When talking about data encryption, you’re generally referring to one of three main types of encryption methods: symmetric, asymmetric, and hashing.
While there are numerous other forms of encryption, including stream ciphers and transposition ciphers, they generally use one of these three methods as their basis.
Each type of encryption has its benefits and drawbacks, and each is better suited to certain situations than others.
I’m not an expert on this topic, but I’d like to share my understanding with the readers of this blog.
Here’s an overview of the most common terms and encryption types used today.
Cryptography and Encryption
The term cryptography refers to the use of codes and encoding to secure information. In contrast, encryption refers to the process of translating plain text into unintelligible characters using mathematical algorithms; the result can only be translated back by using specific decryption keys or through brute force (i.e., trial and error).
This article explains how cryptography and encryption work to protect your data from hackers and eavesdroppers and what you can do to safeguard your information better online.
Data in Transit
HTTPS, TLS, and SSL are all protocols used to encrypt data in transit (i.e., when sent from one location to another). The difference between these protocols is the kind of encryption and their history.
HTTPS, or Hypertext Transfer Protocol Secure, is secure by default on most browsers; when you visit a website with HTTPS enabled, your connection is encrypted automatically without any additional steps on your part.
Data at Rest
This method protects information when stored on a storage device. This encryption would keep data safe even if hackers gained access to your hard drive, so long as they don’t have your password.
It’s also important to note that you should use Data at Rest Encryption for all devices—cell phones, computers, hard drives, and anything else that has access to sensitive information.
Data at rest is often abbreviated DAR. To keep things simple, many people simply say “encrypting our hard drives.”
The most common type of encryption is also known as symmetric encryption, which uses a single key to encrypt and decrypt data.
Both parties must have access to that shared key to decrypt it, making it very secure.
It’s not fast or scalable but an excellent option for devices that don’t have high storage capacity or only need data to be temporarily secure. Examples include credit card terminals and ATMs.
In asymmetric encryption, both parties have a pair of keys that work together to unlock the content.
If you send encrypted information to someone using asymmetric encryption, you’ll need both your public and private keys to decrypt it.
The most popular use for asymmetric encryption is for digital signatures. Anyone can encrypt a document with their public key, but only their paired private key can decrypt it.
Understanding Hash Functions
A hash function is a mathematical algorithm that takes any input and turns it into an unpredictable output.
This predictable output is called a hash, hence the name hash function.
While not mathematically related to each other, a hash could be considered an encrypted version of its original state.
The process used to create these hashes means they are much shorter than their original inputs and unique for each input value.
What is a digital signature?
A digital signature is a mathematical scheme for demonstrating that a known sender created a message (authentication and non-repudiation) and that the message has not been modified in transit (integrity).
Digital signatures protect against eavesdropping and authenticate electronic documents.
Digital signatures ensure data integrity, provide data origin authentication, allow multiple parties to sign a single document without risk of signing conflicts, and add non-repudiation.
Common Encryption Algorithms & Functions Explained
Understanding encryption algorithms and common uses can help you make better decisions about your company’s data security strategy, as well as determine which solutions will work best for your business needs. Here are some of the most common encryption algorithms and how they work.
The RSA algorithm is named after Ron Rivest, Adi Shamir, and Leonard Adleman. It was developed in 1977, patented in 1983, and has become a standard for digital encryption.
The RSA algorithm relies on two prime numbers: p, known as the public key, and q (the private key). To encrypt using RSA, you first need to generate two large primes greater than 100 digits.
Using these primes and your private key (q), you can easily create your public key (p). You then put any data you want to encrypt into an integer between 1 and 100.
Advanced Encryption Standard (AES)
Advanced Encryption Standard is a symmetric-key encryption standard adopted by the U.S. government in 2001 and now used worldwide.
It was designed to replace Data Encryption Standard (DES), approved by NIST in 1977 to protect sensitive, unclassified information but ultimately found too weak for that purpose.
The algorithm described by AES is a subset of Rijndael, developed in 1998 by two Belgian cryptographers, Vincent Rijmen and Joan Daemen.
AES has been adopted as a standard by the International Organization for Standardization (ISO) and as an American National Standards Institute (ANSI) standard as well as an Internet Engineering Task Force (IETF) protocol.
Elliptic Curve Cryptography (ECC)
Short for Elliptic Curve Cryptography, ECC is an asymmetric encryption algorithm that utilizes a different mathematical approach than RSA.
The National Institute of Standards and Technology describes it as based on arithmetic modulo an integer, 160 bits in length, and notes that it can be faster to use than RSA.
Financial institutions use ECC primarily in several types: prime number-based, Koblitz curves with specific sizes, and elliptic curves over F or GF(2^m), where m is a prime divisor of n.
A popular algorithm is BrainpoolP256r1, which was ratified as part of FIPS PUB 186-4 published by NIST (National Institute of Standards and Technology).
Popular digital wallet software such as Dashpay utilizes ECC for key generation and transaction signing.
Password-based Key Derivation Function (PBKDF)
A password-based key derivation function (PBKDF) derives a secret key from a password or passphrase.
Password-based key derivation functions are typically implemented by applying a pseudorandom function, such as AES, HMAC, or SHA, to a user-provided password or passphrase.
The output of an appropriate hash function, truncated to 160 bits (20 bytes), can be used as a cryptographic key to encrypt data and/or verify signatures.
The key feature of PBKDFs is that they use salt to ensure that two users with different passwords generate different derived keys. Otherwise, it would be possible for an attacker to derive their keys by observing many authentication attempts using known passwords.
This makes cracking specific passwords complicated without knowing or guessing their salt values.
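To see what the salt does in practice, here is an added example (not code from the original post) that derives and verifies password keys with PBKDF2-HMAC-SHA256 from Python's standard library. The `$`-separated storage format, the iteration count and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # example work factor (assumed); tune for your hardware
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a key with a fresh random salt and return a storable record."""
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, KEY_BYTES)
    # Constructed record layout: scheme$iterations$salt_hex$key_hex
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, key_hex = stored.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if scheme != "pbkdf2_sha256" or iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    # Same password, different salts: the stored records do not match,
    # so one precomputed table cannot be reused across accounts.
    print(first != second, verify_password("correct horse battery staple", first))
```

Storing the iteration count in the record lets the work factor be raised later without invalidating existing entries.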
Secure Hash Algorithm (SHA)
The Secure Hash Algorithm (SHA) is a cryptographic hash function designed by the United States National Security Agency and published by NIST as a U.S. Federal Information Processing Standard (FIPS).
SHA-3 (Secure Hash Algorithm 3) aka Keccak is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015.
The purpose of a secure hash algorithm is to take an input of any size and produce an output called a message digest of fixed size that can be used as proof of data integrity; that is, it proves that some input data has not been changed.
This allows someone receiving an object (such as an executable or other program code) over an insecure medium to verify with reasonable certainty that they have received what they were sent, even if they cannot be sure what data exactly was sent.
Keyed-Hash Message Authentication Code (HMAC)
A Keyed-Hash Message Authentication Code (HMAC) is a specific message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key.
Like any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message.
In practice, HMACs are typically used as digital signatures to verify both data attributes. Use HMACs to verify email, file checksums, or authenticate your API requests.
You’ll find different flavors of HMAC—you might know them by their trade names: HmacSHA1, HmacSHA256, or HmacSHA512. Some algorithms work better than others depending on how fast you need to produce hashes and how secure you want things to be.
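The difference between the plain SHA digest described earlier and an HMAC is easiest to see side by side. This added example (not from the original post) checks a message first with an unkeyed SHA-256 digest and then with HMAC-SHA256; the request layout, key and sample bodies are constructed for the illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: anyone who can change the data can also recompute it."""
    return hashlib.sha256(data).hexdigest()


def digest_ok(data: bytes, claimed_digest: str) -> bool:
    return hmac.compare_digest(sha256_hex(data).encode(), claimed_digest.encode())


def sign_request(key: bytes, method: str, path: str, body: bytes) -> str:
    """HMAC-SHA256 tag over a canonical request string (layout is assumed)."""
    canonical = "\n".join([method.upper(), path, sha256_hex(body)]).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def request_ok(key: bytes, method: str, path: str, body: bytes, tag: str) -> bool:
    """Recompute the tag with the shared key and compare in constant time."""
    expected = sign_request(key, method, path, body)
    return hmac.compare_digest(expected.encode(), tag.encode())


def tampering_outcomes() -> dict:
    key = b"constructed-demo-key"                 # shared secret (sample value)
    body = b'{"to":"alice","amount":10}'          # constructed original message
    altered = b'{"to":"alice","amount":9000}'     # constructed modified message
    tag = sign_request(key, "POST", "/transfer", body)
    return {
        # The digest travels with the data, so a modifier can replace both.
        "digest_accepts_altered_with_new_digest": digest_ok(altered, sha256_hex(altered)),
        "digest_rejects_altered_with_old_digest": not digest_ok(altered, sha256_hex(body)),
        # Without the key, neither the old tag nor a tag from another key verifies.
        "hmac_accepts_original": request_ok(key, "POST", "/transfer", body, tag),
        "hmac_rejects_altered_with_old_tag": not request_ok(key, "POST", "/transfer", altered, tag),
        "hmac_rejects_tag_from_wrong_key": not request_ok(
            key, "POST", "/transfer", altered,
            sign_request(b"some-other-key", "POST", "/transfer", altered)),
    }


if __name__ == "__main__":
    for name, result in tampering_outcomes().items():
        print(f"{name}: {result}")
```

A digest only proves integrity when it reaches the receiver over a channel the sender of the data cannot modify; the HMAC tag can travel alongside the message because it cannot be recomputed without the key.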
What is counter encryption (CTR)?
CTR stands for counter encryption and is a mode of operation for block ciphers. It was designed to help address some of the weaknesses found in earlier modes.
In CTR mode, plaintext input blocks are split into fixed-size chunks called blocks before being encrypted (EAX means block-cipher encryption with ciphertext stealing).
The goal of plaintext splitting is to make it more difficult for an attacker who may gain access to one encrypted message to determine another message’s contents.
To achieve that, you can use a different number of bits from each original block as input into the key derivation function or randomly select a few bits from each chunk.
What is Cipher Block Chaining (CBC)?
The Cipher Block Chaining (CBC) algorithm is a process for encrypting information. The goal of CBC is to ensure that each block of data is encrypted using unique keys.
One way to do so would be to generate an entirely new key for every single piece of data. As it turns out, however, generating random numbers can be complicated and time-consuming.
Consequently, CBC uses one key to encrypt multiple data blocks at once. This makes encryption far more efficient.
Cipher block chaining is one of the most used methods for encrypting large messages.
Without chaining, it would be pretty simple for black hats to decrypt intercepted messages by taking any given block of ciphertext and decrypting it separately from all other blocks—in fact, they wouldn’t even need all those previous blocks to decode a specific message.
What is Galois/Counter Mode (GCM)?
Galois/Counter Mode (GCM) is an encryption method that adds an extra layer of security by allowing encryption on larger data blocks.
OpenVPN connections and SSL/TLS commonly use GCM-based security.
Although several modes are based on two different ciphering algorithms (counter mode vs. Galois counter mode), they all operate similarly: they take plaintext blocks and use cryptographic keys to generate encrypted blocks that look like random noise.
From the most basic to the most complex, encryption applies to almost every niche. With consumers, companies, and governments looking for greater privacy and data security, there’s a growing demand for encryption, security software, and job profiles.
Credit: Cover photo by Markus Spiske on Unsplash.