More than perhaps any other security topic, encryption really seems to perplex a lot of people. So, let’s take a closer look – from basics to best practice.
For a security wonk, frequently getting into conversations with people about security topics is an occupational hazard. And while those conversations usually happen with more gusto and at greater length than are entirely desired by either party, they can often offer a sobering glimpse into people’s real security practices and thought processes.
One thing I have learned is that, more than perhaps any other security topic, encryption really seems to perplex a lot of people. So, let us have a look at what it is, and why it is useful.
Encryption: Not just magical security sauce
“Most people seem to think that encryption is an infinitely complicated thing that only the most superhuman of mathematical geniuses can fully understand.”
Most of the people I talk to, even some who regularly and knowingly use encryption, seem to think encryption is an infinitely complicated thing that only the most superhuman of mathematical geniuses can fully understand. And while it is certainly no small feat to create truly secure encryption algorithms, there are a lot of simple types of encryption that you might even have implemented yourself without knowing it.
Simply put; encryption is the process of encoding something so that it is not easily understood by those not authorized to access it.
Note the word “easily” in that sentence: some people seem to view encryption as some sort of magical security sauce that automatically and unequivocally makes it so that no one but the authorized user can ever view the unencrypted contents. There is a wide variety of types of encryption, not all of which are particularly difficult to crack.
When encryption is child’s play
Most kids have played with a very simple form of encryption at some point: If you have ever had one of those secret decoder rings that came as a prize in a box of cereal, or solved a Cryptogram puzzle, you were playing with encryption. Decoder rings are using one of the simplest methods of encryption, sometimes called a rotational or shift cipher – you “rotate” or shift the alphabet a few letters to get the “encoded” letter.
According to Suetonius, the Roman emperor Julius Caesar sometimes used the shift cipher called the Caesar cipher, where each unencrypted letter is shifted by three letters.
Classic Caesar Cipher (Caesar Word Salad)
Another popular shift cipher is referred to as ROT13, whose name is short for “rotate by 13 places”.
As you can see, this shifts the alphabet by half, which means the same action that is used to encode can be used again to decode. As an encryption method, it does not get much simpler or more insecure than this; it is so commonly used in certain circles that people can read it almost as well as plain text.
Cryptograms (or Word Scrambles) are games where you solve puzzles by substituting one fixed letter for another to decode a phrase. This is also meant to be fairly trivial to crack, lest the game be too hard to be any fun. Because letters can be used in any order, not just in alphabetical order, it is intended to be more complex to decode than a shift cipher.
If you ever had a secret diary as a kid, you might have created your own encryption too. In my own childhood diary, I made a cipher using nonsense symbols as substitutes for letters, so that I could talk freely without worrying about someone snooping. (But then I also wrote out the key at the front of that same diary. Whoops!)
These are very simple methods of encryption that are also simple to undo (especially if you leave the key in plain sight like I did!). But there are other types of encryption that are effectively impossible to undo with today’s computing power. Most types of encryption are like those that you use on a daily basis, which is to say they are somewhere in between these two extremes in terms of complexity; they are very difficult to decrypt by all but the most determined adversary but not so thorough as to make the encryption process take forever and a day.
When do you use encryption?
Generally speaking, there are two contexts when you would use encryption: when it is “in transit” or when it is “at rest”. What “in transit” means in this context is when you send it somewhere else via the web, in email, or any time you want it to be somewhere other than just on your own device. Data is considered “at rest” when it is on the storage media on your device, which could either be an integral part of the device, like a hard drive, or removable, like a thumb drive.
When you encrypt data in transit, you are essentially using encryption to try to dissuade people from eavesdropping on your conversation. One of the most common forms of this is encrypted web traffic. A lot of websites, particularly financial sites, social media sites and email sites, now use this by default. You do not need to do anything special to make this happen. Whenever you see that little padlock icon up at the top, to the left of the website’s name, and if it uses a web address that starts with HTTPS – rather than just HTTP – that means your data is being encrypted. The S in HTTPS stands for “secure” and it means that your data is encrypted, which increases the security of the transmission of data both to and from your computer and this website.
All of the major operating systems, and many popular software applications, give you the option of encrypting files or folders on your device. When you use this option, you must choose a password that allows you (and anyone else you share the password with) to unlock and decrypt those files.
Data in use
Encryption is great for when data is in storage or in transit, but there is one other situation that bears discussion; when your encrypted document is in use. That is to say, when you have opened up that protected document and are looking at it or editing it. This includes any time the encrypted file is open, even if it is minimized or visually covered up in some way.
Unlocking the file means it has been decrypted in your device’s memory. If, for example, someone has opened a backdoor into your machine with malware, they can access that data as long as it is unlocked. This does not mean that encryption is ineffective – in fact, liberally using encryption can really limit the amount of damage someone can do and it can also shrink the window of time in which an attacker has access to your decrypted data. This is why you often hear us say that layered defenses are a good thing: one technology can help bolster the effectiveness of another as each shrinks the opportunity for an attacker to steal data.