Hello everyone, I hope you are having a wonderful morning and are enjoying Cyber Adjacent’s month of passwords so far. As promised, this newsletter will go deeper than pastel slides and into the bold world of encryption – an essential part of cyber security and data protection.
Everything I have learned about encryption has been unnecessarily convoluted and hard. As a result, it took me a long time to get my head around it. And sure, whilst encryption can be a complex topic, understanding the basics (as with many cyber topics) shouldn't be a painful experience.
To help explain encryption, I’ve broken it down into seven clear and (hopefully) meaningful sections. I hope this will build a strong foundation of understanding for you and that it doesn’t feel like you’re doing high school maths with your dad on a Sunday night.
1. Concept of a Secret Message
Encryption can be defined as the process of converting a readable message, which we call ‘plaintext’, into a scrambled format. This scrambled format is what we refer to as ‘ciphertext’ (or, more loosely, an ‘encrypted message’).
For someone to read the encrypted message, they need to decrypt it, and that requires the key. The method used is usually public knowledge; in modern encryption the key is the only thing that has to stay secret. In simple terms, encryption is like writing a secret message. You write the message in such a way that only the person you’re sending it to can understand it, even if it is intercepted.
2. Concept of a ‘key’
Keys are strings of data that cryptographic algorithms use to transform information into an encrypted format and back again. The key is what you need to encrypt and decrypt information. A password is the closest everyday thing to a key, but a password is not used as the key directly: it is first turned into one by a ‘key derivation function’, which also makes each guess at the password slow. Most encryption keys are long random values generated by computers rather than chosen by people, precisely so they can’t be guessed.
If the phrase ‘cryptographic algorithms’ has thrown you, don’t worry, we’ll get to it later.
3. Symmetric Encryption
Symmetric encryption is a simple and efficient form of encryption. It uses the same key to encrypt and decrypt information. Similar to a front door, you lock and unlock that door with the same key, and anyone who has that key can access it.
Like front doors, the challenge with symmetric encryption is that anyone who obtains the key can decrypt everything protected with it, and you need a safe way to get the key to the other person in the first place. This is known as the key distribution problem.
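To make sections 2 and 3 concrete, here is an added example of my own (it is not code from the newsletter or from any product) that runs with nothing but Python’s standard library. It shows a computer-generated key, a key derived from a password, and symmetric encryption where the very same key is needed to get the message back. The cipher itself is an illustrative construction I put together for the example: HMAC-SHA256 used as a keystream generator in counter mode, with a second HMAC tag so that a wrong key or a tampered message is rejected rather than producing garbage. The function names are my own. For real data you would use AES-GCM or ChaCha20-Poly1305 from a vetted library instead.

```python
import hashlib
import hmac
import secrets

# Added example, not from the newsletter. Standard library only, so it runs
# anywhere. The cipher is an illustrative construction (HMAC-SHA256 keystream
# in counter mode, plus an HMAC tag over the ciphertext); use AES-GCM or
# ChaCha20-Poly1305 from a vetted library for anything real.

KEY_BYTES = 32      # 256-bit key
NONCE_BYTES = 16    # fresh random value per message; never reuse with the same key
TAG_BYTES = 32      # HMAC-SHA256 output length


def random_key() -> bytes:
    """A computer-generated key: 32 unpredictable bytes from the OS random source."""
    return secrets.token_bytes(KEY_BYTES)


def key_from_password(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Turn a human password into a key with PBKDF2-HMAC-SHA256.

    The salt is random, stored next to the ciphertext, and makes the same
    password produce a different key for every use; the iteration count
    makes each guess expensive for an attacker.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def _subkeys(key: bytes):
    """Derive separate encryption and authentication keys from the one shared key."""
    enc_key = hmac.new(key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes that depend on (key, nonce): block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Only someone holding `key` can reverse it."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_BYTES)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reverse encrypt() with the same key; raise if the key is wrong or the data was altered."""
    if len(blob) < NONCE_BYTES + TAG_BYTES:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("wrong key or tampered message")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed sample: a message protected with a password-derived key.
    salt = secrets.token_bytes(16)
    key = key_from_password("correct horse battery staple", salt)
    sealed = encrypt(key, b"Meet me at the station at 9")
    print(sealed.hex())                 # looks random; nothing about the message leaks
    print(decrypt(key, sealed))         # same key -> original message
    wrong = key_from_password("Correct horse battery staple", salt)
    try:
        decrypt(wrong, sealed)
    except ValueError as err:
        print("different key:", err)
```

Two things to notice when you run it: encrypting the same message twice gives two different outputs (because of the fresh nonce), and a key derived from a password that differs by one capital letter is rejected outright rather than decrypting to nonsense. That rejection is what the tag buys you, and it is why modern symmetric schemes always combine encryption with an integrity check.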
4. Asymmetric Encryption
Asymmetric encryption was developed to solve the problem of securely sharing keys. It uses a pair of mathematically linked keys, one public and one private. The public key can be shared with anyone and is used to encrypt information. The private key is kept secret by its owner and is the only thing that can decrypt information encrypted with the matching public key. This means that the message can’t be decrypted even if the public key and the encrypted information are both intercepted. The catch is knowing that a public key really belongs to the person you think it does: if someone can trick you into using their public key instead, they can read your messages.
Put simply:
1. Alex wants to send a secure message to Sarah, so they encrypt it with Sarah’s public key and send the message to Sarah.
2. Sarah then uses her private key to decrypt the message. If Sarah wants to reply, she can write a message, encrypt it with Alex’s public key, and return it to them.
The problem of knowing who a public key belongs to is handled by what is usually referred to as a Public Key Infrastructure (PKI). Trusted authorities issue certificates that tie a public key to a name (a person, a company, a website), so that when you are handed a public key you can check whose it is. Private keys are never distributed; they stay with their owner. One more practical point: asymmetric encryption is slow compared with symmetric encryption, so in the real world it is normally used to agree on or protect a symmetric key, and the actual data is then encrypted symmetrically.
5. Cryptographic algorithms
Cryptography is the science of secure communication, of which encryption is one part. Cryptographic algorithms are mathematical procedures that convert plaintext to ciphertext and back again. Many algorithms have been developed for both symmetric and asymmetric encryption.
Some well-known algorithms are listed below. There is no requirement for you to understand how they work. What you do need to know is that each type has specific use cases, strengths, and weaknesses, and which one you decide to use will depend on your security requirements (99% of the time, it won’t be your decision anyway).
Common symmetric encryption algorithms
1. AES (Advanced Encryption Standard): Widely used and considered very secure.
2. DES (Data Encryption Standard): An older algorithm that was widely used but is now considered insecure, because its key is fixed at 56 bits, which is short enough for modern computers to try every possible key.
3. 3DES (Triple DES): An extension of DES that applies the DES operation three times, making it more secure than its predecessor but slower. It has since been deprecated as well, and new systems should use AES.
Common asymmetric encryption algorithms
1. RSA (Rivest-Shamir-Adleman): One of the first asymmetric algorithms, still widely used for exchanging keys and for digital signatures.
2. ECC (Elliptic Curve Cryptography): Uses the properties of elliptic curves to provide the same level of security as RSA with much smaller keys (a 256-bit ECC key is roughly equivalent to a 3072-bit RSA key), which makes it faster and more efficient.
6. Encryption uses in the real world
Encryption is used everywhere online to ensure privacy and authenticity:
- Websites encrypt the data sent to and received from them using HTTPS (TLS), so anyone looking at the traffic sees only ciphertext – think online banking, shopping, and any half-decent website. TLS uses asymmetric encryption to agree on a key and then symmetric encryption (usually AES) for the actual data.
- Messaging applications like Signal use end-to-end encryption, so messages cannot be read even if intercepted, and not even by the company running the service, because only the two devices involved hold the keys.
- Device encryption: your phone’s passcode or laptop password is not itself encryption, but it unlocks the key that encrypts everything stored on the device (BitLocker, FileVault and iOS Data Protection are examples), often backed by a dedicated security chip so the key can’t simply be copied off the hardware.
7. Encryption in the future
Modern encryption is so good because algorithms like AES and RSA, at sensible key sizes, would take far longer than a lifetime to crack with today’s computers, even with enormous resources. When encrypted data is accessed without authorisation, it is almost never because the algorithm itself was broken. It usually happens through:
- Brute force or guessing attacks on a weak password that the key was derived from (a properly generated random key can’t be guessed; a short password can)
- Stealing keys if people leave them lying around, like in plaintext in an email
- Social engineering, i.e., people being convinced or coerced to hand over their keys
- Mistakes in how encryption is implemented or used, such as reusing a value that must be unique for every message or generating keys with a predictable random-number generator
Further technology developments, like quantum computing, will change that for some algorithms. We will touch on quantum computing in a later newsletter, but for now, think of it as a computer that processes information in a brand new way. With a classical computer, cracking a properly sized RSA key would take longer than anyone can wait. A sufficiently large quantum computer running Shor’s algorithm could do it in hours, and the same applies to ECC, because both rely on maths problems that quantum computers are unusually good at. Symmetric encryption such as AES is much less affected: quantum computers roughly halve its effective key length, so AES-256 remains comfortably safe. Don’t stress too much about this though: post-quantum cryptography is a discipline dedicated to developing algorithms that resist quantum attacks, and the first standards (NIST’s ML-KEM for key exchange and ML-DSA for signatures) were published in 2024.
Congratulations!
You are now an expert in the basics of encryption. Please let me know if you have any questions or if anything doesn’t make sense. Alternatively, let me know if this is actually a straightforward concept and I am just smooth braining my way through life.
Follow us on Instagram for more password posts. In the meantime, stay secure and keep an eye out for the snakes (unencrypted data).