Dark Reading is part of the Informa Tech Division of Informa PLC


Jan Youngren

Crypto-Primer: Encryption Basics Every Security Pro Should Know

With so many choices for encrypting data and communication, it's important to know the pros and cons of different techniques.

Encryption has become a routine part of everyday life. Your iPhone uses it to defeat cybercriminals and snoopers. Security cameras may use it to keep footage private. And your VPN definitely uses it, to fence off online traffic and make it invisible to prying eyes.

Recently, however, there has been a legislative push in the US to limit ways in which encryption can be used. First came the EARN IT Act, which would set up a government commission to dictate best practices to tech companies, and now there is an even more direct affront to encryption in the form of the Lawful Access to Encrypted Data Act.

In light of these realities, it's helpful to have a better understanding of what encryption is, what the various types of encryption and encryption algorithms are, and which types offer the strongest protection. This article explains why encryption is important and should also help you make an informed decision when protecting your data.

What's an Encryption Type?
When we talk about encryption types, we are dealing with the way that encryption processes operate. There are three major forms — asymmetric, symmetric, and hash functions — and they work in different ways.

Asymmetric: A common form of encryption in use on today's Internet, asymmetric cryptography is also known as public key cryptography. In this type of encryption, data is encrypted using a pair of keys.

One of these keys is the public key, while the other is the private key. The public key is known by the provider of encryption services and is used to apply initial encryption. It will usually be changed on a regular basis to ensure that it is protected from hackers. The private key is used to decrypt data when it reaches its destination and is known only to the user or recipient.

Asymmetric encryption is ubiquitous on the Web. For instance, it's used in Bitcoin, and payments via APIs also generally use asymmetric encryption to secure credit card details.

This is a slower type of encryption than symmetric encryption, so it's often used to encrypt small pieces of data. For example, it is often used in conjunction with symmetric cryptography to facilitate key exchange.

Symmetric: In symmetric encryption, only a single key is required. When information is encrypted symmetrically, the two nodes use the same key, which is applied to data to encrypt and decrypt it. Generally, this key will be created via random-number generators, which themselves have grades of sophistication. Even so, the best symmetric encryption will be weaker than asymmetric alternatives.

The advantage of symmetric encryption is speed. Because one key is involved, data can be encrypted and read much faster.

Hash functions: Slightly different from asymmetric and symmetric encryption, hash functions still turn plaintext into impenetrable code for the purposes of data protection.

A hash function converts an input into a predetermined output. It doesn't matter how large the input is; it will always create a hash of the same fixed length. The created hash cannot be turned back into the input, so there's no decryption involved in the conventional sense.

This may seem less useful than standard encryption, but it is actually a very powerful tool. Hash functions have become the primary way to prove that data or software is authentic and that outsiders haven't tampered with it.

Hashes are also routinely used in password storage systems, which store passwords in hashed form instead of plaintext. They can also detect whether documents or data have been changed, by monitoring changes to the hash output.
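The three hash-function properties described above (fixed-length output, integrity checking, and hashed password storage), as an added example that is not part of the original article. It uses SHA-256 from Python's standard library; the sample "document" and password are constructed for the illustration, and PBKDF2 with a per-user salt is the password-hashing construction assumed here.

```python
import hashlib
import hmac
import os

def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as a 64-character hex string."""
    return hashlib.sha256(data).hexdigest()

def digest_lengths(*inputs: bytes) -> set:
    """Collect the digest lengths of several inputs; SHA-256 always gives 32 bytes."""
    return {len(hashlib.sha256(i).digest()) for i in inputs}

def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Recompute the hash and compare it in constant time with a published digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)

# Password storage: a random per-user salt plus a slow, iterated hash
# (PBKDF2-HMAC-SHA256), so identical passwords never share a stored value
# and every guess an attacker tries costs the full iteration count.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)

if __name__ == "__main__":
    # Constructed sample data: a "document" and a tampered copy of it.
    original = b"Transfer 100 USD to account 1234"
    tampered = b"Transfer 900 USD to account 1234"
    published = sha256_hex(original)           # digest shipped alongside the document
    print(digest_lengths(b"", original, b"x" * 10_000))   # {32}: length never varies
    print(verify_integrity(original, published))          # True
    print(verify_integrity(tampered, published))          # False: one byte changed
    salt, stored = hash_password("correct horse battery staple")
    print(check_password("correct horse battery staple", salt, stored))  # True
    print(check_password("wrong guess", salt, stored))                    # False
```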

Introducing Encryption Algorithms
Algorithms are essentially the tools used to turn plaintext into indecipherable chunks of data. We refer to it here as an algorithm, but in traditional cryptography, the word "cipher" is much more common. For the purposes of this article, we'll treat the terms as interchangeable.

Algorithms are graded according to their strength, which in turn usually refers to the length of the key used by a specific form of encryption. For example, in the popular AES-128 algorithm, the key length is 128 characters.

Length matters because the longer a key is, the more computations an attacker must process in order to decrypt an encoded message. Hence, we've seen key lengths steadily growing over the years to 256- and even 512-bit versions.

However, key length is not everything; ciphers are stronger or weaker for other reasons as well. The five most common algorithms include:

DES: The granddaddy of today's encryption algorithms, Data Encryption Standard (DES) was invented by IBM in the 1970s with a key length of 56 characters. In 1977, it became the first digital algorithm approved as a Federal Information Processing Standard, and became the go-to option for protecting classified documents.

These days, DES is an antique, providing virtually no protection against hackers. However, without it we'd be unprotected against digital intruders.

Triple DES: Triple DES (or 3DES) uses a 168-bit cipher and essentially works by applying old-style DES to data chunks three times. Data is encrypted with one DES key, then decrypted with another, before being encrypted with a third key. At the other end, the process is simply reversed. This tends to provide enhanced protection against brute forcing, although NIST downgraded the algorithm in 2017. Therefore, it's not the gold standard.

AES: The Advanced Encryption Standard (AES) was introduced as a replacement for DES, and was created by the Belgian cryptographers Joan Daemen and Vincent Rijmen. In 2001, it was adopted by NIST as the leading encryption standard and remains relevant to modern cryptography.

Key sizes vary from 128 to 256 bits, and depending on the key size the cipher applies between 10 and 14 rounds of encryption to the targeted data. That delivers a high level of security and speed, which has made AES the option of choice for tools like VPNs. As of 2020, AES has still not been effectively cracked, and according to Edward Snowden, not even the NSA has been able to brute-force the algorithm.

RSA: RSA (Rivest–Shamir–Adleman) is a public key algorithm, which has been around since 1977. It uses two shared prime numbers, which are as large as possible. While the primes remain private, an auxiliary number also forms part of the public key.

Cracking the primes is extremely tough, especially if padding is used to strengthen the private keys. But the algorithm suffers in terms of speed, making it useful for some actions (such as encrypting documents), but less useful for encrypting traffic on the Web.
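The RSA structure described above (two primes kept private, a public auxiliary exponent, and a private exponent derived from the primes), as an added example that is not from the original article. It uses deliberately tiny constructed primes so the arithmetic is visible; the last function factors the toy modulus by trial division to show why the primes must be "as large as possible" in practice. Real deployments use 2048-bit or larger moduli together with a padding scheme; this illustrates the arithmetic only.

```python
from math import gcd, isqrt

def rsa_keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Build a key pair from primes p and q. Public key: (n, e). Private key: (n, d)."""
    n = p * q                           # the modulus, published
    phi = (p - 1) * (q - 1)             # needs p and q, so it stays private
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                 # e * d == 1 (mod phi)
    return (n, e), (n, d)

def rsa_encrypt(public_key: tuple, m: int) -> int:
    """Textbook RSA: c = m^e mod n, for an integer message below n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def rsa_decrypt(private_key: tuple, c: int) -> int:
    """m = c^d mod n, recoverable only with the private exponent d."""
    n, d = private_key
    return pow(c, d, n)

def recover_private_exponent(public_key: tuple) -> int:
    """Why key size matters: for a toy modulus, trial division recovers p and q
    from the public n, and d then follows. For real key sizes this is infeasible."""
    n, e = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1))
    raise ValueError("n is not a product of two primes")

if __name__ == "__main__":
    public, private = rsa_keygen(1009, 1013)        # constructed toy primes
    ciphertext = rsa_encrypt(public, 424242)
    print(rsa_decrypt(private, ciphertext))          # 424242
    print(recover_private_exponent(public) == private[1])  # True: toy n factors instantly
```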

SHA-256: The gold standard hashing algorithm, SHA-256 replaced older ciphers such as SHA-1 and MD5. SHA-256 is often a good partner function of AES-256 and is yet to be cracked. Notably, SHA-256 is used quite extensively in Bitcoin.

Knowledge Is Protection Power
As you can see, there's a huge difference between a type of encryption and the cipher. In short, a type of encryption refers to the way the process is organized. An algorithm is applied as part of that process to actually convert data into an unreadable format.

With digital threats growing all the time and governments hungry for data on citizens, encryption isn't a minor issue. So, get to know how it works, and choose a system that provides the protection you need.

Jan Youngren is a cybersecurity and consumer protection specialist at VPNpro focused on investigations that help readers navigate the complex infosecurity sphere. His research and commentary has been featured in Forbes, ComputerWeekly, PC Mag, TechRadar, ZDNet, The Mirror, ...