For the past twenty years, the Internet went from an invention to a recognized human right.
That fact in and out of itself should speak about the exponential increase of its role in our lives. From being a luxurious technology, through window-to-other-worlds, to an information medium, and finally into a need-to-exist.
We constantly find new ways to incorporate technology in every aspect of business, government, and human relationships. It bridges continents, brings people together, helps the environment, popularizes ideas that change the world.
Users log on to read the news, learn skills, work, shop, vote, communicate and have fun.
The internet houses large amounts of information and traffics a significant portion of it every day. The question of access is becoming crucial.
When you live your life online, you need to protect your communication with the network.
You probably largely leave your protection up to the creators of your operation system, your app, the default security protocols and devices you are using.
Here is some news though: not every encryption method is equally reliable. Read the article to learn more about the most popular encryption methods and their relative security.
THE IMPORTANCE OF ENCRYPTION
With using more and more technologies in our lives we are generating large amounts of data, a great share of which is sensitive data. If someone else gets hold of that data you may be at risk of financial fraud or identity theft.
Let us draw a parallel with real life.
Let us say you are going shopping. You visit the store whenever you want, some of the staff may or may not know your name if you are a regular. You choose your products and proceed to the checkout. No one from the store can get a hold of your money until you draw out your wallet and you hand the cashier your cash. In this situation you are relatively safe.
Only if you have a thief in your close vicinity, they may get a hold of your wallet. Stealing your wallet will give them access to your cash which they can use with little consequence.
In the digital world, you may visit the online store whenever you want, but if you have shopped there before they probably have your personal information already – name, address, and quite possibly your phone number. They have it regardless of whether you are logged in or you are not.
If you have saved your credit card with that shop they have your financial information at all times, too (whereas when you shop in a brick and mortar store your wallet will only be at risk while you are there, shopping).
Instead of your money being at risk only from people in your immediate vicinity, you are now at risk from any hacker, who has access to the network, and at all times.
Encryption changes your information so that it is incomprehensible and therefore unusable to anyone who does not have the key.
Let’s say someone tries to steal your personal information, your name, if it was encrypted. It would be the equivalent of going into the store and asking for your name, but anyone who can give them your name speaks another, unknown language.
If they get a hold of your digital wallet it would be the equivalent of acquiring your cash, but your banknotes are in a currency they cannot use unless they go to the exchange bureau that you own, to convert it.
HOW ENCRYPTION WORKS
Encryption works by manipulating a message via a rule to the point the original message is unrecognizable. The ‘rule’ is the key.
Here is a very simple example of encryption:
Let’s say you want to encrypt the message ‘Hello’. One rule you can use is substitute each letter with the next letter from the alphabet. Your message will then become ‘Ifmmp’. Because you are adding +1 to the alphabetical sequence, your keyword will be ‘1’. If you were substituting each letter with the letter standing 3 spaces behind it, your message would end up looking like ‘Ebiil’ and your key would be ‘-3’. If you consecutively applied both rules, your key would look like this ‘1-3’
And while to you that change would be major and you cannot probably decipher that message immediately, when someone has an incentive to break your cypher, and they know anything about cryptography, they can get to your message in a few seconds, just by using pen and paper.
What is more, there is software that will try the most popular keys (starting with 1-digit codes) to decipher your message.
The point is, the more sensitive the information is, the more complex encryption is required. Especially if revealing the information bears financial risk.
5 TOP ENCRYPTION ALGORITHMS
Triple DES or 3DES is the successor to the DES algorithm, or the Data Encryption Standard.
DES is an obsolete symmetric-key method of data encryption. It was phased out because of its over-exploited vulnerabilities.
Originally, DES used to be a very popular encryption method. It is a creation of the engineers in IBM, from back in 1970. In 1977 it was adopted by the government of the USA as an encryption standard – the Federal Information Encryption Standard. DES was used for protecting unclassified but sensitive data.
It was the first algorithm approved by the federal government for public disclosure. It gained popularity fast among businesses dealing with confidential information – financial institutions, telecommunication companies, other software and Internet providers, etc.
DES encrypts data by grouping it into blocks and encoding them simultaneously by applying the key to the entire block – instead of bit by bit. The blocks are always 64-bit.
The key could be applied to all blocks simultaneously or another model could be used where the encryption of one block is made dependent on the result of the previous one.
In DES, the same key is used to encipher and decipher the message. Decoding is nothing more than applying the same steps in reverse direction and reverse order.
What is more, the key options are limited. The keys are always 64-bit, however, 8 parts of the key will be limited in variation in order to be used for key validation, which makes it an equivalent of a 56-bit key. Which means, the choice of encryptions keys is limited and therefore all information, encrypted via DES is prone to brute force attacks.
Because of this serious flaw, scientists had concerns about DES being adopted as the standard even in the 1970’s. However, it remained a very popular encryption method until the late 1990’s.
The progress in technology, and more specifically in processing power made it possible for a DES-encrypted message to be brute force hacked in less than 24 hours.
It is important to state that some systems still rely on DES encryption only, and using those systems is to be avoided.
3DES is one of the successors of DES, and the one which to the greatest extent preserves its original functionality. It was first made public in 1998 and is a simple variation of DES, where each block is encrypted via DES three times each. Triple DES uses three independent keys, with three separate 56-bit DES keys, or a total of 168 bits. Because of the consecutive encryption, there is a meet-in-the-middle vulnerability, which decreases the protection to the equivalent to a 112-bit key.
With its more complex way of working, the 3DES encryption method is slower.
Still, the effectiveness of 3DES is considered to give enough security that it is approved to be used up until 2030.
Triple DES is used for online payments, by apps in the Microsoft Office package, as well as by Mozilla’s Firefox and Thunderbird.
The algorithm is named after its designers. In the 1970’s Ron Rivest, Adi Shamir, and Leonard Adleman: Rivest-Shamir-Adleman came up with the encryption method while working for the Massachusetts Institute of Technology.
In contrast to DES, RSA is asymmetric, which means the system is not using the same key for decryption and encryption. The algorithm works via generating a public and a private key. The public and private key are not identical, but are linked to each other.
There is no difference which key is used for encryption and which is used for decryption. Both the private and the public key can be used to encode the message and the opposite key will have to be applied to decode it.
In fact, the difference is elsewhere: the public key, as its name suggests, can be introduced to the public, while the private key is the ‘secret‘.
The high level of security RSA provides is ensured by the difficulty of factoring long strings, the product of factoring two large prime numbers.
Both the private and the public keys are generated via multiplying two large numbers, creating a modulus. The modulus is used by both the public and the private key. The public key is created via the modulus, adding a public exponent, usually 65537. And the private key is created by the modulus, and a private exponent.
The computational difficulty of large integers makes RSA significantly safer than DES. As explained earlier, DES works with keys, equivalent to 56-bit, 3DES works with keys, equivalent to 112-bit, and RSA works with keys that are 1024- or 2048-bits long. Still, experts think 1024-bit keys are relatively vulnerable. The government and the IT industry recommend using 2048-bit keys only.
RSA is used for SSH authentication, for SSL encryption, and for protecting sensitive data in various browsers.
Blowfish is considered an alternative to the DES and RSA encryption methods. It was designed back in 1993 by Bruce Schneier as a general-purpose algorithm, with that exact intend. The security of the cipher has been tested and proven in time.
Like DES, the technology of Blowfish is symmetric, which means one private key (or just key) is used to encrypt an entire block of data. The size of the blocks is 64-bit, and he length of the key may vary from a 32-bits to a 448-bit key. A full encryption has never been broken.
With the ability to use shorter keys, the Blowfish method is an alternative that is considerably faster than its two competitors. The exception is changing keys. Each change of the key requires a pre-processing, taking resources equivalent to encrypting 4KB of text.
Blowfish is not patented. Its flexibility, speed and security gives it a competitive edge against its alternatives. It is can be used and explored free of charge. Therefore it is highly popular in cryptographic software.
Twofish is a successor of another favorite encryption method – Blowfish. It is a brain-child of the same designer, Bruce Schneier, and it is another candidate to replace the Data Encryption Standard.
Twofish, like its predecessor Blowfish, uses block cyphering. It symmetric, which again means the same key is used for enciphering and deciphering. Twofish divides the message that needs encryption into 128-bit blocks and applies the key simultaneously to all blocks. The size of the block is yet another difference with Blowfish.
Unlike its predecessor, Twofish only uses keys for the encryption of data of up to 256-bit. Each block’s encryption put into a complex relation to the result of the encryption of the previous block.
‘The algorithm might look haphazard, but we did everything for a reason’. – says Bruce Schneier, the co-founder – ‘Nothing is in Twofish by chance. Anything in the algorithm that we couldn’t justify, we removed. The result is a lean, mean algorithm that is strong and conceptually simple.’
Encoding with Twofish is popular for software and devices that have relatively low processing resources at their disposal, such as SIM cards.
Brute-forcing a Twofish encrypted message is considered to be unreasonable and impractical. Meaning the efforts, resources and time the hacker would have to allocate would not be worth the end result.
Twofish is considered to be fast, flexible, and at the same time, to have a conservative design.
Just like Blowfish, the encryption method has not been patented and is free to use.
The Advanced Encryption Standard was originally named Rijndael. It was designed by the Belgian cryptographers Vincent Rijmen and Joan Daemen back in 1998 and it is named after them.
In 1997, the National Institute of Standards and Technology (NIST) opened a contest for cryptographers to come up with algorithms to substitute the so-far popular standard (DES) because of the increasing concerns of the level of protection it guarantees, with the raising level of processing power and its vulnerability from brute-force attacks due to the limited choice of encryption keys.
NIST elected Rijndael as the new standard. It was declassified and was deemed ‘capable of protecting sensitive government information well into the next century’.
It became popular for its easy implementation in hardware, as well as restricted environments.
AES is yet another symmetric encryption algorithm. NIST’s requirements for the contest contributed to several specifics of AES. For example:
- Each contestant was supposed to be able to accept keys sized at 128, 192, and 256 bits.
- The algorithm was supposed to be open for public analysis and comments
- It was pre-tested for withstanding attacks. Each competitor was scored against the competition, with the security score having the heaviest weight for winning the contest.
- High computational and memory efficiency – if the algorithm was to be released as the standard it was supposed to come at low cost.
- Flexibility, easy implementation and simplicity.
Rijndael was elected the winner and was suggested in 2000 to become the new federal government standard. Since 2002 Rijndael, Advanced Encryption Standard, became the new standard.
AES is considered to be more effective than its predecessors, DES and 3DES, using a more complex algorithm and a longer key. The decryption works faster, which makes it a better alternative for a cypher in routers, firewalls, security protocols and in general any applications that use encryption.
AES is similar to Twofish in the sense it is symmetric and it works with 128-bit blocks. Each cypher – the AES-128, -192, and -256 uses respectively 128-, 192-, and 256-bit keys. Originally Rijndael could work with different block sizes and key sizes, but this flexibility was not included when it was introduced as the standard.
AES works with enciphering rounds. Each round is a sequence of a number of processing steps, which could be a combination of substitution, transposition and creating relationships between the input plaintext and output.
The number of applicable rounds vary with 10 rounds applied with 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys.
The AES encryption cipher is using table-based substitution of data by rows and columns. The substitution rule is dictated by different part of the encryption key.
Ever since its recognition as the new standard, the AES has been explored for its vulnerabilities. Brute-force attacks and new techniques have been employed to discover new ways to attack the algorithm. Some attacks have been successful against the more simple versions of Rijndael – shorter keys, fewer rounds.
AES is widely accepted to be a reliable and practical. IDEA is a newer version of a previously used cipher – the Proposed Encryption Standard (PES).
Watch this fun video to learn more about the evolution of cryptography from simple substitution to the future of encryption – quantum cryptography:
The International Data Encryption Algorithm (IDEA) was created by Xuejia Lai and James Massey and is another symmetric encryption algorithm, first described in 1991.
It uses 64-bit blocks and 128-bit keys. Like AES, IDEA uses rounds of encryption. Unlike AES, IDEA also adopts a methodology called half-rounds. Each round uses 6 16-bit sub-keys. Each of the half-rounds uses 4 sub-keys. The first 8 sub-keys are directly extracted from the encryption key, while the other 8 are created based on rotation.
Because of the essence of IDEA’s schedule, it naturally generates a certain amounts if zero-rich keys which lead to randomly weak encryption. Those are reasonably rare, which, in practice leave the algorithm pretty safe. The probability of generating a weak key is considered to be negligibly low.
Bruce Schneier, the founder of Blowfish and Twofish agrees:
‘In my opinion, it is the best and most secure block algorithm available to the public at this time.’
Unlike most of our 5 winners, the IDEA algorithm has been patented and has only been available for free for non-commercial rules.
Secure Hash Algorithm 1 was created in 1995 but has never been implied as a standard because its vulnerabilities became well known as early as 10 years after its creation.
The NIST, the same organization that applied AES as the standard, banned using SHA 1 by federal agencies back in 2010, and no digital signature agency can use the algorithm since 2016.
As far back as 2012, researchers in cryptography have taken into account the raising level and decreasing price of processing power and estimated that one practical attack against the algorithm could cost the hackers as little as $700 thousand simply using commercial cloud computing services in 2015 and $173 thousand in 2017 which makes the attack reasonably affordable. If the incentive holds a greater potential gain than, say, $200 thousand, one could argue it is worth the effort.
As Computerworld reports,
’ …despite these efforts to phase out the use of SHA-1 in some areas, the algorithm is still fairly widely used to validate credit card transactions, electronic documents, email PGP/GPG signatures, open-source software repositories, backups and software updates.’
According to the Ponemon Institute and a study, including a survey, funded by IBM, stolen data has cost the companies an average of $3.5 million in 2014, which is a 15% increase from the previous 2013.
The institute recommends implementing preventative measures and to be ready for incident response and crisis management.
Most often, the source of the damage would be an insider or a malicious attack. Malicious code and sustained probes are also becoming a popular concern because of the increased number of those threats.
‘Companies estimate that they will be dealing with an average of 17 malicious codes each month and 12 sustained probes each month. Unauthorized access incidents have mainly stayed the same and companies estimate they will be dealing with an average of 10 such incidents each month.’
When the respondents of the survey were asked about the amount of investment they are pouring into security, the response was it costs an average of $7 million a year, even though the companies would like to increase it to $14 million a year to experience more confidence in fulfilling their strategies and mechanisms.
Complex encryption is a relatively easy way to bring down the cost and minimize the damages of data breaches.