By Oliver Dehning, Hornetsecurity
Whether you know it or not, you’ve probably sent thousands of encrypted messages.
From file folders and email servers to social media platforms and messaging apps, encryption is used nearly everywhere to help protect data as it travels between devices or rests in hard drives. It’s one of the most important tools we have in cybersecurity, but there are crucial misconceptions users have today regarding encryption, as well as uncertain developments on the horizon. These issues concern us all: the experts designing new processes, the public who use it and our leaders who make policies around it.
With encryption being such a vital piece of data security — and with data security being among the greatest current and future challenges the world will face — people who share information digitally, at minimum, should have a surface-level understanding of how it works and the issues surrounding it. So, let’s take a “101” class in encryption.
How encryption works
When we think of encryption today, we tend to think of it from a computing standpoint, but the concept is far older. Humans have been using ciphers to cloak secret messages for years – think of codes that use certain numerals to correspond to letters. In a famous example, during World War II, British mathematicians led by computer pioneer Alan Turing broke the code for a German encryption machine, Enigma.
The basics of those early encryption methods are the same as now: text or another type of information is translated into another unreadable form, with keys used to encrypt and decrypt the data. Another party may capture the data, but without the key, it is generally useless to them. The British in World War II, for example, had captured an Enigma and learned how it worked, but that did nothing for them until they broke the code.
There are two principal methods of encryption:
- Symmetric — Multiple sides of a data transaction have the same key to encrypt and decrypt messages. The key needs to be shared with any party taking part in the data transaction, making this less secure as the number of parties knowing the key increases. It can also be quite difficult to securely exchange the key between parties, as, naturally, nobody else should get hold of it. Furthermore, as a separate key is needed for any set of communications, the number of keys needed grows dramatically with the number of parties using them.
- Asymmetric — A user has a key pair: two keys that are inseparably linked to each other. Either key of the pair can be used to encrypt data, and the other key will then decrypt it. One key of the pair is usually kept secret and called the “private key.” The other is shared publicly, identified as belonging to the owner of the corresponding (secret) private key, and is therefore called the “public key.” If I’m sending information to a colleague and I only want them to read it, for instance, I’ll use their public key to encrypt the data, and they will use their private key to decrypt it.
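The two models above, as an added example that is not part of the original article: it counts the keys each model needs as the number of parties grows, and runs a textbook RSA round trip to show that either key of a pair undoes the other. The function names and the small primes (61 and 53, with public exponent 17) are constructed for illustration; real systems use far larger keys with padding.

```python
"""Symmetric vs. asymmetric key handling (illustrative, not production crypto)."""

def symmetric_keys_needed(parties: int) -> int:
    # Every pair of parties needs its own shared secret: n * (n - 1) / 2.
    return parties * (parties - 1) // 2

def asymmetric_keys_needed(parties: int) -> int:
    # Each party holds one key pair (public + private), whatever the group size.
    return 2 * parties

def make_key_pair(p: int, q: int, e: int):
    """Build a textbook RSA key pair from two primes (constructed sample values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (e, n), (d, n)        # (public key, private key)

def apply_key(key, value: int) -> int:
    """Transform one number with one key of the pair; the other key reverses it."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, modulus)

def encrypt_text(key, text: str) -> list:
    # Byte-by-byte only to keep the toy modulus small; real schemes never do this.
    return [apply_key(key, b) for b in text.encode("utf-8")]

def decrypt_text(key, blocks: list) -> str:
    return bytes(apply_key(key, c) for c in blocks).decode("utf-8")

if __name__ == "__main__":
    for n in (2, 10, 1000):
        print(n, "parties:", symmetric_keys_needed(n), "shared secrets vs",
              asymmetric_keys_needed(n), "asymmetric keys")

    public, private = make_key_pair(61, 53, 17)

    # Confidentiality: encrypt with the colleague's public key,
    # only their private key recovers the message.
    ciphertext = encrypt_text(public, "meet at noon")
    print(ciphertext)
    print(decrypt_text(private, ciphertext))

    # The reverse direction also round-trips, which is the basis of signatures.
    print(apply_key(public, apply_key(private, 65)))
```
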
Many major email providers, such as Gmail and Outlook, allow you to use built-in encryption capabilities, while others require outside services to encrypt messages. Keys, meanwhile, are generated by users and can be certified by separate certification authorities, thereby ensuring everyone has access to and can check the public key.
Holes in the process
Often, people don’t think of encryption. They may send a confidential communication over email or a messaging platform, perhaps one describing a major business deal or a piece of intellectual property, and not know whether it is going through an encrypted channel at all. This is certainly true for the major portion of all emails sent today. Even if the transmission is encrypted, the message may go through several “hops,” where bad actors can read it, before it gets to the recipient.
In fact, just because the channel is encrypted, it doesn’t mean it’s totally secure. In some messaging and email platforms, if a message is being encrypted by the platform, the information will stay secret from anyone who may capture it during transport, but the platform may still be able to read the message because it’s the one doing the encrypting. Most of the time, this isn’t an issue (the majority of communication is mundane, after all), but personal data, such as financial or health information, are dangerous to have exposed. Also, most business communication is not supposed to be public. Exposing those secrets can do a lot of damage.
As data security becomes a greater concern, most software companies will enhance their encryption capabilities — and there will still be holes. WhatsApp, the popular messaging platform owned by Facebook, features end-to-end encryption between two communicating parties, with even the platform unable to view the messages. But in a recent incident, the platform asked users to update the app when it was revealed some devices could have had spyware unknowingly added, potentially exposing data once it reached the end point. The encryption worked perfectly, but it was compromised because of the now-fixed flaw. Another exploit, EFail, made headlines in 2018, as it allowed attackers to get access to encrypted emails through a vulnerability in some email clients.
Cybercriminals will always be attempting and discovering new ways to get around encryption. End users must trust that companies will be aware of and fix vulnerabilities at all points of the encryption process. Fortunately, there are cybersecurity companies who specifically guard against these backdoor attacks, but it’s not practical to assume every individual will be adding that extra layer of security.
The battle over backdoors
We know how successful encryption is when it comes to securing data in transit, but what if it works too well? If vital information is locked behind an inscrutable wall, perhaps a piece of embedded software would be useful?
For years, the European Union has been roiled by a debate over how much access law enforcement and intelligence agencies should have to encrypted data. Information traded between users often may hold information that can solve a crime, such as evidence of an illegal transaction or a discussion between terrorism suspects. Pre-installed software only accessible by law enforcement officials could give them a leg up.
Closer to home, U.S. Attorney General William Barr recently defended encryption backdoors for law enforcement as an acceptable risk, arguing against what he called “at best a slight incremental improvement in security,” and claiming full encryption imposes “a massive cost on society in the form of degraded safety.” This is the crux of the debate: personal security vs. public safety. Neither, however, can ever be guaranteed.
But the trouble with any measure that gives a route to encrypted data is that it fundamentally weakens encryption, rendering it essentially useless if a cybercriminal knows where to look. Law enforcement agencies may have noble intentions, but all it takes is one bad actor to break into a device and, depending on the exposed data, potentially cause a crisis. Weakening the basis around encryption weakens everything cybersecurity professionals do today and whittles an individual’s privacy. Solving one problem causes another.
The quantum future of encryption
For now, law enforcement and intelligence agencies frequently are collecting encrypted data — and then simply sitting on it. The National Security Agency (NSA) does this all the time, owning servers filled with captured information that may or may not have implications for domestic and global security or political structures. But can they crack it with no key or backdoor?
One potential method that is possibly shifting from science-fiction to science-fact is quantum computing. This technology uses quantum mechanics, such as superposition and entanglement, to do staggeringly fast computations. Creating one requires more than physical factors, such as new microchips and a cool environment; it also means building fresh algorithms and controlling units of information called qubits, which exist as 1s and 0s at the same time. Indeed, it’s complicated stuff.
Quantum computing, however, theoretically could create an encryption channel that could never be intercepted or cracked. Conversely, a quantum computer might be able to break through encryption not with a key but with a probability field that tells the user what is most likely the key. If the NSA, for example, had a large enough computer, it could crack all of its encrypted data within seconds.
Estimates vary on when we’ll be at this level of computing, particularly on a mass scale. IBM recently announced the IBM Q System One, “the world’s first integrated computing system for commercial use,” but outside experts note it’s more of a steppingstone than a true leap forward. Still, should quantum computing become a reality in our future, it will change encryption forever.
Encryption and you
Just by interacting with their devices as they normally would, end users are sending encrypted messages and data every day. Some platforms, of course, have stronger measures than others, and even among the most-protected systems, there may exist flaws. Importantly, we continue to get better at encrypting data — possibly too good, for some — and third-party services add an extra layer of security to built-in encryption software.
For the regular person who sends work emails from their personal account or trades messages over a free app for the convenience, a base awareness of a platform’s encryption capabilities will make a difference. If it protects messages end-to-end and you have an extra layer of security, you’re pretty much doing the best you can on your own for now.
The world of encryption and cybersecurity will continue to advance into an amazing (if a little confusing) future. The best advice is to stay informed as that march goes on.