Data Encryption Explained

Amber Boehm - May 11, 2023

Data encryption is a fundamental building block of cybersecurity: it ensures that data cannot be read by anyone who does not hold the key and, when combined with integrity protection, that it cannot be altered without detection, whether at rest or in transit. As more data moves online, data encryption plays an increasingly crucial role in cybersecurity. This is especially applicable to sectors dealing with sensitive data, including finance, healthcare, and government.

In this post, we’ll provide an overview of data encryption—what it is, the benefits it brings, and the different types of data encryption in use today.

What Is Data Encryption?

Data encryption converts plaintext into ciphertext to protect it from unauthorized access. A cryptographic algorithm (a cipher) transforms the readable data under a secret key into a form that is unintelligible to anyone who does not hold the corresponding decryption key. To an outside party the ciphertext looks like random bytes, and with a modern cipher and an adequately long key, recovering the plaintext by trying every possible key (a brute-force attack) is computationally infeasible.

What Are the Benefits of Encrypting Data?

Data encryption is essential to maintaining data privacy, protecting confidentiality, and complying with regulations. First, it keeps sensitive information out of the hands of unauthorized parties. Ciphertext is unreadable without the decryption key, so data exfiltrated in a breach or exposed through an accidental leak is useless to an attacker, provided the keys were not stored alongside it and taken too. Encryption therefore limits the impact of data theft and loss rather than preventing the theft itself, which is why key management matters as much as the choice of cipher.

Second, encrypting data helps protect confidentiality. For example, virtual private networks (VPNs) encrypt traffic between the user's device and the VPN endpoint, so the user's internet service provider can see only that a VPN is in use, not the content or destinations of the traffic inside it (the VPN provider itself can, so a VPN moves trust rather than removing it). In other industries, such as healthcare, encrypted data helps keep private information safe.

Last, data encryption helps organizations dealing with sensitive data to meet the regulatory and contractual requirements of their sector. In the U.S., for example, service organizations that process customer data are commonly asked by their customers to undergo System and Organization Controls (SOC 2) audits, and satisfying SOC 2's confidentiality and privacy criteria in practice means encrypting sensitive data both in transit and at rest.

That said, even if compliance measures weren’t required, organizations would still benefit from encryption. Organizations that want to build customer trust must take data protection seriously, which is where robust encryption standards play a significant role.

Symmetric and Asymmetric Data Encryption

There are two major types of encryption, symmetric and asymmetric. The core difference between the two is whether the key used for encryption is the same as the key used for decryption.

Symmetric encryption uses the same key to both encrypt and decrypt data, and it is fast: modern CPUs encrypt gigabytes per second using hardware AES instructions. Its main disadvantage is key distribution. Every party that must decrypt needs a copy of the key, so an attacker who steals it can decrypt every message encrypted under it, and there is no way to hand the key to a new party without an already-secure channel. A bare cipher mode such as AES-CBC or AES-CTR also provides no integrity check: the recipient cannot tell whether the ciphertext was altered on the way. Authenticated modes such as AES-GCM or ChaCha20-Poly1305 (or a separate message authentication code) close that gap and reject modified ciphertext, but because every party holds the same key, symmetric cryptography alone still cannot prove which of them produced a given message; that requires the digital signatures described below.

Examples of symmetric encryption algorithms include the Advanced Encryption Standard (AES), the current default choice, and the obsolete Data Encryption Standard (DES).
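The tamper-detection point above is easy to see in code. The following is an added example, not code from the original post or from CrowdStrike: it uses Go's standard library AES-256-GCM, an authenticated mode, to encrypt a constructed sample record, binds the record identifier as associated data, and shows that a single flipped ciphertext bit, a different record identifier, or a different key causes decryption to be rejected rather than to return garbage. The record contents and identifier are made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh random 32-byte key for AES-256.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// seal encrypts plaintext with AES-GCM under key. A random 96-bit nonce is generated per
// message and prepended to the output; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err // e.g. a key that is not 16, 24 or 32 bytes
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || 16-byte authentication tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. It returns an error if the key, nonce, ciphertext, tag or aad differ
// from what was sealed; no plaintext is ever returned for a failed check.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record. The record ID is bound as associated data so that a
	// ciphertext cannot be copied onto a different record without detection.
	record := []byte(`{"patient":"A. Example","result":"negative"}`)
	sealed, err := seal(key, record, []byte("record-42"))
	if err != nil {
		panic(err)
	}
	pt, err := open(key, sealed, []byte("record-42"))
	fmt.Printf("genuine:      %s (err=%v)\n", pt, err)

	tampered := append([]byte(nil), sealed...)
	tampered[12] ^= 0x01 // flip one bit of the first ciphertext byte (12 = nonce size)
	_, err = open(key, tampered, []byte("record-42"))
	fmt.Println("tampered:    ", err)

	_, err = open(key, sealed, []byte("record-43"))
	fmt.Println("wrong record:", err)

	other, _ := newKey()
	_, err = open(other, sealed, []byte("record-42"))
	fmt.Println("wrong key:   ", err)
}
```

A fresh random nonce per message is mandatory: AES-GCM loses both confidentiality and integrity if a nonce is ever reused under the same key, so never derive nonces from a counter that can be reset or shared between hosts. Prepending the nonce to the ciphertext, as here, is the conventional layout.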

On the other hand, asymmetric encryption uses two different but mathematically linked keys, generated together as a pair: a public key, which is used to encrypt data, and a private key, which is never shared and is used to decrypt it.

Because the two keys are linked through mathematical problems that are easy in one direction and hard to reverse (integer factoring for RSA, the discrete logarithm on an elliptic curve for ECC), asymmetric operations are orders of magnitude slower than symmetric ones, which is why they are used to exchange or wrap symmetric keys rather than to encrypt bulk data. The public key only encrypts (and verifies signatures), so disclosing it reveals nothing that helps an attacker decrypt; it can be published freely. What must still be protected is its binding to an identity: an attacker who can substitute their own public key for the intended recipient's will receive, and be able to decrypt, everything sent to it, which is why public keys are distributed inside signed certificates. As long as the holder of the private key keeps it secure, that party will be the only one able to decrypt messages.

Additionally, asymmetric cryptography provides sender authentication and message integrity through digital signatures. The sender computes a cryptographic hash of the message and signs that digest with their private key. The recipient recomputes the hash and verifies the signature against the sender's public key; a valid signature proves that the message was signed by the holder of that private key and has not been altered since. Because only one party holds the private key, a signature also gives non-repudiation, which a shared symmetric key cannot provide.
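Hash-then-sign, worked as an added example in Go (not code from the original post): ECDSA over the P-256 curve with SHA-256, showing a genuine signature verifying, an altered message failing, and a signature checked against the wrong public key failing. The message and the two key holders are constructed for the example; the second key pair stands in for an impostor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sign hashes msg with SHA-256 and signs the 32-byte digest with a P-256 private key.
// The returned signature is the ASN.1 DER encoding of the (r, s) pair.
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verify recomputes the digest of msg and checks sig against the signer's public key.
// Any change to msg, sig or the key makes it return false.
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Two constructed key holders: the legitimate sender and an impostor.
	sender, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	impostor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	msg := []byte("pay 100.00 to account 12345") // constructed sample message
	sig, err := sign(sender, msg)
	if err != nil {
		panic(err)
	}
	altered := []byte("pay 900.00 to account 12345")
	fmt.Println("genuine message, sender's key:  ", verify(&sender.PublicKey, msg, sig))
	fmt.Println("altered message, sender's key:  ", verify(&sender.PublicKey, altered, sig))
	fmt.Println("genuine message, impostor's key:", verify(&impostor.PublicKey, msg, sig))

	// A signature the impostor makes with their own key verifies under *their* public key.
	// This is why the recipient must know which public key belongs to the real sender.
	forged, _ := sign(impostor, msg)
	fmt.Println("impostor's signature, impostor's key:", verify(&impostor.PublicKey, msg, forged))
}
```

ECDSA needs a fresh, unpredictable nonce for every signature; if the nonce repeats under the same key, the private key can be computed from two signatures. Go's implementation handles this internally, but it is the first thing to check in any other one. Signing the digest rather than the message is also why message length does not matter: a 1 GB file and a 20-byte string yield signatures of the same size.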

Examples of asymmetric algorithms include Rivest–Shamir–Adleman (RSA) and elliptic-curve cryptography (ECC), a family that includes ECDH for key agreement and ECDSA and Ed25519 for signatures. While the concepts of asymmetric and symmetric encryption concern how data is encrypted, there is also the question of when data ought to be encrypted. On this question, you will often encounter the terms “encryption in transit” and “encryption at rest.”

Encrypting Data in Transit versus at Rest

Protecting data in transit (as it’s being transferred) is as important as protecting it at rest (when it’s stored).

Encryption in transit protects data as it moves between two systems. A common example is the interaction between a web browser and a web server: as requests travel from the browser to the server and responses travel back, the Transport Layer Security (TLS) protocol encrypts them. TLS is a complex protocol that provides other security properties in addition to encryption:

  • Authentication of the server (and optionally of the client, in mutual TLS) through public/private key pairs and X.509 certificates signed by a trusted certificate authority, which is what prevents an attacker from impersonating the server.
  • Encryption through a combination of algorithms: an asymmetric key exchange (in TLS 1.3, ephemeral elliptic-curve Diffie-Hellman) establishes per-session symmetric keys, and a fast symmetric cipher such as AES-GCM or ChaCha20-Poly1305 encrypts the traffic.
  • Data integrity verification through the authentication tag of the authenticated cipher (or, in older cipher suites, an HMAC), so any record modified on the wire is rejected.

Websites that are secured with HTTPS use TLS, ensuring a secure data exchange between the browser and the server, exemplifying the concept of encryption in transit.
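The following added example (not code from the original post) shows the three properties working together with Go's standard library: a loopback TLS server presenting a self-signed certificate for an assumed hostname, a client that pins that certificate as its trust root and completes the handshake and an encrypted echo, and a second client that relies on the system trust store and is refused because the server cannot be authenticated. The hostname, the echoed text and the loopback setup are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// serverName is an assumed hostname for the throwaway certificate.
const serverName = "records.example.internal"

// newSelfSignedCert makes an ephemeral P-256 key and self-signed certificate for serverName,
// and a pool holding that certificate so a client can pin it as its trust root.
func newSelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{serverName}, // the name clients verify against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// startEchoServer listens on loopback over TLS and echoes back whatever each client sends.
func startEchoServer(cert tls.Certificate) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // refuse the obsolete TLS 1.0/1.1
	})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// The handshake runs on the first read; if it fails, Copy returns and the conn closes.
			go func(c net.Conn) { defer c.Close(); io.Copy(c, c) }(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// roundTrip dials with the given trust roots (nil = system store), sends msg and returns
// the echo and the negotiated TLS version, or the error that ended the handshake.
func roundTrip(addr string, roots *x509.CertPool, msg string) (string, uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName: serverName, // the certificate is checked against this name, not the dialed IP
		RootCAs:    roots,
	})
	if err != nil {
		return "", 0, err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(msg)); err != nil {
		return "", 0, err
	}
	buf := make([]byte, len(msg))
	if _, err := io.ReadFull(conn, buf); err != nil {
		return "", 0, err
	}
	return string(buf), conn.ConnectionState().Version, nil
}

func main() {
	cert, pool, err := newSelfSignedCert()
	if err != nil {
		panic(err)
	}
	addr, stop, err := startEchoServer(cert)
	if err != nil {
		panic(err)
	}
	defer stop()
	echo, ver, err := roundTrip(addr, pool, "patient 42: lab results") // constructed sample
	fmt.Printf("pinned root:  echo=%q tls=%#x err=%v\n", echo, ver, err)
	_, _, err = roundTrip(addr, nil, "patient 42: lab results")
	fmt.Println("system roots:", err) // unknown authority: the server cannot be authenticated
}
```

The failing second client is the important case. A client that "fixes" that error by disabling certificate verification (InsecureSkipVerify in Go, -k in curl) still encrypts, but to whoever answers the connection, so it has given up the authentication property and with it any real protection against a man-in-the-middle. The correct fix is to give the client the right trust root, as the first client does.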

Encryption at rest protects data when it’s stored. For example, a healthcare or financial services provider may use databases to store medical records or credit card data. However, in today’s digital age, data is stored in an array of locations beyond just databases and end-user devices. These include cloud storage services, backup disks, offsite storage, and more.

Unstructured data, by not following a predefined data model and often not residing in databases, presents an additional challenge. Unstructured data includes information like emails, text documents, images, and videos. This type of data is commonly stored in the cloud or in diverse network locations, and it can often comprise a significant portion of an organization’s valuable assets. If this form of sensitive data is accessed by unauthorized individuals, an organization could suffer significant damage or loss. As such, protecting unstructured data is critical.

Organizations may adopt several different techniques to protect data at rest, and they guard against different threats:

  • File-level encryption, which encrypts individual files so that each can be protected under its own key and moved or backed up while still encrypted.
  • Storage-level (full-disk) encryption, which encrypts an entire device transparently. It protects against loss or theft of the physical media, but once the system is running and the volume is unlocked, any process or attacker on that host reads the data in the clear.
  • Database encryption, which is typically used for structured data, either transparently at the storage layer or column by column for the most sensitive fields.
  • Data tokenization, which replaces sensitive values (card numbers, national identifiers) with opaque tokens that carry no recoverable information, so only the tokenization service ever holds the real data.
  • Cloud storage encryption, which cloud providers offer per object or per bucket, usually with a key management service (KMS) that wraps the per-object data keys and logs who used them.
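Tokenization is the least obvious item in the list, so here is an added example of it (not code from the original post): an in-memory token vault in Go that replaces card numbers with random tokens and is the only component able to map them back. The vault, the token format (tok_<random>_<last four digits>) and the sample inputs are assumptions of the example; the card numbers are widely used test numbers that pass the Luhn check, not real accounts.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Vault maps opaque tokens back to the sensitive values they replace. A real vault is a
// separate, tightly access-controlled service; an in-memory map is an assumption here.
type Vault struct {
	mu       sync.Mutex
	indexKey []byte            // HMAC key: lets the vault recognise a repeat value without a plaintext index
	byIndex  map[string]string // HMAC(value) -> token
	byToken  map[string]string // token -> value
}

// NewVault creates a vault with a fresh random index key.
func NewVault() (*Vault, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Vault{indexKey: k, byIndex: map[string]string{}, byToken: map[string]string{}}, nil
}

// luhnValid rejects strings that are not plausible card numbers before they enter the vault.
func luhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Tokenize returns tok_<24 hex chars>_<last4>. The random part is independent of the card
// number, so the token reveals nothing beyond the last four digits kept for display.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !luhnValid(pan) {
		return "", errors.New("not a valid card number")
	}
	mac := hmac.New(sha256.New, v.indexKey)
	mac.Write([]byte(pan))
	idx := hex.EncodeToString(mac.Sum(nil))

	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.byIndex[idx]; ok {
		return tok, nil // the same card number always yields the same token
	}
	r := make([]byte, 12)
	if _, err := rand.Read(r); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(r) + "_" + pan[len(pan)-4:]
	v.byIndex[idx] = tok
	v.byToken[tok] = pan
	return tok, nil
}

// Detokenize is the only path back to the card number and should be the most restricted call.
func (v *Vault) Detokenize(tok string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	pan, ok := v.byToken[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	v, err := NewVault()
	if err != nil {
		panic(err)
	}
	// Constructed inputs: a well-known test card number and a digit string that fails Luhn.
	t1, _ := v.Tokenize("4111111111111111")
	t2, _ := v.Tokenize("4111111111111111")
	pan, _ := v.Detokenize(t1)
	fmt.Println(t1, t1 == t2, pan)
	_, err = v.Tokenize("1234567890123")
	fmt.Println("rejected:", err)
}
```

Systems that only need to display or match a token never call Detokenize, so the audit scope for the real card data shrinks to the vault itself. The HMAC index lets the vault recognise a repeat card number without keeping a searchable plaintext copy; its key must live with the vault, never with the applications that submit values.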

Data Encryption Standards

Numerous data encryption standards exist, and new algorithms continue to be developed and standardized as older ones are broken or outgrown. As computing power increases, brute-force attacks that were once impractical become feasible against ciphers with short keys, which is what retired DES. Newer does not automatically mean more secure, however: prefer standards that have survived years of public cryptanalysis, use them with adequate key lengths and in authenticated modes, and keep deprecated or home-grown algorithms out of your software.

The Data Encryption Standard (DES)

DES is a symmetric block cipher developed by IBM in the early 1970s and adopted by the U.S. National Bureau of Standards (now the National Institute of Standards and Technology, NIST) as a federal standard in 1977; the standard was withdrawn in 2005. It is a 16-round Feistel cipher that encrypts a 64-bit block of plaintext under a 56-bit key. That key is far too short: in 1998 the Electronic Frontier Foundation's purpose-built machine recovered a DES key by exhaustive search in a matter of days, and commodity hardware does it far faster today, so DES is no longer considered secure.

The Triple Data Encryption Algorithm (3DES)

3DES (or Triple DES) is a variation of the DES cipher in which DES is applied three times to each block in an encrypt-decrypt-encrypt sequence, usually with three independent keys. This raises the key length to 168 bits, although a meet-in-the-middle attack reduces the effective security to about 112 bits. Its real weakness is that it inherits DES's 64-bit block size: in 2016 the Sweet32 attack (CVE-2016-2183) showed that an attacker who can observe enough traffic encrypted under a single key in CBC mode, on the order of tens of gigabytes, can exploit block collisions to recover portions of the plaintext, such as session cookies from a long-lived HTTPS connection. NIST has since deprecated 3DES (disallowed for encryption after 2023), and AES is its replacement.

Advanced Encryption Standard (AES)

AES is the standardized form of the Rijndael block cipher designed by the Belgian cryptographers Joan Daemen and Vincent Rijmen and selected by NIST in 2001. It always operates on 128-bit blocks and supports key sizes of 128, 192 or 256 bits (AES-128, AES-192 and AES-256), applying 10, 12 or 14 rounds of a substitution-permutation network respectively. AES is a block cipher, not a complete encryption scheme: it must be used in a mode of operation, and for new designs that should be an authenticated mode such as AES-GCM, which also detects tampering. Most modern processors implement AES in hardware, which is one reason it is the default symmetric cipher almost everywhere, from TLS to disk encryption.

Rivest–Shamir–Adleman (RSA)

RSA is one of the oldest asymmetric algorithms, first published in 1977. Key generation picks two large secret primes, p and q; their product n = pq is the public modulus and, together with a public exponent e, forms the public key. The private exponent d is computed from e and the two primes, and recovering d from the public key alone requires factoring n, which is infeasible for moduli of 2048 bits or more (the current minimum). RSA is slow and can only encrypt a message smaller than its modulus, so in practice it wraps a randomly generated symmetric key that then encrypts the bulk data (hybrid encryption). It must also always be used with a padding scheme, OAEP for encryption and PSS for signatures, because unpadded RSA and the older PKCS#1 v1.5 encryption padding are vulnerable to padding-oracle attacks.
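As an added example (not code from the original post) of the key-wrapping role just described, the Go program below generates a 2048-bit RSA key pair, wraps a random 256-bit symmetric data key with RSA-OAEP, unwraps it with the private key, and shows the limit that forces the hybrid design: OAEP with SHA-256 refuses any message longer than 190 bytes for this key size. The data key, the OAEP label and the key size are assumptions of the example; encrypting the bulk data with the unwrapped key is the job of a symmetric cipher such as AES-GCM and is not repeated here.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// label is bound into the OAEP encoding; wrap and unwrap must agree on it (assumed value).
var label = []byte("data-key-v1")

// wrapKey encrypts a symmetric data key under the recipient's RSA public key with OAEP/SHA-256.
func wrapKey(pub *rsa.PublicKey, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, label)
}

// unwrapKey recovers the data key with the recipient's private key. OAEP fails closed:
// a wrong key or a modified ciphertext yields an error, never a wrong-but-plausible key.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, label)
}

// maxOAEPPayload is the largest plaintext OAEP/SHA-256 can carry for the key:
// modulus size minus twice the hash length minus 2, i.e. 190 bytes for 2048-bit RSA.
func maxOAEPPayload(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

func main() {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	dataKey := make([]byte, 32) // a fresh AES-256 key that would encrypt the actual data
	if _, err := rand.Read(dataKey); err != nil {
		panic(err)
	}
	wrapped, err := wrapKey(&recipient.PublicKey, dataKey)
	if err != nil {
		panic(err)
	}
	got, err := unwrapKey(recipient, wrapped)
	fmt.Printf("wrapped key: %d bytes, unwrap ok: %v, matches: %v\n",
		len(wrapped), err == nil, bytes.Equal(got, dataKey))

	// Why hybrid: RSA cannot encrypt the record itself once it exceeds the OAEP limit.
	record := make([]byte, 4096) // constructed stand-in for a 4 KB database record
	_, err = wrapKey(&recipient.PublicKey, record)
	fmt.Printf("max direct payload: %d bytes; 4096-byte record refused: %v\n",
		maxOAEPPayload(&recipient.PublicKey), errors.Is(err, rsa.ErrMessageTooLong))

	// Wrong private key: decryption fails instead of returning garbage.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = unwrapKey(other, wrapped)
	fmt.Println("unwrap with another key:", err)
}
```

OAEP is randomized, so wrapping the same data key twice produces two different ciphertexts; an attacker who sees a wrapped key therefore cannot confirm a guess by re-encrypting it. This is the same reason unpadded "textbook" RSA is unsafe even when the key is large.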

Twofish

Twofish is a symmetric block cipher with a 128-bit block size and a key of 128, 192 or 256 bits; the longer keys provide more security margin at some cost in key-setup time, so applications can choose according to their requirements. It was one of the five finalists in the competition that selected AES, has no known practical attacks, and was released unpatented into the public domain, so anyone may implement it freely. It remains a sound choice but is far less widely deployed than AES, which has hardware acceleration on most platforms.

Conclusion

In this post, we’ve covered many of the basic concepts around data encryption, which is a vast topic. We’ve explained what data encryption is, along with its benefits for business applications. In addition, we’ve covered specific details surrounding symmetric versus asymmetric encryption, the concepts of encryption in transit and encryption at rest, and also several well-known encryption standards used today.

GET TO KNOW THE AUTHOR

Amber Boehm is a Director of Product Marketing for Data Detection and Response at CrowdStrike and based in Seattle, Washington.