Computer encryption is based on the science of cryptography, which has been used as long as humans have wanted to keep information secret. Before the digital age, the biggest users of cryptography were governments, particularly for military purposes. Encryption has a long history dating back to when the ancient Greeks and Romans sent secret messages by substituting letters only decipherable with a secret key.
The ancient Greeks used a tool called a Scytale to help encrypt their messages more quickly using a transposition cipher. They would simply wrap a strip of parchment around a cylinder, write out the message along it, and when the strip was unwound the letters wouldn’t make any sense. This encryption method could be fairly easily broken, of course, but it’s one of the first examples of encryption actually being used in the real world. Julius Caesar used a somewhat similar method during his time by shifting each letter of the alphabet to the right or left by a number of positions, an encryption technique known as Caesar’s cipher. Since only the intended recipient of the message knew the cipher, it would be difficult for any other person to decode the message.
During World War II, the Germans used the Enigma machine to pass encrypted transmissions back and forth across the battlefield. It took the Allied forces years before they were able to crack the messages, which was instrumental to their victory.
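The two classical ciphers above, as an added example that is not part of the original article: a scytale transposition (the key is how many letters fit on one turn of the cylinder, modelled here as the number of rows) and a Caesar shift, plus a brute-force loop over the 25 possible shifts that shows why the page can call these ciphers fairly easy to break. Message and crib are constructed sample values.

```python
import string

ALPHABET = string.ascii_uppercase

def scytale_encrypt(plaintext: str, rows: int) -> str:
    """Transposition: lay the message out in `rows` rows (one row per line of
    writing along the cylinder), then read it off column by column, which is
    the letter order you see on the unwound strip. Pads with X to fill the grid."""
    padded = plaintext + "X" * (-len(plaintext) % rows)
    cols = len(padded) // rows
    return "".join(padded[c::cols] for c in range(cols))

def scytale_decrypt(ciphertext: str, rows: int) -> str:
    """Re-wrapping the strip on a cylinder of the same size undoes the transposition."""
    return "".join(ciphertext[r::rows] for r in range(rows))

def caesar(text: str, shift: int) -> str:
    """Substitution: shift every letter by `shift` places; non-letters pass through.
    Decrypt by calling with the negative shift."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch
                   for ch in text)

def caesar_bruteforce(ciphertext: str, crib: str) -> list:
    """Only 25 usable shifts exist, so trying all of them and looking for a known
    word (a crib) recovers the key without ever being told it."""
    return [(s, caesar(ciphertext, -s)) for s in range(1, 26)
            if crib in caesar(ciphertext, -s)]

if __name__ == "__main__":
    msg = "ATTACKATDAWN"                      # constructed sample message
    print(scytale_encrypt(msg, 3))            # ACDTKATAWATN
    print(caesar("ATTACK AT DAWN", 3))        # DWWDFN DW GDZQ
    print(caesar_bruteforce("DWWDFN DW GDZQ", "ATTACK"))
```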
Most forms of cryptography in use nowadays rely on computers, simply because a human-based code is too easy for a computer to crack. Cryptosystems use a set of procedures known as cryptographic algorithms, or ciphers, to encrypt and decrypt messages to secure communications among computer systems, devices such as smartphones, and applications. A cipher suite uses one algorithm for encryption, another algorithm for message authentication and another for key exchange. This process, embedded in protocols and written in software that runs on operating systems and networked computer systems, involves public and private key generation for data encryption/decryption, digital signing and verification for message authentication, and key exchange.
Computer encryption systems generally belong in one of two categories: symmetric-key encryption and public-key encryption.
Just like two ancient Greek generals sending messages to each other, computers using symmetric-key encryption to send information back and forth must have the same key. In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key encryption requires that you know which computers will be talking to which, so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message. This is what your home WiFi uses. You have just one key, or “password”, which you plug into both your wireless router and your laptop.
Symmetric-key algorithms can be divided into stream ciphers and block ciphers. Stream ciphers encrypt the bits of the message one at a time, and block ciphers take a number of bits, often in blocks of 64 bits at a time, and encrypt them as a single unit. Block ciphers are the main method of modern cryptography, while stream ciphers are rarely used.
The first major symmetric algorithm developed for computers in the United States was the Data Encryption Standard (DES), approved for use in the 1970s. The DES uses a 56-bit key. Because computers have become increasingly faster since the '70s, security experts no longer consider DES secure as a brute force attack could easily decipher encrypted data in a short while. DES has been replaced by the Advanced Encryption Standard (AES), which uses 128-, 192- or 256-bit keys.
When connecting to a website on the public internet it becomes more complicated and symmetric encryption, by itself, won’t work because you don’t control the other end of the connection. How do you share a secret key with each other without the risk of someone on the internet intercepting it in the middle? In November 1976, a paper published in the journal IEEE Transactions on Information Theory by Diffie and Hellman, titled "New Directions in Cryptography," addressed this problem and offered up a solution: public-key encryption.
Also known as asymmetric-key encryption, public key cryptography is used as a method of assuring the confidentiality, authenticity and non-repudiation of electronic communications and data storage. Public-key encryption uses two different keys at once, a combination of a private key and a public key. The private key must remain confidential to its respective owner, while the public key is made available to everyone via a publicly accessible repository or directory. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key.
Although the public key used for encryption is published and available to anyone, a message sent from one computer to another is still protected: anyone who picks it up can't read it without the private key. The key pair is based on large prime numbers. This makes the system extremely secure, because there is essentially an infinite number of prime numbers available, meaning there are nearly infinite possibilities for keys.
Typically both the public and private keys are computed together at the same time, in the same mathematical process. This means they’re strongly related, mathematically speaking. Because of this relationship, they can be used to encrypt/decrypt the same data. And that is also why public and private keys from different key-pairs would not work together. Every web server has its own unique set, making your connection to the website unique from other sites.
However, the process can only go one direction. When one of the keys (either public or private) is used to encrypt some data, only the other key can be used to decrypt it. So, it doesn’t matter who else has the public key because it’s worthless once the data has been encrypted. It can only be decrypted with the private key, which is stored in secret on the web server.
Public key algorithms are fundamental security ingredients in cryptosystems, applications and protocols. They underpin various Internet standards, such as Transport Layer Security (TLS). Some public key algorithms provide key distribution and secrecy (e.g., Diffie–Hellman key exchange), some provide digital signatures (e.g., Digital Signature Algorithm), and some provide both (e.g., RSA).
Public Key Infrastructure (PKI) is the framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users). PKI functions because of digital certificates. A digital certificate is a form of electronic identification for websites and organizations. Secure connections between two communicating machines are made available through PKI because the identities of the two parties can be verified by way of certificates. PKI functions on asymmetric key methodology: a private key and a public key. The private key can only be accessed by the owner of a digital certificate, and they can choose where the public key goes. A certificate is essentially a way of handing out that public key to whoever the owner wants to have it.
If you are going to encrypt a large amount of data, then you may need to consider using both types of encryption. Asymmetric encryption is used first to establish the connection, which is then replaced with symmetric encryption (called the session) for the duration of the connection. Here’s how it works in more detail:
Your browser reaches out to the website server and requests a connection. The server sends you its public key while it keeps its private key a secret. Your browser generates a third key called a session key, which is encrypted by your computer using the public key you got from the server. The encrypted session key is then shared with the server. The server decrypts the session key that it received from you using the secret private key and both ends have the session key that your computer generated. The public key encryption is terminated and replaced with symmetric encryption. The session with the server continues using only symmetric encryption, and that’s how it remains until you leave the website.
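The handshake just described, and the one-direction property of the key pair from the earlier paragraphs, as an added example that is not part of the original article. It uses a toy textbook RSA built on two Mersenne primes (2^61-1 and 2^89-1, an assumed choice so a 128-bit session key fits in the modulus) with no padding, and an HMAC-SHA256 counter keystream standing in for the symmetric cipher; both are illustrative stand-ins, not what TLS actually uses.

```python
import hashlib
import hmac
import os
from math import gcd

# Toy RSA parameters (constructed for illustration; real keys are 2048+ bits and use OAEP).
P, Q = 2**61 - 1, 2**89 - 1

def rsa_keypair(p=P, q=Q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)                  # private exponent, kept secret by the server
    return (n, e), (n, d)                # (public key, private key)

def rsa_apply(key, m: int) -> int:
    """Raw RSA: m^exp mod n. Encrypt with (n, e); only (n, d) reverses it."""
    n, exp = key
    assert 0 <= m < n
    return pow(m, exp, n)

def symmetric(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 counter keystream XORed with the data.
    The same call both encrypts and decrypts."""
    stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def client_hello(server_pub):
    """Browser side: generate the third (session) key and wrap it under the server's public key."""
    session_key = os.urandom(16)
    wrapped = rsa_apply(server_pub, int.from_bytes(session_key, "big"))
    return session_key, wrapped

def server_unwrap(server_priv, wrapped: int) -> bytes:
    """Server side: recover the session key; only the private key can do this."""
    return rsa_apply(server_priv, wrapped).to_bytes(16, "big")

def run_session(message: bytes):
    """Full flow: asymmetric exchange of the session key, then symmetric traffic only."""
    pub, priv = rsa_keypair()
    client_key, wrapped = client_hello(pub)
    server_key = server_unwrap(priv, wrapped)
    # The public key cannot undo its own encryption: applying e again is not decryption.
    public_key_fails = rsa_apply(pub, wrapped) != int.from_bytes(client_key, "big")
    ciphertext = symmetric(client_key, message)            # rest of the session
    return server_key == client_key, public_key_fails, symmetric(server_key, ciphertext)

if __name__ == "__main__":
    print(run_session(b"GET / HTTP/1.1"))                   # constructed sample request
```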
Public key (asymmetric) encryption is only used briefly in the beginning to exchange the third key, which is used for the rest of the connection. This is because of the mathematical complexity involved in asymmetric encryption, which therefore requires much more computing power to sustain. It is not suitable for long sessions because of the processing power it takes to keep it going.
The algorithm trusted by the United States Government, Advanced Encryption Standard (AES), uses symmetric key encryption to cipher and decipher information. Widely considered impervious to all attacks, AES has a maximum key length of 256 bits and is practically unbreakable. It has become the global standard of encryption, and is what’s used to keep most of our interpersonal communications secure.
Nothing in the world of cybersecurity can be 100% guaranteed, and varying levels of the encryption’s mathematical design properties and secure implementation will definitely impact its effectiveness. But in the case of well-designed AES that has been implemented to best practice, it is highly unlikely that current computing technologies could crack the complexity of AES.
The biggest potential threats to the current standards of encryption are actually found in two new cryptology developments. The first is the increased migration from on-premises storage to cloud environments, which presents a dilemma around cloud storage. Allowing cloud storage to be easily searchable makes it highly vulnerable to attack, but certain forms of encryption make it difficult for owners to find information when needed. The emerging solution to this problem is searchable symmetric encryption (SSE), which enables users to store documents in ciphertext form while maintaining the functionality to search keywords within their documents.
The second threat is quantum computing, a technology that has not yet even realized its full potential. All security professionals need to take the onset of quantum computing seriously, as there will soon be quantum computers capable of breaking or entirely fabricating machine identities.
Venafi and the Machine Identity Management Development Fund are bringing together the true leaders of quantum-safe computing to develop machine identities that are post-quantum-safe.