A complete guide to data encryption

Data encryption

The fact that data has immense value in the modern age is no secret and while the comparison between data, oil and gold in terms of monetary value has been rinsed for all its worth, the fact of the matter is that it's all completely true.

Data is incredibly valuable to businesses especially and, as such, methods to protect said data should be supremely sophisticated and reliable. Whether it's protecting your customers' personal data or sending messages between friends, encryption deserves a place in everyone's daily lives, regardless of how tech-savvy one may be.

Throughout the ages, people have found ways to protect what they value the most from those who may wish to steal it. Whether it's buried in the ground, stuffed under a mattress or locked in a safe, everyone has their favourite method of securing valuables but when it comes to the cyber space and protecting data, there's no room for preference. Here, encryption is king and it's expected to have a long and powerful rule. When used correctly, it's the digital equivalent of Las Vegas casino's vault; it'll take something truly special and extraordinary to break in a steal it.

Encryption has a long and fascinating history; it's a complex technology that's by no means perfect even today. Encryption technology is one of the most resilient defences deployed to protect data and naturally, attackers are consistently devising ways to break the most prized standards.

Defining data encryption

The wider concept of cryptography dates back as far as Egyptian antiquity, and computing in general, was invented in large part during the Second World War to break encrypted enemy messages. However, pioneering information theorist Claude E Shannon is usually cited as the founder of modern, mathematically-based cryptography. Through a large part of the 20th-century encryption was primarily used by governments. But in the 1970s cryptography became more widely available with the creation of the Data Encryption Standard (DES), and the arrival of public-key encryption.

DES works by dividing a 64-bit block of data into two 32-bit halves, which are processed alternately through 16 stages. A 56-bit portion of a 64-bit numerical key is selected, and this is used in different permutations at each stage to encrypt the data according to a set schedule and series of functions. Decryption involves running this process in reverse, so requires the original 56-bit key that was used during encryption.

Public-key encryption works slightly differently. This uses two mathematically linked but numerically different keys for encryption and decryption, one of which is public, and the other private. The public key is used for encryption, while the private key is used for decryption. Because different keys are used in the two stages, this process is called asymmetric, in contrast to the symmetric system used by DES.

The original DES was soon under concerted threat of breakage, with academics proposing methods to crack it as soon as it had arrived in 1977. However, it wasn't until 1998 that DES was officially broken, when the Electronic Frontier Foundation used a $250,000 system to find a key in just over two days. With the help of distributed.net, this was reduced to under a day in 1999. These efforts used what is called a "brute force" attack, where every key is tried until the correct one is found. Systems able to perform this kind of attack have become increasingly cheap.

Since the insecurity of DES was demonstrated, alternatives have been developed including RC5, Blowfish, and the International Data Encryption Algorithm (IDEA). These use larger keys to increase their security, with Blowfish, in particular, supporting keys up to 448-bits in length. Another option came from developing DES itself, and this became Triple DES (TDES), where DES is applied three times with either two or three different keys (2TDES and 3TDES). However, in 2001 the Advanced Encryption Standard (AES) was chosen after a competition to find a successor to DES. This uses symmetric keys of 128-bit, 192-bit or 256-bit length, with ten, 12 and 14 rounds of encryption respectively. It remains a popular choice for data security, with the US Government using it, for example.

Encrypting the network

Whatever encryption system you use, there is always the issue of how you exchange the necessary keys between sender and recipient in the first place. This is particularly important in this era of ubiquitous wireless communications. The original Wi-Fi security, WEP, provides a 64-bit option using a 40-bit key, or a 128-bit option using a 104-bit key. But the handshaking process in a Shared Key WEP system means that initialisation frames can be captured and used to deduce the key - the infamous packet sniffing performed by "war chalkers" looking to reveal WLAN security credentials so passers-by can use them. The more secure Open Key option is still relatively easy to crack, too.

As a result, WEP has subsequently been replaced by WPA2, which is based on the 802.11i standard, with the interim WPA acting as a transitional stop-gap between the two. WPA uses a temporal key integrity protocol (TKIP), which creates a new 128-bit key for each packet of information, of which there will be so many every second that snooping becomes very hard indeed. However, WPA2 improves this still further with an AES-based 256-bit key. This can be created from a passphrase in a similar fashion to WEP or WPA, called a Pre-Shared Key. Alternatively, enterprises can employ an 802.1x authentication server where a user name and password will be required.

Encryption is essential for many other everyday activities. You wouldn't want login information or financial details to be passed in plain text form over the internet, or even a private network. So secure sockets layer (SSL) and then transport layer security (TLS) were developed, both of which have had successive versions. The current version of TLS is 1.2, which can use AES. It can be run on top of the main internet transport protocols, including HTTP (Web pages), FTP (file transfers), SMTP (email), NNTP (Usenet news) and XMPP (Jabber instant messaging). However, despite TLS version 1.1 being available since 2006 and 1.2 since 2008, they are not yet widely adopted, which is particularly worrying as the previous version was shown in 2011 to be vulnerable to an attack called Browser Exploit Against SSL/TLS, or BEAST.

A remote connection can be made securely over a public network such as the internet using encrypted tunnelling protocols, such as SSH Secure Shell. This uses public key encryption, with the remote system holding a public key and the local system a private key. These must be from a matching pair to allow connection. A virtual private network (VPN) is a similar tunnelling system for running a private network over a public one. Various encryption methods can be employed, including TLS, SSH, and IPsec. The latter works at a lower level of the network protocol stack, so can protect any application traffic across the network. In contrast, with TLS and SSH, the applications need to support these encryption systems themselves to communicate securely.

There are clearly many different levels at which data encryption can be employed, and if you want to keep your business secrets secret, and confidential communications private, it's essential to get to grips with using encryption effectively. A corporate wireless network should be using WPA2 with 802.1x authentication, and any Web connections sending sensitive information should use SSL/TLS, preferably the latest version 1.2. If your employees access the company network remotely, an IPsec-secured VPN will ensure all their activities remain obscured from anyone spying on the data packets as they travel over the public internet - perhaps even from the US government.

Threats to data encryption

As we mentioned previously, criminals are devising ways to break existing methods of encryption. For example, Pretty Good Privacy, a popular method of public-key cryptography which requires GnuPG software to run recently ran into a massive hurdle. Hackers realised they could poison keys with an unruly number of certificates (like legitimate alterations) causing the software to break whenever a user tried to use their key, rendering it useless.

There is also the growing threat that quantum computing presents to the world of encryption. The reason why current encryption standards work is that modern computers simply aren't powerful enough to run the algorithms required to crack the encryption.

But, quantum computing is advancing - albeit slowly. Big tech firms are creating machines capable of trafficking more and more qubits but they're nowhere near the level needed to run the algorithms required to break AES-256 encryption standards. Experts indicate we may be around ten years away from computers being advanced enough to break modern encryption - some estimate that 6,681 qubits would be needed to run Grover's AES-256-breaking algorithm. For comparison, IBM recently sang the praises of its latest quantum computer which can only traffic 53 qubits.

Away from technology advancements, the political climate is pressuring tech firms to break their end-to-end encryption on the basis of preserving national security. Facebook and WhatsApp are the more commonly used communication platforms with end-to-end encryption baked in while Signal and Wickr are two other popular options for those who want to keep their communications away from prying eyes.

The fear that terrorist cells can use these platforms to orchestrate disastrous attacks has fuelled persistent government lobbying efforts trying to compel tech firms to add backdoors, allowing them to surveil all messages sent and received. It's a hugely sensitive conflict of rights between an individual's right to privacy and the right for national security agencies to carry out their duty. So far, the tech industry has resisted these lobbying efforts but reports suggest a UK-US data sharing agreement that could involve the breaking of end-to-end encryption is on the table.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.