Security

Cheat Sheet: Encryption

We've got the whole thing cracked...

Encryption? Isn't that something to do with the Enigma machine and secret service shenanigans? Yes and no. Encryption is a well-used method for protecting information but it takes on a whole new role in the modern computer age.

How does encryption work? Well, by changing or scrambling the order of letters and words, encryption can protect communications while they are being transmitted through a hostile environment.

In the past, this might have included encrypted letters containing top secret military information travelling across the battlefield which could only be deciphered if the recipient has a 'key' which explains how to reorganise the words and letters to make sense.

An example of this is the work that went on at Bletchley Park to decipher Nazi messages during World War II and one of Bletchley's machines from that era recently came back to life (click here for Bletchley photos) to start cracking codes again.

But that's the encryption of yesteryear - how's it used in the digital age? Well, it's based on the same principles of past encryption methods - where a key is needed to decipher a message or piece of information.

Software is used to encrypt all sorts of data to stop unscrupulous sorts getting that information, from credit card details passing over the internet to emails and company databases. Another modern day example of where you can see encryption at work is on the likes of DRM protection for music, where the music is coded so it cannot be played on unauthorised machines.

Most computer encryption systems belong in one of two categories - symmetric-key encryption or public-key encryption.

What's the difference? In symmetric-key encryption, each computer has a secret key that it can use to encrypt a packet of information before it is sent over the network to another computer.

Both the sending and receiving computers need the same key to decrypt the messages passing between them.

But public-key encryption uses a combination of a private and a public key. The private key is known only to your computer, while the public key is given by your computer to any other computer it wants to communicate with.

To decode the encrypted message, a computer must use the public key and its own private key.

But how's public-key encryption going to work on a larger scale? That's a lot of keys... Fair point and this is where digital certificates come in. Say two computers want to communicate via a web server, the digital certificate is basically a rubber stamp that says the web server is trusted by an independent source known as a certification authority.

So what does the certification authority do? It acts as a middleman which both computers can trust and confirm each computer is who it says it is and then provides the public keys of each computer to the other.

But how can you trust a computer is who it says it is? Authentication works hand in hand with encryption to make the system work. There are several ways to authenticate a person or information on a computer such as the use of a password, digital signatures or even biometrics or voice recognition tech.

So why should businesses bother with encryption? Well, one big reason is data breach notifications. In the US, the majority of states have notification legislation so that if, say, a laptop or mobile is lost with customers' information on it - those customers must be informed their data is at risk.

But, if the lost device is encrypted - the company is not legally obliged to tell its customers, saving it face and potentially lost earnings. Although there are no data breach notification laws in the UK at the moment, HM Revenue & Customs is probably kicking itself over not encrypting the two CDs containing the details of 25 million child benefit recipients that got lost in the post.

But the main reason for businesses to use it is encryption is traditionally seen as the most secure way to transport data.

So encryption is safer than just using password protection? Well - weak passwords using combinations of letters and numbers can be cracked in seconds but finding the key to decipher well encrypted data could take a lot longer, maybe even years.

And it all comes down to key length. In encryption the key is made up of a series of numbers and the length of that key is a factor in determining how difficult it will be to decrypt the text in a given message.

So I should be using longer keys to properly protect my encrypted data? Basically, yes. As an example, the US ditched a 56-bit key-sized cipher called the Data Encryption Standard (DES) as its official encryption standard a few years ago in favour of the longer-keyed Advanced Encryption Standard (AES).

What are the downsides of encryption? It's not just used by the good guys, for one thing. One set of cyber criminals have used encryption within so-called 'ransomware Trojans' which infect a PC, encrypt some data and then display an alert telling the victim to send money to get the decryption key to access their data again.

So is encryption here to stay? Some argue just as antivirus and firewalls are now commonplace, so encryption will be to - and used by everyone from blue chip companies to SMEs and consumers.

Editor's Picks

Free Newsletters, In your Inbox