This post summarizes common (and some uncommon) encryption algorithms and hashing algorithms.
Some of them have been deprecated over the time. So if you are looking for one to implement, please check this.
Cryptographic Systems
The cryptographic systems that are checked in this post are:
- Symmetric Key Cryptographic Systems
- Asymmetric Key Cryptographic Systems
- One-way Hash/Message Digest Algorithms
Symmetric Key Cryptographic Systems
The number of keys needed in a symmetric key system can be calculated as:
n * (n-1) / 2
where n is the number of users that want to exchange information to each other.
Symmetric Key Cryptographic Systems:
- Data Encryption Standard (DES)
- Triple DES (3DES)
- Advanced Encryption Standard (AES)
- Rivest Ciphers (RC) family
- RC4
- RC5
- RC6
- Blowfish
- Twofish
- International Data Encryption Algorithm (IDEA)
- Skipjack
- CAST family
- CAST-128
- CAST-256
- Serpent
- IDEA
- Salsa20 / ChaCha
- Grain 128a
- Camellia
- Kuznyechik
As of 2021, NIST recommends AES.
Data Encryption Standard (DES)
DEPRECATED
It is vulnerable to brute-force attacks due to its limited key length (56-bit).
Withdrawn by NIST.
Triple DES (3DES)
DEPRECATED
Proposed extension of DES standard that retains backward compatibility. It applies the DES cipher algorithm three times to each data block.
It is vulnerable to the Sweet32 attack SP 800-67 Rev2.
3DES is deprecated. It was deprecated by NIST in 2017 through the document .
Advanced Encryption Standard (AES)
It was originally known as Rijndael (pronounced “rain-dahl”), but it was coined as Advanced Encryption Standard (AES) after it won the contest of the same name.
Public algorithm that supports keys of 128, 192 and 256 bits in size.
As of 2024, it is the symmetric algorithm recommended by NIST.
RC Family
RC4
DEPRECATED
Stream-cipher often used in SSL/TLS protocol sessions.
It is used in the WLAN standard WEP.
RC5
It is a parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds. The key size is 128-bits.
RC6
RC6 is a symmetric key block cipher derived from RC5 with two additional features.
Blowfish
DEPRECATED
Blowfish is a type of symmetric block cipher algorithm, designed to replace DES or IDEA algorithms.
It has vulnerabilities, including the birthday attack.
Developed by Bruce Schneier.
Twofish
Developed by Bruce Schneier, the same as Blowfish.
It was finalist in the AES Contest.
The creator of Blowfish recommends Twofish over its own cypher.
Skipjack
Skijack was approved by U.S. government as the Escrowed Encryption Standard (EES). It required escrow procedures within the U.S. Government.
CAST family
It comes in two forms:
- CAST-128
- CAST-256
CAST-128
CAST-128 uses a maximum of key size of 128 bits.
CAST-256
CAST-256 uses a maximum of key size of 256 bits.
Serpent
It was finalist in the AES Contest.
International Data Encryption Algorithm (IDEA)
IDEA was intended as a replacement for DES.
It is incorporated in Pretty Good Privacy (PGP) v2.
It is less common than the others.
Salsa20 / ChaCha
ChaCha is an improvement of Salsa20.
Grain 128a
Grain 128a was proposed in 2011.
Camellia
Less common than the others.
Included in VeraCrypt software.
Kuznyechik
Less common than the others.
Included in VeraCrypt software.
Asymmetric Key Cryptographic Systems
The number of keys needed in a symmetric key system can be calculated as:
n * 2
where n is the number of users that want to exchange information to each other.
This is because you need a private key and a public key for each user within the system.
Asymmetric Key Cryptographic Systems
- Rivest-Shamir-Adleman (RSA)
- Merkle-Hellman Knapsack
- Elliptic Curve Cryptography (ECC)
- Diffie-Hellman
- ElGamal
- Digital Signature Algorithm (DSA)
- Fortezza
RSA is the most popular asymmetric algorithm.
Rivest-Shamir-Adleman (RSA)
The most popular asymmetric algorithm, and currently a worldwide standard.
Proposed in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman.
The main drawback lies in the length of the keys (between 1024 and 4096 bits) and the complexity of calculations for encoding and decoding.
RSA started with a patent on its algorithm, but it was released into the public domain in 2000.
Merkle-Hellman Knapsack
DEPRECATED
It was published soon after RSA.
It was broken in 1984.
Elliptic Curve Cryptography (ECC)
Published in 1985 independently by mathematicians Neal Koblitz (University of Washington, USA) and Victor Miller (IBM, USA).
It has higher speed at encrypting/decrypting with significantly shorter keys than other algorithms (between 256 and 512 bits). Providing the same level of protection, ECC keys are 12 times shorter than RSA.
Providing the same level of protection ECC double size of symmetric encryption keys.
Because of its lighter processing demands, it is used on mobile phones.
ECC depends on the elliptic curve discrete logarithm problem.
A variant is Elliptic Curve Digital Standard Algorithm (ECDSA), specified in ANSI X9.62. This algorithm is listed in Digital Signature Standard (DSS) by NIST.
RSA was released to the public domain in 2000.
Diffie-Hellman
One of the earliest practical examples of public key exchanges.
ElGamal
Published in 1985 by Egyptian Dr. Taher Elgamal, who worked then for Netscape.
It is an extension of Diffe-Hellman algorithm.
It did not obtain a patent, so it has always been in the public domain. Because of this, it was an patent-free alternative to RSA until 2000, when RSA was released into the public domain.
The ciphertext encrypted with this algorithm doubles the size of the plain text; this is considered one of its drawbacks.
Digital Signature Algorithm (DSA)
It is specified by NIST in Federal Information Processing Standards (FIPS) 186-4, also known as Digital Signature Standard (DSS).
It is a variant of an algorithm by Taher Elgamal.
Fortezza
Used by US Government.
One-way Hash Functions
One-way hash or message digest algorithms:
- MD family
- MD2
- MD4
- MD5
- Secure Hash Algorithm (SHA) Family
- SHA-1
- SHA-2
- SHA-256
- SHA-384
- SHA-512
- SHA-3
- Whirlpool
- Streboog
- RIPEMD
- Hash of Variable Length (HAVAL)
- Hash Message Authentication Code (HMAC)
- PANAMA
- TIGER
- ADLER32
- CRC32
SHA-2 is the standard, though SHA-3 is more secure but more difficult to implement.
Ways to manage collision:
- Open Addressing
- Separate Chaining
MD Family
MD2
DEPRECATED
MD4
DEPRECATED
MD5
DEPRECATED
SHA Family
They are supported by NIST through the publication of Secure Hash Standard (SHS), also known as FIPS 180.
SHA-1
DEPRECATED
Developed by NSA. It has been substituted by its successor SHA-2.
SHA-2
SHA-2 contain different has functions, like SHA-256 (one of the most popular), SHA-384 and SHA-512.
Validated by NESSIE project and NSA.
SHA-3
SHA-3 has been announced by NIST in the event a successful attack is developed against SHA-2.
SHA-3 uses the sponge construction in which message blocks are XORed into the initial bits of the state, which is then invertibly permuted
Whirlpool
Validated by NESSIE project and ISO.
RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
RACE Integrity Primitives Evaluation Message Digest (RIPEMD) is a 160-bit hash algorithm developed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. There exist 128, 256 and 320-bit versions of this algorithm, called RIPEMD-128, RIPEMD-256, and RIPEMD-320, respectively. These all replace the original RIPEMD, which was found to have collision issue. It does not follow any standard security policies or guidelines.
It is used on cryptocurrencies like BitCoin.
Hash of Variable Length (HAVAL)
DEPRECATED
Hash of Variable Length (HAVAL) is a modification of MD5.
HAVAL was broken in 2004.
Hash Message Authentication Code (HMAC)
Hash message authentication code (HMAC) is used in HMAC-based One-Time Password (HOTP) standard to create one-time passwords.
PANAMA
No info about this.
TIGER
No info about this.
ADLER32
No info about this.
CRC32
No info about this.
Encryption Standards
NIST’s Digital Signature Standard (DSA)
Digital Signature algorithms included in Digital Signature Standard (DSA), issued by NIST:
- Digital Signature Standard (DSA)
- Elliptic Curve Digital Signature Standard (ECDSA)
- RSA
SP 800-56A has the title “Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography”.
SP 800-56B has the title “Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography”.
SP 800-56C hast the title “Recommendation for Key-Derivation Methods in Key-Establishment Schemes”.
Federal Information Processing Standard (FIPS)
Within the NIST, there is the Computer Security Resource Center (CSRC).
There is a series of publications issued by NIST CSRC that is called Federal Information Processing Standard (FIPS). You can check the full list of FIPS series publications on this link.
FIPS 140 series has the title “Security Requirements for Cryptographic Modules”. You can read more, including FIPS 140-2 and FIPS 140-3 on this post about FIPS 140.
FIPS 186 series has the title “Digital Signature Standards”. As of 2023, its latest version is FIPS 186-5, and it can be read on this external link.
H.235
H.235 is a cryptography standard by the international organization ITU-T. It covers security and encryption for H.323 and other H.245 based terminals.
The standard addresses authentication by means of several algorithms, including Diffie-Hellman methods, and privacy. Privacy allows for encryption, also of the media streams.
You might be also interested in…
External References
- VeraCrypt application
- HashCalc application; SlavaSoft
- “CISSP Official Study Guide Ninth Edition”, Mike Chaple, James Michael Stewart, Darril Gibson; Sybex; 2021; Chapter 6 “Cryptography and Symmetric Key Algorithms”, pp. 247-252
- “CISSP Official Study Guide Ninth Edition”, Mike Chaple, James Michael Stewart, Darril Gibson; Sybex; 2021; Chapter 7 “PKI and Cryptographic Applications”, pp. 264-271
- “CISSP Official Study Guide Ninth Edition”, Mike Chaple, James Michael Stewart, Darril Gibson; Sybex; 2021; Chapter 7 “PKI and Cryptographic Applications”, pp. 271-274
[…] Encryption algorithms […]