Encryption Basics: How It Works & Why You Need It
What is encryption and how does it work?
While IT security seeks to protect our physical assetsโnetworked computers, databases, servers, etc.โencryption protects the data that lives on and between those assets. Itโs one of the most powerful ways to keep your data safe, and while it isnโt impenetrable, itโs a major deterrent to hackers. Even if data does end up getting stolen, it will be unreadable and nearly useless if itโs encrypted.
How does it work? Encryptionโbased on the ancient art of cryptographyโuses computers and algorithms to turn plain text into unreadable, jumbled code. To decrypt that ciphertext into plaintext, you need an encryption key, a series of bits that decode the text. The key is something only you or the intended recipient has in their possession. Computers are capable of breaking encrypted code by guessing an encryption key, but for very sophisticated algorithms like an elliptic curve algorithm, this could take a very, very long time.
Hereโs a very simple example. Say you want to encrypt this sentence: โProtect your data with encryption.โ If you use a 39-bit encryption key, the encrypted sentence would look like this:
โEnCt210a37f599cb5b5c0db6cd47a6da0dc9b728e2f8c10a37f599cb5b5c0db6cd47asQK8W/ikwIb97tVolfr9/Jbq5NU42GJGFEU/N5j9UEuWPCZUyVAsZQisvMxl9h9IwEmS.โ
You can send that encrypted message to someone, separately share the key, then theyโre able to decrypt it and read the original sentence.
If you send an encrypted email, only the person with the encryption key can read it. If youโre using an encrypted internet connection to shop online, your information and credit card number are hidden from unauthorized users, like hackers, illegal surveillance, or identity thieves. If you encrypt data before syncing it with the cloud, the cloudโor anyone breaking into itโcanโt read that data. Even iPhones are encrypted to protect their data if theyโre lost or stolenโsomething that has made headlines when organizations like the FBI or the NSA need access to them for investigations.
But encryption can be used for bad, too. Ransomware attacks are becoming more prevalent, also called denial of service (DOS) attacks that use encryption software to lock users out of their computers until they pay a fee.
Encrypting Data โIn Transitโ vs. Data โAt Restโ
Basically, the data we encrypt is always either:
- In transit, meaning itโs moving via email, in apps, or through browsers and other web connections
- At rest, when data is stored in databases, the cloud, computer hard drives, or mobile devices
Encrypting this data is achieved mainly through:
- Full disk encryption (FDE): the primary way to protect computer hard drives and the at-rest data on them. Any files saved to the disk (or an external hard drive) are automatically encrypted. There are intermediate options for disk encryption, as wellโfolder encryption, volume encryption, etc.โthat arenโt quite full-disk encryption, but in between.
- File encryption: a way to encrypt at-rest data on a file-by-file basis so it cannot be read if intercepted. This isnโt automatic, but itโs beneficial because that data will stay encrypted after itโs left its place of origin.
- End-to-end (E2E) encryption: obscures any content of messages so only senders and receivers can read it, like the early Pretty Good Privacy (PGP) email encryption software. The idea with E2E encryption is that it tackles all the vulnerabilities on the communication chain: the middle (intercepting a message during delivery), and both ends (sender and receiver). This is not just a niche offering anymore, eitherโplatforms like Facebook Messenger and Appleโs iMessage have E2E encryption now, too.
- Encrypted web connections: via HTTPS, encrypted web connections use a Secure Sockets Layer (SSL) or transport layer security (TLS) protocols. With secure internet connections, weโre able to have better protected communications on the web. These arenโt impenetrable, but thereโs less risk of exploitation. How it works: HTTPS uses SSL and TLS certificates when a browser and server communicate over the web. These are encryption keys, and when both browser and server have them, theyโre authorized to access the encrypted data thatโs passed between them. Itโs a very basic, but very important, security measure when connecting to the web. If youโve ever seen โhttpsโ instead of โhttp,โ or noticed a lock in the URL bar of your browser, youโre accessing a secure site.
- Encrypted email servers: S/MIME (Secure/Multipurpose Internet Mail Extensions) public key encryption essentially gives SMTP (simple mail transfer protocol) email servers a leg up by allowing them to send and receive encrypted messages, not just simple text messages.
- Pre-encrypting data thatโs synced with the cloud: thereโs plenty of software available that can pre-encrypt data before it even gets to the cloud, making it unreadable by the cloud or anyone who hacks into it. Note that any files still stored on the local machine arenโt encrypted and are still vulnerable. This accounts only for files sent to the cloud encrypting tech.
Encryption can be simple, like secret-key, or incredibly complex, like the Advanced Encryption Standard (AES), depending on the algorithm and the length of the key. The longer the key, the more protection, but also the more processing power required to handle the encrypting and decrypting process.
A few types of encryption to know include:
- Secret-key algorithms: Also known as symmetric algorithms, or private-key, this algorithm uses the same key for encryption and decryption. This is a touch more vulnerable because anyone who gets a hold of that one key can read anything you encrypt. Also, passing that secret key over internet or network connections makes it more vulnerable to theft.
- Public-key algorithms: These are also known as asymmetric algorithms. With public-key encryption, there are two different, related encryption keysโone for encryption, and one for decryption. The public key is how the information is sent to you, and the private key decodes it (much like having a secure lock box on your front porch that a delivery person can put a package in, then only you can access that package with your private key). The benefit here is the key isnโt subject to being sent over insecure networks, but it does require more computer processing power so itโs a bit slower.
- Block ciphers: Like the Triple Data Encryption Standard (DES), or 3DES, these encrypt data a block at a time. Triple DES uses three keys and is a pretty great encryption option for financial institutions that need to protect sensitive information.
- Stream ciphers: A symmetric algorithm, it uses a keystream, a series of randomized numbers, to encrypt plaintext one character at a time. Rabbit, W7, and RC4 are popular stream ciphers.
- Elliptic curve cryptography: A form of public-key encryption, it can be practically unbreakable for normal computers, or โhard.โ This is security industry speak for technology thatโs not completely unbreakable, but is generally accepted to be up to best standards.
- Blockchain cryptography: Blockchain technology is essentially a type of distributed database, best known as the basis for Bitcoin, that uses cryptography to safely store data about financial transactions. Blockchain cryptography is a form of โcryptocurrency,โ using public-key encryption, and itโs valuable in its ability to provide direct, trustworthy and fraud-proof transactions between users on a peer-to-peer network. Because blockchain databases are distributed, theyโre more resilient in the face of a DOS attack, so more companies are exploring this.
A few popular algorithms include:
- Advanced Encryption Standard (AES): A block cipher, this is pretty much the gold standard, per the U.S. Government. It offers 128-, 192-, and 256-bit encryption, the last two reserved for instances that require extra-strength protection.
- RSA: This asymmetric algorithm uses paired keys and is pretty standard for encrypting information sent over the internet, although itโs been through some issues of getting broken, which have then been resolved.
- IDEA (International Data Encryption Algorithm): This block cipher with a 128-bit key has a great track record for not being broken.
- Signal Protocol: This open-source encryption protocol is used for asynchronous messaging, like email.
- Blowfish and Twofish: Both of these block ciphers are free to use and popular among e-commerce platforms for protecting payment information. They were created by the same person and offer symmetric encryption with keys varying in bit length. Twofish is the successor and offers longer encryption keys.
- Ring Learning With Errors or Ring-LWE: This protocol ramps up elliptic curves by adding in a new type of encryption that might be unbreakable by quantum computers.
What is key management and why is it important?
Key management is another important aspect of encryption. Keys are how all of that encrypted data becomes readable, so how you handle them is just as sensitive as the data itself.
Many businesses worry about this aspect of encryptionโafter all, if you lose an encryption key, you lose access to your data, too. Thatโs why key management dictates how keys are stored (and shared) so prying eyes canโt get a hold of them, making your entire encryption schema moot.
- Diffie-Hellman key exchange: This secure way for people to create a key allows them to share secure information. This method is also touted as โperfect forward secrecy,โ meaning that theoretically, at no point in the future can messages get encrypted with a Diffie-Hellman key be decrypted.
- Double Ratchet algorithm: Based on the above, the Double Ratchet algorithm is a key management algorithm used in end-to-end encryption of instant messaging, like the Signal messaging app.
This article just scratches the surface of the art and science of encryption, but hopefully, it gives you enough basic understanding of this important security technology. If youโre considering enlisting the help of a data security expert, youโre in luck: there are plenty of IT services and IT security freelancers (as well as cyber security consultants) on Upwork with expertise in encryption who are able to consult with you on an encryption strategy thatโs best for you and your data.