Encryption is the act of encoding data to render it unintelligible to someone who doesn’t have the authorization to access the data. Once data is encrypted, only authorized parties who have a “key” can read it or use it. That is, if the encryption method is effective, it should completely protect data from unauthorized access.
According to The Software Alliance, cybercriminals stole 423 million identities in 2015. In 2018, data breaches exposed five billion records, which was a drop from the 7.9 billion records that were compromised in 2017, but is still no small number. The threats to data security continue to multiply: in 2019, the top cybersecurity concerns include relatively new types of threats, such as formjacking, cross-site scripting XSS attacks, and AI botnets. Consumers aren’t the only losers when data is compromised — companies often lose employee data as well.
Businesses must be well-versed in encryption methods and communications to help protect their own and their customers’ sensitive data. The cyberworld is on pace to create 44 zettabytes (ZB) of data by 2020, which, according to the World Economic Forum, is “40 times more bytes than there are stars in the observable universe.” With that amount of data in play, encryption is an absolute necessity for communicating online with privacy and security.
How Does Encryption Work?
At its most basic level, encryption is fairly simple. The encryptor substitutes letters, numbers, and symbols with other characters to create a cipher. A cipher is the set of characters that are standing in for the original data. Whoever creates the cipher possesses the key to decoding it. The “key” is basically a number that describes the mathematical process by which the cipher was encoded.
You can do this manually — which is quite laborious — or you can use a software solution to scramble the data with an algorithm and create an encryption key. A computer or a human cannot read the real data without the key; if someone without the key were to access the data, it would be meaningless and useless. The intended user can unscramble or “decrypt” (the opposite of encrypting) the data using their generated encryption key.
Today, the various encryption methods fall into one of two main categories: symmetric-key encryption and asymmetric encryption.
Symmetric vs. Asymmetric Encryption
Symmetric encryption is a commonly-used method where the encryption key and the decryption key are the same. It takes very little time and therefore very little money for a computer to create a relatively strong, small key based on the algorithm it uses to encrypt data. Thereafter, the key is transmitted to the end-user, who uses it for decryption.
Asymmetric encryption is a method that generates two different keys: a private key and a public key. These keys are not identical, and you can share the public key with anyone, while the private key is shared only with those who are meant to access the data. You can use either one of the keys to encrypt the data, and the decryption key is the opposite of the encryption key.
There are some vulnerabilities inherent to either of these encryption methods. Here are some of the security issues for symmetric encryption:
- The secret key must remain secure during transmission, which can require you to encrypt the original key and create a separate key to decrypt the original. If the transmission method of the separate key is insecure, this can create an infinite regress of reliance on yet another key.
- If the original key falls into the wrong hands, the hacker can access the encrypted data and create corrupted transmissions that look like they come from the trusted sender.
By its nature, the internet facilitates an insecure connection. Public key cryptography attempts to establish secure connections for web clients and servers, thereby theoretically solving the insecure transmission problem for symmetric cryptography. Asymmetric, public-key encryption also works for applications, such as browsers. You could sum up the security issue for asymmetric encryption in one word: authentication. Users must be certain that the public key is authentic and not generated by a bad actor. However, there’s no way to be absolutely certain.
To maximize certainty, Public Key Infrastructure (PKI) certification authorities issue security certificates to trusted entities, and Pretty Good Protection (PGP) encryption issues a session key with the public key. The end-user’s private key allows them to decrypt the session key, which in turn allows them to decrypt the public key. PGP employs a web of trust, which requires trusted entities to validate digital signatures.
Encryption Algorithms and Methods
As maintaining online security has become more important and security threats have become more aggressive and sophisticated, modern encryption has also grown more complex to keep bad actors from viewing private data. Though there are many types of encryption algorithms — you can even create your own if you want — there are five common algorithms to consider.
Data Encryption Standard (DES)
DES is an older symmetric-key method of encrypting data that was used as a standard method by the United States government. It has since been withdrawn as a security standard, as it is not considered secure enough for many modern applications. However, DES is still in use today because it’s easy to implement, especially when computational power is limited.
A DES key has 64 binary digits (0’s and 1’s, otherwise known as “bits”), 56 of which are randomly generated by the algorithm. The other 8 bits are used for error detection. People who use this standard know the encryption algorithm, but unauthorized entities do not possess the decryption key. DES is insecure because the 56-bit key is too small. In 1999, distributed.net and the Electronic Frontier Foundation (EFF) teamed up to crack a DES key in 22 hours.
Triple DES (also called TDES or 3DES) is the newer, more secure version of DES. There are two kinds of 3DES: two-key and three-key, referring to the number of keys that are generated. Triple DES runs DES three times — the data is encrypted, decrypted, then encrypted once more before it is sent to the receiving party.
This method is slower and, though it is more secure than DES, it is still not as secure as newer algorithms. As more advanced algorithms are created, Triple DES is being phased out of use. The National Institute of Standards and Technology specifies that the two-key encryption is disallowed, while two-key decryption is only approved for legacy use. Three-key TDES encryption is deprecated and will be phased out by 2023.
Named after its creators — Ron Rivest, Adi Shamir, and Len Adelman — RSA is an asymmetric encryption algorithm primarily used to share data over insecure networks. It uses a public key to encrypt data and a private one to decrypt it.
The first user selects a pair of prime numbers as well as an arbitrary integer that is less than the sum of the two prime numbers. The sum of the prime numbers, n, and the arbitrary integer, e, are published as the public key. The private key, d, is known only to the first user. The key size is larger, making this method slower but more secure. If you want to send a secure message to the first user who created the public and private keys, you encode the message using the public key, and the recipient uses the private key to decrypt it.
RSA will likely need to move to an even larger key size to make this method more secure in the future.
Advanced Encryption Standard (AES)
AES encryption is the method currently used as the standard by the US government, as well as many private organizations, and is largely considered to be one of the most secure algorithms today. To crack this algorithm, most attacks would require a level of computational power that is presently not possible to achieve.
AES is a symmetric encryption algorithm that employs keys of 128, 192, and 256 bits to encrypt and decrypt blocks of data that are 128 bits. The lengths of the keys exponentially increases the difficulty of deciphering the code. AES became the standard in 2002, and the NIST reevaluates it every five years in an effort to find flaws and make improvements.
Why Is Encryption Important?
Encryption is a basic, but vital, component of data privacy and security. A great deal of private information is transmitted online — including financial information and Social Security Numbers — and it’s important to keep that information safe.
A great many apps and websites rely on user passwords and password verification software to facilitate access to valuable data. Besides learning how to create a secure password, consumers can’t do a lot to encrypt their passwords besides using a password manager, and a proficient password manager must use high-quality encryption to protect what is essentially a treasure trove of data.
Businesses and government organizations that possess consumer and employee data must use, at minimum, AES encryption, as well as other tools and methods such as two-factor authentication to ensure only authorized users can access this data. Organizations should do all they can to protect consumers’ information online. As the Software Alliance puts it, “Digital security is becoming increasingly important to protect us as we bank, as we shop, and as we communicate. And at the core of that security lies encryption.”
Photo credit: Basil James