Data encryption is a fundamental building block of cybersecurity, ensuring that data, whether at rest or in transit, cannot be read by anyone who does not hold the key. As more data moves online, encryption plays an increasingly crucial role in cybersecurity. This is especially true for sectors that handle sensitive data, including finance, healthcare, and government.
In this post, we'll provide an overview of data encryption: what it is, the benefits it brings, and the different types of data encryption in use today.
What Is Data Encryption?
Data encryption converts plaintext into an encoded format to protect against unauthorized access to data. In other words, it employs cryptographic algorithms to transform readable data into an unintelligible form, so that parties without the corresponding key cannot make sense of it. To outside parties, the encoded form (ciphertext) appears random, and recovering the plaintext without the key requires a brute-force search of the key space, which is infeasible for a modern cipher with an adequate key size.
What Are the Benefits of Encrypting Data?
Data encryption is essential for maintaining data privacy, protecting confidentiality, and complying with regulations. First, data encryption keeps sensitive information safe from unauthorized parties. Ciphertext is unreadable without the encryption keys; even if this data is stolen in a breach or exposed by an accidental leak, it is useless to attackers as long as the keys were not exposed along with it. Thus, data encryption helps to mitigate the risk of data theft and loss.
Second, encrypting data helps protect confidentiality. For example, virtual private networks (VPNs) encrypt a user's traffic between their device and the VPN server, so the internet service provider sees only an encrypted tunnel rather than the sites visited or the content exchanged. In other industries, such as healthcare, encrypted data helps keep private information safe.
Last, data encryption helps organizations dealing with sensitive data to comply with the regulatory and audit requirements applicable to their sector. In the U.S., for example, service organizations that handle customer data commonly undergo System and Organization Controls (SOC 2) audits, and demonstrating SOC 2 compliance typically involves encrypting sensitive data both at rest and in transit.
That said, even if compliance measures weren't required, organizations would still benefit from encryption. Organizations that want to build customer trust must take data protection seriously, which is where robust encryption standards play a significant role.
Symmetric and Asymmetric Data Encryption
There are two major types of encryption: symmetric and asymmetric. The core difference between the two is whether the key used for encryption is the same as the key used for decryption.
Symmetric encryption uses the same key to both encrypt and decrypt data. Symmetric ciphers are typically much faster than asymmetric ones. However, the main disadvantage of this method is that the key must be shared with every party that needs to decrypt, and an attacker who steals it can decrypt every message ever encrypted under it. In addition, a bare symmetric cipher provides no authentication or integrity check: it cannot tell the recipient whether the ciphertext was altered in transit. Authenticated modes such as AES-GCM add an integrity tag that detects tampering, but because every party holds the same key, the tag cannot prove to a third party which of them produced the message.
Examples of symmetric encryption algorithms include the Advanced Encryption Standard (AES) and the now-obsolete Data Encryption Standard (DES).
On the other hand, asymmetric encryption uses two different but mathematically linked keys (one public and one private) to protect data. The public key is used to encrypt the data, and the corresponding private key is used to decrypt it.
As asymmetric encryption relies on expensive operations over very large numbers, it's far slower than symmetric encryption. However, since public keys are only used for encryption, they can be shared openly without exposing anything secret. As long as the holder of the private key keeps it secure, that person will be the only party able to decrypt messages. The residual risk sits on the sender's side: the sender must be sure the public key really belongs to the intended recipient, because encrypting to a key an attacker has substituted hands that attacker the plaintext. Certificates and other forms of key verification exist to close this gap.
Additionally, asymmetric cryptography enables verification of the sender's identity and the message's integrity through digital signatures. Digital signatures work by having the sender hash the message and then sign that hash with their private key. The recipient verifies the signature using the sender's public key, which confirms that the message was signed by the holder of that private key and has not been changed since.
Examples of asymmetric algorithms include Rivest–Shamir–Adleman (RSA) and elliptic-curve cryptography (ECC), the family behind ECDH key agreement and the ECDSA and Ed25519 signature schemes. While the concepts of asymmetric and symmetric encryption concern how data is encrypted, there is also the question of when data ought to be encrypted. On this question, you will often encounter the terms "encryption in transit" and "encryption at rest."
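The points above, as a worked example added here (it is not code from the original post): AES-256-GCM for the symmetric part, with the authentication tag catching a flipped ciphertext bit; RSA-OAEP to wrap the symmetric data key for the recipient, which is the hybrid pattern the RSA section later in this post describes; and an Ed25519 signature that verifies on the original message and fails once the message is edited. It uses only Go's standard library. The JSON record is a constructed sample, and the OAEP label "data-key" and the function names are my choices for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptGCM seals plaintext with AES-256-GCM: 12-byte random nonce || ciphertext || 16-byte tag.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptGCM reverses encryptGCM and fails if any bit of the message changed.
func decryptGCM(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, fmt.Errorf("sealed message too short (%d bytes)", len(sealed))
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// wrapKey encrypts the symmetric data key to the recipient's RSA public key with RSA-OAEP;
// unwrapKey recovers it with the private key. Only the 32-byte key goes through RSA;
// the bulk data stays with the far faster AES-GCM (hybrid encryption).
func wrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte("data-key"))
}
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte("data-key"))
}

// result records what demo observed, so outcomes can be checked rather than only printed.
type result struct {
	RoundTrip, TamperDetected, SigValid, SigRejectsEdit bool
}

func check(err error) {
	if err != nil {
		panic(err) // setup failure, not a property under test
	}
}

func demo() result {
	var r result
	record := []byte(`{"patient":"constructed-sample","diagnosis":"none"}`) // constructed input
	// Sender: fresh random data key, seal the record, wrap the key for the recipient.
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	dataKey := make([]byte, 32)
	_, err = rand.Read(dataKey)
	check(err)
	sealed, err := encryptGCM(dataKey, record)
	check(err)
	wrapped, err := wrapKey(&recipient.PublicKey, dataKey)
	check(err)
	// Recipient: unwrap the data key with the private key, then decrypt.
	k, err := unwrapKey(recipient, wrapped)
	check(err)
	plain, err := decryptGCM(k, sealed)
	r.RoundTrip = err == nil && string(plain) == string(record)
	// Attacker: flip one ciphertext bit; the authentication tag no longer matches.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-20] ^= 0x01
	_, err = decryptGCM(dataKey, tampered)
	r.TamperDetected = err != nil
	// Sender signs with Ed25519; anyone holding the public key can check origin and integrity.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	sig := ed25519.Sign(priv, record)
	r.SigValid = ed25519.Verify(pub, record, sig)
	edited := append(append([]byte(nil), record...), '!')
	r.SigRejectsEdit = !ed25519.Verify(pub, edited, sig)
	return r
}

func main() {
	fmt.Printf("%+v\n", demo()) // every field should print true
}
```

The sealed message carries its own nonce, so the only secret the recipient needs is the wrapped data key; rotating the RSA key pair means re-wrapping 32 bytes, not re-encrypting the data.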
Encrypting Data in Transit versus at Rest
Protecting data in transit (as it’s being transferred) is as important as protecting it at rest (when it’s stored).
Encryption in transit protects data as it moves between two systems. A common example is the interaction between a web browser and a web server. As requests travel from the browser to the server, protocols like Transport Layer Security (TLS) encrypt the data. TLS is a complex protocol that offers other security measures in addition to encryption:
- Server authentication (and, optionally, client authentication) through public-key cryptography and digital certificates issued by certificate authorities the other side trusts.
- Key exchange using asymmetric algorithms to establish a fresh session key, which then drives fast symmetric encryption of the application data.
- Data integrity verification through a message authentication code or, in modern cipher suites, the authentication tag of an AEAD cipher such as AES-GCM, so a tampered record is rejected rather than decrypted.
Websites secured with HTTPS use TLS, ensuring a secure data exchange between the browser and the server and exemplifying the concept of encryption in transit.
Encryption at rest protects data when it's stored. For example, a healthcare or financial services provider may use databases to store medical records or credit card data. However, in today's digital age, data is stored in an array of locations beyond just databases and end-user devices. These include cloud storage services, backup disks, offsite storage, and more.
Unstructured data, which does not follow a predefined data model and often does not reside in databases, presents an additional challenge. Unstructured data includes information like emails, text documents, images, and videos. This type of data is commonly stored in the cloud or in diverse network locations, and it can often comprise a significant portion of an organization's valuable assets. If this form of sensitive data is accessed by unauthorized individuals, an organization could suffer significant damage or loss. As such, protecting unstructured data is critical.
Organizations may adopt several different techniques to protect data at rest:
- File-level encryption, which encrypts individual files so each can be protected, shared, or re-keyed independently.
- Storage-level (full-disk or volume) encryption, which encrypts entire storage devices; it protects against loss or theft of the media but not against an attacker who reads files through the running system, where the volume is already unlocked.
- Database encryption, which is typically used for structured data, either transparently at the storage layer or column by column for specific sensitive fields.
- Data tokenization, which replaces sensitive values with opaque tokens and keeps the token-to-value mapping in a separately protected vault, so systems that only need to reference the data never hold it.
- Cloud storage encryption, which cloud service providers commonly offer to encrypt data on a per-object or per-bucket basis, often with a choice between provider-managed and customer-managed keys.
Data Encryption Standards
Numerous data encryption standards exist, and new algorithms are developed regularly to counter increasingly sophisticated attacks. As computing power increases, brute-force attacks become more likely to succeed against standards with small key sizes. Therefore, it's important to use current, well-vetted standards, such as AES, in your software rather than older ones that have been deprecated.
The Data Encryption Standard (DES)
DES is a symmetric encryption algorithm developed by IBM in the early 1970s and adopted as a U.S. federal standard (FIPS 46) in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology (NIST), which withdrew it in 2005. It uses a 56-bit key to encrypt a 64-bit block of plaintext via a series of complex operations. However, its small key size makes it vulnerable to brute-force attacks (purpose-built hardware exhaustively searched the 56-bit key space in the late 1990s), and so it's no longer considered secure.
The Triple Data Encryption Algorithm (3DES)
3DES (or Triple DES) is a variation of DES in which the DES cipher is applied three times, with two or three independent keys, to lengthen the effective key. The block size, however, stays at 64 bits, and in 2016 the Sweet32 attack (CVE-2016-2183) showed why that matters: after roughly 2^32 blocks have been encrypted under one key, colliding ciphertext blocks start to leak plaintext, which an attacker who can observe a long-lived connection and inject chosen plaintext can turn into recovery of secrets such as session cookies. NIST has since deprecated 3DES, and AES is its replacement.
Advanced Encryption Standard (AES)
AES is a subset of the Rijndael block cipher, designed by Belgian cryptographers Joan Daemen and Vincent Rijmen. It always operates on 128-bit blocks and supports key sizes of 128, 192, or 256 bits (AES-128, AES-192, and AES-256). AES encrypts symmetrically by running each block through a substitution-permutation network for 10, 12, or 14 rounds, depending on the key size. Because the block cipher on its own only scrambles fixed-size blocks, it is always used through a mode of operation; authenticated modes such as AES-GCM are the usual choice today because they also detect tampering.
Rivest–Shamir–Adleman (RSA)
RSA is one of the oldest asymmetric algorithms, first published in 1977. An RSA key pair starts from two large secret primes, p and q. Their product n = p·q becomes the public modulus and, together with a public exponent e (commonly 65537), forms the public key. The private exponent d is computed as the inverse of e modulo lcm(p-1, q-1), a calculation only someone who knows p and q can perform; factoring n to recover them is what an attacker would have to do. RSA operations are slow and can only handle messages shorter than the modulus, so RSA is often used just to encrypt (wrap) a random symmetric key, which then does the faster bulk encryption. This combination is known as hybrid encryption.
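The key arithmetic just described, as an added example (not the post's own code): generate an RSA key with Go's standard library, then re-derive the textbook relationships from its components with math/big, including the fact that raw RSA is deterministic, which is why real systems add randomized padding such as OAEP instead of exponentiating the message directly. The 32-byte message is a constructed input, and the struct and function names are my choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"math/big"
)

// rsaFacts records the textbook relationships inside an RSA key pair.
type rsaFacts struct {
	ModulusIsPQ   bool // n == p*q
	EDInverse     bool // e*d == 1 mod lcm(p-1, q-1), which is what makes (m^e)^d == m
	RoundTrip     bool // c = m^e mod n, then c^d mod n == m
	Deterministic bool // raw RSA maps the same m to the same c every time (hence padding)
}

// checkKey re-derives those relationships from the private key's components
// with math/big. m must be smaller than n.
func checkKey(priv *rsa.PrivateKey, m *big.Int) rsaFacts {
	p, q, n, d := priv.Primes[0], priv.Primes[1], priv.N, priv.D
	e := big.NewInt(int64(priv.E))
	one := big.NewInt(1)

	pm1 := new(big.Int).Sub(p, one)
	qm1 := new(big.Int).Sub(q, one)
	g := new(big.Int).GCD(nil, nil, pm1, qm1)
	lambda := new(big.Int).Div(new(big.Int).Mul(pm1, qm1), g) // lcm(p-1, q-1)

	c := new(big.Int).Exp(m, e, n)    // "encrypt": anyone holding (n, e) can do this
	back := new(big.Int).Exp(c, d, n) // "decrypt": only the holder of d can

	return rsaFacts{
		ModulusIsPQ:   new(big.Int).Mul(p, q).Cmp(n) == 0,
		EDInverse:     new(big.Int).Mod(new(big.Int).Mul(e, d), lambda).Cmp(one) == 0,
		RoundTrip:     back.Cmp(m) == 0,
		Deterministic: new(big.Int).Exp(m, e, n).Cmp(c) == 0,
	}
}

// demoKey generates a key of the given size and checks it against a constructed
// 32-byte message, the size of an AES-256 key, which is the usual RSA-wrapped payload.
func demoKey(bits int) (rsaFacts, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return rsaFacts{}, err
	}
	m := new(big.Int).SetBytes([]byte("constructed-32-byte-data-key-!!!")) // constructed input, far below n
	return checkKey(priv, m), nil
}

func main() {
	facts, err := demoKey(2048)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", facts) // every field should print true
}
```

Whether a library computes d modulo lcm(p-1, q-1) or modulo (p-1)(q-1), the check passes, because the former divides the latter; both give exponents that invert e for every message.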
Twofish
Twofish is a symmetric-key block cipher with a 128-bit block size and key sizes of 128, 192, or 256 bits; choosing the key size trades speed against security margin according to an application's requirements. Twofish was one of the finalists in the competition that selected AES, is still considered secure, and its design is unpatented and freely available, which places it in the public domain.
Conclusion
In this post, we've covered many of the basic concepts around data encryption, which is a vast topic. We've explained what data encryption is, along with its benefits for business applications. In addition, we've covered specific details surrounding symmetric versus asymmetric encryption, the concepts of encryption in transit and encryption at rest, and several well-known encryption standards used today.