Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

7/14/2020
10:00 AM
Jan Youngren
Commentary

Crypto-Primer: Encryption Basics Every Security Pro Should Know

With so many choices for encrypting data and communication, it's important to know the pros and cons of different techniques.

Encryption has become a routine part of everyday life. Your iPhone uses it to defeat cybercriminals and snoopers. Security cameras may use it to keep footage private. And your VPN definitely uses it, to fence off online traffic and make it invisible to prying eyes.

Recently, however, there has been a legislative push in the US to limit ways in which encryption can be used. First came the EARN IT Act, which would set up a government commission to dictate best practices to tech companies, and now there is an even more direct affront to encryption in the form of the Lawful Access to Encrypted Data Act.

In light of these realities, it's helpful to have a better understanding of what encryption is, what the various types of encryption and encryption algorithms are, and which offer the strongest protection. This article explains why encryption is important and should also help you make an informed decision when protecting your data.

What's an Encryption Type?
When we talk about encryption types, we are dealing with the way that encryption processes operate. There are three major families of primitives that come up in practice: asymmetric encryption, symmetric encryption, and hash functions (which, strictly speaking, don't encrypt anything at all). They work in different ways.

Asymmetric: The workhorse of authentication and key exchange on today's Internet, asymmetric cryptography is also known as public key cryptography. In this type of encryption, each party holds a pair of mathematically linked keys rather than one shared secret.

One of these keys is the public key, while the other is the private key. The public key can be handed to anyone; a sender uses it to encrypt a message to the key's owner (or to verify the owner's signature). The private key is known only to its owner and is the only thing that can decrypt what was encrypted under the matching public key (or produce a valid signature). Publishing the public key gives an attacker no practical way to derive the private key, so what must be protected is the private key itself; rotating key pairs periodically limits the damage if it is ever exposed.

Asymmetric cryptography is ubiquitous on the Web. Every TLS handshake uses it to authenticate the server and agree on session keys, and Bitcoin uses public key signatures (ECDSA) rather than encryption to prove ownership of coins. Payment APIs that carry credit card details rely on that same TLS machinery to protect them in transit.

This is a far slower type of encryption than symmetric encryption, so it is used only on small pieces of data. For example, it is typically paired with symmetric cryptography: the asymmetric step establishes or wraps a session key, and a symmetric cipher does the bulk work.

Symmetric: In symmetric encryption, only a single key is required. When information is encrypted symmetrically, the two nodes use the same key, which is applied to data both to encrypt and to decrypt it. The key should come from a cryptographically secure random-number generator; a predictable generator is a classic way for an otherwise sound cipher to fail. The catch is key distribution: both sides must already share the secret, which is exactly the problem asymmetric cryptography exists to solve. Symmetric encryption is not weaker than asymmetric encryption at comparable security levels; by NIST's equivalence tables, a 128-bit AES key is roughly as hard to break as a 3072-bit RSA key.

The advantage of symmetric encryption is speed. Because a single key and simple block operations (often hardware-accelerated, as with AES-NI) are involved, data can be encrypted and read orders of magnitude faster than with public key operations.

Hash functions: Different from asymmetric and symmetric encryption, hash functions don't encrypt anything; they turn input of any size into a fixed-size fingerprint, and that fingerprint is what gets used for data protection.

A hash function converts an input into a fixed-length output called a digest. It doesn't matter how large the input is; it will always produce a hash of the same fixed length (32 bytes for SHA-256). Three properties make a hash function cryptographic: it is infeasible to recover an input from its digest (preimage resistance), to find a second input with the same digest (second-preimage resistance), or to find any two inputs that collide (collision resistance). There is no decryption in the conventional sense, because there is no key.

This may seem less useful than standard encryption, but it is actually a very powerful tool. Hash functions have become the primary building block for proving that data or software hasn't been tampered with. On their own they only prove integrity, though: anyone who can alter a file can also recompute its hash, so authenticity requires pairing the hash with a secret key (an HMAC) or a private key (a digital signature).

Hashes are also used routinely in password storage systems, storing passwords in hashed format instead of plaintext. A fast general-purpose hash such as SHA-256 is the wrong tool for that job on its own: passwords should be salted and run through a deliberately slow function (bcrypt, scrypt, or Argon2) so that offline guessing is expensive. Hashes can also detect whether documents or data have been changed, by comparing a freshly computed digest with one recorded earlier.
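The three uses above, as an added example in Go (not the article's code): a SHA-256 digest that is 32 bytes whether the input is empty or a megabyte, an HMAC that cannot be forged without the key, and salted, iterated password hashing with constant-time comparison. The PBKDF2 routine is written out inline only so the example has no dependencies; all sample inputs are constructed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
)

// Digest returns the hex SHA-256 of data: always 64 hex characters (32 bytes).
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Tag returns HMAC-SHA256 over data under key. Unlike a bare hash, someone
// who alters data cannot recompute a valid tag without the key.
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// VerifyTag compares in constant time (hmac.Equal) to avoid timing leaks.
func VerifyTag(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, spelled out here so
// the example is dependency-free. Production code should use a vetted
// bcrypt/scrypt/Argon2 library instead of a hand-rolled KDF.
func pbkdf2SHA256(password, salt []byte, iters, keyLen int) []byte {
	hLen := sha256.Size
	nBlocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, nBlocks*hLen)
	for i := 1; i <= nBlocks; i++ {
		m := hmac.New(sha256.New, password)
		m.Write(salt)
		m.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)})
		u := m.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iters; j++ {
			m.Reset()
			m.Write(u)
			u = m.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const pwIters = 100_000 // deliberately slow: raises the cost of every offline guess

// HashPassword returns salt||derivedKey. A fresh random salt per user means
// identical passwords yield different records and precomputed tables are useless.
func HashPassword(password string) ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	return append(salt, pbkdf2SHA256([]byte(password), salt, pwIters, 32)...), nil
}

// CheckPassword re-derives from the stored salt and compares in constant time.
func CheckPassword(password string, record []byte) bool {
	if len(record) != 16+32 {
		return false
	}
	salt, want := record[:16], record[16:]
	got := pbkdf2SHA256([]byte(password), salt, pwIters, 32)
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	fmt.Println(Digest(nil))                               // 64 hex chars for empty input
	fmt.Println(Digest(bytes.Repeat([]byte("x"), 1<<20))) // 64 hex chars for 1 MiB
	key, msg := []byte("constructed shared secret"), []byte("transfer 100")
	tag := Tag(key, msg)
	fmt.Println("genuine:", VerifyTag(key, msg, tag), "tampered:", VerifyTag(key, []byte("transfer 900"), tag))
	rec, _ := HashPassword("correct horse battery staple")
	fmt.Println("login ok:", CheckPassword("correct horse battery staple", rec), "wrong:", CheckPassword("hunter2", rec))
}
```

Note that two calls to HashPassword with the same password give different records; that is the salt doing its job, and it is why the verifier must read the salt back out of the record rather than recomputing from scratch.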

Introducing Encryption Algorithms
Algorithms are essentially the tools used to turn plaintext into indecipherable chunks of data. We refer to it here as an algorithm, but in traditional cryptography, the word "cipher" is much more common. For the purposes of this article, we'll treat the terms as interchangeable.

Algorithms are commonly compared by their strength, which in practice usually means the effective key length used by a specific form of encryption. For example, in the popular AES-128 algorithm the key length is 128 bits (not characters), giving 2^128 possible keys.

Length matters because the longer a key is, the more computations an attacker must perform to brute-force an encrypted message, and each additional bit doubles that work. Hence symmetric key lengths have grown over the years from 56 bits (DES) to 128 and 256 bits; the 512-bit figures you see are typically hash output sizes (SHA-512) rather than symmetric keys.

However, key length is not everything; ciphers are stronger or weaker for other reasons as well, including block size, the mode of operation they are used in, and the cryptanalysis they have survived. The five most common algorithms include:

DES: The granddaddy of today's encryption algorithms, Data Encryption Standard (DES) was developed by IBM in the 1970s with a 56-bit key and a 64-bit block. In 1977, it became the first encryption algorithm published as a Federal Information Processing Standard (FIPS 46), and became the go-to option for protecting sensitive but unclassified federal data.

These days, DES is an antique, providing virtually no protection against attackers: its 56-bit key space was exhausted by brute force in 1998 by the EFF's purpose-built Deep Crack machine in just over two days, and commodity GPUs and FPGAs do it far faster now. Its legacy is that the public analysis of DES produced much of modern block cipher design, and both 3DES and AES exist because of it.

Triple DES: Triple DES (or 3DES) uses three 56-bit DES keys (168 bits in total) and essentially works by applying old-style DES to each 64-bit block three times. Data is encrypted with one DES key, then decrypted with another, before being encrypted with a third key (the EDE construction). At the other end, the process is simply reversed. This raises the cost of brute forcing well beyond DES, although a meet-in-the-middle attack reduces the effective strength to about 112 bits, and the 64-bit block size means ciphertext blocks start to collide after a few gigabytes under one key, which the 2016 Sweet32 attack exploits. NIST deprecated the algorithm in 2017 and has since scheduled its retirement. Therefore, it's not the gold standard; treat it as a legacy compatibility option.

AES: The Advanced Encryption Standard (AES) was introduced as a replacement for DES. NIST selected the Rijndael design by Belgian cryptographers Joan Daemen and Vincent Rijmen after an open, multi-year competition and published it as FIPS 197 in 2001; it remains the default symmetric cipher in modern cryptography.

Key sizes are 128, 192, or 256 bits, using 10, 12, or 14 rounds respectively; the block size is always 128 bits. That delivers a high level of security and speed, which has made AES the option of choice for tools like VPNs and for TLS. As of 2020, no practical attack on full AES is known, and according to Edward Snowden, not even the NSA has been able to brute-force the algorithm. The caveat is that the cipher is only as good as the mode it is used in: AES in ECB mode leaks patterns in the plaintext, and AES in an unauthenticated mode such as CBC or CTR lets an attacker alter ciphertext undetected, which is why modern protocols pair it with authentication (AES-GCM).
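Why the mode matters, as an added example in Go (not the article's code): the same AES-256 key encrypts four identical plaintext blocks in ECB mode, where the repetition shows straight through, and in CTR mode, where it doesn't but where flipping one ciphertext bit silently flips the matching plaintext bit. The key, IV and messages are constructed; real deployments draw the key and nonce from a CSPRNG and use an authenticated mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt runs the raw block cipher over each 16-byte block with no chaining.
// Equal plaintext blocks give equal ciphertext blocks: structure leaks.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys only
	if err != nil {
		return nil, err
	}
	if len(pt)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ecb: plaintext length %d is not a multiple of %d", len(pt), aes.BlockSize)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct, nil
}

// repeatedBlocks counts the 16-byte ciphertext blocks that occur more than once.
func repeatedBlocks(ct []byte) int {
	seen := map[[aes.BlockSize]byte]int{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], ct[i:i+aes.BlockSize])
		seen[b]++
	}
	n := 0
	for _, c := range seen {
		if c > 1 {
			n += c
		}
	}
	return n
}

// ctrXOR is AES-CTR: a keystream derived from key and iv is XORed with the
// data, so the same call encrypts and decrypts. It has no integrity check.
func ctrXOR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// flipCTR shows malleability: XORing a ciphertext byte XORs the same byte of
// the decrypted plaintext, and nothing in CTR mode notices.
func flipCTR(key, iv, pt []byte, pos int, mask byte) ([]byte, error) {
	ct, err := ctrXOR(key, iv, pt)
	if err != nil {
		return nil, err
	}
	ct[pos] ^= mask
	return ctrXOR(key, iv, ct) // decrypt the tampered ciphertext
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed AES-256 key
	iv := bytes.Repeat([]byte{0x01}, aes.BlockSize)
	pt := bytes.Repeat([]byte("ATTACK AT DAWN!!"), 4) // four identical 16-byte blocks

	ecb, _ := ecbEncrypt(key, pt)
	ctr, _ := ctrXOR(key, iv, pt)
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecb), "CTR repeated blocks:", repeatedBlocks(ctr))

	// '1' (0x31) XOR 0x08 = '9' (0x39): the attacker turns 100 into 900 without the key.
	tampered, _ := flipCTR(key, iv, []byte("transfer 100 EUR"), 9, 0x08)
	fmt.Printf("CTR after one bit flip: %q\n", tampered)

	_, err := ecbEncrypt(make([]byte, 20), pt)
	fmt.Println("20-byte key rejected:", err != nil)
}
```

The CTR result has no repeated blocks because each counter block is encrypted to a distinct keystream block, but that only hides content; the bit-flip shows that confidentiality without an authentication tag is not enough.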

RSA: RSA (Rivest–Shamir–Adleman) is a public key algorithm that has been around since 1977. Key generation picks two large secret primes and multiplies them together; their product n is published along with a public exponent e as the public key, while the primes, and the private exponent derived from them, stay private.

Recovering the primes from n is extremely tough at 2048 bits; that factoring problem is the whole basis of RSA's security. Padding (OAEP for encryption, PSS for signatures) is essential too, not because it strengthens the key but because unpadded "textbook" RSA is deterministic and malleable. The algorithm suffers in terms of speed, so in practice RSA is used to sign data and to transport or agree on symmetric keys, not to encrypt documents or Web traffic directly.
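The arithmetic behind that description, as an added example in Go's math/big (not the article's code): key generation from two primes, encryption with the public pair (n, e), decryption with the private exponent d, and the two weaknesses the text names. The toy primes 61 and 53 are small enough to factor by trial division on the spot, and unpadded RSA is malleable: multiplying a ciphertext by the encryption of 2 yields a valid encryption of twice the message. All values are constructed.

```go
package main

import (
	"fmt"
	"math/big"
)

// rsaKey is textbook RSA: n = p*q and e are public, d is private.
type rsaKey struct {
	n, e, d *big.Int
}

// newTextbookRSA derives d = e^-1 mod (p-1)(q-1). e must be coprime to phi.
func newTextbookRSA(p, q, e *big.Int) (rsaKey, error) {
	one := big.NewInt(1)
	n := new(big.Int).Mul(p, q)
	phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	d := new(big.Int).ModInverse(e, phi)
	if d == nil {
		return rsaKey{}, fmt.Errorf("e=%v is not invertible mod phi=%v", e, phi)
	}
	return rsaKey{n: n, e: e, d: d}, nil
}

// encrypt computes c = m^e mod n with the public key. It is deterministic:
// the same m always gives the same c, one reason real RSA adds random padding.
func (k rsaKey) encrypt(m *big.Int) *big.Int { return new(big.Int).Exp(m, k.e, k.n) }

// decrypt computes m = c^d mod n with the private exponent.
func (k rsaKey) decrypt(c *big.Int) *big.Int { return new(big.Int).Exp(c, k.d, k.n) }

// malleate produces an encryption of factor*m from c, factor and the public
// key alone: c * factor^e = (m*factor)^e mod n. OAEP padding defeats this.
func (k rsaKey) malleate(c, factor *big.Int) *big.Int {
	prod := new(big.Int).Mul(c, k.encrypt(factor))
	return prod.Mod(prod, k.n)
}

// smallestFactor recovers a prime factor of n by trial division. Instant for
// a toy modulus, hopeless for the ~617-digit n of a 2048-bit key.
func smallestFactor(n *big.Int) *big.Int {
	one := big.NewInt(1)
	sq, rem := new(big.Int), new(big.Int)
	for i := big.NewInt(2); sq.Mul(i, i).Cmp(n) <= 0; i.Add(i, one) {
		if rem.Mod(n, i).Sign() == 0 {
			return new(big.Int).Set(i)
		}
	}
	return nil // n is prime (or 1)
}

func main() {
	// Constructed toy parameters: n = 3233, phi = 3120, d = 2753.
	k, err := newTextbookRSA(big.NewInt(61), big.NewInt(53), big.NewInt(17))
	if err != nil {
		panic(err)
	}
	m := big.NewInt(65)
	c := k.encrypt(m)
	fmt.Println("n =", k.n, "d =", k.d, "c =", c, "decrypt(c) =", k.decrypt(c))
	fmt.Println("decrypt(c * 2^e mod n) =", k.decrypt(k.malleate(c, big.NewInt(2))))
	fmt.Println("smallest factor of n =", smallestFactor(k.n))
}
```

The malleation step is exactly what happens to a payment amount or a wrapped key if RSA is used without padding: an attacker who never learns m can still mint a ciphertext for 2m that decrypts cleanly.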

SHA-256: The gold standard hashing algorithm, SHA-256 replaced older hash functions such as SHA-1 and MD5, both of which now have practical collision attacks (MD5 since 2004, SHA-1 with the 2017 SHAttered collision). SHA-256 is often paired with AES-256 and has no known practical attack. Notably, SHA-256 is used extensively in Bitcoin, for block hashing in mining and for transaction identifiers.

Knowledge Is Protection Power 
As you can see, there's a real difference between a type of encryption and a cipher. In short, a type of encryption refers to the way the process is organized. An algorithm (cipher) is applied as part of that process to actually convert data into an unreadable format, and how the two are combined (modes, padding, key management) matters as much as which algorithm you pick.

With digital threats growing all the time and governments hungry for data on citizens, encryption isn't a minor issue. So, get to know how it works, and choose a system that provides the protection you need.


Jan Youngren is a cybersecurity and consumer protection specialist at VPNpro focused on investigations that help readers navigate the complex infosecurity sphere. His research and commentary have been featured in Forbes, ComputerWeekly, PC Mag, TechRadar, ZDNet, The Mirror, ...