From Wikipedia: encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.
While the process of encrypting information is nothing new, encryption technologies have recently become a hot topic in IT, with good reason. This article explains the various types of encryption regularly used by IT pros.
Data can be encrypted two ways: at rest and in transit.
Data at rest refers to stored data: in a database, on a disk, or on some other form of media.
Note: Indiana law realizes the value of disk encryption — such that a lost/stolen laptop or storage media is not considered a breach IF that media was encrypted (and the encryption key was not available with the device).
Examples of at rest encryption
- PGP Whole Disk Encryption (available at no cost at IU for both Windows and Mac OS X)
  - Note: PGP can also create "virtual encrypted disks"
- BitLocker disk encryption
- OS X FileVault
- Database encryption
Data in transit refers to data that is encrypted as it traverses a network, including via web applications, smart phone apps, chats, etc. "In transit" covers the period from the point at which the data leaves the storage drive or database until it is re-saved or delivered to its destination. Protecting information in transit protects it from others attempting to snoop or eavesdrop on it as it traverses the network.
Examples of in transit encryption
Please note: employing these two types of encryption safeguards must occur in tandem; it's not automatic. Data encrypted at rest does not guarantee it remains encrypted as it traverses a network. Conversely, data encrypted "over the wire" does not offer any safeguard that the content remains encrypted after it has reached its destination.
The actual processes and algorithms that encryption technologies and software use differ. The current standard specification for encrypting electronic data is the Advanced Encryption Standard (AES). Almost all known attacks against AES's underlying algorithm are computationally infeasible, in part due to lengthier key sizes (128, 192, or 256 bits). If this argument sounds familiar, see: Passphrases.
Symmetric vs. asymmetric key algorithms
Symmetric key algorithms use related, often identical keys to both encrypt and then decrypt information. In practice, this is known mostly as a shared secret — between two or more parties.
Asymmetric key algorithms, however, use different keys to encrypt and decrypt information; one key encrypts (or locks) while the other decrypts (or unlocks). In practice, this is known mostly as a public/private key; the public key can be shared openly, the private key should not. In most cryptographic systems, it is extremely difficult to determine the private key values based on the public key.
How this encryption works
Using public/private keys, the lock/unlock algorithm can go two ways. Alice can encrypt some bit of information with Bob's public key, and then send it to Bob. Only the holder of Bob's private key should be able to decrypt and read the message. Conversely, Alice could encrypt some bit of information with her own private key — and while anyone else in the world could read the message, they would have to use Alice's public key to do so, meaning that the message must have come from Alice.
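The two directions described above, as an added example that is not part of the original article: textbook RSA in Python using only the standard library, where the second direction is what is normally called a digital signature. The primes, key names and message are constructed for illustration; the scheme is unpadded and the keys are far too weak for real use, where a vetted library with OAEP and PSS padding would be used instead.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes; returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: E^-1 mod phi(n)
    return (n, E), (n, d)

def apply_key(key, value):
    """The single RSA operation: raise value to the key's exponent mod n."""
    n, exponent = key
    return pow(value, exponent, n)

def encrypt(public_key, message: bytes) -> int:
    m = int.from_bytes(message, "big")
    if m >= public_key[0]:
        raise ValueError("message too long for this modulus")
    return apply_key(public_key, m)

def decrypt(private_key, ciphertext: int) -> bytes:
    m = apply_key(private_key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message: bytes, n: int) -> int:
    # Hash first so a signature can cover a message of any length.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    return apply_key(private_key, digest(message, private_key[0]))

def verify(public_key, message: bytes, signature: int) -> bool:
    return apply_key(public_key, signature) == digest(message, public_key[0])

# Constructed demo keys built from Mersenne primes: NOT secure, illustration only.
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    msg = b"meet at noon"                          # constructed sample message
    ct = encrypt(BOB_PUB, msg)                     # Alice locks with Bob's public key
    print(decrypt(BOB_PRIV, ct))                   # only Bob's private key unlocks it
    sig = sign(ALICE_PRIV, msg)                    # Alice uses her own private key
    print(verify(ALICE_PUB, msg, sig))             # anyone checks with her public key
    print(verify(ALICE_PUB, b"meet at 1pm", sig))  # an altered message is rejected
```

Note that the signature direction gives no confidentiality: the message travels in the clear and the signature only proves who produced it and that it was not altered.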
Read more about public key cryptography.