7/14/2020
10:00 AM
Jan Youngren
Commentary

Crypto-Primer: Encryption Basics Every Security Pro Should Know

With so many choices for encrypting data and communication, it's important to know the pros and cons of different techniques.

Encryption has become a routine part of everyday life. Your iPhone uses it to defeat cybercriminals and snoopers. Security cameras may use it to keep footage private. And your VPN definitely uses it, to fence off online traffic and make it invisible to prying eyes.

Recently, however, there has been a legislative push in the US to limit ways in which encryption can be used. First came the EARN IT Act, which would set up a government commission to dictate best practices to tech companies, and now there is an even more direct affront to encryption in the form of the Lawful Access to Encrypted Data Act.

In light of these realities, it's helpful to have a better understanding of what encryption is, what the various types of encryption and encryption algorithms are, and which types offer the strongest protection. This article explains why encryption is important and also helps you make an informed decision when protecting your data.

What's an Encryption Type?
When we talk about encryption types, we are dealing with the way that encryption processes operate. There are three major forms — asymmetric, symmetric, and hash functions — and they work in different ways.

Asymmetric: A common form of encryption in use on today's Internet, asymmetric cryptography is also known as public key cryptography. In this type of encryption, data is encrypted using a pair of keys.

One of these keys is the public key, while the other is the private key. The public key is known by the provider of encryption services and is used to apply initial encryption. It will usually be changed on a regular basis to ensure that it is protected from hackers. The private key is used to decrypt data when it reaches its destination and is known only to the user or recipient.

Asymmetric encryption is ubiquitous on the Web. For instance, it's used in Bitcoin; payments via APIs also generally use asymmetric encryption to secure credit card details.

This is a slower type of encryption than symmetric encryption, so it's often used to encrypt small pieces of data. For example, it is often used in conjunction with symmetric cryptography to facilitate key exchange.

Symmetric: In symmetric encryption, only a single key is required. When information is encrypted symmetrically, the two nodes use the same key, which is applied to data to encrypt and decrypt it. Generally, this key will be created via random-number generators, which themselves have grades of sophistication. Even so, the best symmetric encryption will be weaker than asymmetric alternatives.

The advantage of symmetric encryption is speed. Because one key is involved, data can be encrypted and read much faster.

Hash functions: Slightly different from asymmetric and symmetric encryption, hash functions still turn plaintext into impenetrable code for the purposes of data protection.

A hash function converts an input into a predetermined output. It doesn't matter how large the input is; it will always create a hash of the same fixed length. The created hash cannot be turned back into the input, so there's no decryption involved in the conventional sense.

This may seem less useful than standard encryption, but it is actually a very powerful tool. Hash functions have become the primary way to prove that data or software is authentic and that outsiders haven't tampered with it.

Hashes are also used routinely in password storage systems, storing passwords in hashed format instead of plaintext. They can also detect whether documents or data have been changed via monitoring changes to the hash output.
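As an added example (not from the article), the three uses described above with Python's standard library: fixed-length SHA-256 output for inputs of any size, a tamper check against a published digest, and salted, iterated password hashing with PBKDF2-HMAC-SHA256. The sample inputs are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample inputs (not from the article): a short message and a
# much longer one, to show the fixed-length output the text describes.
SHORT_INPUT = b"pay 10 dollars"
LONG_INPUT = b"A" * 10_000


def digest_hex(data: bytes) -> str:
    """SHA-256 of arbitrary-length data, always a 64-character hex string."""
    return hashlib.sha256(data).hexdigest()


def differing_hex_chars(a: bytes, b: bytes) -> int:
    """Count hex positions where two digests differ: a one-character change in
    the input scrambles roughly 15/16 of the output (the avalanche effect)."""
    return sum(x != y for x, y in zip(digest_hex(a), digest_hex(b)))


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Tamper check: recompute the hash and compare with the published value.
    compare_digest avoids leaking, via timing, how many characters matched."""
    return hmac.compare_digest(digest_hex(data), expected_hex)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Salted, iterated hash for password storage (PBKDF2-HMAC-SHA256).
    The random salt makes identical passwords hash differently; the iteration
    count slows offline guessing. Returns (salt, derived_key) to store."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def check_password(password: str, salt: bytes, stored_key: bytes,
                   iterations: int = 600_000) -> bool:
    """Verify a login attempt; the plaintext password is never stored."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_key)
```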

Introducing Encryption Algorithms
Algorithms are essentially the tools used to turn plaintext into indecipherable chunks of data. We refer to it here as an algorithm, but in traditional cryptography, the word "cipher" is much more common. For the purposes of this article, we'll treat the terms as interchangeable.

Algorithms are graded according to their strength. This in turn usually refers to the length of the key size used by specific forms of encryption. For example, in the popular AES-128 algorithm, the key length is 128 characters.

Length matters because the longer a key is, the more computations an attacker must process in order to decrypt an encoded message. Hence, we've seen key lengths steadily growing over the years to 256- and even 512-bit versions.

However, key length is not everything; ciphers are stronger or weaker for other reasons as well. The five most common algorithms include:

DES: The granddaddy of today's encryption algorithms, Data Encryption Standard (DES) was invented by IBM in the 1970s with a key length of 56 characters. In 1977, it became the first digital algorithm approved as a Federal Information Processing Standard, and became the go-to option for protecting classified documents.

These days, DES is an antique, providing virtually no protection against hackers. Still, without it, the algorithms that protect us against digital intruders today would not exist.

Triple DES: Triple DES (or 3DES) uses a 168-bit cipher and essentially works by applying old-style DES to data chunks three times. Data is encrypted with one DES key, then decrypted with another, before being encrypted with a third key. At the other end, the process is simply reversed. This tends to provide enhanced protection against brute forcing, although NIST downgraded the algorithm in 2017. Therefore, it's not the gold standard.

AES: The Advanced Encryption Standard (AES) was introduced as a replacement for DES, and was created by the Belgian cryptographers Joan Daemen and Vincent Rijmen. In 2001, it was adopted by NIST as the leading encryption standard and remains relevant to modern cryptography.

Key sizes vary from 128 to 256 bits, with between 10 and 14 rounds of encryption applied to the targeted data depending on the key size. That delivers a high level of security and speed, which has made AES the option of choice for tools like VPNs. As of 2020, AES has still not been effectively cracked, and according to Edward Snowden, not even the NSA has been able to brute-force the algorithm.

RSA: RSA (Rivest–Shamir–Adleman) is a public key algorithm, which has been around since 1977. It uses two shared prime numbers, which are as large as possible. While the primes remain private, an auxiliary number also forms part of the public key.

Cracking the primes is extremely tough, especially if padding is used to strengthen the private keys. But the algorithm suffers in terms of speed, making it useful for some actions (such as encrypting documents), but less useful for encrypting traffic on the Web.
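An added example, not from the article, showing textbook RSA with constructed toy primes: key generation from two primes, encryption of a small value such as a session key, why the modulus must be large (a toy modulus can be factored by trial division, which reveals the private exponent), and why padding is needed (unpadded RSA is deterministic). The random-bit padding here is a simplified stand-in for a real scheme such as OAEP, not a drop-in replacement.

```python
import math
import secrets

# Constructed toy parameters (not from the article). Primes this small are
# for illustration only; real RSA keys use primes hundreds of digits long.
TOY_P = 1_000_003
TOY_Q = 1_000_033
PUBLIC_EXPONENT = 65537


def keygen(p: int, q: int, e: int = PUBLIC_EXPONENT):
    """Textbook RSA key generation: the modulus n = p*q and e are public; the
    private exponent d is derived from the primes, which must stay secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "e must be invertible modulo phi"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), d


def encrypt(message: int, public_key) -> int:
    n, e = public_key
    assert 0 <= message < n
    return pow(message, e, n)


def decrypt(ciphertext: int, private_d: int, n: int) -> int:
    return pow(ciphertext, private_d, n)


def recover_private_key(public_key) -> int:
    """Why key length matters: a toy modulus yields to trial division in well
    under a second, and the private exponent follows from the factors. For a
    2048-bit modulus the same loop would never finish."""
    n, e = public_key
    for candidate in range(3, math.isqrt(n) + 1, 2):
        if n % candidate == 0:
            p, q = candidate, n // candidate
            return pow(e, -1, (p - 1) * (q - 1))
    raise ValueError("no factor found")


def encrypt_padded(message: int, public_key, pad_bits: int = 16) -> int:
    """Unpadded RSA is deterministic, so repeated messages are visible to an
    observer. Appending random bits before encryption removes that property
    (a stand-in for real padding such as OAEP, which also adds integrity)."""
    assert message < (public_key[0] >> pad_bits), "message too large to pad"
    return encrypt((message << pad_bits) | secrets.randbits(pad_bits), public_key)


def decrypt_padded(ciphertext: int, private_d: int, n: int, pad_bits: int = 16) -> int:
    return decrypt(ciphertext, private_d, n) >> pad_bits
```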

SHA-256: The gold standard hashing algorithm, SHA-256 replaced older ciphers such as SHA-1 and MD5. SHA-256 is often a good partner function of AES-256 and is yet to be cracked. Notably, SHA-256 is used quite extensively in Bitcoin.

Knowledge Is Protection Power
As you can see, there's a huge difference between a type of encryption and the cipher. In short, a type of encryption refers to the way the process is organized. An algorithm is applied as part of that process to actually convert data into an unreadable format.

With digital threats growing all the time and governments hungry for data on citizens, encryption isn't a minor issue. So, get to know how it works, and choose a system that provides the protection you need.

Jan Youngren is a cybersecurity and consumer protection specialist at VPNpro focused on investigations that help readers navigate the complex infosecurity sphere. His research and commentary have been featured in Forbes, ComputerWeekly, PC Mag, TechRadar, ZDNet, The Mirror, ...