Author: Cody J., Inflow Software Engineer
Encryption is an important part of an information security posture, arguably the most important. Often, it is the last resort to preventing data theft, as in the case of a stolen laptop or a hacker breaking into a server.
At its most basic, encryption is pretty simple: You take some information, use a “key” to encode it, and out comes gibberish. The Greeks used a wooden rod as the key, wrapping paper or other media around the rod in a spiral and then writing along the length of it. When unraveled, the writing would be meaningless; only with a rod of the same diameter could the message be read “in the clear”.
With the advent of computers, the mechanism has changed but the principle is the same. A computer encrypts data using a key and a key is needed to decrypt it. There are two main forms of encryption nowadays: symmetric key and asymmetric key. Symmetric key encryption uses the same key for both encryption and decryption, while asymmetric key encryption uses two different keys (one public and one private); this is why asymmetric encryption is sometimes called “public key encryption”.
In addition, encryption can be performed with streaming data, e.g. network connections, where the data is encrypted one byte at a time or it can be done with static data, e.g. on a hard drive, where the data is encrypted in blocks composed of a certain number of bits.
When a key is applied to data, the data is changed in a specific way, but, unlike hashing algorithms, the data can be recovered by re-applying the key in the reverse direction. Hashing algorithms work like encryption, i.e. the data is gibberish after the conversion, but hashed data cannot be recovered in a reverse fashion.
In symmetric encryption, the same key is used on both ends. This means the encryption/decryption process is very fast but it also means if someone unauthorized gains the key, they can encrypt/decrypt data just as easily. Not only will the intruder know all the secrets that were encrypted, but they can make their own encrypted data and pretend they are an authorized user.
An early example of symmetric encryption is known as Caesar's Cipher. Julius Caesar used it to communicate with his generals and other correspondents. Essentially, a plain-text message was scrambled by shifting the letters a given number of positions. For example, “A” now becomes “E”, “B” becomes “F”, and so on. As long as the person receiving the message knows the direction and number of positions to shift, the message can be decoded.
Asymmetric encryption uses two different keys, a public and a private. The private key is kept secret by one party but the public key is given to everyone. Encryption and decryption can still occur but both keys are required. The private key can encrypt a message but only the public key can decrypt it and vice versa. This allows a user to send and receive encrypted information with anyone who has the public key.
Probably the best example of this is with encrypted email. A sender can use the recipient’s public key to encrypt an email; only the recipient will be able to decrypt it and read the contents. If the recipient wants to send a reply, the email is encrypted with the private key and the receiver uses the sender’s public key to decrypt it.
Digital certificates are based on public key encryption. They are hosted by an independent third-party (a certificate authority, or CA) to organizations for use with computer systems, such as web servers. The CA acts as a trusted clearinghouse for digital certificates; the CA issues a company a public key certificate, while end users have a CA-issued certificate in their browser. When the user attempts to connect to the company, the user’s computer compares the CA certificate on the server with the one in the browser. If they match, then an encrypted session is started; otherwise, the user is notified that the certificates don’t match and the session won’t be encrypted.
Digital certificates essentially say that an organization is trusted by the certificate authority to be legitimate, as the organization had to prove itself to the certificate authority. The CA acts as a middleman between the organization and a user, providing the public key necessary to establish a secure, encrypted connection between the two.
This prevents individuals from having to set up their own database of certificates whenever they want to have an encrypted session with a company. Web browsers are provided with a large number of CA certificates built-in; without the CA’s, each user would have to maintain the public keys for every entity they wanted to have an encrypted session with.
In essence, the CA provides the user with the public key for a company and the company holds the private key. If the public key changes, like it expired, the CA certificate is the only one that is changed. Users will receive the new key when they initiate a new encrypted session. The company doesn’t have to send out new keys to every single user every time.
A similar process occurs with digital signatures. An electronic device is associated with an individual, often a smart card, and that person has to prove their identity to the card’s issuer. The issuer creates a variety of digital certificates on the card (for public key encryption), as well as another certificate that is used as a digital signature.
Essentially, when a document or email is digitally signed, the file is hashed with the individual’s digital signature certificate, creating a unique hash value. Upon receipt, the receiver can confirm whether the signature certificate used to “sign” the file is legitimate or not. This provides authentication (knowing who the sender is), non-repudiation (only the legitimate sender could sign it), and integrity (any modifications to the file or digital signature certificate would invalidate the unique hash).
In summary, encryption is a vital part of computing nowadays. Like a phone, it can be used for good things as well as bad things. However, just like a phone, the odds of encryption being used for bad things are incredibly low compared to the number of transactions occurring each day.
Encryption should be used whenever possible, as it provides a measure of safety in case the bad guys get through your other security measures. That said, encryption keys need to be safeguarded; having an encrypted iPhone is worthless if someone knows your PIN to unlock it.
At Inflow we solve complex terror and criminal issues for the United States Government and their partners, by providing high quality and innovative solutions at the right price through the cultivation of a corporate culture dedicated to being #1 in employee and customer engagement. We Make it Matter, by putting people first! If you are interested in working for Inflow or partnering with us on future projects, contact us here.