What is “encryption?”
As more and more of our private lives are transferred to the digital world — bank accounts, healthcare information, entire photo libraries synced from our phones — it becomes increasingly important to understand how these valuables are protected. What does it mean that something is “encrypted?” When a connection is “secure?” Are you logging into your bank? Or is it just painted there, like the coyote’s tunnel on the wall, a phishing façade?
We’ve written before about digital privacy and the ways in which we understand it (sometimes incorrectly). How should we conceptualize security on the internet, then? Encryption is by no means just a digital phenomenon — nor is it just the enterprise of governments and corporations. Be it Pig Latin or the infamous Enigma from WWII, encryption is the practice of converting plain text to jibberish. With the proper decryption rules — maybe your cereal box decoder ring — the jibberish is translated back into plain text for reading.
Symmetric and Asymmetric Encryption
Before beginning, there is one big division in encryption that needs explaining: symmetric versus asymmetric. In symmetric encryption, the same key that opens the lock can also close the lock. It is a simple, lightweight, and fast approach to encryption.
In asymmetric encryption, two keys are generated: a public key and a private one. The public key can, as its name suggests, be widely disseminated — and often is. It is capable of encoding messages someone wants to send to you while your private key is the only one capable of decoding the messages. The process is a little more complicated and, as such, is a bit more taxing on the devices doing the encryption and decryption.
Encryption, even between two scheming children, is easy enough when both parties know each other and can develop a code together. But what about when the parties meet for the first time? What if someone attempts to check their bank info from a new internet connection? How can you develop a code together and over a public channel, ensuring that no eavesdroppers learn what they shouldn’t?
HTTPS, the more secure upgrade to HTTP, solves this problem using the Diffie-Hellman exchange. It’s a clever bit of math — if it loses you, there’s a similarly clever metaphor to follow. First, both parties publicly decide on a long, long, 300+ digit prime number and a modulo (more on that in a second). Then, secretly and individually, they then decide on their own personal 100+ digit prime number. Each party then multiplies the public number my their individual private number, and then applies the modulo operation.
Think of a modulo operation like a clock face, which uses a modulo of 12. 26 hours after 3:00, the clock doesn’t read 29:00 — it reads 5:00. A modulo operation is like keeping the the remainder after dividing. 29 mod 12 is 5 because 12 goes into 29 twice, making 24 and leaving 5 as the remainder. This is useful in encryption because, without the knowledge of the original numbers, 5 could easily be the answer to 5 mod 12, 17 mod 12, or even 147 mod 12.
After performing this operation, both parties swap their multiplied and modulo’d numbers publicly and do the same routine again with their private number. Ultimately, they end up with exactly the same number! A symmetric key was exchanged in a secret way. For the confused, consider this great paint-mixing metaphor from A.J. Han Vinck:
Both parties agree on a public color (in this case, yellow) and, privately, secret colors (red and green, respectively). Each mixes the public color with their private color, swapping the results after. They do the whole dance again, ultimately ending up with the same color paint. In this way, a symmetric code can be established on a public channel — even if someone is listening, the important pieces of the key-creation are kept private.
When communicating or sending files over an encrypted channel, it’s prudent to consider who has the keys to decrypt your data. Hosting files on your cloud and sharing them with a few recipients may seem safe enough, but remember that your cloud provider also has a key that could be compromised.
End-to-End encryption, a service offered by the likes of Signal and Whatsapp, solves this by having the encryption and decryption processes occur only on the devices at either end of the communication. Using two sets of asymmetric keys, each party can encode messages with the other’s public key and decode with their own private key. The service provider’s servers are effectively illiterate — they only pass along the jibberish encoded by the end users. Anyone who managed to crack into Whatsapp’s servers is just as illiterate.
Safe Browsing, Safe Transferring
Modern browsers are often equipped with measures to promote safe internet use, but there’s no substitute for personal awareness. When dealing with personal information online, it is crucial to make sure you are using HTTPS with a certified website — you’ll know this by the green padlock symbol that will show up in your browser’s address bar. Clicking this symbol will give you in depth information about who you are patronizing and the type of connection you have. Though most trustworthy sites will use it by default, plugins like the EFF’s HTTPS Everywhere is a good way to force HTTPS connections when possible.
If you need to transfer sensitive files — tax documents, signed contracts, et cetera — it’s important to consider how you are sending them. Is the connection secure? Is the file itself encrypted? Can you check if the documents made it to the recipient? Are you just sharing a public link to your cloud storage, or is there a smarter way to connect?