Demystifying Encryption & Public Key Cryptography (Part 1)
Welcome to Penneo’s newsletter, where you'll find actionable advice to tackle the challenges faced by your business when it comes to data security & regulatory compliance.?
Today's read is ~13 minutes
In 2023, nearly all businesses collect, process, and store critical data on their systems. If a breach occurs, it’s all at risk of falling into the wrong hands.?
The same goes for the programs and tools we use in our personal life - from our Internet browser to our messaging apps, from our smart appliances at home to the wearable devices we put on every day.
With privacy becoming top of mind in the business world as much as in the private sphere, the concepts of encryption and end-to-end encryption are becoming more known and relatable. But their precise meaning and the way encryption actually works still appear quite mysterious, as if it was reserved for an elite of tech experts.
Well, it doesn't need to be.?
And it shouldn't!?
After all, the privacy of what you store on your laptop or smartphone is based on encryption, as is the confidentiality of our conversations. So it would be beneficial to grasp at least the basics of its functioning. (Plus, encryption is at the foundation of the technology enabling digital signatures that confirm the identity of the signatories! - but we'll come back to that later.)
Since it sounds like a rather complex topic at first glance, we'll break it down into simple concepts and short examples, starting with the basics of cryptography.?
This month's newsletter will focus on what encryption is, how to encrypt data at rest and data in transit, and the difference between symmetric and asymmetric encryption.?
If you haven't yet, subscribe to our newsletter to be notified when we publish our second episode next month - Demystifying Encryption & Public Key Cryptography (Part 2) -, where we'll show you how asymmetric encryption can be used to prove the authorship of a message and we'll also discuss end-to-end encryption's pros and cons.?
So hang tight!
Getting started: What is encryption, and what is it for?
Generally, encryption refers to the mathematical process of making a message unreadable except for the person who has the key to decrypt it into readable form.?
The first encryption methods were historically born to respond to the need for secrecy. Military officers used them to share encoded messages and prevent their content from being read even after falling into enemy hands. And that’s still the main goal pursued today (in non-military environments, too) - albeit perfected to the highest level, in the form of what we know as end-to-end encryption.?
Encryption is today a more common and affordable tool within everyone's reach - made available by some messaging apps, document transaction software, data management solutions, etc.?
However, there is still some confusion on the subject - which we’ll hopefully clear up through this article!
What can be encrypted, and how?
Encryption can be used to protect data at rest (such as information, documents, and images on a device) and data in transit (like messages from one person to another).
The information stored on your devices (data at rest)
Data “at rest” is data stored somewhere - be it a laptop, smartphone, or external hard drive - and not intended to be moved. This type of encryption can cover specific files on a device, all the data in a storage folder, or even the device as a whole.?
A common example of encryption of data at rest is, indeed, device encryption (a.k.a. “full-disk” encryption) which encrypts all the information stored on a device with a password or another “locking” method. This type of encryption typically looks like the device lock screen that enables access to your computer or phone after typing the passcode or using your fingerprint.?
The messages you send to another person (data in transit)?
Data “in transit” is data that moves from one place to another. This “movement” occurs as a result of any communication - not only between people but also between websites and browsers. For instance, when navigating the internet and going to a website, you can browse it because the data from that web page travels from the website’s servers to your browser.
The same happens when you send a message on a messaging app, as that message moves over a network - from your smartphone to the servers of the app’s provider to your recipient’s device.?
More specifically, the message sent from one device to another passes through a cellphone tower, then the servers of the messaging service provider, then another cell phone tower, and ultimately reaches the recipient’s device.?
When no encryption is in place (that is, in most cases), all the elements-actors included along the message’s way (the so-called intermediaries) will be able to read the unencrypted message being sent.
As the message can be seen by these servers (and usually stored on them), it might be vulnerable to disclosure and leak if the servers involved get hacked or compromised.
How Encryption Saves The Day
If you want your messages to be confidential, the conversation between you and the recipient needs to be encrypted.?
There are two ways to encrypt data in transit: transport-layer encryption and end-to-end encryption.
Transport-layer Encryption
Transport-layer encryption - also known as transport layer security (TLS) - protects a message sent from your device to another by encrypting its content as it travels from your device to the messaging app’s servers and from the messaging app’s servers to your recipient’s device.?
Therefore the message is only encrypted for the cell phone towers in this example, not for the messaging service provider - who can decrypt it and see its content.?
It follows that the confidentiality of your conversation is still at risk.?
For example, when you have a conversation on Facebook Messenger, your conversation is encrypted in transit between your device and Facebook, and between Facebook and the recipient’s device. Therefore, Facebook can potentially read your messages and disclose their contents. Obviously, if they did and leaked private conversations of their users, the most used social media would likely lose its wide popularity.?
To clarify, relying on a messaging app that uses transport-layer encryption does not mean your data is unsafe. It only means that what protects your privacy is not only the encryption but also (and especially) the company’s privacy policies and data processing practices.
As mentioned, encryption is not just about protecting communication between people’s devices but also between websites.?
Another example of transport-layer encryption can be seen on some URLs. Next to the URL, you can find the communication protocol - that, for some websites, is still “https://”. If you visit a website using HTTP protocol and a malware is spying on your network, you have no protection against malicious actors. They can see which websites you're navigating and what information you’re typing in (like credit card numbers or other personal data).?
Conversely, if you are browsing on an HTTPS-protected website, your connection is secured and encrypted. The message you write on that website, your searches, login credentials, and whatever sensitive information you enter is hidden from any hacker that breaches your network.?
Only the website’s owner can access it to provide you with the services you’re looking for, and no other people can read any of your information. You can check the protocol type to see if the website you’re browsing is https-protected, like in the example below, and click on the locker icon in the URL bar to get more information about the connection's security.
End-to-End Encryption
End-to-end encryption ensures greater protection for data in transit. The message being sent from one device to another is encrypted all the way from the sender (the initial “end”) to the recipient (the final “end”). Nothing and nobody, including the messaging service provider, can read the content of your conversation.?
Today, several communication apps offer end-to-end encrypted messaging services (like WhatsApp, Telegram, Signal, etc.). When using such applications, the service providers can only see that you are having a conversation with your recipient but are unable to decrypt and view the messages you are transmitting.?
This is why end-to-end encryption is a much safer data privacy method.?
You can feel free to communicate sensitive data, medical information, financial or legal details, business affairs, or simply have an intimate conversation without prying eyes.?
The original sender and the intended receiver are the only two individuals who can read the messages. No one sitting in the middle can see their content, not even the company running the communication service.?
So, which of the two encryption methods should you prefer??
If you trust the application you are using, its data processing policies, and its infrastructure's security, transport-layer encryption might look safe enough to meet your needs.?
Nonetheless, we recommend preferring services that enable end-to-end encryption when available because of the higher privacy and secrecy they provide.?
A Closer Look at End-to-End Encryption
End-to-end encryption (E2EE) is based on public key cryptography, a type of asymmetric-key encryption.?
All these terms refer to the process of converting (encrypting) ordinary plain text into unintelligible text and vice-versa (decrypting it) by means of keys.?
End-to-end encryption is based on the use of two different (asymmetric) keys: one to encrypt the message and one to decrypt it (respectively called public key and private key).?
Having clarified the basics of encryption, we’ll dive into what end-to-end encryption (E2EE) means, how it works, and what it can be used for in our next newsletter. To better understand it, though, we will now take a step back and walk you through how symmetric-key encryption (with one key) & asymmetric-key encryption (with two keys) work.?
Bear with us. We'll get there in no time!
Symmetric Encryption: Pros and Cons of Using a Single Key?
Let’s say that Bob, Joe, and Alice are sitting beside each other.?
Bob wants to send a message to Alice on a note. To do so, that note has to go through Joe’s hands, who will then pass it on to Alice.?
If Bob wants to keep the message secret (so that Joe can’t read it and only Alice can), Bob needs to use some form of encryption to make it unreadable for Joe.?
Bob decides to encrypt the message with a key of 3, shifting the alphabet letters by three (so A becomes D, B becomes E, etc.), and, in the same (reverse) way, the message will then be decrypted by Alice. So, for instance, a message saying “HELLO” will be encrypted as “KHOOR”.?
The method of shifting the letters down the alphabet by three is historically known as the Caesar cipher, as Julius Caesar used it to communicate in secrecy.?
This encryption method based on one single key used to both encrypt and decrypt the message is the simplest example of symmetric cryptography (symmetric encryption).?
Although it seemed effective in the distant past, it is a rather weak and vulnerable encryption mechanism today.
In the example above, if Joe wanted to decipher the message, he would just try all the possible combinations - and it wouldn’t take long to guess the key to interpreting the message and converting it into readable text. Moreover, Joe could spy on Bob and Alice until they tell each other the key to their encryption method - at which point, he would always be able to read their messages.
Luckily, cryptography has made great strides since the time of Caesar, hand in hand with technology. The mathematical capabilities of today's computers can generate much more complex keys than the key of three, which are also much harder to guess.
Using a single key for encrypting and decrypting the message is the main flaw of symmetric cryptography. That’s why it’s much safer to use asymmetric cryptography.?
Instead of one single key, asymmetric cryptography uses two different keys - one to encrypt the message and another to decrypt it.
Asymmetric Encryption: When Two (Keys) Truly is Better Than One?
To continue with the example above, let’s assume that Bob and Alice are now in two different countries and want to send messages to each other from their computers without anyone else being able to read their conversation.?
In this situation, the intermediary Joe is replaced by a number of third parties: Bob and Alice’s computers, Internet connection providers, browser and email providers, and other computers and data servers that need to be involved in enabling their communication online.?
If Bob and Alice want their messages to remain private, they must use asymmetric encryption. To do so, they rely on a messaging service that provides a public key encryption functionality.?
This encryption system creates for both Bob and Alice two keys: a public key and a private key. The two keys are represented by very large numbers and are connected to each other.?
The public key and the private key are generated together and tied together. It is as if they represented two sides of the same coin, and they complement each other.?
The public key is used to encrypt the message; the private key is used to decrypt it.?
To send an encrypted message to Alice, Bob needs her public key.?
Alice can send her public key to Bob over an insecure channel, like an unencrypted email, because the public key is something that can be shared openly and does not need to be kept secret - as it can only be used to encrypt messages, not to decrypt them.?
Bob receives Alice’s public key and can now use it to encrypt a message and send it over on the internet until it reaches Alice’s computer.
But how exactly is the message encrypted? What does encryption software do??
In our example, all of the intermediaries involved along the message’s way can see that a message is being transmitted from Bob to Alice. They can see its metadata (such as the date and time of the message, the subject line, and the sender and recipient’s name) but cannot read the message’s content. The content of the message looks indecipherable for all of them since they lack Alice’s private key to decrypt it.?
Once Alice receives the message, she can use her private key (kept secret and never shared with anybody on any communication channel) to decrypt the message and read its content.?
Therefore, with public key cryptography, the message is encrypted from the initial sender/end (Bob) and can only be decrypted by the final recipient/end (Alice). Ergo, it’s kept confidential from end to end.?
In the same way, if now Alice wants to reply to Bob by sending him an encrypted message, she will need Bob’s public key (that he can share publicly and freely) to encrypt it. The message will be unreadable to anybody other than Bob, who will be able to decrypt it using his private key.
We hope we helped you familiarize yourself with what encryption means (and its importance!).
Next month, you’ll be able to read about how asymmetric encryption can be used for identity-proof purposes to verify the author of a message. And, similarly, how it can be relied upon to ensure the identity of a person signing a document digitally - in other words, how asymmetric encryption becomes the key for digital signatures!?
Moreover, we’ll go through the benefits of using end-to-end encryption, whether and how it can be hacked, and how you can prevent that from occurring.?
Stay tuned to learn more!
Thanks for reading!
If you're interested in reading more about how to ensure compliance in your business, check out Penneo’s website, and follow us by subscribing to our email newsletter !
Subscribe and browse our previous newsletters and articles here .
CEO @ Seald ?? | Intégrez du chiffrement de bout-en-bout dans votre application en quelques minutes ??? | Solution certifiée par l'ANSSI ????
1 年Great article! I hope end-to-end encryption becomes standard.