For many, the word “encryption” probably stirs up James Bond-esque images of a villain with a briefcase handcuffed to his wrist with nuclear launch codes or some other action movie staple. In reality, we all use encryption technology on a daily basis, and while most of us probably don’t understand the “how” or the “why,” we are sure that data security is important, and if encryption helps us to accomplish that, then we’re definitely on board.
Nearly every computing device we interact with on a daily basis utilizes some form of encryption technology. From smartphones (which can often have their data encrypted), to tablets, desktop, laptops or even your trusty Kindle, encryption is everywhere.
But how does it work?
What is Encryption?
Encryption is a modern form of cryptography that allows a user to hide information from others. Encryption uses a complex algorithm called a cipher in order to turn normalized data (plaintext) into a series of seemingly random characters (ciphertext) that is unreadable by those without a special key in which to decrypt it. Those that possess the key can decrypt the data in order to view the plaintext again rather than the random character string of ciphertext.
Two of the most widely used encryption methods are Public key (asymmetric) encryption and Private key (symmetric) encryption. The two are similar in the sense that they both allow a user to encrypt data to hide it from others, and then decrypt it in order to access the original plaintext. They differ, however, in how they handle the steps between encryption and decryption.
Public Key Encryption
Public Key – or asymmetric – encryption uses the recipient’s public key as well as a (mathematically) matching private key.
For example, if Joe and Karen both had keys to a box, with Joe having the public key and Karen having a matching private key, Joe could use his key to unlock the box and put things into it, but he wouldn’t be able to view items already in there, nor would he be able to retrieve anything. Karen, on the other hand, could open the box and view all items inside as well as removing them as she saw fit by using her matching private key. She could not, however, add things to the box without having an additional public key.
In a digital sense, Joe can encrypt plaintext (with his public key), and send it to Karen, but only Karen (and her matching private key) could decrypt the ciphertext back into plaintext. The public key (in this scenario) is used for encrypting ciphertext, while the private key is used to decrypt it back into plaintext. Karen would only need the private key to decrypt Joe’s message, but she’d need access to an additional public key in order to encrypt a message and send it back to Joe. Joe on the other hand couldn’t decrypt the data with his public key, but he could use it to send Karen an encrypted message.
Private Key Encryption
Where Private Key – or symmetric – encryption differs from Public Key encryption is in the purpose of the keys themselves. There are still two keys needed to communicate, but each of these keys is now essentially the same.
For example, Joe and Karen both possess keys to the aforementioned box, but in this scenario the keys do the same thing. Both of them are now able to add or remove things from the box.
Speaking digitally, Joe can now encrypt a message as well as decrypting it with his key. Karen can do the same with hers.
A (Brief) History of Encryption
When talking about encryption, it’s important to make the distinction that all modern encryption technology is derived from cryptography. Cryptography, is – at its core – the act of creating and (attempting to) decipher a code. While electronic encryption is relatively new in the grander scheme of things, cryptography is a science that dates back to ancient Greece.
The Greeks were the first society credited with using cryptography in order to hide sensitive data in the form of written word, from the eyes of their enemies, and the general public. They used a very primitive method of cryptography that relied on use of the scytale as a tool to create a transposition cipher (answer key) to decode encrypted messages. The scytale is a cylinder used to wrap parchment around in order to decipher the code. When the two sides communicating used a cylinder of the same thickness, the parchment would display the message when read left to right. When the parchment was unrolled, it would appear as a long, thin piece of parchment with seemingly random numbers and letters. So, while un-rolled it may seem to be compete gibberish, when rolled on to the scytale it would look more like this:
The Greeks weren’t alone in developing primitive cryptography methods. The Romans followed suit by introducing what came to be known as “Caesar’s cipher,” a substitution cipher that involved substituting a letter for another letter shifted further down the alphabet. For example, if the key involved a right shift of three, the letter A would become D, the letter B would be E, and so on.
Other examples that were considered breakthroughs of their time were:
- The Polybius square: Another cryptographic breakthrough from ancient Greece relies on a 5 x 5 grid that starts with the letter “A” in the top left and “Z” in the bottom right (“I” and “J” share a square). The numbers 1 through 5 appear both horizontally and vertically atop the top row of letters and to the far left. The code relies on giving a number and then locating it on the grid. For example, “Ball” would be 12, 11, 31, 31.
- Enigma machine: The Enigma machine is a WWII technology known as an electro-mechanical rotor cipher machine. This device looked like an oversized typewriter and allowed operators to type in plaintext, while the machine encrypted the message and sent it to another unit. The receiver writes down the random string of encrypted letters after they lit up on the receiving machine and broke the code after setting up the original pattern from the sender on his machine.
- Data Encryption Standard: The Data Encryption Standard (DES) was the first modern symmetric key algorithm used for encryption of digital data. Developed in the 1970s at IBM, DES became the Federal Information Processing Standard for the United States in 1977 and became the foundation for which modern encryption technologies were built.
Modern Encryption Technology
Modern encryption technology uses more sophisticated algorithms as well as larger key sizes in order to better conceal encrypted data. The larger the key size, the more possible combinations that a brute force attack would have to run in order to successfully find decrypt the ciphertext.
As key size continues to improve, the length of time it takes to crack an encryption using a brute force attack skyrockets. For example, while a 56-bit key and a 64-bit key look to be relatively close in value, the 64-bit key is actually 256 times harder to crack than the 56-bit key. Most modern encryptions use a minimum of a 128-bit key, with some using 256-bit keys or greater. To put that into perspective, cracking a 128-bit key would require a brute force attack to test over 339,000,000,000,000,000,000,000,000,000,000,000 possible key combinations. In case you are curious, it would actually take over a million years to guess the correct key using brute force attacks, and that’s using the most powerful supercomputers in existence. In short, it’s theoretically implausible that anyone would even try to break your encryption using 128-bit or higher technology.
3DES
Encryption standards have come a long way since DES was first adopted in 1977. In fact, a new DES technology, known as Triple DES (3DES) is quite popular, and it’s based on a modernized version of the original DES algorithm. While the original DES technology was rather limited with a key size of just 56 bits, the current 3DES key size of 168-bits make it significantly more difficult and time consuming to crack.
AES
The Advanced Encryption Standard is is a symmetric cipher based on the Rijandael block cipher that is currently the United States federal government standard. AES was adopted worldwide as the heir apparent to the now deprecated DES standard of 1977 and although there are published examples of attacks that are faster than brute force, the powerful AES technology is still thought to be computationally infeasible in terms of cracking. In addition, AES offers solid performance on a wide variety of hardware and offers both high speed and low RAM requirements making it a top-notch choice for most applications. If you’re using a Mac, the popular encryption tool FileVault is one of many applications that uses AES.
RSA
RSA is one of the first widely used asymmetric cryptosystems for data transmission. The algorithm was first described in 1977, and relies on a public key based on two large prime numbers and an auxiliary value in order to encrypt a message. Anyone can use the public key in order to encrypt a message but only someone with knowledge of the prime numbers can feasibly attempt to decode the message. RSA opened the doors to several cryptographic protocols such as digital signatures and cryptographic voting methods. It’s also the algorithm behind several open source technologies, such as PGP, which allows you to encrypt digital correspondence.
ECC
Elliptic curve cryptography is among the most powerful and least understood forms of encryption used today. Proponents of the ECC approach cite the same level of security with faster operational times largely due to the same levels of security while utilizing smaller key sizes. The high performance standards are due to the overall efficiency of the elliptic curve, which makes them ideal for small embedded systems such as smart cards. The NSA is the biggest supporter of the technology, and it’s already being billed as the successor to the aforementioned RSA approach.
So, Is Encryption Safe?
Unequivocally, the answer is yes. The amount of time, energy usage and computational cost to crack most modern cryptographic technologies makes the act of attempting to break an encryption (without the key) an expensive exercise that is, relatively speaking, futile. That said, encryption does have vulnerabilities that rest largely outside of the power of the technology.
For example:
Backdoors
No matter how secure the encryption, a backdoor could potentially provide access to the private key. This access provides the means necessary to decrypt the message without ever breaking the encryption.
Private Key Handling
While modern encryption technology is extremely secure, humans aren’t as easy to count on. An error in handling the key such as exposure to outside parties due to a lost or stolen key, or human error in storing the key in insecure locations could give others access to encrypted data.
Increased Computational Power
Using current estimates, modern encryption keys are computationally infeasible to crack. That said, as processing power increases, encryption technology needs to keep pace in order to stay ahead of the curve.
Government Pressure
The legality of this is dependent on your home country, but typically speaking, mandatory decryption laws force the owner of encrypted data to surrender the key to law enforcement personnel (with a warrant / court order) to avoid further prosecution. In some countries, such as Belgium, owners of encrypted data that are concerned with self-incrimination aren’t required to comply, and police are only allowed to request compliance rather than demand it. Let’s not forget, there is also precedent of website owners willfully handing over encryption keys that stored customer data or communications to law enforcement officials in an attempt to remain cooperative.
Encryption isn’t bulletproof, but it protects each and every one of us in just about every aspect of our digital lives. While there is still a (relatively) small demographic that doesn’t trust online banking or making purchases at Amazon or other online retailers, the rest of us are quite a bit safer shopping online (from trusted sources) than we would be from taking that same shopping trip at our local mall.
While your average person is going to remain blissfully unaware of the technologies protecting them while purchasing coffee at Starbucks with their credit card, or logging on to Facebook, that just speaks to the power of the technology. You see, while the tech that we get excited about is decidedly more sexy, it’s those that remain relatively unseen that are doing the greatest good. Encryption falls firmly into this camp.
Do you have any thoughts or questions about encryption? Use the comments box below.
Image Credit: System Lock by Yuri Samoilov via Flickr, Public key encryption via Shutterstock, Public key encryption (Modified) via Shutterstock, Scytale via Wikimedia Commons, Enigma Plugboard via Wikimedia Commons, Padlock, key and personal information via Shutterstock
All encryption software is vulnerable to those who wrote it. If you didn't then you cannot trust it.
This is probably why old-style cipher machines are making a comeback.
The Galaxy Cipher Machine open sourced to all (Crypto World Forums; Ideas and Suggestions), is one example. These are safe, even from the NSA.
Regards,
Russell Lee