Symmetric and asymmetric encryption


Important terms:

Encryption: the process of converting data from a readable format to an encoded format

Public key infrastructure: (PKI) an encryption framework that secures the exchange of online information

Types of encryption

Symmetric encryption: the use of a single secret key to exchange information. Because one key is used for both encryption and decryption, the sender and receiver must both know the secret key to lock or unlock the cipher.

Asymmetric encryption: the use of a public and private key pair for encryption and decryption of data. It uses two separate keys: a public key and a private key. The public key is used to encrypt data, and the private key decrypts it. The private key is only given to users with authorized access.

The importance of key length

Ciphers are vulnerable to brute force attacks. In modern encryption, longer key lengths are considered to be more secure. Longer key lengths mean more possibilities that an attacker needs to try to unlock a cipher.

One drawback to having long encryption keys is slower processing times. Providing fast data communication online while keeping information safe is a delicate balancing act.

Approved algorithms

Many web applications use a combination of symmetric and asymmetric encryption. This is how they balance user experience with safeguarding information.

Symmetric algorithms

Triple DES (3DES) is known as a block cipher because of the way it converts plaintext into ciphertext in “blocks”. Its origins trace back to the Data Encryption Standard (DES), which was developed in the early 70s. DES was one of the earliest symmetric encryption algorithms that generated 64-bit keys. A bit is the smallest unit of data measurement on a computer. As you might imagine, Triple DES generates keys that are 192 bits, or three times as long. Despite the longer keys, many organizations are moving away from using Triple DES due to limitations on the amount of data that can be encrypted. However, Triple DES is likely to remain in use for backwards compatibility purposes.

Advanced Encryption Standard (AES) is one of the most secure symmetric algorithms today. AES generates keys that are 128, 192, or 256 bits. Cryptographic keys of this size are considered to be safe from brute force attacks. It’s estimated that brute forcing an AES 128 bit key could take a modern computer billions of years.

Asymmetric algorithms

Rivest Shamir Adleman (RSA) is named after the three creators who developed it while at MIT. RSA is one of the first asymmetric encryption algorithms that produces a public and private key pair. Asymmetric algorithms like RSA produce even longer key lengths. In part, this is due to the fact that these functions are creating two keys. RSA key sizes are 1,024, 2,048, or 4,096 bits. RSA is mainly used to protect highly sensitive data.

Digital Signature Algorithm (DSA) is a standard asymmetric algorithm that was introduced by NIST in the early 90’s. DSA also generates key lengths of 2,048 bits. This algorithm is widely used today as a complement to RSA in public key infrastructure.

Generating keys

One way to generate keys is with OpenSSL, an open source command line tool that can generate public and private keys. OpenSSL is commonly used by computers to verify digital certificates that are exchanged as part of public key infrastructure.

Obscurity is not security

In the world of cryptography, a cipher must be proven to be unbreakable before claiming that it is secure. According to Kerckhoffs's principle, cryptography should be designed in such a way that all the details of an algorithm, except for the private keys, should be knowable without sacrificing its security.

A cryptographic system should not be considered secure if it requires secrecy around how it works.

Encryption is everywhere

Companies use both symmetric and asymmetric encryption. Websites tend to use asymmetric encryption to secure small blocks of data that are important. Usernames and passwords are often secured with asymmetric encryption while processing login requests. Once a user gains access, the rest of their web session often switches to using symmetric encryption for its speed.
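The hybrid pattern described above (asymmetric encryption protecting a small secret, symmetric encryption protecting the bulk data) and the OpenSSL key generation mentioned earlier, worked through as an added example using the OpenSSL command line tool; this script is not from the original notes, and the message and file names are constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not from the original notes): hybrid encryption with the
# OpenSSL CLI. An RSA key pair (asymmetric) protects a one-time AES key
# (symmetric), and AES protects the bulk data. All files live in a temp dir.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Generate a 2048-bit RSA key pair; the public key may be shared freely,
#    the private key stays with the recipient only.
gen_rsa_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/private.pem" 2>/dev/null
    openssl pkey -in "$WORK/private.pem" -pubout -out "$WORK/public.pem"
}

# 2. Sender side: random 256-bit AES key and IV, AES-256-CBC for the data,
#    RSA-OAEP to wrap the AES key so only the private-key holder can unwrap it.
encrypt_for_recipient() {  # $1 = plaintext file
    openssl rand -hex 32 > "$WORK/aes.key"
    openssl rand -hex 16 > "$WORK/aes.iv"
    openssl enc -aes-256-cbc -K "$(cat "$WORK/aes.key")" \
        -iv "$(cat "$WORK/aes.iv")" -in "$1" -out "$WORK/data.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/public.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/aes.key" -out "$WORK/aes.key.enc"
    rm "$WORK/aes.key"   # the sender discards the raw key; only the wrapped copy travels
}

# 3. Recipient side: unwrap the AES key with the private key, then decrypt.
decrypt_as_recipient() {  # $1 = output file
    openssl pkeyutl -decrypt -inkey "$WORK/private.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/aes.key.enc" -out "$WORK/aes.key.dec"
    openssl enc -d -aes-256-cbc -K "$(cat "$WORK/aes.key.dec")" \
        -iv "$(cat "$WORK/aes.iv")" -in "$WORK/data.enc" -out "$1"
}

# Round trip on a constructed sample message; returns 0 when the
# decrypted output matches the original plaintext byte for byte.
hybrid_roundtrip() {
    printf 'session token: constructed-sample-value\n' > "$WORK/msg.txt"
    gen_rsa_keypair
    encrypt_for_recipient "$WORK/msg.txt"
    decrypt_as_recipient "$WORK/msg.out"
    cmp -s "$WORK/msg.txt" "$WORK/msg.out"
}
```

Note that `openssl enc` provides confidentiality only; production systems pair the symmetric step with an authenticated mode such as AES-GCM (available through the OpenSSL library API rather than `openssl enc`) so tampering with the ciphertext is detected.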

Data encryption like this is becoming increasingly required by law. The Federal Information Processing Standards (FIPS 140-3) and the General Data Protection Regulation (GDPR) outline how data should be collected, used, and handled.
