What is Encryption?

This article was first published on Medium. You can take a look at it here

Lately, there’s been a lot of buzz about encryption. A lot of people have this misconception that encryption is complicated and only a rocket scientist can understand the concept. False, encryption is everywhere and contrary to popular thought, it isn’t very complicated. Encryption can be as simple as a secret code that two 5 year olds came up. Fundamentally, encryption is when you take some readable/understandable information and scramble it up into gibberish. The goal of encryption is to stop anyone, besides the intended recipients, from reading the message.

Encryption is not a new concept. The technique dates back millennia, to the times of Julius Caesar. In 45 BC, in ancient Rome, Julius Caesar used the “Caesar Cipher” to encode messages to his top generals. Since then, modern warfare has expanded the use of encryption. In World War II, the Germans created Enigma, a machine to encrypt their messages. The British created Colossus in response to decrypt the Nazi messages. Today, encryption is used very frequently, especially in messaging applications.

So what exactly is encryption and how does one go about implementing it. Before we walk through an example, let’s define a few terms.

1. Plaintext – This is the text/data in raw form, this is what will encrypted
2. Cipher – This is the algorithm, or group of steps performed on the data, that is used to encrypt the plaintext.
3. Ciphertext – This is the encrypted text/data obtained when applying a cipher to the plaintext
4. Encryption – This is the process of obtaining a ciphertext from plaintext
5. Decryption – This is the process of obtaining a plaintext from a ciphertext (the reverse of encryption)

Let’s walk through an example with the sentence ‘you are awesome’. This sentence is our plaintext. Our cipher will be moving each letter down one space in the alphabet, so that A becomes B, B becomes C and so on. Our ciphertext then becomes ‘zpv bsf bxftpnf’. This encryption method is an example of the Caesar Cipher. To decrypt the message, the intended recipient must know that it was encrypted by shifting each letter down one. Then the recipient simply reverses the process to decrypt the message!

There are two types of encryption used today, symmetric and asymmetric. The difference between these methods is the way they use keys to encrypt and decrypt messages. In symmetric encryption, the sender and receiver use the same key to encrypt and decrypt the message. The Caesar Cipher (mentioned above) is an example of symmetric encryption. Caesar and his generals would both use the same agreed upon key (shifting the alphabet by one) when encrypting and decrypting the message. Symmetric key encryption is a great way to transfer information among a small group of people. However, it is not scalable. If Caesar wanted to send one general a message he didn’t want the other generals to read, he would have to have a separate encryption key for that specific general. As the number of generals who would receive different messages grows, so does the number of symmetric keys. The formula to calculate how many symmetric keys are needed for n participants is n*(n-1)/2. The number of keys needed can get out of hand very quickly for large groups.

Asymmetric key encryption solves the scalability problem by providing each user with a pair of keys, a public key and a private key. A message encrypted with one key from the pair, can only be decrypted with the other key from the pair. Let’s walk through an example with cryptography’s favorite characters, Alice and Bob. Alice and Bob each have a public and private key. Their public keys are distributed freely to any use. If Alice wants to send Bob a message, she encrypts it with Bob’s public key, which everyone knows. When Bob receives the message, he uses his private key, known only to him, to decrypt the message. This solves the scalability issue by requiring only two keys per user or 2n. The table below demonstrates the number of keys required per the number of participants for both encryption scenarios.

But what if there’s a malicious attacker who is trying to intercept Alice’s message to Bob? If Eve is eavesdropping between Alice and Bob, she may be able to obtain the encrypted message, but she can only decrypt it using Bob’s private key which only Bob has. This is a fundamental principle in security called Kerckhoffs' principle. It states that the details of the algorithm used to encrypt/decrypt messages can be publicly known but not the key.

Why would we want our algorithm to be exposed to everyone? Isn’t that contradictory to being secure?

It actually isn’t; having a secret algorithm is bad practice in security. This is referred to as ‘security through obscurity.’ Security through obscurity is bad because it implies that obscurity is the principal means of security. Obscurity is fine until it is discovered. Once found, the system is vulnerable again which is basically like having no security at all. Consider the scenario of burying $1000 under a tree. The only way your money is safe is if no one know it is there. Real security would be putting your money in a safe. There are thousands of the same safe but if someone found your safe, they would not be able to get your money because only you have the combination. The safe in this example is the algorithm, it is publicly known but the security lies within your combination, or the key.

While these are the basics of encryption, it is important to note that encryption is not entirely foolproof. A malicious attacker could still gain access to your message by simple means such as reading the message on your screen or by a more involved attack such as man-in-the-middle. There are ways to prevent such attacks but protecting data online is not an easy task. Rest assured though that the underlying mathematics of current day encryption algorithms are much more sophisticated than the examples provided in this article. While the actual algorithms are complicated, the basic fundamentals of symmetric and asymmetric encryption are less intimidating!

This is the fifth post in my "What is" tech blog series. I'll be writing more every week here and on my blog!