What Is Encryption? All You Need to Know
You may not realize it, but you’re using encryption around the clock: every time you send an iMessage, check your WhatsApp group chat, send an email, or use your credit card. Data is being encrypted and decrypted when you simply open your phone, your web browser, or use your home wifi. Encryption is a fact of life in the digital world, and the bedrock of a secure internet. It protects our personal information, our business operations, and our national security. It’s ever-evolving, has different levels, and is also far from a fail-safe.
What are encryption and decryption?
Encryption is a way of mathematically converting a piece of information into a seemingly unreadable scramble, usually consisting of letters and figures. You can only decrypt the message (convert it back into plain, readable text) by using a special key.
Digital data can be encrypted when it’s just sitting on a device (at rest) or when it’s in transit from one device to another.
- At rest. To protect your stored data from third parties, you can encrypt individual files on your computer, or entire drives. With "full disk" encryption, all of the data on your device should be protected, and accessible only through a passcode or biometric data like a thumbprint or face scan. However, not all operating systems have this enabled by default—so it’s a good idea to check your settings, and encrypt.
- In transit. Whether it’s traveling over the internet via a wired connection or a wireless one (including Bluetooth), encryption protects data from an unauthorized actor intercepting it, spying on it, or otherwise tampering with it while it’s changing location.
Encryption may seem like a 21st-century innovation, but its roots reach back millennia. Back in ancient Greece, military leaders would encode sensitive messages by intentionally scrambling the text. The missives could only be deciphered by someone who knew how to arrange the characters in the correct order. Today, computers use algorithms to do the scrambling and deciphering. Their computational power makes encryption very difficult or even impossible to crack.
Why is encryption used?
Encryption can help protect many areas of our lives, from our bank accounts to our countries’ democracies.
- Encryption secures your personal information. Encryption protects your data from falling into the hands of hackers or other criminals, but also from unwanted spying from businesses or governments. It keeps your finances under lock, your communications safe, your health records secure, and your online activity private.
- Encryption secures your business. You can use encryption to safeguard proprietary business information and your company’s finances. Cyberattacks on businesses are becoming more and more common, with 50% more attacks per week on corporate networks in 2021 than in 2020. If you’re handling any kind of customer data, encryption will help protect that data and foster customer trust.
- Encryption protects national security. Cyber attacks have become a key weapon in international warfare. Encryption can shield government communications and databases in the event of a data breach, but also potentially prevent attacks that could disrupt a country's financial system or infrastructure (like a power grid).
- Encryption can bolster democracy. Data encryption can be an important way of protecting crucial democratic institutions, whether it's freedom of the press, freedom of expression, or freedom of assembly. Journalists use end-to-end encryption to safely communicate with sources in order to expose the wrongdoing of those in power. Activists around the world use encrypted messaging apps to communicate with each other and organize protests and other grassroots initiatives without governments snooping on them.
- Encryption can be a lifesaving tool for vulnerable groups. Groups that face societal or governmental repression use end-to-end encrypted messaging and encrypted devices to communicate safely, safeguard their privacy, and simply lead their lives with less fear.
Symmetric vs. asymmetric encryption
Encryption can be categorized in several different ways, but there are two broad encryption methods: symmetric and asymmetric encryption.
Symmetric encryption uses the same key to encrypt and decrypt the data. Each of the devices that are communicating must know the same code to be able to send and read the encrypted data, and the sender must know which devices will be communicating.
One of the most secure encryption algorithms used today is described by the Advanced Encryption Standard (AES), which has been the encryption standard for over two decades and is used and endorsed by the U.S. government. It’s a symmetric key algorithm, and a successor to the 1970s’ Data Encryption Standard. The AES is a "block cipher," which means it encrypts data in fixed-size blocks rather than one bit at a time. Each block goes through several rounds of encryption, making it essentially impossible to decipher without the key.
Technically, cracking the basic AES key would take as long as 36 quadrillion years, preventing virtually any "brute-force attack" (in which an attacker checks all possible passwords or codes until one of them works, much like guessing which key will open a lock). AES encryption is used very broadly, including in wifi networks, messaging apps, virtual private networks (VPNs), or password managers.
Asymmetric encryption, also known as public key encryption, uses a pair of keys: one to encrypt the data, and a corresponding one to decrypt it. There's a private key that's only known to its owner, and a public key that is shared with others.
With symmetric encryption, if a third party discovers what the secret key is, they can easily decrypt the encrypted message. Asymmetric encryption prevents that from happening because the two keys are different. They are created together and are tied to each other. They rely on large prime numbers, and because the number of primes is infinite, there are nearly endless possibilities for the composition of the keys. This makes public key encryption extremely difficult to crack.
This is how exchanging information using public-key encryption works:
- Person A makes sure that Person B knows Person A’s public key, either by sending it to Person B, or by making it publicly available on their own website or social media.
- Person B sends Person A a message using Person A’s public key.
- Only Person A can read the message because only their private key decrypts the data.
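The three steps above as a runnable sketch (an added example, not part of the original article). It uses textbook RSA with two fixed sample primes so the numbers are reproducible; the function names and the sample message are assumptions, and real systems use randomly generated secret primes plus padding from a vetted library.

```python
from math import gcd

# Constructed sample primes (the Mersenne primes 2^61-1 and 2^89-1).
# Real keys use randomly generated secret primes hundreds of digits long.
P = 2**61 - 1
Q = 2**89 - 1

def make_keypair(p, q, e=65537):
    """Person A creates both keys together: public (n, e) and private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p-1)*(q-1)")
    d = pow(e, -1, phi)  # private exponent: e*d = 1 (mod phi); computing it needs p and q
    return (n, e), (n, d)

def encrypt(message: bytes, public_key) -> int:
    """Person B encrypts with Person A's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key size")
    return pow(m, e, n)

def decrypt(ciphertext: int, key) -> bytes:
    """Apply a key's exponent to the ciphertext; only the private key inverts encrypt()."""
    n, exponent = key
    m = pow(ciphertext, exponent, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def demo():
    public_key, private_key = make_keypair(P, Q)       # step 1: A publishes public_key
    ciphertext = encrypt(b"meet at noon", public_key)  # step 2: B encrypts to A
    recovered = decrypt(ciphertext, private_key)       # step 3: A decrypts
    eavesdropper = decrypt(ciphertext, public_key)     # the public key alone does not undo it
    return recovered, eavesdropper

if __name__ == "__main__":
    recovered, eavesdropper = demo()
    print("Person A reads:", recovered)
    print("Holder of only the public key gets:", eavesdropper.hex())
```

The private exponent can only be computed by someone who knows the two primes, which is why publishing the public key gives nothing away as long as the primes stay secret and are too large to recover by factoring.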
Another way to describe asymmetric encryption is by comparing it to sending and receiving snail mail. Anyone can drop a letter in a mailbox (the locked kind), but only the person with a key can open it.
One of the most well-known public key encryption programs is called PGP, or "Pretty Good Privacy." Many journalists use it, for example, to give potential sources a secure way to communicate with them. They make their public key available in their social media bios or email signatures.
What is end-to-end encryption?
End-to-end encryption is an asymmetric type of encryption, protecting the information the user sends from the moment they type it out (or otherwise create it) to the moment the recipient gets it on their device. The message is encrypted on the original device, usually using a program that generates a public and a private key. The data is decrypted once it gets to its destination. No one else can decode it, whether it’s a hacker or even the network that the information is being sent over, like the messaging app or the internet provider.
While end-to-end encryption was once used only for sensitive information like health records or credit card numbers, worries about data security and general surveillance have pulled it into the mainstream. Today, regular people are switching over to end-to-end encrypted apps like Signal for everyday messaging. After facing criticism related to its privacy protocols, Zoom introduced end-to-end encryption for its users' video conferencing needs in late 2020.
End-to-end encryption is also perhaps the most controversial method of securing data. Its impenetrability is at the crux of a years-long fight between tech companies, who want to protect user privacy, and governments, who argue that law enforcement should have backdoor access to encrypted communication in case it is used to commit crimes. In February 2022, a bill that aims to make companies liable for knowingly hosting child sexual abuse material on their platforms advanced in the U.S. Senate. Privacy advocates and the tech industry worry that if signed into law, the bill would severely undermine, if not ban, end-to-end encryption. They are concerned that the government can argue that merely providing that kind of encryption helps bad actors hide their crimes from law enforcement.
As of right now, law enforcement can access some information about an end-to-end encrypted message. They can’t see the content of the message, but by requesting its metadata from the messaging service, they can find out who was the sender and recipient, and when the message was sent.
End-to-end encryption vs. transport-layer security
While end-to-end encryption is often used in secure communications, there’s a form of encryption that we use even more frequently.
Transport-layer security (TLS), or transport layer encryption, secures data as it travels back and forth between a device and a server. Unlike with end-to-end encryption, the line of communication is not secure, meaning that the service provider (a messaging app or a website) can see the content of the data. The information is also often stored on the service provider's servers, making it accessible to law enforcement if they request it.
Transport-layer security protects web pages that are encrypted using HTTPS, or "Hypertext Transport Protocol Secure." A website thus encrypted protects the information that a user may be asked to enter in—such as a credit card number or address during online shopping. That data is visible to the administrators of the website, but not any malicious eavesdroppers. HTTPS also allows your device to verify the identity of a website. Older websites, or ones that haven't yet transitioned to HTTPS, and use HTTP instead, make your data vulnerable to getting intercepted.
Transport-layer security is also used in VPNs. It encrypts the traffic between your device and the internet service provider, making it inaccessible to anyone who would want to see what websites you visit.
Everyone’s doing it, but no one’s completely safe
Encryption has become a bit of a magic word in the tech industry. But privacy still isn’t guaranteed.
New research shows that TLS may still be vulnerable to some hacking, like so-called “man-in-the-middle” attacks, which operate by redirecting traffic.
Even VPNs don’t keep your browsing history completely private. When you’re using a VPN, while invisible to anyone else, your web traffic is still visible to the VPN provider.
And end-to-end encryption isn't 100% secure. While the line of communication is secure, the endpoints—the devices themselves—may not be. A third party can access ostensibly encrypted data if they have access to the device, or through malware on the device itself.
At the same time, the tide of encryption will be difficult to reverse, with users increasingly valuing their security and privacy, and cyber warfare prompting governments to build up their digital defenses.