# Encryption

Why Trust Techopedia

## What is Encryption?

Encryption is the conversion of data into a form that cannot be easily understood by unauthorized entities. The process of converting encrypted data back into its original form is called decryption.

Encryption ensures that sensitive information cannot be read, used, or misused by those parties who should not have access. The encryption process uses special algorithms called ciphers and mathematical variables called encryption keys to transform readable plaintext data into ciphertext.

Ciphertext, which looks like a long sequence of random letters and numbers, is meaningless without knowing what cipher and which key was used to encrypt the data.

### Techopedia Explains the Encryption Meaning

The term encryption comes from the Greek word “kryptos,” which means “hidden” or “secret.” The encryption definition’s etymology reflects the fundamental purpose of encryption: to disguise information, hide its value, and keep its meaning secret.

## How Does Encryption Work?

Encryption works by mathematically transforming readable data (plaintext) into an unreadable format (ciphertext).

Every encryption scheme requires two things: a complex algorithm (cipher) and a secret key that’s used to customize the algorithm. The combination of the two things is what makes an encryption process strong.

To break encryption, a malicious actor would need to reverse engineer the encryption process and figure out which algorithm was used to encrypt the data and what secret key was used to customize the algorithm.

There are two important principles that support the way encryption schemes work: substitution ciphers and permutation ciphers.

• Substitution Ciphers: Replace plaintext characters with different characters according to a defined mapping system. A classic example is the Caesar cipher, in which each letter is shifted to a certain number of positions in the alphabet. In a more complex substitution cipher, such as the monoalphabetic cipher, each letter of the plaintext is replaced with a unique letter from a scrambled version of the alphabet. This makes the cipher more difficult to break without knowing the substitution rule.
• Permutation Algorithms: Work by rearranging the elements of the plaintext according to a specific rule or set of rules, which is determined by the encryption key. This process, which is also known as transposition, creates a ciphertext in which the original order of the plaintext is scrambled. The strength of a permutation algorithm comes from the difficulty of guessing the original positions of the elements without knowing which key was used during transposition.

## What is an Encryption Key?

An encryption key is a string of binary digits (bits) that determine the output of a cryptographic algorithm. The strength of an encryption scheme is largely dependent upon key secrecy and integrity.

Key management policies and procedures ensure that secret keys are replaced or updated as necessary. Key management best practices support the addition of new keys, new users, and new encryption scenarios without compromising security.

Effective key management includes not only protecting keys from unauthorized access but also ensuring that authorized users can access the right key when needed. If an encryption key gets lost, there’s no way to recover it, and the result can be permanent data loss.

As organizations grow and their encryption needs evolve, a robust key management system needs to be scalable and able to adapt.

Many industries are subject to regulations that mandate specific standards for encryption keys. When key management is included in an organization’s security policy, it can help employees meet compliance regulations and help the organization avoid financial penalties.

## What is an Encryption Algorithm?

An encryption algorithm is a mathematical formula that’s used to transform plaintext into ciphertext. The purpose of encryption algorithms is to protect data by transforming it into a format that can only be read by those parties who have the correct secret key.

Encryption algorithms work in conjunction with a pair of secret keys: an encryption key that’s used to scramble the data and a decryption key that’s used to reverse the process.

### Types of Encryption Algorithms

The choice of encryption algorithm depends on the sensitivity of the data that is being protected, as well as performance requirements and compliance standards or regulations.

Here’s a list of specific encryption algorithms that are widely in use today:

Elliptic Curve Cryptography (ECC)
Provides the same level of security as RSA but with smaller key sizes, which makes it more efficient for mobile devices and smart cards.
ChaCha20
A symmetric stream cipher that offers high speed and security, often used for virtual private networks (VPNs) and encrypting Internet traffic.
Poly1305
Often used together with ChaCha20 for message authentication, providing integrity checking.
Blowfish
Twofish
A symmetric block cipher and a successor to Blowfish. Was one of the finalists in the AES selection process.
Serpent
A symmetric key block cipher that was also a finalist in the AES selection process. Known for its high security
Triple Data Encryption Standard (3DES)
Applies the Data Encryption Standard (DES) three times to each data block.
SHA-256 (Secure Hash Algorithm 256)
Used for generating hash values. Though not an encryption algorithm in the traditional sense, it’s used for verifying data integrity

## Types of Encryption Schemes

Encryption schemes can be categorized in three different ways:

1. By the type of key they use.
2. By their operational mode.
3. By the underlying principle the algorithm is based on.

### Keys

Encryption schemes can use symmetric keys, asymmetric keys, or (most often) a combination of symmetric and asymmetric keys.

Symmetric encryption ciphers use the same key to encrypt and decrypt a message. This type of encryption is fast, efficient, and well-suited for encrypting documents. It is not often used for highly sensitive communications, however, because both parties are required to have access to the same secret key.

Asymmetric encryption (also called public key cryptography) works by generating pairs of mathematically related keys. One key is used to encrypt a message, and the other key is used to decrypt the message. The sender encrypts a message using the receiver’s publicly available key. The message is then decrypted with the receiver’s private key.

Asymmetric encryption is often compared to a locked mailbox that has a slot to receive messages. Anyone who knows the address of the mailbox (the public key) can send a message, but only the owner of the mailbox has the private key to open the mailbox and read the message.

Homomorphic encryption is a form of asymmetrical encryption that allows calculations to be performed on encrypted data. The results, when decrypted, should match the result of operations as if they had been performed on plain text.

Homomorphic encryption, which uses primarily asymmetric keys, is in the early stages of adoption for everyday use. Its development is being driven largely by the need to protect personally identifiable information (PII) in the cloud.

End-to-end encryption (E2EE) prevents third parties from reading data while it’s being transferred from one system or device to another. This type of encryption typically uses a combination of asymmetric and symmetric encryption keys. At the start, asymmetric encryption is used to securely exchange a symmetric key between the communicating parties. Once the symmetric key has been shared, it is used to encrypt and decrypt messages. While E2EE provides strong data protection, it can be difficult to implement correctly. Mismanaged E2EE encryption keys can render the data inaccessible even to legitimate users.

Post-quantum encryption is an important area of encryption research because quantum computers have the potential to break many of the cryptographic algorithms currently in use today.

Developing and implementing quantum-resistant algorithms is a proactive measure designed to secure IT infrastructure against future threats. The main challenges are creating and standardizing new algorithms that can’t be broken by a quantum computer and implementing them without disrupting existing security frameworks and infrastructures.

Some researchers believe that with increased key sizes, existing symmetric encryption algorithms (like AES-256) might be sufficiently resistant to quantum attacks. Other researchers believe that post-quantum encryption schemes will use a combination of symmetric algorithms for bulk encryption and asymmetric algorithms for Internet key exchange and authentication.

### Encryption Operation Modes

Encryption operation modes describe how an encryption algorithm handles data. Block ciphers and stream ciphers are two common types of operation modes.

• Block ciphers encrypt fixed-size blocks of data. Block ciphers are generally preferred for securely encrypting data that is stored or transmitted in known, fixed sizes. If the plaintext does not perfectly fit into a block, padding is added to fill the block. Block ciphers themselves don’t inherently provide mechanisms to ensure data integrity. This concern is often addressed by combining block ciphers with a mode of operation like cipher block chaining.
• Stream ciphers encrypt plaintext one bit or byte at a time. They work by generating a seemingly random stream of bits, known as a keystream, which is then combined with the plaintext bits using an operation like XOR. The combined process produces ciphertext. The secret to making this type of operation mode secure lies in the keystream; it must be as random as possible and used only once. Stream cipher operational modes are useful for when the total data size is unknown, such as in real-time communication scenarios.

### Underlying Principles of Encryption

The underlying principles of encryption refer to the core mathematical and logical concepts upon which encryption algorithms are built. Today’s encryption schemes often combine multiple principles for robustness.

For example, substitution-permutation networks are a structural design principle for block ciphers. Each round begins with a substitution layer and ends with a permutation layer. AES and many other ciphers are built upon the SPN structure.

In addition to substitution and permutation, here are some of the other important underlying encryption principles:

ConfusionDiffusionFeistel NetworksHash Functions

Obscures the way the key influences the encryption process to make it harder to deduce the key from the ciphertext.

Spreads the influence of each individual plaintext character (or bit) over a large portion of the ciphertext. The goal is to ensure that any change in the plaintext, no matter how small, causes significant and widespread changes in the ciphertext.

Technically, this is a structural design for block ciphers rather than a principle itself. Feistel Networks split data into halves, and run them through multiple rounds of processing with a key, mixing and swapping the halves in each round. Many widely used block ciphers, including triple DES, are built on this structure.

Transforms data into a fixed-size hash. Hashing complements encryption by providing integrity checks, secure password handling, and enabling digital signatures.

## How to Encrypt Email

It’s important to remember that emails are not automatically encrypted by default.

While most email providers use the TLS protocol to encrypt email in transit, the protocol does not encrypt data at rest on email servers. That means that if an attacker gains access to a provider’s server, they will be able to access the unencrypted emails stored there.

Some email providers like ProtonMail offer end-to-end encryption, but it requires both the sender and the recipient to use the same service and settings.

## Why Do You Need Encryption?

Encryption is a critical tool for ensuring data privacy and maintaining the trustworthiness and reliability of digital communications and transactions.

Encryption is essential for protecting digital information for several key reasons:

Privacy and Confidentiality
Encryption ensures that sensitive information such as personal details, financial data, and confidential communications remain private and accessible only to authorized parties. This helps individuals and organizations to protect themselves from identity theft, financial fraud, and unauthorized disclosure of information.

Security and Data Integrity
Encryption can be used to secure data against interception and eavesdropping. It helps prevent attackers from accessing or tampering with data during transmission and helps maintain data integrity and confidentiality.

Authentication and Non-repudiation
Encryption, especially when combined with digital signatures and digital certificates, can verify the identity of the parties involved in a communication. This means you can be sure of the source of the information, and senders cannot deny the authenticity of their messages or transactions.
Regulatory Compliance
Many industries are subject to regulations that require the protection of sensitive data. Encryption helps businesses comply with data protection laws and regulations, such as GDPR in Europe, and HIPAA in the healthcare sector in the United States.
Protecting Intellectual Property
Encryption is a way for businesses and creators to protect intellectual property (IP) and trade secrets from competitors and cybercriminals, It ensures that only authorized individuals can access and use proprietary information.
Trust in Digital Transactions
Encryption enables e-commerce, online banking, and confidential communications. Without encryption, the ecosystem of digital services and commerce that we rely on today would not be viable or safe.

### When to Use Encryption?

Encryption should be used in any situation where sensitive information needs to be protected from unauthorized access or exposure. For example, encryption is a fundamental component of HTTPS, which is a secure version of the hypertext transfer protocol (HTTP) used for web communication.

HTTPS uses SSL/TLS protocols to create a secure, encrypted connection between a web browser and a server. This ensures that all data transmitted over the connection, including personal information, login credentials, and payment details, is encrypted and protected from eavesdroppers.

## How to Implement Encryption

Organizations can use a variety of approaches to encrypt data. The strategies and methods they might use can depend on the level of protection they’re trying to achieve, the type of data they want to encrypt, the potential risks or threats they face, and the amount of computing and financial resources they’re willing to invest.

Allows organizations to use their own encryption algorithms and keys to protect their data in the cloud. BYOE may also be referred to as bring your own key.

Cloud Storage Encryption
Data is encrypted before it is transmitted to the cloud and stored on a cloud service providers’ server.

Column-Level Encryption
Only specific columns of data in a relational database are encrypted. This approach provides a balance between security and performance by securing only the data that is sensitive or subject to compliance regulations.
Deniable Encryption
Encrypts data in such a way that it can be decrypted to produce different plausible outputs, depending on the key used.
Encryption as a Service
A subscription model that provides cloud service customers with an encryption gateway or tools for encrypting data before it leaves the client’s environment and managing the encryption keys. This approach allows customers who lack the resources to manage encryption themselves with a cost-effective way to address regulatory compliance concerns and protect data in a multi-tenant environment.
Full Disk Encryption (FDE)
Encrypts all the data stored on a disk drive, including the operating system and application files. This approach makes any data stored on the disk drive unreadable to anyone who doesn’t have the authorization to decrypt it.
Field-Level Encryption
Encrypts individual fields of data within a database or software application. This approach allows organizations to protect specific pieces of sensitive information while keeping other parts of the data in plain text for operational efficiency. Even if unauthorized access occurs, the most sensitive information will remain encrypted and unintelligible without the appropriate decryption key.
Encrypts data as it travels from one point to another across a communication link. This approach protects data against interception and eavesdropping by encrypting it at the network layer. Data is typically encrypted before it leaves the sender’s device and decrypted upon arrival at the recipient’s device.
Network-Level Encryption
Provides a secure tunnel through which all data passes. This process typically uses encryption protocols such as IPsec or SSL/TLS to encapsulate data packets within encrypted layers as they travel through the network. The keys for encrypting and decrypting the data are managed and exchanged securely between the sending and receiving devices, often through an automated process that establishes a secure channel before the actual data transmission begins.

### How to Break Encryption

Breaking encryption, which may also be referred to as cryptanalysis, attempts to decipher encrypted data without the encryption key. There are several theoretical and practical approaches to breaking encryption. They include:

Brute Force AttackAnalytical AttackSide-Channel AttackMan-in-the-Middle Attack

This approach requires trying every possible key until the correct one is found. The usefulness of this approach depends on the key length and the encryption algorithm’s strength; complex algorithms with longer keys are more difficult to break this way.

This approach looks for weaknesses in encryption algorithms that can be exploited. Analytical attacks may use machine learning (ML) to assist with ciphertext statistical analysis.

This approach exploits information about the physical implementation of the system to try and locate the correct key. It relies on information about timing, power consumption, electromagnetic leaks, or even sounds.

This approach focuses on intercepting communication and inserting the attacker between two parties. MITM attacks can be used to exploit weaknesses in encryption implementation or the key exchange process.

## Encryption Pros and Cons

Encryption ensures data security and privacy, but like any technology, it has advantages and disadvantages. Understanding them can help you make informed decisions about when and how to use encryption.

Pros

• Enhanced Security
• Data Privacy
• Regulatory Compliance
• Secure Communications
• Trust and Credibility
• Protection Against Data Breaches

Cons

• Complex Key Management
• Data Recovery Challenges
• Initial Setup Complexity
• Interoperability Issues
• Cost

## The Bottom Line

Encryption algorithms scramble information and render it meaningless without the correct key. It’s important to understand encryption’s meaning so you can make informed choices about what algorithm to use when you are protecting digital information from unauthorized access.