There have always been secrets, and people have been trying to protect information from prying eyes for almost as long. The Roman general Julius Caesar, for example, protected his military correspondence with a cipher that replaced each letter with the letter three places after it in the alphabet, turning the word Caesar into Fdhvdu. This simple and, by today's standards, completely insecure cipher is a good way of illustrating the basic principles of cryptography.
The point of encryption is to convert plaintext, which anyone can read, into ciphertext, a character string that is unintelligible without the key. Every encryption scheme involves one or more keys that control encryption and decryption. In the example above the key is the number three, the number of places each letter is shifted.
Since then, this basic form of encryption has been replaced by far more complex algorithms, but they can still be divided into two categories: symmetric encryption and asymmetric encryption. In practice, companies usually combine the two as hybrid encryption.
Symmetric encryption uses a single key for both encryption and decryption, so sender and recipient both need a copy of it. That is the weak point of the method: the key has to reach the recipient over the most secure channel available, separately from the data. Historically this meant delivery in person by courier, which is cumbersome and impractical over long distances.
The benefit of the symmetric technique is speed: encryption and decryption are both very fast, which is a big advantage when you are working with large volumes of data. It is used wherever key material can be distributed securely in advance, for example by companies with a central authority that knows and manages all the keys, such as closed banking systems.
One example of a symmetric algorithm is the Advanced Encryption Standard (AES), a block cipher with key lengths of 128, 192 or 256 bits.
Compared to symmetric encryption, asymmetric (public-key) methods are a fairly modern invention. RSA, published in 1977, was the first practical public-key cryptosystem; the initials stand for Rivest, Shamir and Adleman, who devised the algorithm.
Asymmetric encryption always uses two keys: a key pair consisting of a private key and a public key. The private key decrypts data and creates signatures; the public key encrypts data and verifies signatures.
Companies can publish the public key on a server or send it by email; there is no need for a secret channel. Anyone can then encrypt a message for the key's owner, and only that owner, who holds the private (secret) key, can recover the plaintext.
The separation of public and private keys solves the main problem with symmetric encryption: the time-consuming and potentially insecure key-sharing process. Each user of asymmetric encryption also needs only one key pair, whereas with symmetric methods every pair of users needs its own key, which is n(n-1)/2 keys for n users, or 66 keys for communication between just 12 people.
The biggest disadvantage of asymmetric encryption is cost: its operations require far more computing power, so asymmetric algorithms are orders of magnitude slower than symmetric ones. This is why most systems use a combination of both.
The best of both worlds: hybrid encryption
In a hybrid scheme, the actual message is encrypted symmetrically and only the symmetric key is protected with the asymmetric method. The TLS protocol, which sets up a secure connection between a web browser and a server, is an example: server and client use asymmetric cryptography to authenticate the server and to agree on a symmetric session key, and all further communication is then encrypted symmetrically with that session key. This lets even large volumes of data be encrypted quickly and securely.
Size matters: key length
Along with the algorithm itself, the length of the key plays a decisive role. The longer the key, the less likely an attacker is to find the one correct key: absent a weakness in the algorithm, recovering the plaintext means trying keys until the right one turns up, on average half of all possible keys.
Key lengths are expressed in bits, and the number of possible keys grows exponentially with the length: a 3-bit key gives 2 x 2 x 2 = 8 possible keys, doubling it to 6 bits gives 64, and every additional bit doubles the attacker's work. The longer the key, the more secure the encrypted data. However, key lengths are only comparable within the same algorithm: a 256-bit AES key and a 256-bit RSA key offer completely different levels of security, because the best known attack on RSA is factoring the modulus, which is far easier than exhaustive search.
In the 1990s, RSA used key lengths of between 512 and 1024 bits. Since then attackers have gained far more computing power and better factoring algorithms: 512-bit RSA keys have been factored publicly, and 1024 bits is no longer considered adequate. Today, RSA keys of at least 2048 bits are considered secure, and the recommended minimum continues to rise.
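To make the key-space argument concrete, here is the Caesar cipher from the opening of the article together with an exhaustive search over all 26 keys and a crude common-English-word heuristic that picks the right candidate automatically. This is an added example, not code from the original article; the word list and the sample sentence are constructed for the demonstration.

```python
"""Caesar cipher with exhaustive key search (added illustration)."""
from __future__ import annotations

import string

ALPHABET = string.ascii_lowercase

# Constructed, deliberately small list of frequent English words; any word of two
# or more letters that appears in a candidate plaintext counts as evidence.
COMMON_WORDS = {
    "the", "of", "and", "to", "in", "is", "it", "that", "he", "was",
    "for", "on", "are", "with", "as", "at", "be", "this", "have",
    "from", "or", "by", "not", "but", "we", "an", "if", "up", "do", "no",
}


def caesar_encrypt(text: str, key: int) -> str:
    """Shift each ASCII letter `key` places forward; key 3 turns 'Caesar' into 'Fdhvdu'.
    Non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            alphabet = ALPHABET if ch.islower() else ALPHABET.upper()
            out.append(alphabet[(alphabet.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(text: str, key: int) -> str:
    """Decryption is encryption with the negated shift."""
    return caesar_encrypt(text, -key)


def brute_force(ciphertext: str) -> list[tuple[int, str]]:
    """Exhaustive search: the key space has only 26 entries, so every candidate
    plaintext can be produced and inspected. Against a 128-bit key the same loop
    would need 2**128 iterations."""
    return [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]


def english_score(text: str) -> int:
    """Number of words in `text` that are in the common-word list."""
    return sum(1 for w in text.lower().split() if w.strip(".,!?") in COMMON_WORDS)


def crack(ciphertext: str) -> tuple[int, str]:
    """Return (key, plaintext) for the candidate that looks most like English."""
    return max(brute_force(ciphertext), key=lambda cand: english_score(cand[1]))


if __name__ == "__main__":
    ct = caesar_encrypt("attack the camp at dawn", 3)   # constructed sample message
    print(ct)                                            # dwwdfn wkh fdps dw gdzq
    key, pt = crack(ct)
    print(key, pt)
```

The heuristic is deliberately simple and would misfire on very short or unusual texts, but it makes the point that with 26 keys the attacker does not even need to read the candidates by hand. The same exhaustive search against a 128-bit AES key has 2^128 candidates, which is why the paragraph above treats key length as decisive.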
Encryption in practice
The encryption techniques described above are used today in several different areas, such as:
- Email encryption: secures communications through an exchange of keys, but is complicated to set up and easy to get wrong.
- Local encryption: encrypts, for example, an entire hard disk, so that a stolen laptop does not expose its data to the thief.
- Internet encryption: secures the connection between client and server and is used for transmitting sensitive data, for example in online banking and e-commerce.
- Online data encryption: many cloud platforms let users encrypt data stored online. For business data, however, professional data rooms should be used to ensure reliable rights management, shielding of the data from the provider and tamper-proof activity logging.