In cryptography, encryption is the process of encoding information or sensitive data so only authorized parties can access it. Encryption does not itself prevent interference and man-in-the-middle attacks, but denies intelligible content to the interceptor.
Table of contents
- How does encryption work?
- Why is encryption important?
- How is encryption used?
- What are the limitations of encryption?
- What are the types of encryption algorithm?
- What is the history of encryption?
- How UpGuard can improve your organization's cybersecurity
1. How does encryption work?
In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm (or cipher).
The output is known as ciphertext and can only be read using the decryption key.
In general, encryption algorithms fall into two categories:
- Symmetric-key encryption: In this encryption scheme, the encryption and decryption key are the same. The key is sometimes referred to as a shared secret because the sender or computer system doing the encryption must share the secret key with anyone authorized to decrypt the message. Symmetric-key encryption tends to be faster than asymmetric encryption schemes. The most popular example of symmetric data encryption is the Advanced Encryption Standard (AES), which was designed to protect the government's sensitive information. Symmetric-key encryption is also known as secret key encryption, symmetric ciphers or private-key cryptography.
- Public-key encryption: This type of encryption uses two, logically linked, different keys. The encryption key is published for anyone to use and encrypt messages, while only the receiving party has access to the decryption key to read encrypted messages. Public-key encryption often employs prime numbers to create keys as it is computationally difficult to factor large prime numbers, making it difficult to reverse-engineer the encryption. This type of encryption was first described in a secret document in 1973, prior to this all encryption schemes were symmetric-key algorithms. The Rivest-Shamir-Adleman (RSA) encryption algorithm is the most popular public-key encryption algorithm. WIth RSA, the public and private key can be used to encrypt a message and whichever is not used for encryption becomes the decryption key. Public-key encryption is also known as asymmetric encryption, asymmetric key encryption or public-key cryptography.
In principle, it is possible to decrypt a message without the decryption key, but well-designed encryption schemes require considerable computational resources and skill to do so.
This means that if an unauthorized entity intercepted an encrypted message, they could only gain access if they knew what cipher was used to encrypt the message and the decryption key.
Today, many cryptographic processes employ symmetric algorithms (to encrypt data) and asymmetric algorithms (to securely exchange the secret key). This allows them to take advantage of the speed of symmetric-key encryption while maintaining the additional secrecy of public-key encryption.
The three major components of any encryption systems are:
- The data to be protected
- The encryption algorithm
- The key management process
2. Why is encryption important?
Encryption is important because it allows you to protect data from unauthorized access. Encryption is foundational to cybersecurity, data security, information security and network security, due to its ability to provide:
- Confidentiality: By encoding the message, only the intended audience can access the encrypted data.
- Integrity: Encrypting messages proves that the message has not been changed since it was sent.
- Authentication: Encryption methods allow you to verify the origin of the message.
- Non repudiation: Once sent, the sender cannot deny they sent the encrypted message.
Using encryption can prevent data breaches, data leaks, corporate espionage, brute force attacks and other cyber attacks. And depending on your industry, regulatory compliance may depend on data protection using encryption and other security measures.
- In the United States: the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and their business associates implement security features to secure protected health information (PHI).
- In the European Union: GDPR requires that personally identifiable information (PII) be protected by appropriate technical and organizational methods.
- In Australia: APRA 234 requires APRA-regulated entities to take necessary measures to close attack vectors and to maintain the confidentiality, integrity and availability (CIA triad) of information assets and data, even those managed by third-party vendors highlighting increased regulatory focus on third-party risk, fourth-party risk and related data breaches.
3. How is encryption used?
Encryption has long been used by militaries and governments to facilitate secret communications.
Today, it is increasingly common in civilian systems to protect data in transit and at rest.
Every time you swipe your credit card or buy something online, you are relying on encryption to protect your payment information.
Outside of payments and ecommerce, organizations are increasingly relying on encryption to protect applications, trade secrets and customer information.
The increasing cost of data breaches, averaging $3.92 million globally and $8.19 million in the United States, highlights the need to protect the confidentiality, integrity and authenticity of sensitive data when other security measures fail. Not to mention regulatory and reputational damages.
Encryption is also be used to protect data in transit to prevent man-in-the-middle attacks and eavesdropping. For example, data that is being transferred via the Internet, smartphones, Bluetooth or ATMs.
Beyond securing data and communications, encryption can be used for secure data destruction.
Conventional methods for permanently deleting data from a hard drive rely on overwriting the device's content with zeros, ones or other patterns. This process can take time depending on the capacity and type of storage. Cryptography offerst a method of almost instantaneous erasure via crypto-shredding.
4. What are the limitations of encryption?
While encryption is an important tool, it is not sufficient to ensure the confidentiality, integrity or availability of sensitive information.
Most encryption software only encrypts information at rest or in transit, leaving sensitive data in plaintext and potentially vulnerable to exposure during processing, such as in a cloud service.
There are encryption processes that can compute on encrypted data (homomorphic encryption and secure multi-party computation), but these incur high computational and communication costs.
In response to encryption at rest, cyber criminals have developed new types of cyber attacks including cryptographic attacks, stolen ciphertext attacks, cryptanalysis, attacks on encryption keys, insider attacks, data integrity attacks, data destruction attacks and ransomware attacks.
Data fragmentation and data protection technologies attempt to counter these attacks by distributing, moving or mutating ciphertext so it is more difficult to identify, steal, corrupt or destroy.
Even with these technologies, the quality of your encryption doesn't matter if your third-party vendors and their vendors aren't using the same encryption standards as your organization.
This is why more organizations are investing in vendor risk management and cyber security ratings tools that can help them automatically monitor and assess first, third and fourth-party security postures.
These tools will allow your vendor risk team to focus on the most high risk, high impact remediations first and exponentially increase the number of third-party vendors one person can manage.
If your organization lacks vendor risk management expertise, consider investing in a tool that can automate vendor risk management, providing vendor risk assessment questionnaire templates and a third-party risk management framework.
Outside of vendor risk management, look for a tool to continuously scan for data exposures related to your business.
The other big limitation of encryption is key management because the keys to decrypt ciphertext have to exist somewhere and attackers often know where to look. There are plenty of best practices for key management, but it adds an extra layer of complexity to incident response planning and can increase the time it takes to start the disaster recovery process.
5. What are the types of encryption algorithms?
- Advanced Encryption Standard (AES): A symmetric block cipher established by the National Institute of Standards and Technology (NIST) that was chosen by the U.S. government to protect classified information and is implemented in software and hardware throughout the world to encrypt sensitive data.
- Data Encryption Standard (DES): A symmetric-key algorithm used to encrypt data. DES's short key length of 56 bits was criticized from the beginning, due to its vulnerability to brute force attacks.
- Triple DES (3DES): An improvement on the original DES algorithm. In essence, 3DES performs the DES algorithm three consecutive times during encryption and decryption, making it far more robust against brute force attacks albeit slower.
- Diffie-Hellman key exchange: also known as exponential key exchange, a method of securely exchanging cryptographic keys over a public channel by using numbers to a specific power to produce decryption keys.
- Elliptical curve cryptography (ECC): An approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. The resulting cryptographic algorithms are faster and more efficient while producing a comparable level of security with shorter keys. This makes ECC a good choice for devices with limited computing resources.
- Quantum key distribution (QKD): A proposed method for encryption where encryption keys are generated using a pair of entangled photons that are then transmitted separately to the message. Quantum entanglement enables the sender and receiver to know whether the encryption key has been intercepted or changed before the transmission is received. This is because the very act of observing transmitted information changes it in the quantum realm. Once encryption is determined secure and not intercepted, permission is given to transmit the encrypted message.
- Rivest-Shamir-Adleman (RSA): One of the first public-key cryptosystems that is widely used for secure data transmission. Many protocols like Secure Shell (SSH), Pretty Good Privacy (PGP), Secure Sockets Layer (SSL) and Transport Layer Security (TLS) rely on RSA and digital signatures.
6. What is the history of encryption?
Encryption is one of the oldest forms of science.
From prehistoric times to modern times, there has always been a basic human desire to disguise, masquerade or protect sensitive information from unintended eyes.
The funny thing is despite advances in encryption algorithms and technology, the central problem of encryption remains the same.
The problem was and still is how to exchange keys securely and secretly. It all comes down to key management.
In 1900 BC, an Egyptian nobleman used a simple hieroglyphic substitution in the tomb of Khnumhotep, altering one symbol for another. A very simple form of encryption which could be figured out in a relatively short period of time.
By 700 BC, Sparta was using a new form of encryption called the scytale transposition cipher. This form of encryption changes the position of the letters in the document rather than changing the letters themselves.
The concept seems simple compared to modern encryption algorithms, but was very complicated at the time.
It consisted of a thin piece of papyrus wrapped around a round staff, the encryptor would then write their message down the length of the staff. When finished, they would wrap the papyrus.
To any observer the message was unreadable and looked like scribble. However, the recipient of the message would have an identical stick to the writer of the message and rewrap the papyrus, revealing the message.
Recall that very few people could write and read at the time, making this encryption method robust.
Fast forward to 1917 when the British intercepted an encrypted German transmission, the telegram now known as the "Zimmerman Telegram" was written by German Foreign Minister Arthur Zimmerman to the German Minister of Mexico, offering United States territory to Mexico if it joined Germany efforts.
This telegram was shown to the US by Britain, acting as a catalyst for the US to declare war on Germany and its allies on April 6, 1917.
During WWII, the Germans developed a machine known as Enigma that was a small wooden box small enough to be carried by a single soldier. When opened, the box revealed a small typewriter style keyboard. The encryption was completed by a set of three rotors, each could be set to any letter of the alphabet, forming the decryption key.
The three sets of rotors formed a much stronger and more complicated encryption algorithm than simple substitution. In addition, there were actually five standard rotors but only three could be used at a time, creating 60 different possible combinations.
The Germans would change the rotors and their starting positions every two days.
Alan Turning, a young mathematician working for the British government eventually build a machine called the Turing bombe to decipher the enigma.
It wasn't until 1976 that encryption began to be used outside of military settings with the introduction of IBM's Data Encryption Standard (DES) and a paper published by Whitfield Diffie and Martin Hellman titled New Directions in Cryptography.
The paper laid the groundwork to solve one of the fundamental issues of encryption schemes, how to distribute the encryption key in a safe and secure manner.
Today, encryption is widely used in and outside of the military.
7. How UpGuard can improve your organization's cybersecurity
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.