A lot of communications protocols use encryption to make sure your connection is secure. Understanding what encryption actually does and why it’s important for everyone is a good idea, so you know what it can protect you from, and what it can’t.
Encryption is a mathematical process of scrambling data using an encryption cipher and an encryption key. The encrypted data or ciphertext can only be decrypted back to its original “plaintext” form through the use of a decryption key.
With a good encryption algorithm, the ciphertext should be indistinguishable from random noise, or meaningless values. This makes it impossible to tell if the data even is a ciphertext, or if it's just noise. This design makes it significantly harder to use cryptanalysis, the process of analysing a ciphertext in an attempt to decrypt it without the decryption key.
Tip: Noise is random background static, just like the snow or static seen on some old TVs when they don’t have a signal.
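The "looks like noise" property can be measured. The following is an added example, not part of the original article: it uses Node.js's built-in crypto module to compare the byte-level Shannon entropy of a constructed, repetitive plaintext, its AES-256 ciphertext, and genuinely random bytes. The choice of CTR mode and all function names are assumptions made for the illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Shannon entropy in bits per byte: 0 = perfectly predictable, 8 = uniform noise.
function entropyBitsPerByte(buf) {
  const counts = new Array(256).fill(0);
  for (const b of buf) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / buf.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Encrypt with AES-256 in CTR mode under a fresh random key and IV.
function encryptAes256Ctr(plaintext) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(16);
  const cipher = nodeCrypto.createCipheriv('aes-256-ctr', key, iv);
  return Buffer.concat([cipher.update(plaintext), cipher.final()]);
}

function compareEntropy() {
  // Constructed sample input: 64 KiB of highly repetitive text.
  const line = 'username=alice&password=correct-horse-battery-staple\n';
  const repeats = Math.ceil(65536 / line.length);
  const plaintext = Buffer.from(line.repeat(repeats)).subarray(0, 65536);
  return {
    plaintext: entropyBitsPerByte(plaintext),
    ciphertext: entropyBitsPerByte(encryptAes256Ctr(plaintext)),
    noise: entropyBitsPerByte(nodeCrypto.randomBytes(65536)),
  };
}

// Print the three measurements side by side.
for (const [name, bits] of Object.entries(compareEntropy())) {
  console.log(`${name.padEnd(10)} ${bits.toFixed(3)} bits/byte`);
}
```

The ciphertext and the random bytes both score close to 8 bits per byte, while the plaintext scores far lower. Compressed data also scores high, so a high entropy reading on its own does not prove that data is encrypted.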
Symmetric vs asymmetrical
For some classes of encryption algorithms, the decryption key is the same as the encryption key; in others, the two keys are different. When the decryption key is the same as the encryption key, it is known as symmetric encryption. In this case, the encryption key can be thought of as a password, and anyone with the password can encrypt or decrypt data. AES is a good example of a symmetric encryption algorithm, as one of its uses is to secure HTTPS communications on the internet.
Tip: HTTPS, or Hypertext Transfer Protocol Secure, is the primary encrypted communication protocol used on the internet.
Asymmetric encryption uses separate encryption and decryption keys; it is also commonly referred to as public-key cryptography. The encryption key is known as the public key and is published for anyone to use to encrypt data. The decryption key is known as the private key and, as the name suggests, it is kept private.
This form of encryption can be used to ensure that only the intended recipient can decrypt and read the encrypted message. A common example of a public-key encryption algorithm is RSA. RSA is also commonly used in HTTPS connections but only so the two computers can securely agree a symmetric encryption key to use.
Tip: Asymmetrical encryption algorithms are slower to use than symmetrical ones that provide similar security levels. Therefore, asymmetrical encryption is only used to agree a symmetrical encryption key in protocols that require speed and efficiency such as HTTPS.
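The split of work described above, with a slow asymmetric algorithm protecting a fast symmetric key, can be shown in a few lines. This is an added example, not part of the original article and not the actual HTTPS handshake: it is a simplified hybrid scheme using Node.js's built-in crypto module, and the function names, the RSA-OAEP padding and the AES-256-GCM mode are assumptions chosen for the illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Recipient: generate an RSA key pair. The public key is published,
// the private key never leaves the recipient.
function generateRecipientKeys() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender: encrypt the message with a fresh AES-256-GCM key (symmetric),
// then wrap that key with the recipient's RSA public key (asymmetric).
function hybridEncrypt(publicKey, message) {
  const aesKey = nodeCrypto.randomBytes(32); // 256-bit symmetric key
  const iv = nodeCrypto.randomBytes(12);     // must be unique per message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(message, 'utf8'), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt(
    { key: publicKey, padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    aesKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient: unwrap the AES key with the RSA private key, then decrypt.
// Throws if the private key is wrong or the ciphertext was modified.
function hybridDecrypt(privateKey, { wrappedKey, iv, ciphertext, tag }) {
  const aesKey = nodeCrypto.privateDecrypt(
    { key: privateKey, padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', aesKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

function demo() {
  const recipient = generateRecipientKeys();
  const someoneElse = generateRecipientKeys(); // holds a different private key
  const sealed = hybridEncrypt(recipient.publicKey, 'constructed sample message');
  let otherKeyWorks = true;
  try { hybridDecrypt(someoneElse.privateKey, sealed); } catch { otherKeyWorks = false; }
  return {
    recovered: hybridDecrypt(recipient.privateKey, sealed),
    wrappedKeyBytes: sealed.wrappedKey.length,
    otherKeyWorks,
  };
}

console.log(demo());
```

Only the 32-byte AES key goes through RSA; the message itself, however long, is handled by the much faster symmetric cipher.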
Tip: One thing HTTPS doesn’t do is guarantee that you’re connecting to the website you meant to. What it does do is guarantee that you’re connecting to the website that you entered in the search bar. If you made a typo and accidentally browse to exanple.com rather than example.com, HTTPS will confirm that you’re securely connected to exanple.com. HTTPS only verifies that your connection to the webserver is secure. HTTPS also doesn’t imply that the website that you’re connecting to doesn’t contain viruses or other malicious software.
The security of an encryption algorithm is measured in bits. Bits of security refers to the size of the encryption key used and therefore how difficult it is to guess. Unfortunately, it’s not possible to directly compare the security of symmetrical and asymmetrical algorithms this way.
Symmetrical encryption algorithms such as AES need to use at least a 128-bit encryption key to be considered secure, although a 256-bit key is recommended. Asymmetrical algorithms need to use at least a 2048-bit key to be considered secure.
A 256-bit encryption key has 2^256 possible combinations, that’s two multiplied by itself 256 times. Written out in full, there are: 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 possible combinations of a 256-bit encryption key. This number is so big that it is roughly equal to the number of atoms that scientists predict exist in the visible universe.
It is incomprehensibly difficult to correctly guess the key needed to decrypt data encrypted with a 256-bit key. Even if you had dedicated access to the fastest supercomputers and centuries of time, you would still be statistically unlikely to correctly guess the decryption key.
Why is it important?
When logging into a website, you send your username and password, or your bank details. These details are private and sensitive: if someone else has them, they could access your accounts, impersonate you, steal money from you, and more.
When using the plain text HTTP protocol, anyone on the network between you and the web server could intercept and read the communications you send and receive. This includes your passwords and other sensitive details. Other users on your home network, your ISP, and other users on any public Wi-Fi hotspots you connect to could be in a position to perform this type of attack.
If you use HTTPS to protect communications to and from the web server, your details are encrypted and can’t be read by anyone else. This encryption will keep your passwords and other private data secure when browsing the internet.
Encryption isn’t just important for private or sensitive data though; it is also a useful privacy tool. For example, it can stop your ISP from snooping on your web browsing habits.
Encrypting as much of your communications as possible makes it less obvious which of them carry the sensitive data that attackers might want to steal. As such, it is generally recommended that you use encryption wherever possible to secure everything you do.
With modern hardware and encryption algorithms, encryption adds only an imperceptible delay, so you don’t need to worry about it slowing down your internet connection either.