Data encryption is a computing process that encodes plaintext/cleartext (unencrypted, human-readable data) into ciphertext (encrypted data) that is accessible only by authorized users with the right cryptographic key. Simply put, encryption converts readable data into some other form that only people with the right password can decode and view – and is a vital component of digital transformation.
Whether your business produces, aggregates, or consumes data, encryption is a key data privacy protection strategy that keeps sensitive information out of the hands of unauthorized users. This page provides a very high-level view of what encryption is and how it works.
How Does Encryption Work?
Encryption uses a cipher (an encryption algorithm) and an encryption key to encode data into ciphertext. Once this ciphertext is transmitted to the receiving party, a key (the same key, for symmetric encryption; a different, related value, for asymmetric encryption) is used to decode the ciphertext back into the original value. Encryption keys work much like physical keys, which means that only users with the right key can ‘unlock’ or decrypt the encrypted data.
Encryption vs. Tokenization
Encryption and tokenization are related data protection technologies; the distinction between them has evolved.
In common usage, tokenization typically refers to format-preserving data protection: data protection that substitutes a token – a similar-looking but different value – for individual sensitive values. Encryption typically means data protection that converts data – one or more values, or entire data sets – into gibberish that looks very different from the original.
Tokenization may be based on various technologies. Some versions use format-preserving encryption, such as NIST FF1-mode AES; some generate random values, storing the original data and the matching token in a secure token vault; others produce tokens from a pre-generated set of random data. Following the definition of encryption above, tokenization of any sort is clearly a form of encryption; the difference is tokenization’s format-preserving attribute.
What is the Purpose of Encryption?
Encryption plays a vital role in protecting sensitive data that is transmitted over the Internet or stored at rest in computer systems. Not only does it keep the data confidential, but it can authenticate its origin, ensure that data has not changed after it was sent, and prevent senders from denying they sent an encrypted message (also known as nonrepudiation).
In addition to the robust data privacy protection it provides, encryption is often necessary to uphold compliance regulations established by multiple organizations or standards bodies. For example, the Federal Information Processing Standards (FIPS) are a set of data security standards that U.S. government agencies or contractors must follow per the Federal Information Security Modernization Act of 2014 (FISMA 2014). Within these standards, FIPS 140-2 requires the secure design and implementation of a cryptographic module.
There are two main types of encryption: symmetric and asymmetric.
Symmetric encryption algorithms use the same key for both encryption and decryption. This means that the sender or computer system encrypting the data must share the secret key with all authorized parties so they can decrypt it. Symmetric encryption is typically used for encrypting data in bulk, as it is usually faster and easier to implement than asymmetric encryption.
One of the most widely used symmetric encryption ciphers is the Advanced Encryption Standard (AES), defined as a U.S. government standard by the National Institute of Standards and Technology (NIST) in 2001. AES supports three different key lengths, which determine the number of possible keys: 128, 192, or 256 bits. Cracking any AES key length requires levels of computational power that are currently unrealistic and unlikely ever to become so. AES is widely used worldwide, including by government organizations like the National Security Agency (NSA).
Asymmetric encryption, also known as public key encryption, uses two distinct but mathematically linked keys – a public key and a private key. Typically, the public key is shared publicly and is available for anyone to use, while the private key is kept secure, accessible only to the key owner. Sometimes the data is encrypted twice: once with the sender’s private key and once with the recipient’s public key, thus ensuring both that only the intended recipient can decrypt it and that the sender is who they claim to be. Asymmetric encryption is thus more flexible for some use cases, since the public key(s) can be shared easily; however, it requires more computing resources than symmetric encryption, and these resources increase with the length of data protected.
A hybrid approach is thus common: a symmetric encryption key is generated and used to protect a volume of data. That symmetric key is then encrypted using the recipient’s public key, and packaged with the symmetrically encrypted payload. The recipient decrypts the relatively short key using asymmetric encryption, and then decrypts the actual data using symmetric encryption.
One of the most widely used asymmetric encryption ciphers is RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. RSA remains one of the most widely used asymmetric encryption algorithms. Like all current asymmetric encryption, the RSA cipher relies on prime factorization, which involves multiplying two large prime numbers to create an even larger number. Cracking RSA is extremely difficult when the right key length is used, as one must determine the two original prime numbers from the multiplied result, which is mathematically difficult.
Modern Encryption Weaknesses
Like many other cybersecurity strategies, modern encryption can have vulnerabilities. Modern encryption keys are long enough that brute-force attacks – trying every possible key until the right one is found – are impractical. A 128-bit key has 2128 possible values: 100 billion computers each testing 10 billion operations per second would take over a billion years to try all of these keys.
Modern cryptographic vulnerabilities typically manifest as a slight weakening of the encryption strength. For example, under certain conditions, a 128-bit key only has the strength of a 118-bit key. While the research that discovers such weaknesses are important in terms of ensuring encryption strength, they are not significant in real-world use, often requiring unrealistic assumptions such as unfettered physical access to a server. Successful attacks on modern strong encryption thus center on unauthorized access to keys.
How Can Encryption Help Your Company?
Data encryption is a key element of a robust cybersecurity strategy, especially as more businesses move towards the cloud and are unfamiliar with cloud security best practices.
CyberRes, a Micro Focus line of business, and its Voltage Data Privacy and Protection portfolio enable organizations to accelerate to the cloud, modernize IT, and meet the demands of data privacy compliance with comprehensive data encryption software like Voltage SecureData and Voltage SmartCipher. CyberRes Voltage portfolio solutions enable organizations to discover, analyze, and classify data of all types to automate data protection and risk reduction. Voltage SecureData provides data-centric, persistent structured data security, while Voltage SmartCipher simplifies unstructured data security and provides complete visibility and control over file usage and disposition across multiple platforms.
Email continues to play a fundamental role in an organization’s communications and day to day business – and represents a critical vulnerability in its defenses. Too often, the sensitive data being transmitted via email is susceptible to attack and inadvertent disclosure. Email encryption represents a vital defense in addressing these vulnerabilities.
In highly regulated environments such as healthcare and financial services, compliance is mandatory but difficult for companies to enforce. This is especially true with email because end-users strongly resist any changes to their standard email workflow. SecureMail delivers a simple user experience across all platforms including computers, tablets, and native mobile platform support with full capability to send secure, originate, read, and share messages. Within Outlook, iOS, Android, and BlackBerry, for example, senders can access their existing contacts and simply click a “Send Secure” button to send an encrypted email. The recipient receives secure messages in their existing inbox, just as they would with clear text email
Encrypting Big Data, Data Warehouses & Cloud Analytics
Voltage for Cloud Analytics helps customers reduce the risk of cloud adoption by securing sensitive data in cloud migration and safely enables user access and data sharing for analytics. The encryption and tokenization technologies help customers comply with privacy requirements by discovering and protecting regulated data at rest, in motion and in use in cloud warehouses and applications. These solutions also minimize multi-cloud complexity by centralizing control with data-centric protection that secures sensitive data wherever it flows across multi-cloud environments.
Integration of with cloud data warehouses (CDWs), such as Snowflake, Amazon Redshift, Google BigQuery, and Azure Synapse, enables customers to conduct high-scale secure analytics and data science in the cloud using format-preserved, tokenized data that mitigates the risk of compromising business-sensitive information while adhering to privacy regulations.
PCI Security Compliance and Payment Security
Enterprises, merchants, and payment processors face severe, ongoing challenges securing their networks and high-value sensitive data, such as payment cardholder data, to comply with the Payment Card Industry Data Security Standard (PCI DSS) and data privacy laws. Simplify PCI security compliance and payment security in your retail point-of-sale, web, and mobile eCommerce site with our format-preserving encryption and tokenization.
Voltage Secure Stateless Tokenization (SST) is an advanced, patented, data security solution that provides enterprises, merchants, and payment processors with a new approach to help assure protection for payment card data. SST is offered as part of the Micro Focus SecureData Enterprise data security platform that unites market-leading Format-Preserving Encryption (FPE), SST, data masking, and Stateless Key Management to protect sensitive corporate information in a single comprehensive solution.
Micro Focus' Voltage Structured Data Manager and Voltage SecureData, named the ‘Leader’ in Dynamic Data Masking!
Recognition as the leader in Dynamic Data Masking demonstrates the value of the out of the box tools offered by the Voltage Data Privacy and Protection portfolio including performance, scale, data classification, masking techniques, reporting, legacy platform support, and support for compliance requirements such as GDPR, CRPA, and HIPAA.