A Description of Encryption: The How, Why and When of Cryptography
The list of sites that store your password unencrypted is staggering. The Ashley Madison data breach of recent memory is a prime example of mishandling of sensitive information, where over 300GB of user data was compromised in plaintext form. It’s not the only example, either, with sites like Britannica recently being accused of plaintext password storage.
In this guide on encryption, we’re going to address why sensitive information needs to be encrypted in-transit and storage so you can protect yourself against poor security practices. We’ll give you a basic definition of encryption, go over the different ways in which it happens and provide some uses for it, too.
Our hope is that by the end of this guide you’ll understand the need for encryption on sensitive data and the real-world applications for it. While cryptography is a dense and complex topic, we’ve tried to make it as simple as possible for the purpose of this guide.
What is Encryption?
Encryption is a simple concept to grasp. Essentially, it’s a way that you can encode a piece of information so only the intended recipient can access it. The information is scrambled using a cipher, such as AES, and a key is shared between parties that allows the recipient to decrypt it.
The cipher converts plaintext to ciphertext, making the information unreadable to anyone without the key. To ensure only the intended recipient can decrypt that data, an encryption key is shared that allows the two machines to agree that the data source and destination are as intended. We’ll talk more about encryption keys in the next section.
Cryptography, the broader term for securely passing information, isn’t new. The ancient Greeks often used ciphers to scramble messages, usually just rearranging the letters of each word or applying a simple rule. The Caesar cipher is a good example. The same methods apply to digital encryption, but the ciphers are more complex.
In the digital world, encryption is used as a means of securing personal information, such as passwords and internet traffic, as we’ll discuss in a later section. If you have an online account just about anywhere, your information is likely encrypted. While you haven’t actively taken part in the process, you’ve still received the benefit.
Encryption protects against interception and theft of your data. The scrambled data can only be decrypted with the encryption key, which the attacker shouldn’t have access to. There are two main types of encryption that have different functions.
Types of Encryption
There’s more than one way to encrypt plaintext: the limit seems to be the human imagination. Let’s take a look at a few of the most common types.
Private Key/Symmetric Encryption
Symmetric encryption uses the same key to encrypt and decrypt the data. That means the encryption key is shared between parties before the data is encrypted or decrypted. Symmetric encryption would be like having a safe where you store your data. You, and anybody else who could access that data, would need the combination to open the safe.
This encryption is mainly used to protect data at rest. A good example of this is cloud storage, where encryption happens while the data is still stored, and it is only decrypted when accessed by an authorized user.
The basic process works like this: A user requests access to encrypted data. The storage container sends back an encryption key to the key manager. The key manager verifies the legitimacy of each party, then opens a secure connection between them.
Now that the secure connection is opened, the encryption key is shared between parties. After that’s done, the encrypted information is decrypted and sent as plaintext to the requesting party.
There are a lot of steps when it comes to symmetric encryption, which makes it most applicable to data at rest. Asymmetric encryption is better for data in motion, as it allows users to actively encrypt packets of data without sharing a key between them.
Public Key/Asymmetric Encryption
Asymmetric encryption relies on a public/private key pair instead of a private key shared between parties. It starts with the encryption of your data, which uses a public key. As the name suggests, the public key is made freely available to anyone who needs it.
This type of encryption is used for data in motion. An example would be connecting to the internet through a virtual private network, as we’ll discuss in a later section. A symmetric session key is used to encrypt the data, and then a public key is used to encrypt the symmetric key. Once the encrypted data is received, the private key is used to decrypt the session key, which is then used to convert the ciphertext back to plaintext.
First, the sender and recipient verify each other’s certificates. The sender requests the public key of the recipient, which is then shared. An ephemeral symmetric key, which is only used for one session, encrypts the plaintext to ciphertext.
Then, the public key encrypts the symmetric key.
The encrypted data is sent to the recipient. The symmetric key is decrypted using the private key that matches the public one shared with the sender. Now that the recipient can see the symmetric key, they can convert the ciphertext back to plaintext.
There’s still a symmetric key, but it doesn’t need to be shared between parties before encryption takes place. The data is encrypted with an unshared symmetric key, and that key is encrypted using the public/private key pair.
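The exchange described above, written out with the Python cryptography package as an added example (not code from the original article). RSA-OAEP for wrapping the session key and AES-256-GCM for the data are assumed choices; the certificate-verification step is left out.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP padding used to wrap the session key (assumed choice for this example).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    """Recipient's public/private pair; only the public half is ever handed out."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def seal(plaintext: bytes, recipient_public_key) -> dict:
    """Sender side: a fresh one-session AES key encrypts the data, the public key wraps that AES key."""
    session_key = AESGCM.generate_key(bit_length=256)  # ephemeral symmetric key, never shared in the clear
    nonce = os.urandom(12)                              # must be unique for every encryption under this key
    ciphertext = AESGCM(session_key).encrypt(nonce, plaintext, None)
    wrapped_key = recipient_public_key.encrypt(session_key, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext}


def unseal(envelope: dict, recipient_private_key) -> bytes:
    """Recipient side: the private key recovers the session key, which recovers the plaintext."""
    session_key = recipient_private_key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)


def tamper_detected(envelope: dict, recipient_private_key) -> bool:
    """Flip one ciphertext byte in transit; AES-GCM's authentication tag must reject it."""
    corrupted = bytearray(envelope["ciphertext"])
    corrupted[0] ^= 0x01
    try:
        unseal(dict(envelope, ciphertext=bytes(corrupted)), recipient_private_key)
    except InvalidTag:
        return True
    return False


def wrong_key_rejected(envelope: dict) -> bool:
    """A private key that does not match the wrapping public key cannot unwrap the session key."""
    try:
        unseal(envelope, generate_keypair())
    except ValueError:
        return True
    return False
```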
Storing Encrypted Data
There’s an inherent flaw with any cipher; it’s intended to be decrypted. If an attacker has access to the decryption key, then your information is immediately revealed. Storing passwords on a server, even in an encrypted form, isn’t safe. Assuming your password and encryption method are weak, it can easily be decrypted (check out our guide on creating a strong password to avoid this).
The intention of encryption is decryption by the intended party. Because of that, it’s not common or good practice to store encrypted passwords on a server. The value of the encrypted data doesn’t need to be known, so there’s no reason to allow such data to be stored. Encryption is meant for transit, not storage.
Hash It
A more secure method is to store a password hash on a server. Hashing is a process where a value is calculated from text using an algorithm. Hashes are better because they can’t be reverse-engineered. You can generate a hash from a password, but you can’t generate a password from a hash.
Unfortunately, this doesn’t solve every problem. An attacker can still use the hash to brute-force your password. If an attacker manages to steal a table of password hashes, then they can use a dictionary attack to figure out those passwords through a process of trial and error.
Once the attacker figures out what algorithm the passwords were hashed with, they can use a piece of software that will generate possible passwords using common words in the dictionary. The candidate passwords are hashed using the known algorithm and then compared to the password hashes in the table.
If there’s a match, the attacker has successfully cracked your password.
It’s even easier if you’re using a common password. Let’s assume there’s a data breach and your password hash is stolen. The password you used, for some terrible reason, is “password123.” The MD5 hash of that password is 482C811DA5D5B4BC6D497FFA98491E38. That will always be the hash of that string of text for that algorithm. You can’t reverse engineer a hash, but you can use that hash to guess the password. This is still considered more secure for storing data that doesn’t need to be revealed, though. 482C811DA5D5B4BC6D497FFA98491E38 cannot go through the algorithm to spit out “password123” on the other end.
Salt It
Our theoretical hacker has figured out that 482C811DA5D5B4BC6D497FFA98491E38 is the hash for “password123.” Even worse, they’ve found 50 matches to that hash in the database, meaning 50 accounts are compromised for the price of one.
That’s where salting comes in. A salt is data added to a password before it’s hashed. There’s no set rule for what a salt should be; whoever is salting your password can determine that. Let’s say, for example, that you create an account and the website you created it with salts your password before hashing it.
For that account, the salt is to add a random number plus your first and last initial to your password, based on the account information you entered when you signed up. Now, “password123” becomes, for example, “password1239jr.”
Salting doesn’t eliminate the problem of brute force attacks, but it significantly decreases the chance of an attack being successful. Even users with identical passwords won’t have the same hash result, meaning that the attacker has to figure out not only the hashing algorithm but also the salting method.
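The contrast this section draws, as an added example that is not from the original article: an unsalted MD5 table leaks which accounts share a password, while a per-user random salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256 with 200,000 rounds, the round count quoted in the password-manager section below) gives every account a distinct hash. The user table is constructed for the example, and PBKDF2 is an assumed scheme standing in for any particular vendor's.

```python
import hashlib
import hmac
import os

# Constructed sample user table: two users chose the same weak password.
USERS = {"alice": "password123", "bob": "password123", "carol": "Tr0ub4dor&3"}
ROUNDS = 200_000  # iteration count; slows each guess an attacker has to make


def md5_unsalted(password: str) -> str:
    """Plain MD5: the same password always yields the same hash, so duplicates are visible."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256 (assumed scheme): salted and deliberately expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_record(password: str) -> dict:
    """What the server stores: a fresh random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": ROUNDS, "hash": slow_salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    candidate = slow_salted_hash(password, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def duplicate_hash_groups(hashes) -> int:
    """Count hash values that appear more than once: what a stolen table reveals about shared passwords."""
    counts = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def unsalted_duplicates(users: dict = USERS) -> int:
    return duplicate_hash_groups(md5_unsalted(p) for p in users.values())


def salted_duplicates(users: dict = USERS) -> int:
    return duplicate_hash_groups(make_record(p)["hash"] for p in users.values())
```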
Uses for Encryption
Encryption is important, and it has been for centuries. In the digital age, this couldn’t be more true. A single piece of sensitive data could expose you to cybercrime, including identity theft and fraud. There are many uses for encryption that can protect your online accounts, sensitive files and internet traffic.
Securing Your Passwords
Passwords are the most important data you’d want encrypted, considering they’re often the key that unlocks innumerable other pieces of data about you. A password manager allows you to use a strong, unique password on each of your online accounts, exponentially increasing your security.
As we discussed in the hashing section above, a password hash can be revealed through a brute force attack. However, these attacks prey on weak passwords, not strong ones. A similar attack, while being able to figure out “password123,” would have a difficult time generating “ZTG$iS%8a2zF” as a candidate password.
The above example was generated with the LastPass browser extension. It can generate a 12-character password, as with our example above, but also any combination of up to 99 characters. It’s also the best free password manager on the market, which you can read about in our LastPass review.
Password managers store password data in an encrypted vault that only you have access to. That vault is protected with a master password that only you have knowledge of. The best password managers have security measures in place to protect your master password, too.
Dashlane, for example, uses a zero-knowledge model, meaning neither your master password nor any of its hashes are stored. Your master password is encrypted with AES-256 on your local device after salting and sent through 200,000 rounds of SHA2 hashing.
As hashing is a one-way street, this makes your master password much more difficult to crack. An alphanumeric master password of at least eight characters would take approximately 45,000 years to crack using SHA2 hashing. If you use the more modern Argon2 hashing algorithm, which Dashlane offers, it would take just shy of seven million years.
Dashlane has a lot to offer outside of security, too, including a robust feature set and easy to use interface. You can learn more about it in our Dashlane review.
Hiding Your Internet Traffic
Most internet traffic is encrypted. If you land on a site that has an SSL certificate, you’re connecting to that site over an encrypted connection. It’s encrypted from the outside world, though, not from your ISP. Additionally, this form of encryption has known exploits that can easily be carried out, as you can read about in our SSL vs. TLS guide.
That’s where a virtual private network comes in. In addition to hiding your IP address and anonymizing your traffic, a VPN will also encrypt your internet connection. That means your ISP, or anyone who could break your secure tunnel, won’t be able to detect what you’re doing online.
This has upsides for security, such as hiding personal data that you’re transferring over the internet, but also for privacy. Your ISP won’t be able to spy on what you’re doing, whether it’s downloading a couple of movies or otherwise (which you should do with our best VPN for torrenting).
The best VPN providers use top-notch methods, too. ExpressVPN, for example, encrypts your traffic with AES-256 over the OpenVPN protocol. You can learn more about protocols in our guide to VPN security, and about ExpressVPN in our ExpressVPN review.
If you don’t care for that service, NordVPN (read our NordVPN review) is a great alternative.
Storing Your Data
As we noted in our guide on how to encrypt your data for cloud storage, managed encryption in the cloud causes a few issues. In particular, services that encrypt your data on their servers also manage the encryption key, making you more vulnerable than you need to be.
That’s where zero-knowledge cloud storage comes into play. As with password managers who use this model, your password, encrypted or unencrypted, is not stored on the provider’s servers. In most cases, you manage the encryption key, too, meaning that if a government agency came knocking, all the provider could give them is a bundle of ciphertext.
Zero-knowledge doesn’t inherently mean more secure; cloud storage security is more complicated than that. However, the best zero-knowledge cloud services are a safe bet, especially since many of them share a spot in our secure cloud storage guide.
The winner of both of those guides, as well as our complete clouds comparison, is Sync.com. It earned a 100 percent rating in security in our Sync.com review for its zero-knowledge model and top-notch AES-256 encryption.
There are a few other providers that have excellent security scores, such as pCloud, as you can read in our pCloud review. If you want to shop around more, the top providers in our cloud storage services are a good place to start.
Final Thoughts
Encryption is part of using the internet. Your sensitive information is required for banking, access to medical records and even shopping online. Our hope is that this guide has given you a better understanding of how your data is being handled so you can make an informed decision about what organizations you let maintain it.
As long as it’s handled properly, encryption is one of the best things for cybersecurity. Password managers, VPNs and secure cloud storage providers ensure that you’re protected from hasty password storage, creeping ISPs and unsecured data.
Do you feel more confident in encryption? Let us know in the comments below and, as always, thanks for reading.