Encryption uses mathematical algorithms to transform and encode data so that only authorized parties can access it. This guide provides a high-level overview of encryption and how it fits into IT through the following topics:
To understand how encryption works, we need to understand how it fits into the broader realm of cryptology, how it processes data, common categories, top algorithms, and how encryption fits into IT security.
The science of cryptography studies codes, how to create them, and how to solve them. The codes created in cryptographic research are called cryptographic algorithms, or encryption algorithms, and the process of applying those algorithms to data is called encryption. Decryption describes the process of applying algorithms to return the encrypted data, or ciphertext, to readable form, or plaintext.
[Figure: a diagram showing the relationship between cryptography and cryptanalysis.]
Encryption algorithms use math to transform plaintext data into ciphertext. While the math remains the same, unique cryptographic keys generate unique ciphertext. Cryptographic keys can be random numbers, products of large prime numbers, points on an ellipse, or a password generated by a user.
In general, the more bits used and the more complex the process, the stronger the encryption will be. Encryption algorithms define the following:
Algorithms can also specify more complex techniques, such as padding blocks, key size variations, and processing a mix of encrypted and unencrypted data simultaneously.
The two main types of encryption categories are symmetric and asymmetric.
Symmetric encryption uses a single key to encrypt and decrypt data. Symmetric encryption will typically be used for local encryption (drives, files, databases, etc.) and data transmission (Wi-Fi router algorithms, transport layer security [TLS], etc.); however, to share data with another person, organization, or application, the encryption key must also be shared, which exposes the key to theft.
Asymmetric cryptography uses a public key and a private key to enable more secure sharing. Data encrypted with one key cannot be decrypted using the same key, so the public key can be freely published without exposing the private key. The use cases for asymmetric encryption include:
Encryption algorithms define the transformation of data in terms of math and computer processes. These algorithms will constantly be tested to probe for weaknesses, and algorithms found weak to attack will be replaced. Currently, the top four algorithms include AES, Blowfish, ECC, and RSA.
AES, or the Advanced Encryption Standard, was adopted in 2001 by the US National Institute of Standards and Technology (NIST) as the standard for symmetric encryption. The algorithm allows for variable key sizes and variable rounds to increase randomness and security. AES encryption can be commonly found in communication protocols, virtual private network (VPN) encryption, full-disk encryption, and Wi-Fi transmission protocols.
Blowfish provides a public-domain alternative to AES symmetric encryption. It is commonly incorporated into open-source applications and operating systems and will commonly be used in file and folder encryption. While the more robust Twofish algorithm is available to replace Blowfish, the Twofish algorithm has not been widely adopted.
ECC, or elliptic-curve cryptography, creates an asymmetric encryption standard that uses elliptic curves to generate public and private keys. While not as popular as the RSA standard (see below), ECC can generate equivalent encryption strength with smaller key sizes, which enables faster encryption and decryption. ECC is used for email encryption, cryptocurrency digital signatures, and internet communication protocols.
RSA, or the Rivest, Shamir, and Adleman algorithm, provided the first asymmetric key adopted for use and remains very popular today. The algorithm uses very large prime numbers and key sizes of 2,048-4,096 bits. RSA remains commonly used in secure messaging, payment applications, and encryption of smaller files.
All four of these algorithms are expected to be broken by techniques that use quantum computing, so quantum-resistant algorithms are in development to provide encryption solutions for the future. For those interested in more detail, other algorithms, and other types of encryption, consider reading Types of Encryption, Methods & Use Cases.
Fundamental protocols incorporate encryption to automatically protect data and include internet protocol security (IPSec), Kerberos, Secure Shell (SSH), and the transmission control protocol (TCP). Encryption can also be found incorporated into a variety of network security and cloud security solutions, such as cloud access security brokers (CASB), next-generation firewalls (NGFW), password managers, virtual private networks (VPN), and web application firewalls (WAF).
Specialized encryption tools can be obtained (some are free or open source) to enable specific types of encryption. More complex commercial tools provide a variety of encryption solutions or even end-to-end encryption.
Key categories for encryption tools include:
Encryption can be applied to protect data but relies upon the rest of the security stack to protect the encryption keys, computers, and network equipment used to encrypt, decrypt, and send encryption-protected data. Organizations should apply encryption solutions that enhance and complement existing cybersecurity solutions and strategies.
Encryption plays many roles in protecting data within the IT environment, but all uses provide three key advantages: compliance, confidentiality, and integrity.
Many compliance standards require some form of encryption for data at rest and many also specify requirements for the transmission of data. For example,
Organizations need to select the appropriate encryption solution to protect regulated data where it resides (at rest) or flows (in transit) through the organization. This may require a robust encryption tool or a combination of specialized encryption tools and other security solutions.
Encryption protects all data:
End-to-end encryption is a term used to describe two very different types of encryption. The first is data encrypted throughout the lifecycle of use, which is currently more of a goal than a common practice. The second is data encrypted throughout a transmission from one device to another.
All types of encryption protect an organization against data breaches stemming from cyberattacks or even a lost laptop. Encryption renders data unreadable to attackers and unauthorized users to preserve the confidentiality of the information.
When receiving data, an organization needs to know if it can be trusted with regards to its origin and accuracy. Transmission protocols use encryption to protect against data tampering and interception in transit. Encryption protocols can also verify the authenticity of sources and prevent a sender from denying they were the origin of a transmission.
For example, the Hypertext Transfer Protocol Secure (HTTPS) protocol enables secure web connections that provide both security and integrity for connections. Such secured and encrypted connections protect both consumers and organizations against fraud and enable secure e-commerce transactions.
Encryption plays a critical role in security; however, constant attacks magnify errors, and attackers can also turn encryption against an organization. To effectively deploy encryption, organizations must address the challenges of capacity-constrained encryption, cracked encryption, human error, key management, and malicious encryption.
Encryption adds overhead to operations and can be very computational resource-intensive to execute. Yet, Internet of Things (IoT) devices tend to be designed with the minimum computing resources required to accomplish the designed task of the device (security camera, printer, TV, etc.).
While less computationally constrained than IoT, mobile devices constrain computations to avoid consuming power and draining battery life. Yet as they become more universal, both IoT and mobile devices are increasingly targeted by attackers.
NIST continues to encourage the development of lightweight cryptography that can be used in constrained environments and researchers also continue to explore new types of hardware (microchips, architecture, etc.) that can perform encryption using less power and memory.
Until these solutions become widely available, organizations will need to recognize that encryption may not be deployed equally on mobile and IoT devices. Compensating controls may need to be added to these devices (and further add operational overhead), or regulated and sensitive data will need to be blocked from access for these devices.
While mobile devices and IoT remain the current focus of research, capacity constraint can also apply to under-provisioned endpoints, servers, and containers. Processing encryption will add significant computing overhead and both security and operations need to be sure to consider current resource constraints when they select encryption solutions.
Good encryption practices can be rendered useless by flawed algorithms, brute computing force, and intentionally weakened algorithms. In each of these cases, the cracked encryption can lead to leaked data, but the nature of the risk remains distinct.
As cryptography develops, the weaknesses of older encryption algorithms become exposed. New encryption algorithms will be developed to replace the older algorithms, yet organizations and tools can lag behind the developing edge of encryption, posing a risk of future data leaks.
For example:
Although replaced and no longer intended for use, organizations with older data repositories or older equipment may discover obsolete encryption standards still in use. While discovery and elimination of obsolete and flawed encryption algorithms can be difficult, ignoring obsolete encryption leaves open back doors to the data protected by the weak algorithms.
Encryption algorithms use math to lock the data, but computers can be used to attack that math with brute force computing power. Weak passwords and short key lengths often allow quick results for brute force attacks that attempt to methodically guess the key to decrypt the data.
Modern encryption algorithms use layered keys and enormous key lengths based upon prime numbers to make most brute force attacks infeasible. Even with cloud-scale resources, it would take years of applying expensive computing power against the algorithms to produce results. However, the rise of quantum computing threatens to enable rapid breaking of our current encryption codes.
To address this challenge, organizations must first ensure that their users do not use weak passwords or short key lengths vulnerable to current brute force attacks. Second, they must explore options for quantum-resistant computing as they become available for their most sensitive data.
Lastly, data stolen today may remain uncrackable for a decade or more, but quantum computing may break those passwords in the future. Organizations must continue to harden their overall security to prevent all data breaches and avoid reliance on encryption for protection.
Learn more about cryptanalytic threats with Rainbow Table Attacks and Cryptanalytic Defenses.
Governments and law enforcement officials around the world, particularly in the Five Eyes (FVEY) intelligence alliance, push for encryption backdoors in the interests of national safety and security. The increase in encrypted online communication by criminal and terrorist organizations provides the excuse to intentionally add flaws or special decryption capabilities for governments.
Opponents of encryption backdoors repeatedly complain that government-mandated encryption flaws put all privacy and security at risk because the same backdoors can also be exploited by hackers, unethical governments, and foreign adversaries. While commercial tools officially resist and deny adding backdoors, most organizations will lack the resources to investigate their encryption tools for intentional weaknesses.
Meanwhile, law enforcement agencies, such as the Federal Bureau of Investigation (FBI), have criticized technology companies that offer end-to-end encryption, arguing that such encryption prevents law enforcement from accessing data and communications even with a warrant. The FBI has referred to this issue as going dark, while the U.S. Department of Justice (DOJ) has proclaimed the need for responsible encryption that can be unlocked by technology companies under a court order.
Pressure on both professional and personal encryption can also be seen in government legislation. In 2018, Australia passed a Telecommunications and Other Legislation Amendment that permits a five-year jail penalty to be applied to visitors that refuse to provide passwords for all digital devices when crossing the border into Australia.
Organizations can do little to defend against intentionally weakened algorithms but can attempt to use multiple types of encryption to decrease risk. However, these additional encryption steps will only prevent unauthorized access in a technical sense and will not diminish any legal risks related to government inquiries.
Human error remains a critical threat to every layer of security, including encryption. Even future quantum-resistant encryption algorithms will be vulnerable to an encryption key that is published to GitHub, attached to an email sent to the wrong recipients, or accidentally deleted.
Most errors can be classified as badly selected passwords, lost encryption keys, or poor encryption key protection.
Badly selected passwords apply primarily to symmetric encryption algorithms used to protect Wi-Fi networks or encrypt files and folders. Users tend to reuse passwords or use easy-to-remember passwords that can be easily guessed or cracked using brute force attacks.
While potentially acceptable for non-critical information, badly selected passwords need to be detected and changed before attackers can exploit them. Organizations need to apply internal brute force attacks against encryption protecting regulated and critical information to ensure their safety.
To help guard against bad passwords, an organization can centrally manage passwords and provide password manager solutions to employees. However, as the passwords become more centrally controlled, attackers will shift focus to attacking central repositories and additional layers of security should be applied to the repository defense.
Lost encryption keys simply destroy access to data. While it is technically possible to decrypt the data without possessing the lost encryption key, significant computational resources and skills would be required if the encryption system was designed properly.
The distribution of encryption tools to employees must be accompanied by training and warnings regarding lost keys. Lost keys can be mitigated by centralized controls and prevention of the download and use of unauthorized encryption software.
Poor encryption key protection causes a different problem by exposing the key to public access or leaking the key to potential attackers. Organizations need to track encryption keys, or even deploy data loss protection (DLP) solutions, to detect accidental key disclosure.
Centrally managed encryption can help protect against both lost and accidentally exposed keys by placing key management in the hands of experts trained to protect their integrity. Organizations should consider how key management practices can support the recovery of encrypted data if a key is lost or destroyed. Similarly, organizations should manage the distribution and availability of encryption keys to help limit the risk of disclosure.
Keys should be stored in a protected and isolated repository protected by identity and access management (IAM) tools, privileged access management (PAM) tools, multi-factor authentication (MFA), or even zero trust architecture. Some organizations will further enhance encryption key protection and management by enclosing them in an encrypted container (key wrapping) or with the use of encryption key management tools.
Over time, the regular distribution of data encrypted with a specific encryption key increases the probability of success for brute force attacks. If an attacker can gather a large number of files encrypted with the same key, they gain data points that can be used to improve the efficiency of attack. Similarly, over time, the risk of accidental disclosure of keys will steadily increase.
To counter these risks, organizations must practice effective encryption key management. Encryption key management relies primarily on effective encryption key storage (covered above) and encryption key rotation.
Key rotation, or the periodic replacement of encryption keys, reduces the likelihood of success for brute force attacks by creating moving targets for decryption. Using different keys or replacing encryption keys strengthens the capability of encryption to protect data over the long term.
However, key rotation also adds complexity. First, disaster recovery efforts will often be prolonged by key retrieval and decryption processes. Second, encryption key rotation can render data stored in backups or on removable media inaccessible. Previous keys will need to be tracked and retained to enable the decryption of older data encrypted with those keys.
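An added example, not from the article, of the bookkeeping that key rotation and lost keys imply: a Keyring (this example's own name) tags each AES-256-GCM ciphertext with the version number of the key that produced it, keeps every previous version so that backups written under them remain readable after a rotation, and shows that retiring a version too early makes the data written under it unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Keyring holds every AES-256 key version the organization has used, plus
// the version used for new encryptions. Old versions stay so that data
// encrypted under them (backups, removable media) can still be decrypted.
type Keyring struct {
	keys    map[uint32][]byte
	current uint32
}

func NewKeyring() (*Keyring, error) {
	kr := &Keyring{keys: map[uint32][]byte{}}
	return kr, kr.Rotate()
}

// Rotate generates a fresh key and makes it the one used for new data.
// Nothing is deleted: rotation changes what is written, not what is readable.
func (kr *Keyring) Rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	kr.current++
	kr.keys[kr.current] = key
	return nil
}

// Retire deliberately forgets a key version. Everything encrypted under it
// is now unrecoverable, which is what "a lost encryption key" means in practice.
func (kr *Keyring) Retire(version uint32) { delete(kr.keys, version) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns version || nonce || AES-GCM(ciphertext + tag). The version
// header is bound as GCM additional data, so it cannot be swapped undetected.
func (kr *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(kr.keys[kr.current])
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, kr.current)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, hdr...), nonce...)
	return gcm.Seal(out, nonce, plaintext, hdr), nil
}

// Decrypt reads the version header and looks up the retained key for it.
func (kr *Keyring) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("blob too short")
	}
	version := binary.BigEndian.Uint32(blob[:4])
	key, ok := kr.keys[version]
	if !ok {
		return nil, fmt.Errorf("key version %d not retained: data unrecoverable", version)
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < 4+ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[4:4+ns], blob[4+ns:], blob[:4])
}

func main() {
	kr, _ := NewKeyring()
	backup, _ := kr.Encrypt([]byte("2021 backup (constructed sample)"))
	kr.Rotate() // policy: new key every quarter
	fresh, _ := kr.Encrypt([]byte("current data"))
	old, err := kr.Decrypt(backup)
	fmt.Printf("old backup after rotation: %q %v\n", old, err)
	kr.Retire(1) // someone "cleans up" the previous key
	_, err = kr.Decrypt(backup)
	fmt.Println("old backup after retiring key 1:", err)
	cur, _ := kr.Decrypt(fresh)
	fmt.Printf("current data still readable: %q\n", cur)
}
```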
While most challenges involve the organization's strategy and operational use of encryption for security, attackers also use encryption maliciously during cyberattacks. An organization must monitor and attempt to inspect encrypted traffic and the use of encryption software throughout the organization to detect malicious activity.
Two common examples of the use of malicious encryption include ransomware and encrypted communications with command and control servers. Ransomware attackers will use encryption programs to lock hard drives, folders, and data to prevent legitimate access.
Better antivirus (AV), endpoint detection and response (EDR), and extended detection and response (XDR) solutions can detect and block some attacks. However, many effective ransomware attacks use legitimate encryption tools in their attacks to impersonate authorized activity and complicate detection.
Command and control attacks similarly impersonate legitimate traffic that uses encrypted protocols such as TLS to avoid firewall inspections. Next-generation firewalls (NGFW) and secure web gateways (SWG) can inspect traffic flowing through their solution to offer some protection against this type of attack.
The use of cryptology predates computers by several thousand years. Julius Caesar used one of the earliest documented codes, the Caesar Shift Cipher, to send secret messages to Roman troops in remote locations.
The code required an alphabetic shift of a message by a separately agreed-upon number of letters. For example, "attack in three days" shifted by 5 letters would be written as "fyyfhp ns ymwjj ifdx". Early text shift ciphers such as these proved effective until the development of text analysis techniques that could detect the use of the most commonly used letters (e, s, etc.).
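The Caesar shift and the letter-frequency analysis that defeated it, as an added example in Go (not part of the original article): Shift applies the cipher, and Crack recovers the key with no secret at all by trying every shift and keeping the one whose letter counts look most like English (a chi-squared distance against the standard textbook English frequency table). The function names are chosen here.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Shift applies a Caesar shift of k positions to the letters of text,
// leaving spaces and punctuation alone. Shift(text, -k) undoes it.
func Shift(text string, k int) string {
	k = ((k % 26) + 26) % 26
	var b strings.Builder
	for _, r := range text {
		switch {
		case r >= 'a' && r <= 'z':
			b.WriteRune('a' + (r-'a'+rune(k))%26)
		case r >= 'A' && r <= 'Z':
			b.WriteRune('A' + (r-'A'+rune(k))%26)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Relative frequency (percent) of each letter a..z in typical English text.
var english = [26]float64{
	8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
	6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07,
}

// chiSquared measures how far the letter counts of text are from English:
// the smaller the score, the more the text looks like English.
func chiSquared(text string) float64 {
	var counts [26]float64
	total := 0.0
	for _, r := range strings.ToLower(text) {
		if r >= 'a' && r <= 'z' {
			counts[r-'a']++
			total++
		}
	}
	score := 0.0
	for i, observed := range counts {
		expected := english[i] / 100 * total
		score += math.Pow(observed-expected, 2) / expected
	}
	return score
}

// Crack recovers the shift without the key: try all 25 candidates and keep
// the one whose letter distribution is closest to English. This is the
// "text analysis" that made simple shift ciphers obsolete.
func Crack(ciphertext string) (shift int, plaintext string) {
	best := math.Inf(1)
	for k := 1; k < 26; k++ {
		candidate := Shift(ciphertext, -k)
		if s := chiSquared(candidate); s < best {
			best, shift, plaintext = s, k, candidate
		}
	}
	return shift, plaintext
}

func main() {
	ct := Shift("attack in three days", 5)
	fmt.Println(ct) // fyyfhp ns ymwjj ifdx
	k, pt := Crack(ct)
	fmt.Printf("recovered shift %d: %q\n", k, pt)
}
```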
Modern cryptography developed in the early 1970s with the development of the DES, Diffie-Hellman-Merkle (DHM), and Rivest-Shamir-Adleman (RSA) encryption algorithms. Initially, only governments pursued encryption, but as networks evolved and organizations adopted internet communications for critical business processes, encryption became essential for protecting data throughout all public and private sectors.
As flaws in these pioneering algorithms became known, cryptologists developed new techniques to make encryption more complicated and incorporated them into new algorithms and even new classifications of algorithms, such as asymmetric encryption. Today's standard encryption algorithms, such as AES or ECC, will be replaced by new technologies more capable of resisting the increasing power of cloud and quantum computing that can be applied to break encryption codes.
Despite many regulations that require encryption and over 50 years of availability, encryption remains sparsely adopted. A study by Encryption Consulting found that only 50% of global enterprises adopt an enterprise encryption strategy and only 47% protect cloud-hosted and sensitive data with encryption.
Enterprises represent the largest, best funded organizations, so this poor adoption rate implies the great expense or great effort required to deploy encryption. Not true! Adopting and incorporating encryption does not require a huge budget. Even the smallest organization can take advantage of low and no-cost encryption software or use built-in encryption features in operating systems and other security tools.
Adopting encryption will require some effort, but the benefits far outweigh the challenges. Today's widespread dispersion of data and intense cyberattack environment make a data breach nearly inevitable. Organizations of all sizes need encryption to provide the final safeguards to limit the financial impact of leaked data.
This article was originally written by Fred Donavan and published on May 5, 2017. It was updated by Chad Kime on December 7, 2023.
What Is Encryption? Definition, How it Works, & Examples - eSecurityPlanet