{
    "slug": "symmetric_encryption",
    "term": "Symmetric Encryption",
    "category": "cryptography",
    "difficulty": "advanced",
    "short": "Encryption where the same key encrypts and decrypts data — fast and suitable for bulk data, but key distribution is the primary challenge.",
    "long": "Symmetric algorithms (AES, ChaCha20) use one key for both operations. AES-256-GCM is the current gold standard: 256-bit key, Galois/Counter Mode provides both encryption and authentication (AEAD). A unique random IV (nonce) must be used for every encryption with the same key. ChaCha20-Poly1305 is preferred on systems without AES hardware acceleration. The key distribution problem — securely sharing the key — is solved using asymmetric encryption or key exchange protocols.",
    "aliases": [
        "AES",
        "AES-256-GCM",
        "ChaCha20",
        "AEAD"
    ],
    "tags": [
        "cryptography",
        "security",
        "encryption"
    ],
    "misconception": "AES-256 in any mode is secure — AES-256-ECB (Electronic Codebook) encrypts identical blocks identically, leaking data patterns; always use GCM or another authenticated mode.",
    "why_it_matters": "Using the wrong cipher mode (ECB) or reusing an IV turns strong AES into weak or broken encryption — implementation choices matter as much as key length.",
    "common_mistakes": [
        "Using ECB mode — identical plaintext blocks produce identical ciphertext, revealing patterns.",
        "Reusing the same IV with the same key — completely breaks GCM security.",
        "Not using authenticated encryption (GCM) — unauthenticated ciphertext can be silently tampered with.",
        "Storing the IV separately from the ciphertext in an unreliable way — prepend IV to ciphertext for simple management."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "openssl_encrypt",
        "key_management",
        "encryption_at_rest",
        "weak_cryptography"
    ],
    "prerequisites": [
        "block_cipher_modes",
        "encryption_at_rest",
        "entropy"
    ],
    "refs": [
        "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html"
    ],
    "bad_code": "// AES-256-ECB — insecure mode, no authentication:\n$encrypted = openssl_encrypt($data, 'AES-256-ECB', $key);\n// Identical 16-byte blocks encrypt identically — patterns visible\n// No IV — deterministic, dictionary-attackable\n// No authentication — tampering undetectable",
    "good_code": "// AES-256-GCM — authenticated, random IV:\nfunction encrypt(string $plaintext, string $key): string {\n    $iv = random_bytes(12); // GCM standard IV size\n    $tag = '';\n    $ciphertext = openssl_encrypt(\n        $plaintext, 'AES-256-GCM', $key,\n        OPENSSL_RAW_DATA, $iv, $tag\n    );\n    return base64_encode($iv . $tag . $ciphertext); // IV + auth tag + ciphertext\n}\n\nfunction decrypt(string $encoded, string $key): string {\n    $data = base64_decode($encoded);\n    $iv = substr($data, 0, 12);\n    $tag = substr($data, 12, 16);\n    $ciphertext = substr($data, 28);\n    return openssl_decrypt($ciphertext, 'AES-256-GCM', $key, OPENSSL_RAW_DATA, $iv, $tag);\n}",
    "quick_fix": "Use PHP's Sodium extension (sodium_crypto_secretbox) for authenticated symmetric encryption — it's simpler and safer than OpenSSL's AES-GCM because it handles nonce generation and authentication automatically",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/symmetric_encryption",
        "html_url": "https://codeclaritylab.com/glossary/symmetric_encryption",
        "json_url": "https://codeclaritylab.com/glossary/symmetric_encryption.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Symmetric Encryption](https://codeclaritylab.com/glossary/symmetric_encryption) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/symmetric_encryption"
            }
        }
    }
}