The 411 on encryption

What is encryption, and how is it used in our daily lives to protect our data and protect our conversations from prying eyes?

Blue Coat Photos (CC BY-SA 2.0)

We hear it almost every day, splashed on front pages and buried deep in articles on technology, politics, foreign relations and government operations; each time there is a new exposure of government privacy invasion, or whenever a tragedy strikes a part of the world, the call for and against encryption makes its way to the forefront of the world stage. And for good reasons -- encryption is not a clear-cut issue; it blurs boundaries between political allies and enemies, pits technologists and privacy advocates against governments and world organizations for peace, promises the freedoms of privacy for individuals and instills the fear of closing our collective eyes to malicious actors intent on bringing harm to the world.

It’s no wonder the average person has no idea what to make of it.   

Decoding encryption

Encryption, in its simplest form, is the art of transforming a message into something decipherable only to its intended recipient. If you’ve raised children, or witnessed parents of children spelling out words like i-c-e-c-r-e-a-m in order to avoid detection before the broccoli has been eaten from the dinner plate, then you’ve engaged in encryption.  

Julius Caesar introduced one of the early forms of encryption in order to communicate with his generals in the field. Dubbed the “Caesar cipher,” this method of encryption shifted letters a certain number of spots in the alphabet left or right, and made for a jumbled set of text that was unreadable unless the recipient knew about the shift operation. This latter piece of knowledge is commonly referred to as the “key,” and knowing or possessing the key means that a sender can “encrypt” a message and, in turn, the recipient could “decrypt” that same message by reversing the operations using the key. So, the operation itself is the “cipher,” and the “key” is the variable secret value that is applied to the cipher in order to encrypt and decrypt the message.
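The cipher and key described above, as an added Python example that is not part of the original article. It goes one step further and tries every possible key, which shows how small this cipher's keyspace is; the sample message and the short word list are constructed for illustration.

```python
import string

COMMON_WORDS = {"the", "and", "of", "to", "in", "is", "at"}  # constructed mini word list

def shift_text(text: str, key: int) -> str:
    """The cipher: move each letter `key` places along the alphabet."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)  # spaces and punctuation are left alone
    return "".join(out)

def encrypt(plaintext: str, key: int) -> str:
    return shift_text(plaintext, key)

def decrypt(ciphertext: str, key: int) -> str:
    return shift_text(ciphertext, -key)  # reverse the same operation with the same key

def all_decryptions(ciphertext: str) -> dict:
    """Only 25 useful keys exist, so every one of them can be tried."""
    return {key: decrypt(ciphertext, key) for key in range(1, 26)}

def guess_key(ciphertext: str) -> int:
    """Pick the key whose output contains the most common English words."""
    def score(text: str) -> int:
        return sum(word in COMMON_WORDS for word in text.lower().split())
    candidates = all_decryptions(ciphertext)
    return max(candidates, key=lambda k: score(candidates[k]))

if __name__ == "__main__":
    message = "Send the legion north"  # constructed sample message
    secret = encrypt(message, 3)
    print(secret)
    recovered_key = guess_key(secret)
    print(recovered_key, decrypt(secret, recovered_key))
```

A secret that falls to 25 guesses is the reason modern ciphers rely on keys drawn from an astronomically larger space.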

How we use encryption today

There are thousands of examples of ciphers from history, which make for a fascinating look into the ancient world of secrets, espionage and war. But in today’s world, rather than worrying about hiding secrets from warring armies, most of us are more worried about individual protection, and most especially about things like identity theft, blackmail and cyberstalking.

In order to hide our secrets in a world where massive computing power sits at our desk or in the cloud, much more complex and difficult ciphers had to be constructed to make sure secrets could be hidden from the continuous assault of programs and scripts operating 24/7 to target encrypted data and guess at the cipher and key.

Today, when you swipe a credit card or visit a website and enter personal information, you are using encryption. Most websites and payment terminals support a form of encryption that prevents anyone who is attempting to tap into the stream of exchange between you and the backend service from deciphering, or decrypting, the data in that exchange.

In a similar manner, when you configure your smartphone appropriately, the data that is stored locally or in the cloud is encrypted just for you, preventing not only malicious actors -- but also the smartphone company, mobile carrier and your Wi-Fi providers -- from decrypting your data.

Mobile Encryption

Because the smartphone is so powerful and multi-modal, encryption takes on a number of different forms and roles. 

As mentioned before, one way in which encryption occurs is by accessing protected websites, so-called “secure sites” that are often designated by a lock in the address bar and the leading characters “https.” This is “transport layer” encryption, the act of scrambling the details of the data being transported between the mobile and the web service in such a way that only the two endpoints can understand them. The “key” to this encryption is provided by the server to the mobile browser so that both sides can simultaneously encrypt and decrypt the exchange.

[Note: Yes, it is far more complex than I am making it out to be; the details would consume a hundred pages.] 

Another form of smartphone encryption -- used to protect such data as images and personal info stored on the mobile device -- is a method of encryption that uses your password as the basis for the encryption “key.” Using a password means that you, and only you, can decrypt this data (giving you control of your images, videos and personal data). To simplify the operations and avoid total confusion, most new smartphones are designed to allow for everything to be encrypted when the phone is in its locked state, and everything to be decrypted when you unlock the phone using your password, PIN or thumbprint. This form of encryption is known generally as “password-based key derivation” encryption.

[Note: Again, details are vastly more complex than space allows.]
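A simplified sketch of password-based key derivation, added here as an example and not taken from any phone vendor's implementation. It uses PBKDF2 from Python's standard library; the iteration count, the "key-check" label and the record layout are assumptions, and real devices also mix in hardware-bound secrets that this sketch omits.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor: every passcode guess costs this many rounds

def derive_key(passcode: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a short passcode into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt,
                               iterations, dklen=32)

def key_check(key: bytes) -> bytes:
    """A value that proves a key is correct without revealing the key itself."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()

def enroll(passcode: str) -> dict:
    """Set a passcode. Only the salt and check value are stored, never the
    passcode or the derived key."""
    salt = os.urandom(16)  # random per device, so equal passcodes give different keys
    key = derive_key(passcode, salt)
    return {"salt": salt, "iterations": ITERATIONS, "check": key_check(key)}

def unlock(passcode: str, record: dict):
    """Return the data-encryption key if the passcode is right, otherwise None."""
    key = derive_key(passcode, record["salt"], record["iterations"])
    if hmac.compare_digest(key_check(key), record["check"]):
        return key
    return None

if __name__ == "__main__":
    record = enroll("4821")               # constructed sample passcode
    print(unlock("4821", record).hex())   # correct passcode: key is re-derived
    print(unlock("0000", record))         # wrong passcode: None, nothing decrypts
```

The key exists only while the device is unlocked; when it locks, the key is discarded and must be derived again from the passcode.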

Smartphone operating systems also provide a robust set of libraries which many applications use to create their own encryption schemes. While the tools remain the same, and are standard throughout the industry, the use of these tools can vary from app to app depending on the level of complexity and the sensitivity of the data the app is trying to protect. There are many examples of apps using encryption today, including Open Whispers, OneOne and SplashID, which manage to encrypt text and voice communication, store passwords securely and manage local and remote file encryption.

There are even dedicated smartphones in the market that provide complete encryption and privacy solutions, like the BlackPhone from SilentCircle. BlackPhone uses application-specific encryption, within the context of the applications themselves, which means that data exchanges using apps are encrypted in one manner, while anything outside of an app may use completely different encryption, or none at all.

Protecting yourself with personal mobile encryption

There are a number of ways in which you can protect yourself by leveraging some of the forms of encryption described above. 

At its most basic level, when you are browsing the mobile web, keep your eye on the “lock icon” and make sure that, if or when you do decide to exchange personal or sensitive information with a mobile website, you are doing so with that lock icon displayed.   

Using a secure passcode or PIN on most new smartphones means that you are using the second form of encryption mentioned, password-based key derivation. You can find the indicator in your iPhone’s “Settings>General>Passcode” screen where a message is displayed indicating "Data protection is enabled." Similar operations are available on Android devices, and you can find myriad options for locking Android devices here. Consider also enabling multiple factors of authentication, such as the thumbprint used in iPhone’s TouchID and Android's Fingerprint Scanner, for an added layer of protection so that malicious actors who get hold of your device cannot open it through brute-force passcode guessing.

If you have a trusted circle of friends or contacts with whom you’d like to communicate, explore the options for downloading a trusted and approved third-party application that encrypts those communications. Messages exchanged between parties using applications like Signal, SureSpot and Wickr are encrypted endpoint to endpoint, meaning that anywhere in the middle -- including at the third-party’s servers -- the messages cannot be decrypted because the key is not in their possession. For a full list of these types of apps and their relative security and privacy profiles, check out the Electronic Frontier Foundation Scorecard.

Encryption’s drawbacks

While encryption promotes the privacy of the individual and makes it difficult for thieves to steal your data and identity, it also means that less information is shared with third-party services that may be trying to create a better experience for you. Information generally collected during a web search, or consumer information shared with a local merchant, is rendered useless when it’s encrypted, so value-added offers and customized services cannot be provided.

While many people might find this a blessing, the truth is the world runs on commerce, and many “free” services we get today are funded by targeted advertising and consumer profiling, so we have to be aware that if we encrypt everything everywhere, we’ll likely also need to live with the consequences of losing opportunities for deals and offers, our relationship with trusted brands, and possibly paying for the same services we get “free” today.

In the end, only you can really define the appropriate level of protection using encryption that is right for your needs.  But hopefully this has given you enough insight into the different methods and applications of encryption in your everyday life to compel you to do a bit more research and help yourself stay safe out there.

Ludovic Ferre of Privacy Canada took the photo of the Lorenz machine at the top of the page.

Copyright © 2015 IDG Communications, Inc.
