Data encryption is a computing process that encodes plaintext/cleartext (unencrypted, human-readable data) into ciphertext (encrypted data) that is accessible only by authorized users with the right cryptographic key. Simply put, encryption converts readable data into some other form that only people with the right password can decode and view – and is a vital component of digital transformation.
Whether your business produces, aggregates, or consumes data, encryption is a key data privacy protection strategy that keeps sensitive information out of the hands of unauthorized users. This page provides a very high-level view of what encryption is and how it works.
How Does Encryption Work?
Encryption uses a cipher (an encryption algorithm) and an encryption key to encode data into ciphertext. Once this ciphertext is transmitted to the receiving party, a key (the same key, for symmetric encryption; a different, related value, for asymmetric encryption) is used to decode the ciphertext back into the original value. Encryption keys work much like physical keys, which means that only users with the right key can ‘unlock’ or decrypt the encrypted data.
Encryption vs. Tokenization
Encryption and tokenization are related data protection technologies; the distinction between them has evolved.
In common usage, tokenization typically refers to format-preserving data protection: data protection that substitutes a token – a similar-looking but different value – for individual sensitive values. Encryption typically means data protection that converts data – one or more values, or entire data sets – into gibberish that looks very different from the original.
Tokenization may be based on various technologies. Some versions use format-preserving encryption, such as NIST FF1-mode AES; some generate random values, storing the original data and the matching token in a secure token vault; others produce tokens from a pre-generated set of random data. Following the definition of encryption above, tokenization of any sort is clearly a form of encryption; the difference is tokenization’s format-preserving attribute.
What are Types of Encryption?
There are two main types of encryption: symmetric and asymmetric.
Symmetric encryption algorithms use the same key for both encryption and decryption. This means that the sender or computer system encrypting the data must share the secret key with all authorized parties so they can decrypt it. Symmetric encryption is typically used for encrypting data in bulk, as it is usually faster and easier to implement than asymmetric encryption.
One of the most widely used symmetric encryption ciphers is the Advanced Encryption Standard (AES), defined as a U.S. government standard by the National Institute of Standards and Technology (NIST) in 2001. AES supports three different key lengths, which determine the number of possible keys: 128, 192, or 256 bits. Cracking any AES key length requires levels of computational power that are currently unrealistic and unlikely ever to become so. AES is widely used worldwide, including by government organizations like the National Security Agency (NSA).
Asymmetric encryption, also known as public key encryption, uses two distinct but mathematically linked keys – a public key and a private key. Typically, the public key is shared publicly and is available for anyone to use, while the private key is kept secure, accessible only to the key owner. Sometimes the data is encrypted twice: once with the sender’s private key and once with the recipient’s public key, thus ensuring both that only the intended recipient can decrypt it and that the sender is who they claim to be. Asymmetric encryption is thus more flexible for some use cases, since the public key(s) can be shared easily; however, it requires more computing resources than symmetric encryption, and these resources increase with the length of data protected.
A hybrid approach is thus common: a symmetric encryption key is generated and used to protect a volume of data. That symmetric key is then encrypted using the recipient’s public key, and packaged with the symmetrically encrypted payload. The recipient decrypts the relatively short key using asymmetric encryption, and then decrypts the actual data using symmetric encryption.
One of the most widely used asymmetric encryption ciphers is RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. RSA remains one of the most widely used asymmetric encryption algorithms. Like all current asymmetric encryption, the RSA cipher relies on prime factorization, which involves multiplying two large prime numbers to create an even larger number. Cracking RSA is extremely difficult when the right key length is used, as one must determine the two original prime numbers from the multiplied result, which is mathematically difficult.
What is the Purpose of Encryption?
Encryption plays a vital role in protecting sensitive data that is transmitted over the Internet or stored at rest in computer systems. Not only does it keep the data confidential, but it can authenticate its origin, ensure that data has not changed after it was sent, and prevent senders from denying they sent an encrypted message (also known as nonrepudiation).
In addition to the robust data privacy protection it provides, encryption is often necessary to uphold compliance regulations established by multiple organizations or standards bodies. For example, the Federal Information Processing Standards (FIPS) are a set of data security standards that U.S. government agencies or contractors must follow per the Federal Information Security Modernization Act of 2014 (FISMA 2014). Within these standards, FIPS 140-2 requires the secure design and implementation of a cryptographic module.
Another example is the Payment Card Industry Data Security Standard (PCI DSS). This standard requires merchants to encrypt customer card data when it is stored at rest, as well as when transmitted across public networks. Other important regulations many businesses must follow include The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).
Modern Encryption Weaknesses
Like many other cybersecurity strategies, modern encryption can have vulnerabilities. Modern encryption keys are long enough that brute-force attacks – trying every possible key until the right one is found – are impractical. A 128-bit key has 2128 possible values: 100 billion computers each testing 10 billion operations per second would take over a billion years to try all of these keys.
Modern cryptographic vulnerabilities typically manifest as a slight weakening of the encryption strength. For example, under certain conditions, a 128-bit key only has the strength of a 118-bit key. While the research that discovers such weaknesses are important in terms of ensuring encryption strength, they are not significant in real-world use, often requiring unrealistic assumptions such as unfettered physical access to a server. Successful attacks on modern strong encryption thus center on unauthorized access to keys.
How Can Encryption Help Your Company?
Data encryption is a key element of a robust cybersecurity strategy, especially as more businesses move towards the cloud and are unfamiliar with cloud security best practices.
CyberRes, a Micro Focus line of business, and its Voltage Data Privacy and Protection portfolio enable organizations to accelerate to the cloud, modernize IT, and meet the demands of data privacy compliance with comprehensive data encryption software like Voltage SecureData and Voltage SmartCipher. CyberRes Voltage portfolio solutions enable organizations to discover, analyze, and classify data of all types to automate data protection and risk reduction. Voltage SecureData provides data-centric, persistent structured data security, while Voltage SmartCipher simplifies unstructured data security and provides complete visibility and control over file usage and disposition across multiple platforms.