The main takeaway from the buildup of developments in the cybersecurity landscape is that privacy is becoming a commodity. The CIA is spying on your phone. Hackers are breaking into your home. Your documents, emails, messages, can be intercepted. And Congress is empowering ISPs to pry into your communications.
Long story short, nothing remains secret.
Under such circumstances, encryption becomes your best friend, your last line of defense in protecting your information.
In case you don’t already know encryption is the technology that makes sure only intended parties can use certain data. Humans have been using cryptography, the science—and art—behind encryption, to protect secrets for thousands of years. If implemented correctly, encryption will make your data undecipherable to unwanted parties.
Nowadays, many applications use encryption. Browsers use encryption to create secure channels to web servers. Messaging and email apps encrypt messages before sending them to recipients. Operating systems encrypt files when storing them on disk.
Encryption is everywhere. But not all encryption is made equal. Here’s all you need to know about encryption.
Encryption algorithms
At the heart of every encrypted application is the algorithm, the math that scrambles and unscrambles data. In a nutshell, an encryption algorithm is a function which takes a string of data bytes and returns a new dataset containing unintelligible content.
The same algorithm is used to decrypt data, which means encrypted data goes in from one side and the original data comes out the other.
Algorithms are as strong as the math behind them and how much computational power it takes to break them. The most preliminary form of encryption, dating back to hundreds of years ago, involves substituting each letter of the alphabet for another one. With today’s computational power, such an algorithm could be broken in a subsecond timeframe.
More advanced algorithms use sophisticated methods and long keys.
Some of the more popular encryption algorithms include the following:
- 3DES
- RSA
- AES
- Blowfish
Encryption keys
No matter how strong an encryption algorithm is, if it’s constant, it can be reverse-engineered and broken. That’s why algorithms are designed to use keys, or variable strings of bytes combined with input data when performing encryption and decryption.
A string of characters encrypted with two separate keys will yield different results. This way, only a person who possesses the proper key can decrypt a given cipher, hence the name.
The benefit of key-based encryption is that it allows for transparency. This means you can publish the code and mathematics behind your algorithm, because the security of your tool does not rely on hiding its mechanics but in protecting the key.
However the use of keys puts the burden of storing and protecting them on the user. Anyone who manages to gain access to your key will be able to decipher your communications. Also, by distributing copies of an encryption key among users, you’ll make it harder to protect the key.
Symmetric vs asymmetric encryption
Symmetric encryption algorithms use the same key for encrypting and decrypting data. As stated in the previous section the problem this scheme causes is that it makes it hard to control the distribution and protection of keys.
In contrast, asymmetric encryption algorithms use separate keys for the encryption and decryption of data. Asymmetric keys pairs are also known as public and private keys. Users create their key pair and publish the public key where everyone can access it. The private key they keep to themselves.
Anyone who wants to send a message to a certain user encrypts that message with the recipient’s public key. The message can only be decrypted with the private key. This solves the problem of key distribution and ensures that your communications are secure as long as you keep your private key secret.
Popular tools such as PGP (pretty good privacy) use asymmetric encryption.
Encryption protocols
As the name implies, an encryption protocol defines a set of rules and procedures to establish and maintain encrypted communications.
An unreliable encryption protocol is prone to compromise, such as man-in-the-middle attacks. MitM attacks happen when a malicious user manages to intercept encrypted communications and perform eavesdropping or more evil activities.
Protocols define steps such as initial handshakes, authentication and verification of identities, key exchange, etc. Encryption protocols include the use of one or more encryption algorithms.
For instance, a protocol might use public/private encryption to establish the initial communication between two nodes. Afterwards it negotiates a symmetric encryption key to use for the session’s length. This process enables an application to take advantage of the security of asymmetric encryption and efficiency of symmetric encryption.
Some renowned encryption algorithms include the following:
- Kerberos
- IPSec
- TLS
- HTTPS
- Signal Protocol
Where do you encrypt your data?
Aside from the how, the where of encryption is also an important factor in determining an application’s level of security.
Some applications only encrypt data in transition. Such applications encrypt data while it travels the network, but store it in open format on database and disk. Such practice will not protect you against hackers if the computer or server containing the data is compromised.
In contrast, if you encrypt data in storage but not in transition, eavesdroppers will be able to intercept your data. That’s why you have to encrypt your data both in transition and storage.
End-to-end encryption
Key storage and protection policies are equally important. Some online services store encryption keys on their servers. This can make their encryption reversible if a hacker breaks into their server and gains access to their keys.
Secure messaging apps such as Signal and storage applications such as Tresorit use end-to-end encryption (E2EE) to ensure the security and privacy of client data. E2EE stores the encryption keys exclusively on user devices. This ensures that only the involved parties can decrypt the data. Not even the service provider will be able to look into client data when its application uses end-to-end encryption.
End-to-end encryption is so far the most secure type of encryption available. It has been at the heart of several heated debates between tech firms and government agencies.
On hashes and salts
Hashing is a technique that creates a sequence of bytes by performing cryptographic calculations on a block of data.
Hashes are constant in size and do not expand or contract based on the content of the input data.
Also, hashes are one-way functions, which means they can’t be reversed. When a block of data is hashed, it can’t be decrypted and returned to its original state.
Applications use hash functions to protect sensitive information such as passwords.
Hash functions do not employ keys. Consequently identical inputs will always yield the same result. This effectively makes them vulnerable to brute force attacks. In order to reverse a hash, hackers can start hashing random sequences until the function returns the hash in question.
Malicious actors use rainbow tables, or long lists of computed hashes, to lookup the original value of a hash. The workaround is the use of salts. Salts are token strings or sequences of bytes that application add to the input of a hash function in order to change the output and make it harder to brute-force the value.
Some of the more popular hash functions include the following: