Encryption Basics: How It Works & Why You Need It
What is encryption and how does it work?
While IT security seeks to protect our physical assets—networked computers, databases, servers, etc.—encryption protects the data that lives on and between those assets. It’s one of the most powerful ways to keep your data safe, and while it isn’t impenetrable, it’s a major deterrent to hackers. Even if data does end up getting stolen, it will be unreadable and nearly useless if it’s encrypted.
How does it work? Encryption—based on the ancient art of cryptography—uses computers and algorithms to turn plain text into unreadable, jumbled code. To decrypt that ciphertext into plaintext, you need an encryption key, a series of bits that decode the text. The key is something only you or the intended recipient has in their possession. Computers are capable of breaking encrypted code by guessing an encryption key, but for very sophisticated algorithms like an elliptic curve algorithm, this could take a very, very long time.
Here’s a very simple example. Say you want to encrypt this sentence: “Protect your data with encryption.” If you use a 39-bit encryption key, the encrypted sentence would look like this:
You can send that encrypted message to someone, separately share the key, then they’re able to decrypt it and read the original sentence.
If you send an encrypted email, only the person with the encryption key can read it. If you’re using an encrypted internet connection to shop online, your information and credit card number are hidden from unauthorized users, like hackers, illegal surveillance, or identity thieves. If you encrypt data before syncing it with the cloud, the cloud—or anyone breaking into it—can’t read that data. Even iPhones are encrypted to protect their data if they’re lost or stolen—something that has made headlines when organizations like the FBI or the NSA need access to them for investigations.
But encryption can be used for bad, too. Ransomware attacks, also called denial of service (DOS) attacks, are becoming more prevalent; they use encryption software to lock users out of their computers until they pay a fee.
Encrypting Data “In Transit” vs. Data “At Rest”
Basically, the data we encrypt is always either:
- In transit, meaning it’s moving via email, in apps, or through browsers and other web connections
- At rest, when data is stored in databases, the cloud, computer hard drives, or mobile devices
Encrypting this data is achieved mainly through:
- Full disk encryption (FDE): the primary way to protect computer hard drives and the at-rest data on them. Any files saved to the disk (or an external hard drive) are automatically encrypted. There are intermediate options for disk encryption as well (folder encryption, volume encryption, etc.) that aren’t quite full-disk encryption but fall in between.
- File encryption: a way to encrypt at-rest data on a file-by-file basis so it cannot be read if intercepted. This isn’t automatic, but it’s beneficial because that data will stay encrypted after it’s left its place of origin.
- End-to-end (E2E) encryption: obscures any content of messages so only senders and receivers can read it, like the early Pretty Good Privacy (PGP) email encryption software. The idea with E2E encryption is that it tackles all the vulnerabilities on the communication chain: the middle (intercepting a message during delivery), and both ends (sender and receiver). This is not just a niche offering anymore, either—platforms like Facebook Messenger and Apple’s iMessage have E2E encryption now, too.
- Encrypted web connections: via HTTPS, encrypted web connections use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. With secure internet connections, we’re able to have better protected communications on the web. These aren’t impenetrable, but there’s less risk of exploitation. How it works: HTTPS uses SSL and TLS certificates when a browser and server communicate over the web. These are encryption keys, and when both browser and server have them, they’re authorized to access the encrypted data that’s passed between them. It’s a very basic, but very important, security measure when connecting to the web. If you’ve ever seen “https” instead of “http,” or noticed a lock in the URL bar of your browser, you’re accessing a secure site.
- Encrypted email servers: S/MIME (Secure/Multipurpose Internet Mail Extensions) public key encryption essentially gives SMTP (simple mail transfer protocol) email servers a leg up by allowing them to send and receive encrypted messages, not just simple text messages.
- Pre-encrypting data that’s synced with the cloud: there’s plenty of software available that can pre-encrypt data before it even gets to the cloud, making it unreadable by the cloud or anyone who hacks into it. Note that any files still stored on the local machine aren’t encrypted and are still vulnerable. This protection covers only the files the encryption tool sends to the cloud.
Encryption can be simple, like secret-key, or incredibly complex, like the Advanced Encryption Standard (AES), depending on the algorithm and the length of the key. The longer the key, the more protection, but also the more processing power required to handle the encrypting and decrypting process.
A few types of encryption to know include:
- Secret-key algorithms: Also known as symmetric algorithms, or private-key algorithms, these use the same key for encryption and decryption. This is a touch more vulnerable because anyone who gets hold of that one key can read anything you encrypt. Also, passing that secret key over internet or network connections makes it more vulnerable to theft.
- Public-key algorithms: These are also known as asymmetric algorithms. With public-key encryption, there are two different, related encryption keys—one for encryption, and one for decryption. The public key is how the information is sent to you, and the private key decodes it (much like having a secure lock box on your front porch that a delivery person can put a package in, then only you can access that package with your private key). The benefit here is the key isn’t subject to being sent over insecure networks, but it does require more computer processing power so it’s a bit slower.
- Block ciphers: Like the Triple Data Encryption Standard (Triple DES, or 3DES), these encrypt data a block at a time. Triple DES uses three keys and is a pretty great encryption option for financial institutions that need to protect sensitive information.
- Stream ciphers: A symmetric algorithm that uses a keystream (a series of pseudorandom values) to encrypt plaintext one character at a time. Rabbit, W7, and RC4 are popular stream ciphers.
- Elliptic curve cryptography: A form of public-key encryption, it can be practically unbreakable for normal computers, or “hard.” This is security industry speak for technology that’s not completely unbreakable, but is generally accepted to be up to best standards.
- Blockchain cryptography: Blockchain technology is essentially a type of distributed database, best known as the basis for Bitcoin, that uses cryptography to safely store data about financial transactions. Blockchain cryptography is a form of “cryptocurrency,” using public-key encryption, and it’s valuable in its ability to provide direct, trustworthy and fraud-proof transactions between users on a peer-to-peer network. Because blockchain databases are distributed, they’re more resilient in the face of a DOS attack, so more companies are exploring this.
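The secret-key and stream-cipher entries above, and the earlier worked example with the sentence “Protect your data with encryption.”, carried through in code. This is an added example, not code from the article: the keystream is produced by HMAC-SHA256 run in counter mode over a random per-message nonce (a construction chosen for this illustration because it needs only Python’s standard library), and each plaintext byte is XORed with one keystream byte, exactly the one-character-at-a-time behaviour the stream-cipher entry describes. The key size, nonce size and sample message are constructed here.

```python
import hmac
import hashlib
import secrets

# Educational stream cipher: keystream = HMAC-SHA256(key, nonce || counter), and
# each plaintext byte is XORed with one keystream byte. The construction is an
# illustration of how a secret key turns text into ciphertext and back; it is not
# a replacement for a vetted cipher such as AES-GCM, and it has no integrity check.

KEY_BYTES = 32    # 256-bit secret key shared by sender and receiver (constructed size)
NONCE_BYTES = 16  # per-message value that must never repeat under the same key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Generate `length` pseudorandom bytes from the key and a unique nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext. A fresh random nonce is drawn for every message."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Recover the plaintext: XORing with the same keystream undoes the encryption."""
    nonce, ciphertext = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Encrypt the article's sample sentence and report what a reader should observe."""
    message = b"Protect your data with encryption."   # the article's own sample sentence
    key = secrets.token_bytes(KEY_BYTES)
    blob = encrypt(key, message)
    recovered = decrypt(key, blob)
    # A different key produces a different keystream, so decryption yields garbage.
    garbage = decrypt(secrets.token_bytes(KEY_BYTES), blob)
    # Encrypting the same sentence twice gives different ciphertexts because the nonce differs.
    blob2 = encrypt(key, message)
    return {
        "ciphertext_hex": blob[NONCE_BYTES:].hex(),
        "roundtrip_ok": recovered == message,
        "wrong_key_fails": garbage != message,
        "nonce_randomizes": blob[NONCE_BYTES:] != blob2[NONCE_BYTES:],
    }


if __name__ == "__main__":
    result = demo()
    print("ciphertext:", result["ciphertext_hex"])
    print("decrypted with the right key:", result["roundtrip_ok"])
```

Running `demo()` shows the three points the article makes: the ciphertext is unreadable hex, the holder of the key recovers the exact sentence, and a wrong key yields nothing useful. The nonce check is the practical caveat for any stream cipher: reusing a nonce under one key reuses the keystream, so a deployed system must guarantee uniqueness and should use an authenticated cipher that also detects tampering.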
A few popular algorithms include:
- Advanced Encryption Standard (AES): A block cipher, this is pretty much the gold standard, per the U.S. Government. It offers 128-, 192-, and 256-bit encryption, the last two reserved for instances that require extra-strength protection.
- RSA: This asymmetric algorithm uses paired keys and is pretty standard for encrypting information sent over the internet, although it’s been through some issues of getting broken, which have then been resolved.
- IDEA (International Data Encryption Algorithm): This block cipher with a 128-bit key has a great track record for not being broken.
- Signal Protocol: This open-source encryption protocol is used for asynchronous messaging, like email.
- Blowfish and Twofish: Both of these block ciphers are free to use and popular among e-commerce platforms for protecting payment information. They were created by the same person and offer symmetric encryption with keys varying in bit length. Twofish is the successor and offers longer encryption keys.
- Ring Learning With Errors or Ring-LWE: This protocol ramps up elliptic curves by adding in a new type of encryption that might be unbreakable by quantum computers.
What is key management and why is it important?
Key management is another important aspect of encryption. Keys are how all of that encrypted data becomes readable, so how you handle them is just as sensitive as the data itself.
Many businesses worry about this aspect of encryption—after all, if you lose an encryption key, you lose access to your data, too. That’s why key management dictates how keys are stored (and shared) so prying eyes can’t get a hold of them, making your entire encryption schema moot.
- Diffie-Hellman key exchange: A secure way for two parties to create a shared key, which then lets them exchange secure information. This method is also touted as offering “perfect forward secrecy,” meaning that, in theory, messages encrypted with a Diffie-Hellman key cannot be decrypted at any point in the future.
- Double Ratchet algorithm: Based on the above, the Double Ratchet algorithm is a key management algorithm used in end-to-end encryption of instant messaging, like the Signal messaging app.
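The forward-secrecy idea from the two key-management entries above, reduced to its symmetric half: a hash ratchet of the kind the Double Ratchet uses to derive one key per message. This is an added example, not the Signal implementation and not code from the article. Both parties start from one shared root key (in the Double Ratchet that root comes from a Diffie-Hellman-based handshake; here it is a constructed constant), each step derives a message key and the next chain key with HMAC-SHA256, and the previous chain key is discarded. The constants, labels and message counts are assumptions made for this illustration.

```python
import hmac
import hashlib

# Symmetric-key ratchet. Because HMAC is one-way, a chain key cannot be run backwards:
# whoever learns the current chain key can derive later message keys, but not earlier
# ones, so messages already sent stay protected. Recovering after such a compromise is
# what the Diffie-Hellman half of the Double Ratchet adds on top of this chain.

# Constructed root key standing in for the output of the initial key exchange.
ROOT_KEY = hashlib.sha256(b"constructed demo root key, not a real secret").digest()


def kdf_step(chain_key: bytes):
    """One ratchet turn: returns (next_chain_key, message_key), derived with distinct labels."""
    next_chain_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    message_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class RatchetChain:
    """Holds only the current chain key; each turn replaces it and the old value is forgotten."""

    def __init__(self, root_key: bytes):
        self.chain_key = root_key
        self.step = 0

    def next_message_key(self) -> bytes:
        self.chain_key, message_key = kdf_step(self.chain_key)
        self.step += 1
        return message_key


def derive_keys(root_key: bytes, count: int):
    """Sender and receiver turn independent copies of the ratchet; their keys must agree."""
    sender, receiver = RatchetChain(root_key), RatchetChain(root_key)
    return [(sender.next_message_key(), receiver.next_message_key()) for _ in range(count)]


def forward_only(root_key: bytes, compromised_at: int, total: int) -> bool:
    """Model a compromise: an attacker learns the chain key after `compromised_at` steps.

    The attacker can reproduce every later message key by turning the ratchet forward,
    but the earlier message keys were derived from chain keys that no longer exist, and
    HMAC gives no way to compute them from the leaked state. The check below confirms the
    forward keys the attacker can compute do not include any of the earlier ones.
    """
    honest = RatchetChain(root_key)
    earlier = [honest.next_message_key() for _ in range(compromised_at)]
    leaked = RatchetChain(honest.chain_key)          # attacker's copy of the current state
    later_honest = [honest.next_message_key() for _ in range(total - compromised_at)]
    later_attacker = [leaked.next_message_key() for _ in range(total - compromised_at)]
    can_read_future = later_honest == later_attacker
    can_read_past = any(k in later_attacker for k in earlier)
    return can_read_future and not can_read_past


if __name__ == "__main__":
    for i, (s, r) in enumerate(derive_keys(ROOT_KEY, 3), start=1):
        print(f"message {i}: keys agree = {s == r}, key = {s.hex()[:16]}...")
    print("forward secrecy holds:", forward_only(ROOT_KEY, compromised_at=3, total=6))
```

Two design points carry over to real systems: every message gets its own key, so losing one key exposes one message rather than a whole conversation, and the chain key must actually be replaced in memory after each turn, since the property depends on the old state being gone.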
This article just scratches the surface of the art and science of encryption, but hopefully, it gives you enough basic understanding of this important security technology. If you’re considering enlisting the help of a data security expert, you’re in luck: there are plenty of IT services and IT security freelancers (as well as cyber security consultants) on Upwork with expertise in encryption who are able to consult with you on an encryption strategy that’s best for you and your data.