The truth about encryption

Right now, encryption is a controversial topic, On the one hand, it's a solution that helps individuals and organisations maintain their privacy and secure their most sensitive data. On the other, it's painted as a technology that helps terrorists conceal their plans and criminals avoid conviction. Like many tools, it has its positive and negative applications, depending on who's using it, but why is it so important, and how does it work?

The use of encryption actually dates back to ancient times. Over 3.500 years ago the Mesopotamians were encrypting cuneiform text to conceal the information within, while in the 5th Century BC both the Hebrews and Spartans were using primitive encryption systems to encode their messages. Since then, systems of encryption have been developed and used by everyone from the Renaissance courts of Rome and Florence to Napoleon's armies to, perhaps most famously, the movements of Axis forces during World War II. Encryption has both saved and cost many lives.

Before the digital age, encryption was mainly used to maintain the secrecy of military communications or for the purposes of diplomacy and espionage, but with the advent of the Internet and the ubiquity of online stores and services it's use has become widespread. It's core function is maintaining confidentiality, ensuring that only the person who stores information or sends a message can read it, along with those authorised to read it.

However, encryption also serves two other purposes. First, it authenticates that a message came from a specific sender or that information was added and encrypted by that person. Second, it guarantees that the contents of the file or message haven't been altered. Only those with the means to encrypt or decrypt the file or message would be able to tamper with it, and provided the encryption scheme works that should only be those authorised to do so.

How does encryption work?

Whether you're using a simple code dial, a Bible-based cipher, an Enigma machine or a supercomputer, the basic principles of encryption work the same way. The original text of a document, file or message, known as the plaintext, is processed through a scheme or, these days, a complex algorithm, to create a new encrypted cyphertext which is unrecognisable from the plaintext. Whoever receives the document, file or message, then has to run the cyphertext through a reverse process of decryption to restore it to the plaintext. In computing, this means processing it using a variant of the same algorithm to return the document, file or message to its original state.

To make things a little more complex, computer-based encryption systems might work in two slightly different ways. Classic encryption systems are what we call private key systems, where both the sender and the receiver use the same key the string of data that tells the algorithm how to turn the plaintext into the cyphertext, or vice versa to encrypt and decrypt the message. Often called a symmetric encryption system, it prioritises confidentiality.

Other systems use what's called a public key system, where you can have multiple public keys that encrypt information, but only one, mathematically-related private key that can decrypt it. This has the advantage that a whole range of people and organisations can encrypt a confidential message or a sensitive file, but only the person authorised to do so can read it. What's more, a private key system enables the user of the private key to encrypt a file or a message so that those with a public key can decrypt it, but in the knowledge that only the person with the private key could have encrypted it. One of today's most-used encryption systems, AES, is a private key or symmetric system. Another, RSA, is a public key or asymmetric system. Both have their definite and specific uses.

You don't need to understand any of this to use encryption. It's all controlled in software at the application or operating system level, though the actual processing may be accelerated by specific features of a CPU or even GPU. It all happens so transparently and imperceptibly that you might not even be aware that you're using encryption to, say, safeguard the contents of your work PC's hard drive or send sensitive data across the Internet using SSL. Most PC, workstation and server operating systems and even the two major mobile operating systems - now have some encryption system in place to protect data at rest (the data stored on the device). Browsers, email clients and other applications will have encryption systems to protect data in transit (while it's being sent or transmitted across a network or the Internet).

Whatever encryption system you have, there will always be someone who wants to break it, usually by trying to intercept or recreate the private key. The most basic method is what's known as a brute force attack, the equivalent of trying every combination of every character in a PIN code or password until you hit the right one. For the human mind this would be impossible even with just four digits, but for systems leveraging multiple processor cores or hundreds or thousands of stream processors the type you'd find in a good GPU it's only a matter of time.

As a result, key length, or the number of characters in the key matters, because the longer it is, the harder it will be to brute force. As a result, a 128-bit AES key would be easier to break than a 256-bit AES key, though the way the system works means both would be challenging for even the most advanced computers. The other approach is cryptoanalysis, breaking down the cipher itself in order to spot a weakness that could help decrypt the message without the key. This has been a successful approach throughout history, including the breaking of the Engima machine at Bletchley Park during World War II.

Is encryption always a good thing?

As we said earlier, encryption is a tool, and like most tools much depends on the person using it. Encryption is a good thing when it prevents cybercriminals eavesdropping on communications between, say, you and your credit card provider, or when it prevents the data on a stolen company laptop from being viewed and then distributed around the darker corners of the Web. Privacy advocates would also argue that encryption is a guarantor of privacy and civil rights, preventing government agencies, security services and law enforcement from snooping on your private communications or engaging in mass-scale surveillance.

However, encryption also throws up problems for security and law enforcement, in that criminals and terrorists use encryption to hide activities or conceal files and data that might lead to their conviction. As British Home Secretary, Amber Rudd, said in August, The inability to gain access to encrypted data in specific and targeted instances. Is right now severely limiting our agencies' ability to stop terrorist attacks and bring criminals to justice.'

It seems, the use of end-to-end encryption in messaging apps like WhatsApp makes it near-impossible for security services to snoop in on criminal or terrorist activity and prevent a crime or attack from happening. Meanwhile the strong encryption can make it harder for a police force to find and analyse evidence, particularly when there are 24 to 36 hour time limits between an arrest and a suspect being either released or charged. While there are legal ramifications for those who refuse to help authorities with decryption up to two years or five years in jail, depending on the offence - encryption can still hold up investigations into crimes ranging from child pornography to hacking to financial crime.

Some authorities have suggested banning or weakening encryption in consumer-level messaging products, while others have suggested a mandatory back door' which could be opened on request from law enforcement under suitable legal guidelines. Many technology experts and privacy campaigners argue that doing either would simply weaken the protection encryption affords to companies and individuals, while pushing criminals and terrorists towards other apps or messaging solutions that retained strong end-to-end encryption.

This is a question with no easy answer, where there's a need to balance the rights of companies and individuals with the needs of security, law enforcement and public safety. In the end, whatever challenges encryption poses for the authorities, it seves a useful purpose for businesses and for all of us, helping to protect our most sensitive information from those who might abuse it.

Find out how to best protect the data that your business relies on...

ITPro

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.