Chances are that you’re familiar with the word encryption. You’ve probably heard about how important it is, as well as how vital it is for keeping so much of our hyper-networked lives secure.
Use WhatsApp? You’re using encryption. Log into online banking? Same again. Have to ask the barista for a Wi-Fi code? That’s because you’re connecting to a network using encryption—the password is the key.
But even though we use encryption in our day-to-day lives, a lot of terminology remains mysterious. Here’s a list of eight essential encryption terms you need to understand.
Let’s start with the most basic term to know, which is simple but just as important as the others: plaintext is a readable, plain message that anyone can read.
Ciphertext is the result of the encryption process. The encrypted plaintext appears as an apparently random string of characters, useless to anyone who lacks the key. A cipher is another way of referring to the encryption algorithm that transforms the plaintext, hence the term ciphertext.
Encryption is the process of applying a mathematical function to a file that renders its contents unreadable and inaccessible—unless you have the decryption key.
For instance, let’s say you have a Microsoft Word document. You apply a password using Microsoft Office’s inbuilt encryption function. The file is now unreadable and inaccessible to anyone without the password.
If encryption locks the file, then decryption reverses the process, turning ciphertext back to plaintext. Decryption requires two elements: the correct password and the corresponding decryption algorithm.
The encryption process requires a cryptographic key that tells the algorithm how to transform the plaintext into ciphertext. Kerckhoffs’s principle states that “only secrecy of the key provides security,” while Shannon’s maxim continues “the enemy knows the system.”
These two statements shape the role of encryption, and of keys within it.
Keeping the details of an entire encryption algorithm secret is extremely difficult; keeping a much smaller key secret is easier. The key locks and unlocks the algorithm, allowing the encryption or decryption process to function.
Is a Key a Password?
No. Well, at least not entirely. Key creation is a result of using an algorithm, whereas a password is usually a user choice. The confusion arises as we rarely specifically interact with a cryptographic key, whereas passwords are part of daily life.
Passwords are at times part of the key creation process. A user enters their super strong password using all manner of characters and symbols, and the algorithm generates a key using their input.
So when a website “encrypts” your password, what it actually does is run your plaintext password through a hashing algorithm to produce a hash. A hash differs from encryption in that once the data is hashed, it cannot be unhashed. Or rather, it is extremely difficult.
Hashing is really useful when you need to verify something’s authenticity without having it read back. In this way, password hashing offers some protection against brute-force attacks (where the attacker tries every possible password combination).
You might have even heard of some of the common hashing algorithms, such as MD5, SHA, SHA-1, and SHA-2. Some are stronger than others, while some, such as MD5, are outright vulnerable. For instance, if you head to the site MD5 Online, you’ll note they have 123,255,542,234 words in their MD5 hash database. Go ahead, give it a try.
- Select MD5 Encrypt from the top menu.
- Type your password, hit Encrypt, and view the MD5 hash.
- Select the hash, press Ctrl + C to copy the hash, and select MD5 Decrypt from the top menu.
- Select the box and press Ctrl + V to paste the hash, complete the CAPTCHA, and press Decrypt.
As you see, a hashed password doesn’t automatically mean it is secure (depending on the password you chose, of course). But there are additional encryption functions that boost security.
When passwords are part of key creation, the encryption process requires additional security steps. One of those steps is salting the passwords. At a basic level, a salt adds random data to a one-way hash function. Let’s examine what that means using an example.
There are two users with the exact same password: hunter2.
We run hunter2 through an SHA256 hash generator and receive f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7.
If someone breaches the password database and looks up this hash, every account with the same hash is immediately exposed.
This time, we use an individual salt, adding a random data value to each user password:
- Salt example #1: hunter2 + sausage: 3436d420e833d662c480ff64fce63c7d27ddabfb1b6a423f2ea45caa169fb157
- Salt example #2: hunter2 + bacon: 728963c70b8a570e2501fa618c975509215bd0ff5cddaf405abf06234b20602c
Quickly compare the hashes for the same passwords with and without the (extremely basic) salt:
- Without salt: f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7
- Salt example #1: 3436d420e833d662c480ff64fce63c7d27ddabfb1b6a423f2ea45caa169fb157
- Salt example #2: 728963c70b8a570e2501fa618c975509215bd0ff5cddaf405abf06234b20602c
You see that the addition of the salt sufficiently randomizes the hash value that your password remains (almost) completely safe during a breach. And better yet, the password still links to your username so there is no database confusion when you sign into the site or service.
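To make the hash-lookup and salting points above concrete, here is an added Python example (my own illustration, not code from the original article). It hashes hunter2 as the article does, shows that a constructed lookup table recovers the unsalted hash but not a salted one, and finishes with a hardened form the article does not cover: a random per-user salt plus PBKDF2. The lookup table contents and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import os

def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: str) -> str:
    """The article's basic scheme: password concatenated with a per-user salt before hashing."""
    return hashlib.sha256((password + salt).encode()).hexdigest()

# Constructed stand-in for a precomputed lookup database like the one the article describes,
# keyed by the unsalted SHA-256 of a handful of common passwords (assumed sample values).
LOOKUP_TABLE = {unsalted_hash(p): p for p in ["123456", "password", "hunter2", "qwerty"]}

def reverse_by_lookup(digest: str):
    """Return the password whose unsalted hash was precomputed, or None if not in the table."""
    return LOOKUP_TABLE.get(digest)

PBKDF2_ROUNDS = 200_000   # assumed value; deliberately slow so each guess costs real work

def store_password(password: str) -> dict:
    """Hardened form: a random 16-byte salt per user plus a slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])
```

Because store_password draws a fresh salt each time, two users who both choose hunter2 end up with different records, and a leaked hash cannot be matched against a precomputed table.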
7. Symmetric and Asymmetric Algorithms
In modern computing, there are two primary encryption algorithm types: symmetric and asymmetric. They both encrypt data, but function in a slightly different manner.
- Symmetric algorithm: Uses the same key for both encryption and decryption. Both parties must agree on the key before commencing communication.
- Asymmetric algorithm: Uses two different keys: a public key and a private key. This enables secure encryption between parties who have not previously shared a secret. It is also known as public key cryptography (see the following section).
The overwhelming majority of online services we use in our daily lives implement some form of public key cryptography.
8. Public and Private Keys
Now we understand more about the function of keys in the encryption process, we can look at public and private keys.
An asymmetric algorithm uses two keys: a public key and a private key. The public key can be sent to other people, while the private key is only known by the owner. What’s the purpose of this?
Well, anyone with the intended recipient’s public key can encrypt a private message for them, while only someone with access to the paired private key can read the contents of that message.
Public and private keys also play an essential role in digital signatures, whereby a sender signs their message with their private key. Anyone with the matching public key can then verify the signature, safe in the knowledge that the message was signed by the holder of that private key.
A key pair is the mathematically linked public and private key generated by an encryption algorithm.
9. HTTPS
HTTPS (HTTP Secure) is a now widely implemented security upgrade for the HTTP application protocol that is a foundation of the internet as we know it. When using an HTTPS connection, your data is encrypted using Transport Layer Security (TLS), protecting your data while in transit.
HTTPS uses the site’s long-term public and private keys during the TLS handshake to establish a short-term session key. The session key is a single-use symmetric key that is discarded once you leave the HTTPS site (closing the connection and ending its encryption). When you revisit the site, you receive another single-use session key to secure your communication.
A site must completely adhere to HTTPS to offer users complete security. Indeed, 2018 was the first year the majority of sites online began offering HTTPS connections over standard HTTP.
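As an added example (not code from the article) tying sections 7, 8 and the HTTPS session-key description together: a textbook RSA toy in Python with 16-bit primes and no padding, which shows encryption with the public key, decryption and signing with the private key, and a client handing a symmetric session key to a server under the server’s public key. The key size and the seeded random number generator are assumptions made so that a run is reproducible; real deployments use far larger keys, padding and vetted libraries.

```python
import random

def is_prime(n: int) -> bool:
    """Trial division is enough for the 16-bit toy primes used here."""
    if n < 2:
        return False
    return all(n % f for f in range(2, int(n ** 0.5) + 1))

def random_prime(rng: random.Random, bits: int = 16) -> int:
    while True:
        cand = rng.randrange(1 << (bits - 1), 1 << bits) | 1   # random odd candidate
        if is_prime(cand):
            return cand

def gen_keypair(seed: int = 0):
    """Return ((e, n), (d, n)); textbook RSA with tiny primes and no padding, a teaching toy only."""
    rng = random.Random(seed)
    p, q = random_prime(rng), random_prime(rng)
    while q == p:
        q = random_prime(rng)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537                     # coprime with phi, since p - 1 and q - 1 are both below e
    d = pow(e, -1, phi)           # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)

def encrypt(pub, m: int) -> int:
    """Anyone holding the public key can encrypt an integer m below n."""
    e, n = pub
    return pow(m, e, n)

def decrypt(priv, c: int) -> int:
    """Only the holder of the paired private key recovers m."""
    d, n = priv
    return pow(c, d, n)

def sign(priv, m: int) -> int:
    """A signature is made with the private key, so only its owner can produce it."""
    d, n = priv
    return pow(m, d, n)

def verify(pub, m: int, sig: int) -> bool:
    """Anyone with the public key can check that sig was produced for m by the paired private key."""
    e, n = pub
    return pow(sig, e, n) == m

def exchange_session_key(server_pub, server_priv, seed: int) -> tuple:
    """HTTPS-style sketch: the client picks a random symmetric session key and sends it
    under the server's long-term public key; returns (what the client chose, what the server got)."""
    session_key = random.Random(seed).randrange(1, server_pub[1])
    return session_key, decrypt(server_priv, encrypt(server_pub, session_key))
```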
10. End-to-End Encryption
One of the biggest encryption buzzwords is end-to-end encryption. The messaging service WhatsApp began offering its users end-to-end encryption (E2EE) in 2016, making sure their messages are private at all times.
In the context of a messaging service, E2EE means that once you hit the send button, the encryption remains in place until the recipient receives the message. What is happening here? Well, the private key used for encoding and decoding your messages never leaves your device, which in turn ensures that no one but you can send messages under your name.
WhatsApp isn’t the first, or even the only, messaging service to offer end-to-end encryption. It did, however, move the idea of mobile message encryption further into the mainstream—much to the ire of myriad government agencies around the world.
Encryption Until the End
Unfortunately, there are a lot of governments and other organizations that really dislike encryption. They hate it for the very same reasons we think it is fantastic—it keeps your communication private and, in no small part, helps the internet function.
Without it, the internet would become an extremely dangerous place. You certainly wouldn’t complete your online banking, purchase new slippers from Amazon, or tell your doctor what’s wrong with you.
On the surface, encryption seems daunting. I won’t lie; the mathematical underpinnings of encryption are at times complicated. But you can still appreciate encryption without the numbers, and that alone is really useful.