There’s a lot to know about encryption, and the ins and outs can get confusing. Here’s a rundown of what professionals need to know about this fundamental of modern computing.
Data: It’s everywhere, and it has to be protected.
Professionals are concerned about digital data—confidential emails, budget spreadsheets, private messages, bank records, and a multitude of other types of sensitive information that is stored or transmitted online. The data is protected with encryption.
Knowing that encryption exists and understanding what it is are two different things, and the answer can be complicated. Having a basic knowledge of encryption is important for professionals who deal with private data, even if you don’t deal with the particulars yourself.
What is encryption?
Encryption is far more than just scrambling an email to protect it from prying eyes—it’s a practice that goes back well into the analog days. In essence, anything that is encoded using an algorithm is encrypted.
Most everyone has experience with simple encryption, like substitution ciphers that alter the letters of the alphabet using a particular rule, like A=Z, B=Y, C=X, and so on.
Even a simple cipher like mixing up the letters of the alphabet presents an enormous number of potential solutions because of the factorial nature of encryption. Take the English alphabet, for example, It has 26 letters, which means there are 26 factorial ways to mix it up. Mathematically that means 26 x 25 x 24 x 23 x 22 x 21… x 1 possibilities.
26 factorial, or 26!, means a simple substitution cipher of the English alphabet has 403,291,461,126,605,700,000,000,000 possible solutions. Ideally, this would mean an English substitution cipher would be difficult to solve, but it isn’t, really. All a good cryptanalyst needs to do is look for recurring characters to start making educated guesses to solve the cipher quickly.
The minds behind modern encryption know how easy solving simple ciphers can be, especially given the raw power of modern computers—if a human can crack it with any degree of speed a computer can probably do it faster.
In order to prevent cracking, modern encryption has to be more complicated, use more tricks to scramble data, and make it (practically) computationally impossible for an attacker to break the encryption.
Today the Advanced Encryption Standard (AES) is used worldwide. AES makes multiple encryption passes that scramble an already scrambled chunk of data over and over again, making it more and more difficult to break encryption.
The more bits used to encrypt something with AES the more guesses it will take, and at a certain point, it becomes computationally impossible, at least on a practical level, to break that encryption. 128-bit AES encryption, for example, would take around 500 billion years to crack with brute force.
What is an encryption key?
Anything that is encrypted must have a key to decrypt it.
A key could be the alphabet shifted by a couple of letters, a numerical substitution, or in the case of modern encryption a string of random characters.
Keys are used by the individual encrypting data and by the individual decrypting it, and come in two varieties: Symmetric and asymmetric.
Symmetric keys are easy to explain, and the best analogy to use is a locked box with a single key that can unlock it. As long as you and another person have a copy of that key, you can store objects in the box and pass them securely to one another.
It’s easy to see how insecure symmetric keys are, whether physical or digital: Anyone with a copy of the key can decrypt the data or open the locked box.
Asymmetric keys, on the other hand, are a bit more complex. In this scenario, there are two keys: A private key, known only to the individual doing the encryption, and a public one that is freely available.
Anyone with a copy of a public key can encrypt data that can only be decrypted using the matching private key—that includes the person who knows the private key. Conversely, data that is encrypted using the private key can be decrypted by anyone with the public key.
Neither public nor a private key alone can be used to decrypt data—it takes the opposite key to decode it. In most cases, a public key will be used to encrypt data, as only the person holding the private key can decrypt it.
Private-to-public decryption is used as the basis of digital signatures and other forms of identity verification: If the public key is able to successfully decrypt a chunk of data, it could only have come from the person who knows the private key.
Keep in mind that an encryption key is only secure as long as the person who holds it keeps it secret. If a private or symmetric key is stolen or lost, it’s best to consider it broken immediately. Always keep the keys safe.
Why is encryption so important?
Encryption won’t stop your data from being stolen. There’s no reason a malicious entity couldn’t sniff out your internet traffic or steal data from your hard drive—that’s not encryption’s job. We encrypt data so that if and when it’s stolen it’s useless without the key.
Data at rest and data in transit over the internet are at risk to hijacking. Data breaches are a constant threat faced by individuals and businesses of all sizes.
Using encryption to secure data that is at rest or otherwise not being actively transmitted over the internet is one thing, but protecting it while in transit is a whole other challenge. It’s difficult to protect data in transit, and there isn’t a good way of knowing how much data is stolen while it’s streaming over the internet, in the air over Wi-Fi, or moving between a smartphone and a signal tower.
Data in transmission should always be considered unsecured. Continuing the locked box analogy from above, think of transmitting data like handing a package off to the post office; it’s probably safe, but if that data is sensitive, you need to take extra steps to be sure no one tampers with it between its origin and destination.
It’s critical for organizations and individuals to encrypt everything, no matter how innocuous the content of an email, file, or piece of code. Consider all data—no matter what it is or where it’s stored—to be at risk.
Properly applied, encryption renders stolen data useless: If the thief doesn’t know the key, they’re left with a bunch of junk that will (ideally) take them years to decrypt.
What are the current encryption standards?
As of 2001, the US Department of Commerce’s National Institute for Standards and Technology (NIST) has adopted the Advanced Encryption Standard (AES) as the standard for government encryption (PDF). Since its adoption, AES has become a standard part of cryptography around the world, both in government and civilian applications.
AES is a form of symmetrical encryption and can be used to generate 128-bit keys, 192-bit keys, and 256-bit keys, depending on the number of encryption rounds data is subjected to. AES creates blocks of 16 bytes that are shifted, mixed, and substituted each round, as described in this comic by software developer Jeff Moser.
AES is incredibly secure, so much so that the US government considers AES128 sufficient to secure data classified as secret, and AES192 and AES256 safe for top-secret data. AES is effectively unbreakable, and it’s easy to see why mathematically. 128-bit encryption has 2 128 potential solutions, a 192 bit 2192, and a 256 has 2256 possible solutions. Do a quick calculation, and you’ll see why it would take even the most powerful computers an impossibly long time to crack it.
As for asymmetrical encryption, there’s currently no single standard in place. There is a long list of asymmetric encryption methods, but the most commonly used one by far is RSA. A variety of encryption systems make use of asymmetric encryption, such as DSA, Diffie-Hellman key exchange, ElGamal, YAK, and others.
Does unbreakable encryption exist?
Even when used correctly, the strongest encryption can theoretically be broken, and as computers become faster, unsolvable algorithms will turn into simple challenges.
There is a form of encryption considered unbreakable when applied correctly, and it’s over 100 years old: The one-time pad.
One-time pads are symmetric encryption that has very specific instructions to ensure their encryption is unbreakable. In order to be successful, a one-time pad has to:
- Be made up of completely random numbers;
- Have only two existing copies;
- Be used only once; and
- Be destroyed immediately after use.
One-time pads are impractical for use in the digital encryption world because of the difficulty that comes with a single-use encryption key: It’s hard to keep the key limited to exactly two copies, and destroying it after use is difficult if it’s stored digitally.
While they may not be used for digital encryption, one-time pads do demonstrate an important thing about encryption: Key security is paramount. A strong, computationally impractical to break key may as well be unbreakable unless it’s used improperly or stolen.
What are the popular encryption apps?
Computers and mobile devices all have built-in encryption software that can be enabled by taking a few minutes and following these steps: Windows 10, macOS, iOS, and Android (the Android steps indicate they are for Pixel devices, but they have been tested and work on other non-Pixel Android devices as well).
In cases where the built-in encryption methods aren’t sufficient or aren’t available (some versions of Windows 10 don’t include BitLocker), there are a variety of third-party encryption apps that suit numerous purposes.
VeraCrypt is the gold standard of Windows encryption apps. It offers everything Windows users need to encrypt their hard drives, and even reportedly offers immunity to brute-force attacks.
Signal, a free messaging app for iOS, Android, Windows, and macOS, encrypts text messages, multimedia messages, and phone calls. It’s open source and grant funded, so there are no in-app purchases or hidden fees.
ProtonMail, a free webmail service developed by CERN scientists, is an end-to-end encrypted webmail service that looks and feels like other popular webmail applications. Users of Office 365 and Gmail who don’t want to migrate can enable encryption on both of those services as well.
Be sure to check out TechRepublic sister site Download.com’s list of popular encryption applications for more ways to protect your Windows, macOS, iOS, and Android devices. No matter which route you choose to go, built in or third-party, it’s essential to encrypt your data.