Mankind has known encryption since ancient times. Historically, encryption was used to keep the correspondence of the Roman Empire's highest officials secret. Today, thanks to the mass digitalization of all processes of our everyday life, encryption is used practically everywhere: from smartphones and smart homes to data centers and space communication satellites.
Encryption is a transformation of data that prevents unauthorized parties from reading it. It has become widespread with the massive use of computer technology. During encryption, readable data (plaintext) is converted into ciphertext, which looks like a random set of characters. This requires a cryptographic key: a special piece of data that the sender and the recipient of the encrypted message have previously agreed on.
With the cryptographic key you can always recover the original message by performing the reverse process, decryption. Encryption is considered secure if the cryptographic algorithm and the key are sufficiently strong and the key cannot be easily guessed. In practice, this means that the encryption must be resistant to brute force attacks, which enumerate key values until the message is correctly decrypted.
Data encryption can be divided into two types: encryption of data at rest, that is, digital data stored on computer systems, and encryption of data in transit, that is, data moving between systems.
The most important components of any encryption process are a cryptographic algorithm and an encryption key. Applying the encryption key according to the cryptographic algorithm converts the data into ciphertext. After receiving the ciphertext, the recipient uses their key to decrypt the data. If the encryption algorithm is symmetric, the decryption key is the same as the encryption key; if the algorithm is asymmetric, two different keys are used, and the decryption key is paired with the key that encrypted the data. Encryption keys are similar to safe combinations: only those who have the right combination can access the contents.
Tokenization is a data protection technique that has a lot in common with encryption. Like encryption, tokenization changes the original data, but it retains the data's format. Simply put, if you tokenize a phone number, the original digits are replaced by different digits. The phone number cannot be determined from the tokenized entry, but it is obvious that the entry is a tokenized phone number: the format has not changed and the number of characters is the same. If you encrypt a phone number instead, it is much harder to tell what kind of data was encrypted.
Tokenization is convenient for protecting data at the application level and individual fields of databases. Tokenization uses special encryption algorithms that preserve the data format, substituting random values for the original data within a protected environment.
Encryption, the transformation of data into ciphertext, is carried out on the sender's side. Decryption, the reverse transformation of ciphertext into plain data, is carried out by the recipient. Depending on the type of algorithm, these processes take different amounts of time and require different computing resources. Cryptographic strength depends directly on the length of the cryptographic key. In turn, the reliability of a particular encryption algorithm is assessed by regulators in data encryption standards.
Hashing is widely used to protect data and is one of the foundations of blockchain technology. Hashing any amount of data produces a single fixed-length string of characters. Computing a hash is easy, but recovering the original data from the hash is extremely difficult. An application of hash functions that we see daily is password hashing. To limit the damage from leaks, online services do not store user passwords: when a password is created, they compute its hash and store that instead. When a user authenticates with a password, the service hashes the entered value and, if it matches the stored hash, grants access.
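The password-hashing flow described above, as an added example that is not part of the original article: the service stores a salted, slow hash (PBKDF2-HMAC-SHA256 here) rather than the password, and a login attempt is verified by recomputing the hash. The iteration count and the sample password are assumptions chosen for the example.

```python
# Added example (not from the original article): storing a salted password hash
# instead of the password itself, then verifying a login attempt against it.
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000  # assumption: a slow-hash work factor; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex', the record a user database would store."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash of the entered password and compare it in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking the position of the first differing byte via timing
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print("stored record:", record)
    print("correct password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
```

Two users with the same password get different records because each has its own salt, so a leaked database does not reveal which accounts share a password.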
Encryption plays an important role in protecting sensitive data. Encrypted data is safer to store or transfer, since it is in a hidden form. Encryption also provides other useful security properties: with encryption algorithms it is possible to authenticate the origin of data, and with the hash functions described above we can verify that the information has not been changed during transmission or storage. It is safe to say that the main purpose of encryption is to ensure the maximum security of confidential data.
Cryptography is widely used in the banking sector. The issuance of plastic cards and their safe use are possible only because the cardholder's sensitive data is encrypted. With the advent of mobile banking, the authentication process also relies heavily on encryption: every payment authorization goes through a meticulous process of confirming the client's identity in a secure, foolproof way.
Encryption is used to secure data transmission and storage. When you make an in-store purchase using NFC technology or an encrypted online transaction from your bank account, encryption is used at every step. Your card details are stored on your device in encrypted form. When the device connects to the POS terminal, the payment data is transmitted encrypted. Then your smartphone or other device contacts the bank and transmits the data, again in encrypted form.
The main components of any encryption system are the data to be encrypted, the encryption engine and key management. Protecting these components is vital to the strength of the encryption. Different systems protect these components by different methods. The most secure are systems in which encryption keys are stored in a special tamper-proof module and decrypted data never leaves the boundaries of that module.
A cryptographic key is a sequence of characters used by an encryption algorithm to convert plaintext into ciphertext. Without the key, no useful information can be extracted from the ciphertext. Depending on the type of encryption, either the same key (symmetric encryption) or the paired key (asymmetric encryption) lets you decrypt the original data into cleartext form.
Encryption key management is an important element of data protection systems. Since the encryption key grants access to the encrypted data in cleartext, the handling, storage and access of encryption keys must follow security policies. This also covers generating encryption keys and retiring them after their period of use expires. Centralized key management systems are considered the most robust: security policies are easier to enforce and the encryption process is easier to scale as the amount of data changes. Such systems are implemented in software or as hardware appliances.
Key wrapping is a method of protecting encryption keys in which the keys are never stored or transmitted in their original (plaintext) form. The keys are encrypted using symmetric encryption under a separate key-encrypting key. Keys can be wrapped individually or as a bundle of key material. This technique is useful for generally strengthening data security and for transmitting key material over untrusted communication channels. Decrypting wrapped keys is called unwrapping.
All encryption algorithms are divided into symmetric and asymmetric. The difference is that symmetric encryption uses the same key for both encryption and decryption, while asymmetric encryption uses two different keys for these two operations.
In symmetric encryption, both the sender and the recipient use the same secret (private) key for encryption and decryption. This means the sender must deliver the secret key to every recipient before they can decrypt the data. Symmetric encryption has an important advantage: it requires less computation. You can therefore encrypt and decrypt data faster, and encrypt more data on the same hardware, than with asymmetric algorithms. However, the weak point of these algorithms is the transmission of the key. If the channel is not well protected and an attacker manages to steal the key, they can easily decrypt any data sent later.
One of the most common symmetric encryption algorithms today is AES, an algorithm that is very hard to crack, supports several key lengths and is widely accepted as reliable by security regulators.
Asymmetric encryption uses two different but mathematically linked keys for encryption and decryption. The public key is used for encryption, while the private key (secret key) is used for decryption. The intended recipient sends their public key to the sender of the message. The sender encrypts the message with the public key and sends it to the recipient, who decrypts it with their private key. The public key can be transmitted freely, even over untrusted channels: intercepting it does not help an attacker decrypt the message. The private key usually never needs to be transferred anywhere, which makes it easier to keep secure. At the same time, asymmetric (public key) encryption requires significantly more computational resources.
Hybrid approaches combine the benefits of both types of encryption. Public key cryptography is used to encrypt the transmission of a secret symmetric key, and a symmetric algorithm is used to encrypt the transmitted data. The disadvantages of the asymmetric approach then become insignificant: the symmetric key is small, so encrypting and decrypting it with the slow asymmetric algorithm is fast. Transmitting the symmetric key in encrypted form reduces the risk of compromising it.
Privacy. Encryption protects stored or transmitted data from unauthorized users. The owner of the data has complete control over who else can access their private data. Encryption protects users from criminals who illegally collect personal data on the internet and from other potential intruders, realizing a person's right to privacy.
Security. Leakage of sensitive corporate data can cause huge losses for organizations, and it can happen to either stored or transmitted data. However, if the data is encrypted, a leak is far less critical: with a reliable encryption algorithm in use, no useful information can be extracted from it.
Integrity. Using encryption, you can determine whether data has been tampered with along the way. Since data transmission on the Internet is not always secure by default, it is important to be able to verify that a message has not been decrypted or altered in transit to the recipient.
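In practice the integrity check is a message authentication code (MAC) computed under a key shared by sender and recipient and sent alongside the ciphertext. As an added example that is not from the original article, the sender below attaches an HMAC-SHA256 tag and the recipient rejects any packet whose tag no longer matches; the message and the bit flip that simulates corruption on the wire are constructed for the example.

```python
# Added example (not from the article): detecting in-transit tampering with an
# HMAC tag computed under a key that only the sender and recipient share.
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte tag


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: append a tag over the message so any change is detectable."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, packet: bytes) -> Optional[bytes]:
    """Recipient side: return the message if its tag is valid, otherwise None."""
    if len(packet) < TAG_LEN:
        return None  # too short to even carry a tag: treat as tampered
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # constant-time comparison so the check itself leaks nothing about the tag
    if not hmac.compare_digest(expected, tag):
        return None
    return message


def flip_bit(packet: bytes, index: int) -> bytes:
    """Constructed test input: simulate a single-bit change somewhere on the wire."""
    data = bytearray(packet)
    data[index] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared out of band, e.g. via a key exchange
    packet = protect(key, b"transfer 100 to account 42")  # constructed message
    print("intact packet ->", verify(key, packet))
    print("one flipped bit in the message ->", verify(key, flip_bit(packet, 9)))
    print("one flipped bit in the tag ->", verify(key, flip_bit(packet, len(packet) - 1)))
```

Note that the tag only proves integrity and origin; it does not hide the message, so in a real protocol the MAC covers the ciphertext produced by the symmetric cipher.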
Regulations. Many industries are required to use encryption in their digital routines, under the supervision of government agencies. Such regulatory requirements include PCI DSS and GDPR, the security standards for plastic cards and personal data respectively.
Advanced Encryption Standard (AES) is a symmetric block cipher adopted as an encryption standard by the US government. It has been thoroughly analyzed, is widely used and is one of the most popular symmetric encryption algorithms.
TDES (3DES, Triple DES, Triple Data Encryption Standard) was created in 1978 as an improvement on the DES algorithm. Compared to the latter, its cryptographic strength was greatly improved. The TDES standard is still quite common and can be found in Microsoft system products. However, the more secure AES algorithm has now largely taken its place.
ECC (elliptic curve cryptography). Elliptic curve cryptosystems are used in TLS, PGP and SSH, the most important technologies on which the modern Internet is based.
Diffie–Hellman key exchange is a cryptographic protocol that allows two or more parties to obtain a shared secret key over an unprotected communication channel. The resulting key is then used to encrypt further exchanges with symmetric encryption algorithms.
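The exchange just described, and the hybrid pattern from the earlier section where a public-key method establishes the symmetric key, as an added example that is not from the original article: both parties are shown, and only their public values cross the channel. The group parameters are a deliberately tiny toy (the Mersenne prime 2^31 - 1 with generator 7) so the arithmetic is readable; such a small group offers no real security, and deployments use standardized groups of 2048 bits or more, or elliptic curves.

```python
# Added example (not from the article): a Diffie-Hellman exchange performed by
# both sides. Toy parameters: P = 2^31 - 1 (prime), G = 7 (a primitive root mod P).
# Real deployments use standardized groups of at least 2048 bits or elliptic curves.
import hashlib
import secrets
from typing import Optional

P = 2147483647
G = 7
SECRET_BYTES = (P.bit_length() + 7) // 8  # 4 bytes for this toy prime


class Party:
    """One participant; the private exponent never leaves the object."""

    def __init__(self, name: str, private: Optional[int] = None):
        self.name = name
        # random exponent in [1, P-2]; `private` is only settable for deterministic tests
        self.private = private if private is not None else secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.private, P)  # this value is safe to send in the clear

    def shared_key(self, peer_public: int) -> bytes:
        """Combine the peer's public value with our private exponent, then hash it."""
        # reject 0, 1 and P-1: those values force the shared secret into a trivial set
        if not 1 < peer_public < P - 1:
            raise ValueError(f"{self.name}: invalid peer public value")
        secret = pow(peer_public, self.private, P)
        # hashing turns the raw group element into a uniform symmetric key
        return hashlib.sha256(secret.to_bytes(SECRET_BYTES, "big")).digest()


def exchange() -> tuple:
    """Run one exchange; returns both derived keys and what an eavesdropper saw."""
    alice, bob = Party("Alice"), Party("Bob")
    on_the_wire = {"alice_pub": alice.public, "bob_pub": bob.public}  # all that is observable
    key_alice = alice.shared_key(on_the_wire["bob_pub"])
    key_bob = bob.shared_key(on_the_wire["alice_pub"])
    return key_alice, key_bob, on_the_wire


if __name__ == "__main__":
    key_a, key_b, seen = exchange()
    print("eavesdropper sees:", seen)
    print("both sides derived the same 256-bit key:", key_a == key_b)
```

The returned key is the symmetric key of the hybrid scheme: from here on both sides switch to a fast symmetric cipher for the actual data.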
RSA (Rivest, Shamir and Adleman) is used in software security and digital signature schemes. Because of its low encryption speed, messages are usually encrypted with a more efficient symmetric algorithm under a random session key, and only this session key is encrypted with RSA, forming a hybrid cryptosystem.
A brute force attack on encryption recovers the key by enumerating all possible key values. Just as with guessing a password, finding the key becomes incredibly difficult the longer the key is. Resistance to such attacks also depends on the encryption algorithm used. The main limitation of these attacks is the time it takes to guess the key, and that limit shifts as computing power grows continuously. For this reason, some older algorithms have become vulnerable to this type of attack.
Encryption on the Internet is present in many places, but most often it is used for HTTP requests. The protocol that secures requests and responses on the web is called HTTPS (Hypertext Transfer Protocol Secure). Today most sites use this protocol, and some browsers may not properly process pages where it is not used.
HTTPS uses the Transport Layer Security (TLS) protocol, or its deprecated predecessor Secure Sockets Layer (SSL), for encryption. The site must have a valid certificate installed on the server that hosts it. With this certificate the site confirms its identity, so that an attacker cannot substitute a malicious response for the genuine one. Such certificates are usually issued by trusted certificate authorities.
Most modern encryption methods have weaknesses. Despite the complexity of key-guessing attacks, such attacks become more dangerous every year as computing power rapidly increases and becomes more accessible. The growth of cloud computing plays an important role in this trend.
However, far more often, vulnerabilities in encryption arise from specific mistakes in the implementation of algorithms. Cryptographic libraries for programming languages can be implemented insecurely, and if software using them is attacked, sensitive information or encryption keys may be compromised. The same applies to the software implementation of cryptographic systems and to the hardware on which they run; these can also contain vulnerabilities. For example, an attacker with physical access to memory or a hard drive could steal data or cryptographic keys.
Protect your company data by using encryption in routine digital processes. In addition to security, the implementation of encryption often opens up new business opportunities.
For many companies, email continues to be the main communication channel between employees. Discussions about ongoing projects, exchange of electronic legal documents and many other daily workflows are handled by sending an email. In addition, email remains one of the most important elements of authentication on various Internet portals, from social networks and personal cloud storage to partner portals and a company's remote IT infrastructure. In other words, email security is a critical element of any company's data protection.
Using encryption, you can secure those crucial emails. For example, by configuring message encryption you ensure that if a message is intercepted, no useful data can be extracted from it. Typically, email encryption is configured in the email client. The most commonly used encryption protocols are TLS and SSL.
Almost all companies today use cloud service or cloud storage providers, whether for storage space or for computing power. At the same time, the amount of an organization's sensitive data held in the cloud grows every year. It becomes quite risky to rely solely on the provider's security, as many providers do not take responsibility for the privacy of the data you store with them. Moreover, many popular cloud services have weaknesses that can only be addressed by encrypting the data yourself.
For encryption in cloud environments, centralized encryption systems designed for hybrid environments are best suited. They are delivered as software or as a combination of hardware and software. With such systems you can secure data without relying on the service provider.
Customers' payment data is especially critical. Its disclosure can cause great harm to the cardholder and potentially to the company or bank that issued the card. For this reason, encryption is crucial in the processing of cashless payments: cardholder data must be encrypted in transit and at rest. Multi-factor authentication is used to confirm payments, including the customer's biometric data, which is also protected by various types of encryption.
The international regulation PCI DSS (Payment Card Industry Data Security Standard) was developed to standardize the data protection of plastic cards.
This standard applies to banks, processing companies and plastic card manufacturers. In addition, compliance with PCI DSS is required almost everywhere plastic cards are used: from online stores to manufacturers of mobile payment POS terminals.
Helenix has been working with encryption systems for over 15 years. We have extensive experience in the distribution of Hardware Security Modules and the development of custom solutions for a wide variety of security requests.
If you need a consultation on encryption related solutions, you can contact us by leaving a request in the “Contact Us” section.
Encryption is an integral part of data security, which is necessary to preserve the privacy of an individual, corporate secrets, and copyright. It’s also responsible for many operations of the Internet and other information technologies.
Encryption makes sure that specific data is available only to those who have been granted access to it (the encryption key), and that it is not spoofed on the way from the sender to the recipient.
Encryption requires computational resources. Depending on the type of encryption and amount of data, as well as the required encryption speed, such resources can be quite burdensome to acquire.
To break an encryption algorithm, an attacker must either obtain the key or attack the software implementation and hardware used to implement the encryption. The second option is more commonly used.
To encrypt plaintext with public key encryption, the source data is encrypted with the recipient's public key according to the asymmetric encryption algorithm discussed above.