Demystifying Encryption: What It Does and How It Works
Jason Coyne, SR&ED Technical Writer specializing in technology, science, and safety.
To mark this October’s Cybersecurity Month, we are providing a short guide to cybersecurity and cyberattacks. But, of course, every month is cybersecurity month. It is important to remain vigilant about protecting your systems and information.
What About Encryption?
First, it’s important to understand the difference between encoding and encrypting. In layman’s terms, these two terms are often used interchangeably. In the world of computers, however, they are vastly different creatures. Encoding simply refers to the representation of some piece of information in some format, like using dots and dashes to represent letters, as in Morse code. Encryption, on the other hand, is a mathematical process for obscuring text or other information in such a way that it can be unobscured only by an authorized party. Although encoding techniques can be enlisted to provide a modicum of security, that protection is weak and fundamentally unreliable and may complicate interchange. Imagine writing a shopping list in Morse code: if someone unfamiliar with Morse code were to intercept it, they would be unable to immediately read it but could easily decipher the list with a little research; at the same time, it would be incredibly inconvenient for a friend or family member who’s been asked to pick up a few things at the grocery store. That’s why encryption, rather than some encoding scheme, is necessary for securing digital information.
At its heart, encryption is all about binary sequences known as keys – strings which, when fed into a known algorithm, can be used to encrypt or decrypt a given input string. Modern encryption methods employ numerous algorithms with varying characteristics, but the manner in which keys are used can always be classified as either symmetric or asymmetric. In a symmetric key design, data is both encrypted and decrypted with the same key, albeit by different mathematical functions. Such a design can be better understood by visualizing a real-life door key – the same key is used to both lock and unlock the door, but the two operations involve turning the key in opposite directions.
Asymmetric key schemes are somewhat more complex since they’re typically used for otherwise unsecured network traffic, as over the internet. In this design, encryption and decryption are performed by two different keys, respectively known as public and private keys. At the outset of communication between two parties, before any data is transmitted, each party generates a public/private key pair and sends the public key to the other party (hence the name). Now, when transmitting data, the sender can encrypt it using the recipient’s public key, and the recipient can decrypt with their private key. Overall, this system allows secure communication without the requirement that both parties have prior access to one single key.
Keeping Communication Private
Broadly speaking, the uses of encryption can be divided into two roles: protecting channels of communication and securing stored data. In the first category, data transmitted over a network – whether it be in the form of sending emails or browsing a website – is encrypted by the sender and decrypted by the recipient. In the case of websites, this is achieved by a set of protocols collectively known as HTTPS (the ‘S’ stands for ‘secure’); in recent years, the proportion of websites implementing HTTPS has risen dramatically, a trend that has made e-commerce and web browsing significantly safer. It’s a good idea for any company with a web presence to enforce HTTPS on their servers.
Although the obvious purpose of encrypted communication is to protect the secrecy of the information being exchanged, this is certainly not the only objective. It is equally important that the communication itself be protected – a malevolent actor with the ability to alter, divert, impersonate, or even simply block transmitted data can cause a significant amount of damage. For that reason, most network encryption protocols include cryptographic mechanisms for authenticating the identities of participants and the fidelity of messages. Similarly, the architecture of any system that employs network communication must be designed to mitigate attacks against both the secrecy and the integrity of that communication, such as by implementing end-to-end encryption for all network activity. More generally, any company can benefit from simple measures such as email encryption or secure videoconferencing.
The other general role of encryption, securing stored data, is somewhat more straightforward: data is saved in an encrypted form so that, should an intruder gain access, information cannot be readily extracted. Naturally, this is a crucial defense against data breaches. To use an analogy, encryption is similar to storing documents in a lockbox – even if a burglar breaks into the owner’s home and absconds with the lockbox, they can’t access its contents without the key (of course, no encryption is perfect – cracking the encryption would be analogous to picking the lock). Data storage encryption is a relatively simple yet effective cybersecurity measure that requires minimal technical expertise to implement; for example, Windows operating systems include BitLocker, which enables drive-level encryption, as a built-in feature. Companies specializing in delivering more sophisticated data encryption solutions, such as Ontario-based Datex with their flagship product DataStealth, also exist. Their products and services can help any business improve its cybersecurity situation, regardless of size or industry.