Data Encryption 101

Data Encryption 101: A Guide to Data Security Best Practices

What is data encryption? We hear about it all the time and we may know what it means, in general terms. But, what is data encryption, actually?

Let’s start with the name: data is information. It could be an email message, the contents of a database or a file stored on a laptop. The word encryption is a blend of English and Greek that means “in hidden” or, more loosely, “in hiding.” Data encryption is the process of hiding information from malicious actors or anyone else with prying eyes.

We encrypt data to keep it confidential. Data encryption is part of a broader class of cybersecurity countermeasures known as data security. Data security is all about keeping our data safe from unauthorized access, ransomware lockup (which is a malicious form of encryption), breach or malicious corruption, i.e. changing data to make it useless.

Modern data encryption is the latest mode of data protection in a very long line of such practices. It’s a form of cryptography, an ancient technique of hiding information by substituting one character for another. How to encrypt data? Encryption works by means of a complex mathematical algorithm known as a data encryption cipher. Like the secret decoder ring found in your child’s cereal box, the cipher algorithm transforms normalized data (i.e. plaintext) into a sequence of ostensibly random, unrecognizable characters. This is the “ciphertext.” 

The ciphertext is unreadable, at least for any real meaning. The phrase, “Hi, how are you?” might encrypt into a ciphertext that reads, “8363, 5017, 11884, 9546.” To get back to “Hi, how are you” requires a process of decryption. Decryption involves the use of the same algorithm that was used in encryption, except this time, the mathematical “key” that was used to change plaintext to ciphertext is put to work changing it back to plaintext. More on this in a moment.

What does it look like when data encryption fails?

Modern data encryption technologies make it extremely difficult for malicious actors to see confidential data. However, it is not 100% reliable. To understand what it looks like when data encryption fails, it’s first necessary to get into more detail on how the process works. 

Encryption relies on the use of keys, which are long strings of numbers that enable the mathematical encryption algorithm to work. Typically, keys come in pairs, one for the sender of encrypted information, the other for the receiver. You need both to make the algorithm work. 

Hackers can figure out the keys. Once they have the keys, they can easily decrypt data and steal it. This takes a process known as “brute forcing,” where the hacker uses a powerful computer to guess at the numbers in the key. The longer the key, the harder it is to use brute force. If the key were very short, say three digits long, it would be relatively easy to crack. You’d have 999 options before you figured it out. Today’s keys are far, far longer. A 128-bit key, which is standard in today’s encryption practices, requires over 300,000,000,000,000,000,000,000,000,000,000,000 possible key combinations to crack! This seems impossible, even for a supercomputer, but it can happen.

What is Data Encryption? Infographic

Data encryption solutions

There are two basic kinds of encryption solutions: Those for data at rest and others for data in transit. Hackers can go after data that you store (at rest) or data you send in messages (in transit). The messages might be email, but they could also be internal, system-to-system messages that carry data around your network. 

Separate solutions are available for data at rest versus data in transit. Systemically, each has its own impact. For data at rest, you have to configure any application that needs access to encrypted data with the means to decrypt it. For data in transit, you have to arrange for both the sender and receiver to have encrypt/decrypt capabilities. These requirements create administrative burdens, and things can quickly become quite complex when you’re sending encrypted messages outside of your organization and so forth.

Who needs to use data encryption? The answer is just about anyone. You don’t have to be a secret agent to want to keep your data confidential. In fact, you might be using encryption without even knowing it. Many technology services encrypt and decrypt your data so it will be safe when they use it. Businesses should encrypt data that could damage their financial results if it were breached. Individuals should encrypt sensitive personal data like their medical histories and social security numbers.

Data encryption algorithms

How to encrypt your data

Continuing with this little encryption 101 review, let’s go over the most common data encryption methods and algorithms. The two most widely used methods for data encryption are “public key,” also known as asymmetric encryption and “private key,” or symmetric encryption. Both rely on key pairs, but they differ in the way the sending and receiving parties share the keys and handle the encrypt/decrypt process.

With public key/asymmetric encryption, the sender uses a publicly known key to encrypt the data. The receiver has the private key that forms the other half of the public/private key pair. Using the private key, in combination with the public key, the receiver can decrypt the data. In Private key/symmetric encryption, both sender and receiver have the same, secret key. As you might imagine, there’s a lot of management overhead involved in storing and transmitting secret keys.

Companies, encryption products and government agencies make use of a number of different encryption algorithms today. These include:

  • Triple DES (3DES)—A modernization of the older, but highly influential Digital Encryption Standard (DES). 3DES takes DES’ 56-bit key size up to 168-bits, making it harder to crack, but also more compute-intensive to handle.
  • Advanced Encryption Standard (AES)—A symmetric cipher based on the Rijandael block cipher. It is used in the US federal government as well as in consumer technologies like the Apple Macintosh computer.
  • RSA—One of the first and most widely adopted modes of asymmetric cryptography for data in transit. It originated in 1977. RSA works through a public key based on two large prime numbers, along with an additional value used to encrypt the data. 
  • Elliptic curve cryptography (ECC)—A powerful, not-well understood form of data encryption. It is faster than comparable algorithms, so it is favored by government agencies like the NSA.

Data encryption made easy

How complicated is data encryption? It depends on how sophisticated your needs are. You can buy a simple encryption app for your laptop. That’s easy, if it’s just for you. If you’re managing encryption for a Fortune 500 corporation, it’s a job for a team of people and some pretty powerful, expensive tools. 

What kind of data can or should be encrypted? Encryption best practices should align with your broader security policies. It makes no sense, and is too complicated and expensive, to encrypt everything. Data encryption requires specialized software tools. You usually have to purchase keys, either directly or by buying an encryption product that embeds the keys in its functionality. And, encryption slows down processes like emailing and data processing. 

It makes sense to be selective about encryption. You should encrypt data which is sensitive, data that would have a negative impact on you or your business if it were breached, blocked by ransomware or corrupted. 

How to encrypt your data

You might wonder about actionable steps for basic data encryption on your devices. The good news is that a lot of solutions are available, either at low or even no cost. Android phones, for example, have full-device encryption if they run Android Gingerbread (2.3.x) or later. You have to turn it on, but it’s there. The iPhone encrypts your data (at rest) by default. If you follow the news, this has been a source of controversy regarding devices owned by criminals.

Android phones, have full-device encryption if they run Android Gingerbread (2.3.x) or later. On Pixel Phones and Nexus 5+, encryption is by default. On earlier versions of Android, you have to turn it on, but it’s there.  The process of setting up encryption on and Android device involves first configuring a lock screen PIN, pattern or password. Then in Settings/App Settings, you choose Security & Location. Where it says “Encryption” on this screen, select “Encrypt Phone.” That’s really all it takes. You can this process in reverse to end encryption. 

For your computer, you can encrypt your data at rest with solutions from companies like Symantec, Kaspersky, Sophos and ESET. You can also get encrypted USB drives. Email can be encrypted through products like DataMotion SecureMail software, Proofpoint Email Encryption and Symantec Desktop Email Encryption.

The Future of Data Encryption

Data encryption and data security are constantly evolving to keep up with a worsening threat environment. While brute force decryption may be hard, hackers can still steal keys or attack places in the data management chain where encryption is suspended. For example, data is almost always encrypted when it goes through a computer’s Central Processing Unit (CPU). This is changing now, with chip makers like Intel introducing encryption tools for their CPUs.

The future of data encryption promises more innovations. These include encryption algorithms that incorporate biometrics and voice recognition—a sort of unique, personal key, if you will. The industry is also introducing “Honey Encryption” traps that shows a fake, but plausible plaintext when a hacker guesses at the decryption key. Blockchain, which is not, strictly speaking, a form of encryption, makes use of encryption-like algorithms to ensure the integrity of data that is stored using a blockchain framework. There is likely to be a lot more of this kind coming in the future.

Takeaways

Data encryption is a common and necessary element of cyber security and data security in particular. The process requires highly sophisticated technology, but solutions are becoming increasingly easy to use, at least at the consumer level. In some cases, like with iOS, encryption is happening whether the user knows it or not. For organizations, encryption should be part of the security mix, applied selectively to sensitive data assets.


Hugh Taylor

Hugh Taylor

Hugh Taylor is a Certified Information Security Manager (CISM) who has written about cybersecurity, compliance, and enterprise technology for such clients as Microsoft, IBM, SAP, HPE, Oracle, Google, and Advanced Micro Devices. He has served in executive roles at Microsoft, IBM, and several venture-backed technology startups. Hugh is the author of multiple books about business, security, and technology