A complete guide to data encryption

End-to-end encryption concept image showing a series of locked digitized padlocks on a circuit board.
(Image credit: Getty Images)

The fact that data has immense value in the modern age is no secret and while the phrase “data is the new oil” has been rinsed for all its worth, the fact of the matter is that it's an accurate comparison.

Data is incredibly valuable to businesses especially and, as such, methods to protect said data should be supremely sophisticated and reliable. Whether it's protecting your customers' personal data or sending messages between friends, encryption deserves a place in everyone's daily lives, regardless of how tech-savvy one may be.

People have always found methods to protect what they value the most, whether locking it away in a safe or keeping it with a trusted partner, everyone has their favorite method of securing valuables. But when it comes to protecting data there's no room for preference. Here, encryption is king and it's expected to have a long and powerful rule. When used correctly, it's the digital equivalent of Las Vegas casino's vault; it'll take something truly special and extraordinary to break in a steal it.

Data encryption has a long and fascinating history; it's a complex field of research that's by no means perfect even today. Encryption technology is one of the most resilient defences deployed to protect data and naturally, attackers are consistently devising ways to break the most prized standards.

A brief history of data encryption

The wider concept of cryptography dates back as far as early mathematics but became a pivotal focus for research in large part during the Second World War to break encrypted axis messages. However, pioneering information theorist Claude E. Shannon is usually cited as the founder of modern, mathematically-based cryptography and helped to shepherd it from a government pet project to a more widely accessible field being created by the 1970s. It was this decade that saw the creation of the data encryption standard (DES), and the arrival of public-key encryption.

DES works by dividing a 64-bit block of data into two 32-bit halves, which are processed alternately through 16 stages. A 56-bit portion of a 64-bit numerical key is selected, and this is used in different permutations at each stage to encrypt the data according to a set schedule and series of functions. Decryption involves running this process in reverse, so requires the original 56-bit key that was used during encryption.

Public-key encryption works slightly differently. This uses two mathematically linked but numerically different keys for encryption and decryption, one of which is public, and the other private. The public key is used for encryption, while the private key is used for decryption. Because different keys are used in the two stages, this process is called asymmetric, in contrast to the symmetric system used by DES.

The original DES was soon under concerted threat of breakage, with academics proposing methods to crack it as soon as it had arrived in 1977. However, it wasn't until 1998 that DES was officially broken when the Electronic Frontier Foundation used a $250,000 system to find a key in just over two days. With the help of distributed.net, this was reduced to under a day in 1999. These efforts used a "brute force" attack, where every key is tried until the correct one is found. Systems able to perform this kind of attack have become increasingly cheap.

By 2001, the Advanced Encryption Standard (AES) had been chosen as the successor to DES. This uses symmetric keys of 128-bit, 192-bit, or 256-bit length, with ten, 12, and 14 rounds of encryption respectively. It remains a popular choice for data security, still in use by parties such as the US and UK governments.

Different types of encryption

Today, the most common encryption methods are either symmetric or asymmetric in nature. But how do they work, and what are they used for?

Symmetric encryption, also known as shared key encryption, uses a single key for both ciphering and deciphering data. The sender uses this key to turn plaintext into ciphertext, which the recipient then decrypts with an identical key. Although only authorized parties can access this shared key, it can easily fall into the wrong hands if improperly stored.

As both the sender and recipient access one key, symmetric encryption is typically cheaper, faster, and less complicated than other types of encryption. Therefore, it’s a good choice for sending large volumes of data.

This encryption method is an “essential” component of IT systems that need to secure data at rest and transit stages, such as databases and private network communications, explains ESET global cyber security advisor Jake Moore. But he admits that symmetric encryption is most effective in systems requiring “very little user participation”, like phone locks.

Moore says symmetric encryption can also benefit systems that require high-performance and secure encryption key sharing between the sender and recipient. These include file and server systems. He adds: “It is vital for sensitive data on hard drives and vital to help keep adversaries out.”

On the other hand, asymmetric encryption—which is also called private key encryption—uses a distinct key for encrypting sensitive information and another for decrypting it. The sender’s key is typically a public one that can be shared with an authorized group of people or accessed widely by any internet user.

The recipient uses a private key to access information encrypted by the sender’s public key. If they lose it, deciphering the received information will be impossible, so careful management of private keys is paramount.

The biggest benefit of asymmetric encryption is arguably the extra security it provides, as senders and recipients don’t share the same decryption key. But it’s usually expensive and slower compared to more affordable and agile symmetric encryption techniques.

Asymmetric encryption “plays a key role in cyber security” as it enables “secure key exchange” and “digital authentication”, according to Moore. He points out that this encryption method is commonly used as part of email logins, web communications, as well as digital signatures and certificates. It provides greater data integrity and identity verification, which he argues are “growing in importance” in today’s interconnected and highly digitized world.

While both symmetric and asymmetric encryption are crucial in protecting sensitive information and communications, Moore warns that cyber criminals can “successfully attack or manipulate” either method. With this in mind, he urges people to secure their data “to the highest level” and improve their understanding of cyber security risks.

What about hashing?

Even though hashing isn’t technically a form of encryption, it’s a fundamental concept in cryptography and worth understanding. This term describes the creation of fixed-length hash values that replace the contents or summaries of sensitive data. Unlike encryption, hashes aren’t designed to be deciphered; rather, they serve as a way to verify confidential information, such as passwords stored on a server. Hashing makes it harder for hackers to gain unauthorized access to confidential data.

What are encryption algorithms?

Encryption algorithms encrypt plaintext by turning it into ciphertext, which is then deciphered using a shared or private key, depending on whether symmetric or asymmetric encryption is being deployed.

Many different encryption algorithms are available, with some existing for decades and others being more recent. Here are some of the best examples:

  • DES: The data encryption standard is a symmetric encryption algorithm invented in the 1970s, making it one of the oldest methods on this list. With a key length of 56 bits, it has become outdated over the past years. And cybersecurity experts view it as insecure.
  • TDES: The triple data encryption standard, also known as 3DES, is another type of symmetric encryption that ciphers data in three different 56-bit blocks. It’s traditionally the encryption of choice for banks and other financial institutions, encrypting sensitive information like ATM pin numbers. However, as with DES, many experts view it as a legacy form of encryption.
  • AES: The advanced encryption standard is a symmetric encryption method that uses 128-, 192- and 256-bit key lengths. Governments and organizations typically use it to encrypt classified data in a single block.
  • Blowfish: This is a publicly accessible, free-to-use symmetric encryption algorithm that encrypts data in separate 64-bit blocks. It’s used in products ranging from e-commerce websites to virtual private networks (VPNs)
  • Twofish: It’s essentially a new version of Blowfish, encrypting data in 128-bit blocks and 16 rounds. Like its predecessor, Twofish doesn’t require a paid licence and uses symmetric encryption principles. It can be used in software and hardware environments.
  • RSA: The Rivest-Shamir-Adleman (named after its creators) standard is a widespread asymmetric encryption algorithm that has existed since the 1970s. Organizations and individuals typically use it to encrypt online data, which is ciphered with a public key and deciphered with a private one. RSA encryption keys are formed on the product of large prime numbers.
  • ECC: The elliptic curve cryptography is one of the most sophisticated forms of asymmetric encryption. It encrypts data based on the mathematical theory of elliptic curves, with use cases ranging from authentication to digital signatures.

Encrypting the network

Whatever encryption system you use, there is always the issue of how you exchange the necessary keys between sender and recipient in the first place. This is particularly important in this era of ubiquitous wireless communications.

The original Wi-Fi security, WEP, provides a 64-bit option using a 40-bit key, or a 128-bit option using a 104-bit key. But the handshaking process in a Shared Key WEP system means that initialisation frames can be captured and used to deduce the key - the infamous packet sniffing performed by "war chalkers" looking to reveal WLAN security credentials so passers-by can use them. The more secure Open Key option is still relatively easy to crack, too.

As a result, WEP was replaced by WPA2 and subsequently WPA3. WPA uses a temporal key integrity protocol (TKIP), which creates a new 128-bit key for each packet of information, of which there will be so many every second that snooping becomes very hard indeed. However, WPA2 improves this still further with an AES-based 256-bit key, and WPA3 uses a 192-bit key in place of the 128-bit in previous versions.

WPA3 also handles encryption on a device-by-device basis, to keep each device separately secure rather than sharing keys.

Encryption is essential for many other everyday activities. You wouldn't want login information or financial details to be passed in plain text form over the internet, or even a private network. So secure sockets layer (SSL) and then transport layer security (TLS) were developed to enable devices to securely communicate with one another.

A remote connection can be made securely over a public network such as the internet using encrypted tunneling protocols, such as SSH Secure Shell. This uses public key encryption, with the remote system holding a public key and the local system a private key. These must be from a matching pair to allow connection. A VPN is a similar tunneling system for running a private network over a public one.

Various encryption methods can be employed, including TLS, SSH, and IPsec. The latter works at a lower level of the network protocol stack, so can protect any application traffic across the network. In contrast, with TLS and SSH, the applications need to support these encryption systems themselves to communicate securely.

The future of encryption

Encryption is a great way of securing and verifying sensitive data and communications, but it’s not entirely impenetrable to cyber criminals. Whether it’s stealing security keys, breaking ciphers, or hijacking data in transit, there are various ways hackers get past encryption.

But in the foreseeable future, this could change thanks to advancements in quantum computing and cryptography. Moore argues that, when combined, encryption will become “bulletproof”.

“It could potentially promise enhanced security by leveraging the behavior of quantum particles, making it theoretically impossible for data interception without detection,” he tells ITPro.

“Given its potential to address vulnerabilities in standard encryption methods, it could therefore play a crucial role in the future of cybersecurity.”

RELATED WHITEPAPER

On the flip side, hackers empowered with quantum cryptography represent a potential threat to businesses, which must be anticipated and guarded against.

Moore points out, however, that quantum computing must overcome “technical and practical challenges” to become widely adopted and deliver benefits for encryption. This will take “a minimum of 10 years”.

Away from technology advancements, the political climate is pressuring tech firms to break end-to-end encryption within messaging apps on the basis of preserving national security. Messenger and WhatsApp are the more commonly used communication platforms with end-to-end encryption baked, in while Telegram and Signal are two other popular options for those who want to keep their communications away from prying eyes.

TOPICS
Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.

With contributions from