Encryption uses mathematical algorithms to transform and encode data so that only authorized parties can access it. This guide provides a high-level overview of encryption and how it fits into IT.
How Encryption Works
To understand how encryption works, we need to understand how it fits into the broader realm of cryptology, how it processes data, common categories, top algorithms, and how encryption fits into IT security.
What Encryption Is and How It Relates to Cryptology
The science of cryptography studies codes, how to create them, and how to solve them. The codes created in cryptographic research are called cryptographic algorithms, or encryption algorithms, and the process of applying those algorithms to data is called encryption. Decryption describes the process of applying algorithms to return the encrypted data, or ciphertext, to readable form, or plaintext.
A visual diagram showing the relationship between cryptography and cryptanalysis.
How Does Encryption Process Data?
Encryption algorithms use math to transform plaintext data into ciphertext. While the math remains the same, unique cryptographic keys generate unique ciphertext. Cryptographic keys can be random numbers, products of large prime numbers, points on an elliptic curve, or a password generated by a user.
In general, the more bits used and the more complex the process, the stronger the encryption will be. Encryption algorithms define the following:
- Mathematical functions applied to the transformation
- Length of the block of data processed
- Encryption key size
- Number of times encryption will be applied to the data (also known as rounds)
Algorithms can also specify more complex techniques, such as padding blocks, key size variations, and processing a mix of encrypted and unencrypted data simultaneously.
2 Common Types of Encryption
The two main categories of encryption are symmetric and asymmetric.
Symmetric encryption uses a single key to encrypt and decrypt data. Symmetric encryption will typically be used for local encryption (drives, files, databases, etc.) and data transmission (Wi-Fi router algorithms, transport layer security [TLS], etc.); however, to share data with another person, organization, or application, the encryption key must also be shared – which exposes the key to theft.
Asymmetric cryptography uses a public key and a private key to enable more secure sharing. Data encrypted with one key cannot be decrypted using the same key, so the public key can be freely published without exposing the private key. The use cases for asymmetric encryption include:
- Digital signature verification
- Establishing secure connections
- Sharing encrypted data
Top 4 Encryption Algorithms
Encryption algorithms define the transformation of data in terms of math and computer processes. These algorithms will constantly be tested to probe for weaknesses, and algorithms found weak to attack will be replaced. Currently, the top four algorithms include AES, Blowfish, ECC, and RSA.
AES, or the Advanced Encryption Standard, was adopted in 2001 by the US National Institute of Standards and Technology (NIST) as the standard for symmetric encryption. The algorithm allows for variable key sizes and variable rounds to increase randomness and security. AES encryption is commonly found in communication protocols, virtual private network (VPN) encryption, full-disk encryption, and Wi-Fi transmission protocols.
Blowfish provides a public-domain alternative to AES symmetric encryption. It is commonly incorporated into open-source applications and operating systems and will commonly be used in file and folder encryption. While the more robust Twofish algorithm is available to replace Blowfish, the Twofish algorithm has not been widely adopted.
ECC, or elliptic-curve cryptography, creates an asymmetric encryption standard that uses elliptic curves to generate public and private keys. While not as popular as the RSA standard (see below), ECC can generate equivalent encryption strength with smaller key sizes, which enables faster encryption and decryption. ECC is used for email encryption, cryptocurrency digital signatures, and internet communication protocols.
RSA, or the Rivest, Shamir, and Adleman algorithm, provided the first asymmetric key adopted for use and remains very popular today. The algorithm uses very large prime numbers and key sizes of 2,048-4,096 bits. RSA remains commonly used in secure messaging, payment applications, and encryption of smaller files.
All four of these algorithms are expected to be broken by techniques that use quantum computing, so quantum-resistant algorithms are in development to provide encryption solutions for the future. For those interested in more detail, other algorithms, and other types of encryption, consider reading Types of Encryption, Methods & Use Cases.
Encryption Tools and IT Security
Fundamental protocols incorporate encryption to automatically protect data and include internet protocol security (IPSec), Kerberos, Secure Shell (SSH), and the transmission control protocol (TCP). Encryption can also be found incorporated into a variety of network security and cloud security solutions, such as cloud access security brokers (CASB), next-generation firewalls (NGFW), password managers, virtual private networks (VPN), and web application firewalls (WAF).
Specialized encryption tools can be obtained (some are free or open source) to enable specific types of encryption. More complex commercial tools provide a variety of encryption solutions or even end-to-end encryption.
Key categories for encryption tools include:
- Local file and folder encryption
- Full disk encryption
- Email encryption
- Application layer encryption
- End-to-end encryption
Encryption can be applied to protect data but relies upon the rest of the security stack to protect the encryption keys, computers, and network equipment used to encrypt, decrypt, and send encryption-protected data. Organizations should apply encryption solutions that enhance and complement existing cybersecurity solutions and strategies.
3 Advantages of Encryption
Encryption plays many roles in protecting data within the IT environment, but all uses provide three key advantages: compliance, confidentiality, and integrity.
Compliance
Many compliance standards require some form of encryption for data at rest, and many also specify requirements for the transmission of data. For example:
- The Health Insurance Portability and Accountability Act (HIPAA) requires security features such as encryption to protect patients’ health information.
- The Family Educational Rights and Privacy Act (FERPA) requires encryption or equivalent security measures to protect private student records.
- The Fair Credit Practices Act (FCPA) and the Payment Card Industry Data Security Standard (PCI DSS) both require secure storage and transmission of credit card numbers and other personal information.
Organizations need to select the appropriate encryption solution to protect regulated data where it resides (at rest) or flows (in transit) through the organization. This may require a robust encryption tool or a combination of specialized encryption tools and other security solutions.
Confidentiality
Encryption protects all data:
- At rest, when stored on local, network, or cloud-based data repositories
- In transit, when being sent between devices or applications
- During processing, when using homomorphic encryption algorithms
End-to-end encryption is a term used to describe two very different types of encryption. The first is data encrypted throughout the lifecycle of use, which is currently more of a goal than a common practice. The second is data encrypted throughout a transmission from one device to another.
All types of encryption protect an organization against data breaches stemming from cyberattacks or even a lost laptop. Encryption renders data unreadable to attackers and unauthorized users to preserve the confidentiality of the information.
Integrity
When receiving data, an organization needs to know if it can be trusted with regard to its origin and accuracy. Transmission protocols use encryption to protect against data tampering and interception in transit. Encryption protocols can also verify the authenticity of sources and prevent a sender from denying they were the origin of a transmission.
For example, the Hypertext Transfer Protocol Secure (HTTPS) protocol enables secure web connections that provide both security and integrity for connections. Such secured and encrypted connections protect both consumers and organizations against fraud and enable secure e-commerce transactions.
5 Challenges of Encryption
Encryption plays a critical role in security; however, constant attacks magnify errors and attackers can also turn encryption against an organization. To effectively deploy encryption, organizations must address the challenges of capacity constrained encryption, cracked encryption, human error, key management, and malicious encryption.
Capacity Constrained Encryption
Encryption adds overhead to operations and can be computationally intensive to execute. Yet, Internet of Things (IoT) devices tend to be designed with the minimum computing resources required to accomplish the designed task of the device (security camera, printer, TV, etc.).
While less computationally constrained than IoT, mobile devices constrain computations to avoid consuming power and draining battery life. Yet as they become more universal, both IoT and mobile devices are increasingly targeted by attackers.
NIST continues to encourage the development of lightweight cryptography that can be used in constrained environments and researchers also continue to explore new types of hardware (microchips, architecture, etc.) that can perform encryption using less power and memory.
Until these solutions become widely available, organizations will need to recognize that encryption may not be deployed equally on mobile and IoT devices. Compensating controls may need to be added to these devices (and further add operational overhead), or regulated and sensitive data will need to be blocked from access for these devices.
While mobile devices and IoT remain the current focus of research, capacity constraint can also apply to under-provisioned endpoints, servers, and containers. Processing encryption will add significant computing overhead and both security and operations need to be sure to consider current resource constraints when they select encryption solutions.
Cracked Encryption
Good encryption practices can be rendered useless by flawed algorithms, brute computing force, and intentionally weakened algorithms. In each of these cases, the cracked encryption can lead to leaked data, but the nature of the risk remains distinct.
Flawed Algorithms
As cryptography develops, the weaknesses of older encryption algorithms become exposed. New encryption algorithms will be developed to replace the older algorithms, yet organizations and tools can lag behind the developing edge of encryption, posing a risk of future data leaks.
For example:
- The insufficient key sizes of original NIST-backed data encryption standard (DES) led to the development of the advanced encryption standard (AES)
- The older wired equivalent privacy (WEP) and the original Wi-Fi protected access (WPA) wireless protocols were found to have flawed encryption and have been replaced by WPA version 3 (WPA3)
Although replaced and no longer intended for use, organizations with older data repositories or older equipment may discover obsolete encryption standards still in use. While discovery and elimination of obsolete and flawed encryption algorithms can be difficult, ignoring obsolete encryption leaves open back doors to the data protected by the weak algorithms.
Brute Force Attacks
Encryption algorithms use math to lock the data, but computers can be used to attack that math with brute force computing power. Weak passwords and short key lengths often allow quick results for brute force attacks that attempt to methodically guess the key to decrypt the data.
Modern encryption algorithms use layered keys and enormous key lengths based upon prime numbers to make most brute force attacks infeasible. Even with cloud-scale resources, it would take years of applying expensive computing power against the algorithms to produce results. However, the rise of quantum computing threatens to enable rapid breaking of our current encryption codes.
To address this challenge, organizations must first ensure that their users do not use weak passwords or short key lengths vulnerable to current brute force attacks. Second, they must explore options for quantum-resistant computing as they become available for their most sensitive data.
Lastly, data stolen today may remain uncrackable for a decade or more, but quantum computing may break those passwords in the future. Organizations must continue to harden their overall security to prevent all data breaches and avoid reliance on encryption for protection.
Intentionally Weakened Algorithms
Governments and law enforcement officials around the world, particularly in the Five Eyes (FVEY) intelligence alliance, push for encryption backdoors in the interests of national safety and security. The increase in encrypted online communication by criminal and terrorist organizations provides the excuse to intentionally add flaws or special decryption capabilities for governments.
Opponents of encryption backdoors repeatedly complain that government-mandated encryption flaws put all privacy and security at risk because the same backdoors can also be exploited by hackers, unethical governments, and foreign adversaries. While commercial tools officially resist and deny adding backdoors, most organizations will lack the resources to investigate their encryption tools for intentional weaknesses.
Meanwhile, law enforcement agencies, such as the Federal Bureau of Investigation (FBI), have criticized technology companies that offer end-to-end encryption, arguing that such encryption prevents law enforcement from accessing data and communications even with a warrant. The FBI has referred to this issue as “going dark,” while the U.S. Department of Justice (DOJ) has proclaimed the need for “responsible encryption” that can be unlocked by technology companies under a court order.
Pressure on both professional and personal encryption can also be seen in government legislation. In 2018, Australia passed a Telecommunications and Other Legislation Amendment that permits a five-year jail penalty to be applied to visitors that refuse to provide passwords for all digital devices when crossing the border into Australia.
Organizations can do little to defend against intentionally weakened algorithms but can attempt to use multiple types of encryption to decrease risk. However, these additional encryption steps will only prevent unauthorized access in a technical sense and will not diminish any legal risks related to government inquiries.
Human Error
Human error remains a critical threat to every layer of security, including encryption. Even future quantum-resistant encryption algorithms will be vulnerable to an encryption key that is published to GitHub, attached to an email sent to the wrong recipients, or accidentally deleted.
Most errors can be classified as badly selected passwords, lost encryption keys, or poor encryption key protection.
Badly selected passwords apply primarily to symmetric encryption algorithms used to protect Wi-Fi networks or encrypt files and folders. Users tend to reuse passwords or use easy-to-remember passwords that can be easily guessed or cracked using brute force attacks.
While potentially acceptable for non-critical information, badly selected passwords need to be detected and changed before attackers can exploit them. Organizations need to apply internal brute force attacks against the encryption protecting regulated and critical information to verify that the information is safe.
To help guard against bad passwords, an organization can centrally manage passwords and provide password manager solutions to employees. However, as the passwords become more centrally controlled, attackers will shift focus to attacking central repositories and additional layers of security should be applied to the repository defense.
Lost encryption keys simply destroy access to data. While it is technically possible to decrypt the data without possessing the lost encryption key, significant computational resources and skills would be required if the encryption system was designed properly.
The distribution of encryption tools to employees must be accompanied by training and warnings regarding lost keys. Lost keys can be mitigated by centralized controls and prevention of the download and use of unauthorized encryption software.
Poor encryption key protection causes a different problem by exposing the key to public access or leaking the key to potential attackers. Organizations need to track encryption keys and may even deploy data loss protection (DLP) solutions to detect accidental key disclosure.
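One way a DLP-style check can detect accidental key disclosure, shown as an added Python example that is not part of the original article: it flags PEM private-key headers and long high-entropy strings in text before that text is committed or emailed. The regular expressions, entropy thresholds, and sample text are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# PEM header that precedes RSA, EC, OpenSSH and PKCS#8 private keys.
PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Candidate secrets: unbroken runs of 32+ base64/hex-style characters.
TOKEN = re.compile(r"[A-Za-z0-9+/_-]{32,}")
HEX = re.compile(r"[0-9a-fA-F]+")

# Assumed thresholds in bits per character; tune them against your own data.
HEX_MIN_ENTROPY = 3.0      # hex tops out at 4.0 bits per character
BASE64_MIN_ENTROPY = 4.5   # base64 tops out at 6.0 bits per character


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, from the observed character counts."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text: str) -> list:
    """Return (line_number, reason) pairs for lines that look like key material."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_PRIVATE.search(line):
            findings.append((lineno, "pem-private-key"))
            continue
        for token in TOKEN.findall(line):
            is_hex = HEX.fullmatch(token) is not None
            limit = HEX_MIN_ENTROPY if is_hex else BASE64_MIN_ENTROPY
            if shannon_entropy(token) >= limit:
                kind = "high-entropy-hex" if is_hex else "high-entropy-base64"
                findings.append((lineno, kind))
                break
    return findings


# Constructed sample: none of these values are real secrets.
SAMPLE = """\
# deploy notes (constructed sample, not real secrets)
docs: internal_service_settings_are_listed_in_readme
checksum_placeholder = 0000000000000000000000000000000000000000
API_TOKEN=q7Zk2mXv9Lp4Rt8Wc1Yb6Nh3Jd5Gf0SaUeHoQxMi
aes_key_hex: 3fa9c1d27e5b80464b1e9d03a7f2c658d4e07b3a91c6f285a0d7e3194cb8625f
-----BEGIN RSA PRIVATE KEY-----
(body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, reason in scan(SAMPLE):
        print(f"line {lineno}: {reason}")
```

Long identifiers and all-zero placeholders stay below the thresholds, which keeps the check usable as a pre-commit or outbound-mail filter without flooding reviewers with false positives.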
Centrally managed encryption can help protect against both lost and accidentally exposed keys by placing key management in the hands of experts trained to protect their integrity. Organizations should consider how key management practices can support the recovery of encrypted data if a key is lost or destroyed. Similarly, organizations should manage the distribution and availability of encryption keys to help limit the risk of disclosure.
Keys should be stored in an isolated repository protected by identity and access management (IAM) tools, privileged access management (PAM) tools, multi-factor authentication (MFA), or even zero trust architecture. Some organizations will further enhance encryption key protection and management by enclosing keys in an encrypted container (key wrapping) or by using encryption key management tools.
Key Management
Over time, the regular distribution of data encrypted with a specific encryption key increases the probability of success for brute force attacks. If an attacker can gather a large number of files encrypted with the same key, they gain data points that can be used to improve the efficiency of attack. Similarly, over time, the risk of accidental disclosure of keys will steadily increase.
To counter these risks, organizations must practice effective encryption key management. Encryption key management relies primarily on effective encryption key storage (covered above) and encryption key rotation.
Key rotation, or the periodic replacement of encryption keys, reduces the likelihood of success for brute force attacks by creating moving targets for decryption. Using different keys or replacing encryption keys strengthens the capability of encryption to protect data over the long term.
However, key rotation also adds complexity. First, disaster recovery efforts will often be prolonged by key retrieval and decryption processes. Second, encryption key rotation can render data stored in backups or on removable media inaccessible. Previous keys will need to be tracked and retained to enable the decryption of older data encrypted with those keys.
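The rotation trade-off described above, as an added Python example that is not code from the original article: each ciphertext carries the ID of the key that produced it, so older data stays readable after rotation only while its key is retained or until it is re-encrypted. The KeyRing class and its method names are hypothetical, and the HMAC-SHA256 keystream is a standard-library stand-in for a vetted cipher such as AES-GCM, which production code should use instead.

```python
import hashlib
import hmac
import secrets


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += _prf(key, nonce + counter.to_bytes(4, "big"))
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyRing:
    """Hypothetical key store: one active key plus retained older keys."""

    def __init__(self):
        self.keys = {}          # key ID -> 32-byte key
        self.active_id = 0
        self.rotate()

    def rotate(self) -> int:
        """Create a new active key; older keys stay available for decryption."""
        self.active_id += 1
        self.keys[self.active_id] = secrets.token_bytes(32)
        return self.active_id

    def retire(self, key_id: int) -> None:
        """Delete an old key; data still encrypted under it becomes unreadable."""
        if key_id == self.active_id:
            raise ValueError("cannot retire the active key")
        del self.keys[key_id]

    def encrypt(self, plaintext: bytes) -> bytes:
        key = self.keys[self.active_id]
        header = self.active_id.to_bytes(4, "big") + secrets.token_bytes(16)
        body = _xor_stream(_prf(key, b"enc"), header[4:], plaintext)
        tag = _prf(_prf(key, b"mac"), header + body)
        return header + body + tag  # key ID | nonce | ciphertext | MAC

    def decrypt(self, blob: bytes) -> bytes:
        header, body, tag = blob[:20], blob[20:-32], blob[-32:]
        key_id = int.from_bytes(header[:4], "big")
        if key_id not in self.keys:
            raise KeyError(f"key {key_id} was not retained; data is unrecoverable")
        key = self.keys[key_id]
        if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), header + body)):
            raise ValueError("ciphertext failed authentication")
        return _xor_stream(_prf(key, b"enc"), header[4:], body)

    def reencrypt(self, blob: bytes) -> bytes:
        """Move old data onto the active key so its previous key can be retired."""
        return self.encrypt(self.decrypt(blob))


if __name__ == "__main__":
    ring = KeyRing()
    backup = ring.encrypt(b"constructed sample record")
    ring.rotate()
    print(ring.decrypt(backup))   # key 1 is retained, so the backup still opens
    ring.retire(1)
    # ring.decrypt(backup) would now raise KeyError: the backup is inaccessible
```

Backups and removable media need the same treatment as live data: either re-encrypt them before retiring a key or keep the retired key in escrow for as long as those copies must remain readable.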
Malicious Encryption
While most challenges involve the organization’s strategy and operational use of encryption for security, attackers also use encryption maliciously during cyberattacks. An organization must monitor and attempt to inspect encrypted traffic and the use of encryption software throughout the organization to detect malicious activity.
Two common examples of the use of malicious encryption include ransomware and encrypted communications with command and control servers. Ransomware attackers will use encryption programs to lock hard drives, folders, and data to prevent legitimate access.
Better antivirus (AV), endpoint detection and response (EDR), and extended detection and response (XDR) solutions can detect and block some attacks. However, many effective ransomware attacks use legitimate encryption tools in their attacks to impersonate authorized activity and complicate detection.
Command and control attacks similarly impersonate legitimate traffic that uses encrypted protocols such as TLS to avoid firewall inspections. Next-generation firewalls (NGFW) and secure web gateways (SWG) can inspect traffic flowing through their solution to offer some protection against this type of attack.
History of Encryption
The use of cryptology predates computers by several thousand years. Julius Caesar used one of the earliest documented codes, the Caesar Shift Cipher, to send secret messages to Roman troops in remote locations.
The code required an alphabetic shift of a message by a separately agreed-upon number of letters. For example, “attack in three days” shifted by 5 letters would be written as “fyyfhp ns ymwjj ifdx.” Early text shift ciphers such as these proved effective until the development of text analysis techniques that could detect the use of the most commonly used letters (e, s, etc.).
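The shift cipher described above and the letter-frequency analysis that defeated it, as an added Python example that is not part of the original article. It reproduces the article's "attack in three days" ciphertext and then recovers an unknown shift, going slightly beyond the text by scoring all 26 letters with a chi-squared statistic rather than looking only at the most common ones. The function names, the approximate frequency table, and the sample sentence are assumptions constructed for illustration.

```python
from collections import Counter

# Approximate letter frequencies in English text, in percent.
ENGLISH_FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23,
    "g": 2.02, "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03,
    "m": 2.41, "n": 6.75, "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99,
    "s": 6.33, "t": 9.06, "u": 2.76, "v": 0.98, "w": 2.36, "x": 0.15,
    "y": 1.97, "z": 0.07,
}

# Constructed sample message, long enough for letter statistics to be stable.
SAMPLE_PLAINTEXT = (
    "The supply convoy will leave the northern camp at dawn and travel along "
    "the river road until it reaches the bridge, where the second legion is "
    "waiting to escort it through the mountain pass before the winter storms "
    "arrive."
)


def caesar_shift(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` places; leave everything else untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """Distance between the text's letter counts and typical English counts."""
    letters = [ch for ch in text.lower() if "a" <= ch <= "z"]
    total = len(letters)
    if total == 0:
        return float("inf")
    counts = Counter(letters)
    return sum(
        (counts[letter] - total * pct / 100) ** 2 / (total * pct / 100)
        for letter, pct in ENGLISH_FREQ.items()
    )


def recover_shift(ciphertext: str) -> int:
    """Try all 26 shifts and keep the one whose output looks most like English."""
    return min(range(26), key=lambda s: chi_squared(caesar_shift(ciphertext, -s)))


if __name__ == "__main__":
    print(caesar_shift("attack in three days", 5))
    secret = caesar_shift(SAMPLE_PLAINTEXT, 5)
    print(recover_shift(secret))
```

With only 26 possible keys and letter statistics that survive the shift unchanged, the cipher fails on both counts the article lists for modern algorithms: key size and resistance to analysis.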
Modern cryptography emerged in the early 1970s with the development of the DES, Diffie-Hellman-Merkle (DHM), and Rivest-Shamir-Adleman (RSA) encryption algorithms. Initially, only governments pursued encryption, but as networks evolved and organizations adopted internet communications for critical business processes, encryption became essential for protecting data throughout all public and private sectors.
As flaws in these pioneering algorithms became known, cryptologists developed new techniques to make encryption more complicated and incorporated them into new algorithms and even new classifications of algorithms, such as asymmetric encryption. Today’s standard encryption algorithms, such as AES or ECC, will be replaced by new technologies more capable of resisting the increasing power of cloud and quantum computing that can be applied to break encryption codes.
Bottom Line: Stop Ignoring and Start Adopting Encryption
Despite many regulations that require encryption and over 50 years of availability, encryption remains sparsely adopted. A study by Encryption Consulting found that only 50% of global enterprises adopt an enterprise encryption strategy and only 47% protect cloud-hosted and sensitive data with encryption.
Enterprises represent the largest, best-funded organizations, so this poor adoption rate might seem to imply that deploying encryption requires great expense or great effort. Not true! Adopting and incorporating encryption does not require a huge budget. Even the smallest organization can take advantage of low and no-cost encryption software or use built-in encryption features in operating systems and other security tools.
Adopting encryption will require some effort, but the benefits far outweigh the challenges. Today’s widespread dispersion of data and intense cyberattack environment make a data breach nearly inevitable. Organizations of all sizes need encryption to provide the final safeguards to limit the financial impact of leaked data.
This article was originally written by Fred Donavan and published on May 5, 2017. It was updated by Chad Kime on December 7, 2023.