. The entire security of the system rests on one assumption: nobody else has a copy of that key.
This is symmetric cryptography in a sentence. And it immediately surfaces the fundamental problem: how do Alice and Bob get the same key in the first place without an eavesdropper intercepting it? This is the key distribution problem, and solving it is what drove the invention of public-key cryptography.
It might seem that public-key cryptography would replace symmetric crypto entirely. It doesn’t. Asymmetric operations are orders of magnitude slower — RSA encryption is roughly 1000x slower than AES. In practice, every secure channel uses asymmetric crypto to exchange a symmetric key, then switches to symmetric crypto for the actual data. TLS, SSH, Signal — all follow this pattern. Symmetric crypto is the engine; asymmetric crypto is the ignition.
A block cipher encrypts fixed-size chunks of data — typically 128 bits — using a secret key. AES (Advanced Encryption Standard) is the dominant block cipher, selected by NIST in 2001 after a multi-year public competition. AES operates on 128-bit blocks with key sizes of 128, 192, or 256 bits.
But raw AES encrypts exactly one 128-bit block. Real messages are longer than 16 bytes. The way multiple blocks are handled is called the mode of operation, and choosing the wrong mode is a catastrophic mistake.
ECB (Electronic Codebook): encrypts each block independently with the same key. Identical plaintext blocks produce identical ciphertext blocks. This preserves patterns — the famous ECB penguin image demonstrates that the outline of an image remains visible through its ECB encryption. Never use ECB.
CBC (Cipher Block Chaining): XORs each plaintext block with the previous ciphertext block before encrypting. Hides patterns, but is sequential (can’t parallelize encryption) and vulnerable to padding oracle attacks if implemented carelessly.
CTR (Counter): turns the block cipher into a stream cipher by encrypting a counter, then XORing the output with plaintext. Parallelizable. No padding needed.
GCM (Galois/Counter Mode): CTR mode plus a built-in authentication tag. Encryption and integrity verification in one operation. This is the mode to use. AES-256-GCM is the gold standard for symmetric encryption.
Instead of encrypting blocks, a stream cipher generates a pseudorandom keystream and XORs it with the plaintext byte by byte. The keystream is produced from the key and a nonce (number used once).
ChaCha20: designed by Daniel Bernstein, widely adopted as an alternative to AES in software implementations. ChaCha20 is faster than AES on platforms without hardware AES acceleration (most ARM devices until recently). It is the cipher behind ChaCha20-Poly1305, the AEAD construction used in TLS 1.3, WireGuard, and SSH.
Both CTR mode and stream ciphers have a critical constraint: never reuse a nonce with the same key. When two different messages are encrypted with the same key and nonce, an attacker can XOR the two ciphertexts together, canceling out the keystream and recovering the XOR of the two plaintexts. From there, recovery of both plaintexts is often straightforward using frequency analysis.
This is not a theoretical concern. Real-world systems have been broken by nonce reuse, including WPA2 (the KRACK attack).
When choosing a symmetric cipher to encrypt data, AES-256-GCM is the default choice unless there is a specific, well-understood reason not to use it. It provides:
The alternative for software-only environments is ChaCha20-Poly1305, which provides the same guarantees with better performance on platforms lacking AES hardware instructions.
Every HTTPS connection uses symmetric encryption for bulk data transfer. TLS negotiates a symmetric key during the handshake, then encrypts all application data with AES-GCM or ChaCha20-Poly1305. Database encryption at rest is AES. Full-disk encryption (FileVault, LUKS, BitLocker) is AES.
The key exchange — how two parties agree on a symmetric key without an attacker learning it — is the hard part. That is what asymmetric crypto and Diffie-Hellman solve. But once the key is established, symmetric crypto does all the heavy lifting.
The cryptographic algorithm is almost never the weakest link. Key management is. How are keys generated? Where are they stored? Who has access? How are they rotated? How are they revoked? A system using AES-256-GCM with keys stored in plaintext in environment variables is weaker than a system using AES-128-GCM with keys in a hardware security module. The algorithm is the easy part. The operational discipline around keys is where systems fail.
This lesson establishes:
Next: Hash Functions