Based on the multitude of discussions regarding encryption and what it means, we thought it would be best to provide the basics on encryption and how it works in internet applications. This is just a rudimentary primer, but should provide some vocabulary to better understand encryption.
Encryption is the process of encoding messages or information in such a way that eavesdroppers or hackers cannot read it, but that authorized parties can. The authorized party can then unlock the data using an encryption key that was used to encrypt the data. Encryption can be used to protect data in storage, i.e., on a hard drive, or in transit, i.e., via a network, the internet, cell phones, etc. For data in transit, the data must be encrypted prior to distribution to ensure the data arrives without being accessed or tampered with.
The basic demonstration of encryption and decryption is as follows:
Symmetric vs. Private Keys:
Symmetric-key cryptology uses the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may either be identical or there may be a simple transformation between keys. Both parties must have access to the encryption keys, which is a drawback. This requires that the users exchange the required keys, which can result in security issues. This type of encryption is used for email and secure remote access, among other applications.
Public-key cryptology requires two separate keys: one public and one private. The public key can be freely distributed for all to use, while the private key must remain private. Neither key can accomplish both locking and unlocking tasks. Unlike symmetric-key, however, an initial exchange of keys is not required, which lessens the security risk of third party intercepts. This encryption underpins many internet security standards such as Security Sockets Layer (SSL) and Transport Layer Security (TLS), and is generally used to ensure confidentiality or mark a signature.
Keys can be generated in three different ways. First, full-strength, randomly generated, user-managed keys are the most secure as they cannot be reproduced or copied. Access to full server data gives the hacker no useful information. It is also the most difficult to use, as enabling new devices requires coordination with existing devices. There is therefore no recovery method, which results in more complicated usage and a potentially bad user experience.
Second, a key can be derived from a user’s password. This is less secure than the first method because user passwords are not as strong as cryptokeys. Nonetheless, it can still be difficult and expensive to break into a user’s data, and more difficult to hack across a large number of user accounts. From the user perspective, usability is increased because the password can be memorized. Unfortunately, if the password is lost, so is the data, and it cannot be recovered.
Third, servers and administrators can manage keys instead of having users do so. In this case, servers have access to all user data. Internal security against hackers is low as data is not encrypted internally. Nearly all internet services follow this model as it provides the best user experience from a usability perspective with respect to password recovery.