Symmetric Cryptosystems: DES, AES, RC4 and Blowfish

Your journey to becoming a forensic professional starts here.

Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.

Start Free Mock Test Create Your Account

Symmetric Cryptosystems: DES, AES, RC4 and Blowfish | ForensicSpot

Every byte of bulk-encrypted data an Indian forensic examiner deals with passes through a symmetric cipher. WhatsApp's message database, Aadhaar's UIDAI authentication payloads, UPI's pay leg, BitLocker volumes seized in cybercrime raids, and ransomware-encrypted hospital records all use AES under the hood. Understanding which symmetric cipher, in which mode, with what IV handling, with what key derivation, with what authentication, decides whether the report will hold up under cross-examination or fall apart on the second question from the defence.

This topic covers the symmetric half of the digital forensics cryptography block: the block-versus-stream split, the seven modes of operation (ECB, CBC, CTR, GCM, XTS, plus OFB and CFB for completeness), the DES family from its 1977 publication to Triple-DES's 2023 NIST deprecation, AES internals through the SubBytes/ShiftRows/MixColumns/AddRoundKey round structure, why RC4 was buried in 2015, Blowfish and its successor Twofish, ChaCha20-Poly1305 as the modern mobile-friendly alternative, and the strength-comparison arithmetic that makes AES-256 the default for Indian regulated systems. It assumes the vocabulary from Cryptography Fundamentals: Symmetric vs Asymmetric, Substitution and Transposition. The companion topic on Asymmetric Cryptosystems, Hashing, PKI and Digital Signatures covers the other half, and the attack catalogue in Cryptanalysis, Cryptographic Attacks and Diffie-Hellman closes the loop on the breaks that target the modes and key-management layers below.

Key terms

Block cipher: A symmetric cipher that operates on fixed-size blocks (typically 64 or 128 bits) under a key. AES is a 128-bit-block cipher; DES and Blowfish are 64-bit. Modes of operation define how to handle messages longer than one block.
Stream cipher: A symmetric cipher that produces a pseudo-random keystream which is XORed bit-by-bit or byte-by-byte with the plaintext. RC4 (legacy), ChaCha20 (current). Stream ciphers can also be built from block ciphers via CTR mode.
Mode of operation: The wrapping protocol that defines how a block cipher handles arbitrary-length data, what IV or nonce is used, and whether integrity is included. The same block cipher under ECB and GCM has very different security properties.
AEAD: Authenticated Encryption with Associated Data. Combines confidentiality and integrity in one primitive. AES-GCM and ChaCha20-Poly1305 are the two modern standards. TLS 1.3 allows only AEAD modes.
AES-NI: AES New Instructions: hardware AES acceleration introduced on Intel Westmere (2010) and AMD Bulldozer (2011) and now ubiquitous. Single-cycle round operations make AES-128-GCM run at multiple GB/s per CPU core and produce constant-time, side-channel-resistant code.
Constant-time crypto: An implementation whose execution time, memory access pattern and power profile do not depend on the secret key or plaintext. The defence against timing, cache and power side channels. AES-NI is constant-time by hardware design; software AES with T-tables is not.

Block ciphers vs stream ciphers

Two structural families. Pick by data shape, not by intuition.

A symmetric cipher is one of two structural families. Both can be made arbitrarily secure with the right design; they differ in how they handle data shape.

A block cipher operates on a fixed-size block of plaintext, typically 64 bits (DES, Blowfish, 3DES) or 128 bits (AES, Twofish, Camellia, ARIA). Encrypt and decrypt are bijections on the block space, parametrised by the key. Messages longer than one block need a mode of operation that defines how to split, chain or otherwise process the data. Messages shorter than one block need padding (PKCS#7 is the standard) or a streaming mode that avoids padding entirely.

A stream cipher produces a pseudo-random keystream from the key (and usually a nonce). Plaintext is XORed with the keystream byte-by-byte or bit-by-bit. There is no block alignment, no padding, and the same key with two different nonces produces independent ciphertexts. RC4 is the historical example; ChaCha20 and Salsa20 are the current ones. Block ciphers in CTR or OFB mode behave as stream ciphers, which is why "stream cipher" today often means "any cipher used in a streaming way."

Property	Block cipher (raw)	Stream cipher
Granularity	Fixed block (64 or 128 bits)	Bit or byte
Padding	Required for non-block-aligned input	Not required
State	Stateless (key only)	Stateful keystream (key + nonce + position)

Modes of operation: ECB, CBC, CTR, GCM, XTS

The block cipher is the engine. The mode is the protocol. Most failures live in the mode, not the engine.

A block cipher on its own encrypts 16 bytes at a time. Real messages are longer. The mode of operation defines what happens between the blocks.

ECB (Electronic Codebook). Each plaintext block encrypts independently under the same key. Deterministic: the same plaintext block always produces the same ciphertext block. Catastrophic in practice because plaintext patterns leak through. The "ECB penguin" image (encrypt a bitmap of Tux the penguin in ECB and you can still see the penguin) is the canonical demonstration. Forensic flag: an "encrypted" file whose ciphertext shows visibly repeating 16-byte patterns where the plaintext had repeating structure is almost always ECB-mode.
CBC (Cipher Block Chaining). Each plaintext block is XORed with the previous ciphertext block before encryption. The first block uses a random IV (initialisation vector). Deterministic patterns are destroyed. Requires padding for non-aligned input. Vulnerable to padding-oracle attacks if no MAC is applied: an attacker who can submit ciphertexts and learn whether the padding parses successfully can decrypt arbitrary ciphertexts byte-by-byte. The 2010 ASP.NET vuln, the 2013 Lucky 13 TLS attack and the 2014 POODLE attack all turned on CBC without proper authentication.
CTR (Counter). Encrypt a counter (nonce concatenated with a sequence number) under the key and XOR the output with the plaintext. Turns the block cipher into a stream cipher. No padding needed. Random access for free (decrypt block N by encrypting counter N). Requires a unique nonce per message per key, forever, or security collapses (two messages with the same nonce yield XOR of plaintexts on inspection).
GCM (Galois/Counter Mode). CTR mode for confidentiality plus a Galois-field MAC for integrity. The result is an AEAD: one primitive provides confidentiality and integrity together. TLS 1.3 default cipher suite is TLS_AES_128_GCM_SHA256 (or AES_256_GCM_SHA384). Per-message nonce is 12 bytes; per-key nonce reuse breaks both confidentiality and authentication.
XTS (XEX-based Tweaked-codebook with ciphertext Stealing). Designed for full-disk encryption. Each sector is encrypted with a tweak derived from the sector number, so identical plaintext sectors at different positions produce different ciphertexts. Two AES keys are used (key1 for data, key2 for tweak). BitLocker (Windows 10+), FileVault 2 (macOS), LUKS2 (Linux default since 2018) and dm-crypt all use AES-XTS-128 or AES-XTS-256. The forensic workflow for recovering these volumes (key extraction from RAM, hibernation files, escrow, hashcat brute force) is in .

DES, Triple-DES and the Feistel network

The 1977 standard. Broken by 1998. Triple-DES bought 25 years; NIST retired it in 2023.

The Data Encryption Standard (DES) was published as FIPS 46 in 1977, the first cipher to be openly standardised by the US National Bureau of Standards (now NIST) for non-military use. It defined the symmetric-encryption landscape for two decades.

Structural facts an examiner needs:

64-bit block size, 56-bit effective key length. The key is specified as 64 bits but every eighth bit is a parity bit; the actual entropy is 56 bits.
Feistel network with 16 rounds. Each round splits the 64-bit block into 32-bit halves, applies a key-dependent function to one half, XORs it into the other, and swaps. Feistel structure means encryption and decryption use the same circuitry (just with the round subkeys applied in reverse order), which was a hardware-cost advantage in 1977.
Eight 6-by-4 S-boxes provide the nonlinear element. The S-box design was contributed by IBM with input from the NSA; for years the cryptographic community suspected backdoors, but Eli Biham and Adi Shamir's 1990 paper on differential cryptanalysis revealed that the S-boxes had been specifically tuned to resist exactly that attack, which IBM and NSA had known about 15 years before academia rediscovered it.

DES's fate was sealed by Moore's law. The EFF DES Cracker ("Deep Crack"), built in 1998 for under $250,000, brute-forced a DES key in 56 hours; a follow-up effort with distributed.net got it to 22 hours. By 2010 a moderate cluster could do it in minutes. DES is dead.

Triple-DES (3DES, TDEA) keeps the DES engine but applies it three times with three different 56-bit keys: ciphertext = E_k3(D_k2(E_k1(plaintext))). The encrypt-decrypt-encrypt structure preserves backward compatibility (set k1 = k2 = k3 and you have plain DES). The effective key length is 112 bits, not 168, because of the meet-in-the-middle attack that lets an attacker trade memory for time and break two-key-equivalent constructions in roughly 2^112 work. 3DES survived in legacy banking systems through the 2010s. NIST SP 800-131A formally deprecated 3DES after December 2023; it is now forbidden for new federal cryptographic deployments. Indian banks running legacy PIN-block protection have been migrating to AES under RBI guidance since 2020.

AES: the Rijndael that won the contest

The 2001 winner. 25 years of attack and still standing. The default for everything that matters.

The Advanced Encryption Standard (AES) was published as FIPS 197 in November 2001, capping a four-year open NIST competition (1997 to 2000) that received 15 submissions, narrowed to 5 finalists (MARS, RC6, Rijndael, Serpent, Twofish) and selected Rijndael by Belgian cryptographers Joan Daemen and Vincent Rijmen.

AES's structural facts:

128-bit block size, fixed. The original Rijndael supported 128, 192 and 256-bit blocks; AES standardised only 128.
Three key sizes: 128, 192, 256 bits. Corresponding round counts: 10, 12, 14.
Substitution-Permutation Network (SPN), not Feistel. Encryption and decryption use different operations (S-box vs inverse S-box; MixColumns vs inverse MixColumns), which costs more silicon but gives sharper diffusion per round.
Per-round operations: SubBytes, ShiftRows, MixColumns, AddRoundKey. The final round skips MixColumns (a quirk of the design to make decryption symmetric).

The four operations, in detail:

Operation	What it does	What property it provides
SubBytes	Replaces each byte in the 4x4 state matrix via a fixed 8-bit S-box (multiplicative inverse in GF(2^8) followed by an affine transform)	Nonlinearity (confusion)
ShiftRows	Cyclically shifts row i of the state by i positions to the left	Inter-column diffusion
MixColumns

RC4, Blowfish and the also-rans

One dead, one retired but still in bcrypt, several still around for legacy reasons.

RC4 (Rivest Cipher 4, 1987). A stream cipher designed by Ron Rivest at RSA Security. Internally it maintains a 256-byte state permutation S and two indices i and j. The Key Scheduling Algorithm (KSA) seeds S from the key; the Pseudo-Random Generation Algorithm (PRGA) outputs one keystream byte per step. Variable-length key from 40 to 2048 bits. RC4's selling points were speed (the simplest stream cipher to implement) and minimal memory footprint. It powered SSL 3.0 / TLS 1.0 / TLS 1.1 web traffic, WEP, WPA-TKIP and countless proprietary protocols.

RC4's death was slow but inevitable:

1995: Wagner and Goldberg showed weak keys in RC4's KSA.
2001: Fluhrer, Mantin and Shamir published the FMS attack, exploiting the first-byte bias to recover WEP keys with a few million captured packets.
2005: Klein's attack reduced the WEP break to under a minute on a typical home router.
2013: Microsoft, Mozilla and Google began deprecating RC4 in browsers.
2015: RFC 7465 formally prohibited RC4 in TLS.

RC4 is dead. The only encounter an examiner has with RC4 in 2026 is on legacy hardware (very old Cisco gear, ancient Windows DC traffic, MS Office 97-2003 password protection on .doc files), in malware that uses RC4 as a configuration-decryption layer, and in WEP-secured IoT devices that should be replaced.

Blowfish (Bruce Schneier, 1993). A 64-bit block, Feistel-style cipher with 16 rounds and a variable key length of 32 to 448 bits. Public domain (unpatented and free for any use), which made it the symmetric cipher of choice for open-source projects in the 1990s. It is fast on 32-bit CPUs but the 64-bit block makes it vulnerable to Sweet32 birthday attacks for long sessions (after roughly 32 GB on one key, ciphertext collisions become probable, leaking plaintext via XOR). Blowfish is not recommended for new bulk-encryption applications.

The one place Blowfish survives in mainstream production is bcrypt, the password-hashing function based on a deliberately expensive Blowfish key schedule. Niels Provos and David Mazieres designed bcrypt in 1999; it is still the default password hash in PostgreSQL, OpenBSD, and many Rails / Laravel / Django stacks. bcrypt's strength is the tunable cost factor (work parameter from 4 to 31), which lets defenders make password cracking deliberately slow.

Twofish (1998). Schneier's successor to Blowfish, an AES finalist with a 128-bit block and 128/192/256-bit keys. Lost to Rijndael in the AES competition but is still used in some VeraCrypt installations (selectable as an alternative cipher) and in older PGP versions. No serious cryptanalytic break is known.

Strength comparison, hardware vs software, and the Indian regulated stack

AES-256 at the top, 3DES retired, RC4 dead. The numbers behind the recommendation.

The strength of a symmetric cipher is dominated by its key length and by any known attack that reduces the effective key length below the brute-force bound.

Cipher	Key length	Brute-force bound	Effective security	2026 status
DES	56 bits	2^56	2^56 (broken in 22 hours by 1998 EFF cracker)	Forbidden
3DES (3-key)	168 bits stored	2^168	2^112 due to meet-in-the-middle	NIST deprecated post-2023
Blowfish	32 to 448 bits	2^N for N-bit key	Practically 2^N; Sweet32 limits sessions to ~32 GB	Not recommended for new bulk encryption
AES-128	128 bits	2^128

Practice

Question 1 of 5· 0 answered

A captured ciphertext file is exactly 1,048,592 bytes long (1 MB plus 16 bytes). The plaintext is suspected to be a Word document. Which mode of operation is most consistent with this size profile?

Frequently asked questions

What is the practical difference between AES-128 and AES-256 in a 2026 deployment?

Both are believed secure against all known classical attacks. AES-128 has a 2^128 brute-force bound; AES-256 has 2^256. The gap matters for two reasons: long-life data confidentiality (an Aadhaar record encrypted today should still be secret in 2070) and post-quantum margin (Grover's algorithm on a future cryptographically relevant quantum computer would halve the effective key length, so AES-128 becomes 2^64 quantum-secure, which is marginal; AES-256 becomes 2^128, which is still safe). Performance difference is negligible on AES-NI hardware (AES-256 uses 14 rounds instead of 10, about 35% more work per block, which is unnoticeable in practice). For Indian regulated systems handling biometric or financial data, AES-256 is the default.

Why was AES selected over the other four AES competition finalists?

Rijndael won on a combination of factors. It was faster than Serpent and MARS on every reference platform tested. It was simpler to analyse than RC6 and Twofish. It had a more elegant algebraic structure (operations over GF(2^8) with clean diffusion properties) that made it easier to argue security mathematically. It was implementable in constrained environments (smartcards) where Serpent's larger state was awkward. The NIST report also noted that Rijndael's algebraic structure was a slight concern (some worried it could enable algebraic attacks), but a decade of post-AES cryptanalysis has not produced any such attack. AES is now the most-attacked, most-deployed symmetric cipher in history and it is holding up.

Is RC4 ever safe to use today?

No. RFC 7465 formally prohibits RC4 in TLS as of 2015. Browsers (Chrome, Firefox, Safari, Edge) removed RC4 support around 2016. The FMS, Klein, Mantin and many subsequent attacks against RC4's keystream biases make it unsuitable for any new deployment. The only places RC4 still appears in 2026 are in legacy hardware that cannot be replaced (very old SCADA, ancient embedded routers), in malware using RC4 as a configuration-obfuscation layer (which the examiner needs to recognise and reverse), and in MS Office 97-2003 password protection (which falls to hashcat in minutes). For new work, AES-GCM or ChaCha20-Poly1305 are the two acceptable choices.