Today, Im writing about something that was first used by the Ancient Mesopotamians. It used to be illegal to export under weapons trafficking treaties, and it is frequently bemoaned by law enforcement. Its also a critical component of almost every electronic device, and without it, the global economy would come to a screeching halt. Im talking, of course, about encryption algorithms.
Encryption is technically a subset of cryptography, which is the study of how to communicate securely in the presence of an adversary (who might try to eavesdrop, edit, or disrupt said communication). To encrypt something is to take some information, like my password is 1234, and combine it with a key (a chunk of hopefully random data) via some encryption algorithm such that it becomes unreadable gibberish. Said gibberish is only decipherable by providing an identical key, or a key thats mathematically related to the original key in a complicated way.
The kind of encryption youre most likely familiar with is symmetric encryption: encrypt a message with one key, and decrypt it with the same key. Symmetric encryption dates back to ancient times; Julius Caesar invented (or popularized) a cipher where the letters of the alphabet were simply shifted some number of places down (e.g. A becomes C, B becomes D, and so on). But cryptography didnt really take off until the early 20th century, with the advent of technologies like radio, which enabled longer-range communication at the cost of being trivially easy to eavesdrop on. World War II saw use of the Enigma Machine, a fascinatingly complicated electromechanical device that was only decoded by the Allies after a Herculean effort. These days, though, encryption generally refers to modern computerized algorithms like AES.
AES is short for Advanced Encryption Standard and has been the standardized encryption method for the U.S. governments classified information since 2002. Its also used for most web traffic, disk encryption on iOS and macOS, password managers, end-to-end encrypted chat applications, and a zillion other things. In fact, most modern processors have specific hardware components just to encrypt and decrypt AES data. But symmetric encryption still has a flaw: you need both parties to have the same key for them to talk to each other. How does that happen when theres no secure communication channel, like when accessing a website over the Internet? It would obviously be impractical for every computer to come pre-programmed with what would be millions or billions of different encryption keys for everything. So, we need a way for two parties, communicating solely over an insecure communication channel, to have a conversation thats impervious to eavesdropping. It sounds impossible, but as it turns out, its perfectly achievable with a bit of sorcery known broadly as asymmetric-key encryption.
Its not particularly an exaggeration to say that without asymmetric-key encryption, the Internet wouldnt exist anywhere near its current form. It would be impossible to transmit any sensitive information like credit cards, passwords, or private email, unless you obtained an encryption key offline (which kind of obviates the entire point). Its hard to speculate on exactly what an Internet in this world would look like, or whether it would exist at all, but I can safely say that it would be a lot worse than it is now.
So how does asymmetric-key encryption work? The first hint is in a more common name for it: public-key cryptography. Instead of one key that encrypts and decrypts (symmetric encryption), asymmetric encryption uses a pair of keys: a public key and a private key. If you encrypt a message with the public key, it can only be decrypted with the corresponding private key, and theres no way you can figure out the private key from just the public key. So, you can make the public key as public as you want: transmit it over a public WiFi network, give it to your friends, even post it on social media. Meanwhile, the private key is private only to you. If someone wants to send you a message, all they have to do is encrypt it with your freely available public key and transmit it to you through any channel, even an insecure one. You can think of public-key cryptography as like a safe with two separate keys one key can only lock, and the other one can only unlock. You can duplicate the locking key as much as you want, and anyone can use it to put stuff in the safe and then lock it. But to access whats inside after the safe has been locked, youd need your secret unlocking key.
But the lock analogy breaks down at a certain point, because theres no difference in principle between the public and private key. If I encrypt something with my private key, it can only be decrypted with the corresponding public key. This is useful for identity verification through something called a digital signature. If I take a message, encrypt it (or sign it) with my private key, and publish the encrypted and original messages together, then you can verify the encrypted message decrypts successfully to the original. If they match, then you know I am who I say I am. (This concept, by the way, is key to the security of blockchain-based cryptocurrency: transfers out of a specific account are only accepted by the rest of the network if they have a valid digital signature proving that whoever submitted the transfer possesses the private key for said account.)
The specific mathematical underpinning behind public-key cryptography is sort of complicated and varies based on the specific algorithm. For many algorithms, we rely on the fact that multiplying very large numbers together is relatively easy, while finding the factors of a very large number is very, very hard. (For performance reasons, some modern algorithms use things that are kind of similar to large numbers like elliptic curves, but we can safely ignore that.) Either way, though, the mathematical details of public-key cryptography are somewhat less interesting than the fact that it exists and you can do things with it.
Almost everything you do on the Internet nowadays relies on public-key cryptography. If youre reading this on a computer, the webpage was transmitted via the HTTPS protocol, which (to simplify things) means your computer transmitted an encrypted request using The Phoenix websites public key, which lets your computer talk to the server through a private channel. If youre reading this in the print edition, then public-key cryptography was still involved I send in these articles via email, which involves my computer making a secure connection to my mail server using its public key via the same method. (Technically, asymmetric encryption is generally used just to secretly transmit a key for symmetric encryption, since symmetric encryption is considerably faster.)
But why does any of this matter, aside from it being really cool and interesting? Well, Ive previously written about why HTTPS makes paying for a VPN somewhat unhelpful for a lot of people. Today, though, Im going to cover end-to-end encryption, which is a fascinating application of cryptography and an interesting thing to be aware of in your own life.
When you send an email, its (usually) encrypted in transit via the methods I talked about above: if someone is eavesdropping on your Internet traffic, they cant read your mail. But once it reaches your mail server, its decrypted and is readable by your mail provider (e.g. Gmail). Its important to note that readable doesnt mean someone at Google is regularly snooping through your mail to learn all your secrets, it just means that Googles systems can process the plain contents of messages. This can be for innocuous reasons: checking whether messages are spam, for instance, or automatically adding a booking to your calendar based on a confirmation email. But theres nothing technically stopping Google from scanning your email to target advertisements. (Google explicitly says that they dont do this. Sometimes it might seem like they do, but those are often cases where, e.g., you search for winter coats, spend an hour browsing winter-coat-related websites, and then see an ad for winter coats next to an email you sent to a friend asking about coat recommendations.)
But the fact that Google could read your email if they wanted to is more important in a different way: if Google can theoretically do it, then the government can too. If youre worried about government surveillance (from any government), then you dont care what a company says they will or wont look at, you want a cryptographic guarantee that they cant provide data to anyone even if they were made to by a court order, subpoena, or police raid. This is where end-to-end encryption comes in.
End-to-end encryption is when your data stays encrypted all the way from you to the person or people youre talking to. Most commonly, this is in the context of chat applications like WhatsApp or iMessage. To secure your messages, instead of the server publishing its public key, everyone on the service publishes a public key. The private keys never leave each persons device. If you want to send a message to your friend, you ask the server for your friends public key and use it to encrypt the message. The server here just passes encrypted messages back and forth, so all it can possibly know is when you send messages and who you send them to. (Through a little bit more cryptography, its actually also possible to also obscure the fact that youre sending the messages kind of like dropping a letter in a mailbox without writing a return address.) Actual end-to-end encryption as implemented also uses a bit more stuff on top of the public/private key business, via something called a double ratchet: the two parties constantly change their public and private keys via an agreed-upon method. This means that if a private key is compromised, an attacker can only view a few messages before the keys are regenerated.
Full end-to-end encryption (or at least, end-to-end encryption that didnt suck) was pioneered in 2013 by what would eventually become Signal. Signal was the first end-to-end encrypted messaging app that tried to be usable by non-computer-nerds while still being secure, and as a result has seen extensive use among whistleblowers, journalists, and any social movement you care to name. But whats had an even bigger impact is the Signal Protocol that the Signal app was built on. The protocol defines a standardized and secure method for sending text and other communication completely securely between two or more parties. In 2016, WhatsApp, the most popular messaging application in the world, switched over to the Signal Protocol for all of its messages and data. This means that every text sent on WhatsApp is unreadable to WhatsApp, its parent company Facebook, or anyone else, except the intended recipients. (Unlike Signal, however, WhatsApp does collect and use data about when and to whom messages were sent, and might use that information to target advertisements.)
So, if end-to-end encryption is so easy to use, why isnt it used for everything? Mostly because it turns out that not having a usable copy of your data stored on a companys servers is annoying from a usability standpoint for anything more complicated than simple text chat. You may have experienced this yourself if youve ever been added to a WhatsApp group chat in progress: since previous messages were only encrypted with the previous participants keys, you cant read them and miss any context that happened before you got there. End-to-end encryption also means that mirroring messages or conversations between multiple devices is difficult: since only your phone holds the keys to decrypt the messages, keeping chat records consistent between your laptop and phone requires awkward relay setups. Finally, its sort of pointless for public-facing things like social media where everyone is supposed to be able to read it anyway.Notice that in this article I havent really talked about any possibility of breaking a key. Thats because modern encryption algorithms are, for all intents and purposes, unbreakable: cracking a single 256-bit AES key with every computer on the planet would take about 14 thousand trillion trillion trillion trillion, or 14,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000, years.
Its impossible to even begin to give a perspective on how big that number is. If you try to express it in terms of multiples of the age of the universe, another mind-bogglingly big number, you get another number thats still too big to properly express. (About 900 thousand trillion trillion trillion times the age of the universe, if youre wondering.) But the fact that properly implemented AES encryption is effectively impossible to break via computational brute force doesnt mean that your secrets are necessarily safe from, say, regular brute force (as a classic xkcd comic illustrates). One of the fundamental lessons of encryption (and indeed of all computer security) is that the humans that use encryption algorithms are almost always more vulnerable to deception, persuasion, or blunt force trauma than the algorithms themselves. It doesnt matter how big your encryption key is if the password used to generate said key is just the word password.
- UK Government Apparently Hoping It Can Regulate End-To-End Encryption Out Of Existence - Techdirt - January 12th, 2022
- Android Encryption on the rise: Do I need To encrypt my smartphone? - Phandroid - News for Android - January 12th, 2022
- The Next Evolution of the Database Sharding Architecture - InfoQ.com - January 12th, 2022
- Encryption Software Market Scope and overview, with Highest growth in the near future by leading key players - Taiwan News - January 12th, 2022
- CGV Research | Why Solana May Become the iOS of the Encrypted World? - NewsBTC - January 12th, 2022
- Swiss Army Bans WhatsApp And Other Foreign Encrypted Messaging Services - Lowyat.NET - January 12th, 2022
- Organic aggregates: new insights on white light - EurekAlert - January 12th, 2022
- You'll have to spell out an encryption law - BollyInside - January 12th, 2022
- NEC develops secure biometric authentication tech to enable certification with encrypted face information - Japan Today - December 22nd, 2021
- Experts warn against Originator Traceability Proposals that weaken Encryption - ThePrint - December 22nd, 2021
- Encrypt your emails from end to end for a lifetime with this software - TechRepublic - December 22nd, 2021
- Barrowford man who used encrypted phones to deal drugs jailed for more than 11 years - Burnley Express - December 22nd, 2021
- 'I'm a big believer in encryption technology,' says the former chairman of the US SEC. - BollyInside - December 22nd, 2021
- 5 upcoming WhatsApp features: New call interface, quick replies and more - The Indian Express - December 22nd, 2021
- Cloud Encryption Technology Market Growth Opportunities, Driving Factors by Manufacturers, Regions, Type and Application, Forecast Analysis to 2027 -... - December 22nd, 2021
- Metas Biggest Encrypted Messaging Mistake Was Its Promise - WIRED - December 3rd, 2021
- VeraCrypt 1.25 drops Windows 8.1 and 7, and Mac OS 10.8 and earlier support - Ghacks Technology News - December 3rd, 2021
- GBT is Enhancing qTerm's Cybersecurity Technology to Provide a Higher Level of Data Protection For its Users - GlobeNewswire - December 3rd, 2021
- What is Encryption? Definition, Types & Benefits | Fortinet - November 29th, 2021
- Decentralising end-to-end encryption with a new security protocol - The Hindu - November 29th, 2021
- Device encryption in Windows - November 29th, 2021
- How to Enable end-to-end Encryption for one-to-one Calls in Microsoft Teams - BollyInside - November 29th, 2021
- How the 5G industrial IoT will change different verticals - IT Brief New Zealand - November 29th, 2021
- Boxcryptor protects business data in Microsoft Teams with end-to-end encryption features - Help Net Security - November 25th, 2021
- NordLocker goes mobile: Encrypt your files on iOS and Android now with 60% off - GlobeNewswire - November 25th, 2021
- How Does End-To-End Encryption Works In WhatsApp? - Wales247 - November 25th, 2021
- Email Encryption Market Research Report by Type, by Component, by Industry, by Deployment, by Region - Global Forecast to 2026 - Cumulative Impact of... - November 25th, 2021
- Yes, ransomware is your number one security nightmare. But heres how to sleep easy - The Register - November 25th, 2021
- How to Encrypt WhatsApp Chat Backups with End-to-End Encryption in iCloud - BollyInside - November 20th, 2021
- Vaultree's Executive Team and Advisors Drive Innovation in the Cybersecurity Industry - Yahoo Finance - November 20th, 2021
- Will you be ready when quantum breaks encryption? Steps to take now to prepare - Lexology - November 17th, 2021
- If cybercriminals cant see data because its encrypted, they have nothing to steal - The Register - November 17th, 2021
- Why You Should Encrypt Your WhatsApp Backups in iCloud - Lifehacker - November 17th, 2021
- Cape Privacy Forges Partnership with Snowflake, Enabling Financial Services Organizations to Use Encrypted Data for Predictive Modeling in the Cloud -... - November 17th, 2021
- UK Government awards 555k to help fund new ways to protect children within end-to-end encrypted environments - ResponseSource - November 17th, 2021
- WhatsApp starts rolling out end-to-end encryption for ... - November 15th, 2021
- Quantum Xchange Collaborates with Thales to Enable Quantum-Safe Key Delivery Across Any Distance, Over Any Network Media - Yahoo Finance - November 15th, 2021
- Thrio Reduces Risk of Data Loss with Global Redaction and Encryption - WFMZ Allentown - November 15th, 2021
- When it comes to securing systems against quantum computers, there is no one-size-fits-all solution - Help Net Security - November 15th, 2021
- Hacking group says it has found encryption keys needed to unlock the PS5 [Updated] - Ars Technica - November 15th, 2021
- Opposition Parties 'Surprised' by Lack of Encryption Amid Cyber Attack - VOCM - November 15th, 2021
- Everything Blockchain Announces OEM License of Its Zero Trust Data Access Platform - GlobeNewswire - November 15th, 2021
- Alexander: Turn off the more complex encryption in Windows 11 Pro - Minneapolis Star Tribune - November 8th, 2021
- Encryption, inequality and Zero DOM: 6 pocket listing takeaways - Inman - November 8th, 2021
- Apple Can Secretly Read Your WhatsApp MessagesThis Is How To Stop It - Forbes - November 8th, 2021
- The double-edged sword of encryption - TechRadar - November 8th, 2021
- An Open Letter to City Council and the City Manager on Police Encryption. Category: Public Comment from The Berkeley Daily Planet - Berkeley Daily... - November 8th, 2021
- PSD2 & Open Banking Biometric Authentication Market Research Report by Function, by End Users, by Region - Global Forecast to 2026 - Cumulative... - November 8th, 2021
- WhatsApp to alert users with new security code. Read why - Mint - November 8th, 2021
- Cloud Encryption Service Market Size and Overview: 2021, Industry Share, Key Developments, Geographic Comparison, and Drivers till 2028 Bolivar... - November 8th, 2021
- Cloud Encryption Market Revenue, Share, Size and Trend Analysis 2021 to 2027 LSMedia - LSMedia - November 8th, 2021
- RCMP wants to use AI to learn passwords in investigations, but experts warn of privacy risks - The Globe and Mail - November 8th, 2021
- EXPLAINED: Why End-To-End Encryption May Not Mean That Nobody Can Read Your WhatsApp Chats - News18 - October 30th, 2021
- Only 17% of US Companies Encrypt Over Half of Their Cloud Data - WebProNews - October 30th, 2021
- Database Encryption Market To Witness the Highest Growth Globally in Coming Years 2020-2025 | Intel Security (Mcafee), Microsoft Corporation,... - October 30th, 2021
- Encryption Software Market Size To Record A Substantially CAGR Over 2017-2030 Puck77 - Puck77 - October 30th, 2021
- Growth Prospects of Cloud Encryption Gateways Market: Business Outlook 2021-2026 by Oracle, IBM, Microsoft, Salesforce, Vormetric, Ciphercloud, and... - October 30th, 2021
- Homomorphic Encryption Market Growth Overview of Top Companies : Microsoft,IBM Corporation,Galois,CryptoExperts,Enveil,Duality... - October 30th, 2021
- Messenger: from now on, voice and video calls will have end-to-end encryption MRT - Market Research Telecast - October 30th, 2021
- Encryption Key Management Market Growth Overview of Top Companies : Thales Group, IBM, Egnyte, Google, Alibaba Cloud Computing, Box, Amazon,... - October 30th, 2021
- Google Drive Alternatives: Improving Privacy and Security - TechSpot - October 30th, 2021
- Future Growth Of IoT Security Solution for Encryption Market by New Business Developments, Innovations, And Top Companies - Forecast To 2026 -... - October 30th, 2021
- If WhatsApp chats are end-to-end encrypted, how are personal chats of celebs leaking? - BGR India - October 30th, 2021
- WhatsApp rolls out encryption for chats backed up in the cloud - Mashable - October 17th, 2021
- WhatsApp now lets users encrypt their chat backups in the cloud - TechCrunch - October 17th, 2021
- Meet the Alliance for Encryption in Latin America and the Caribbean - EFF - October 17th, 2021
- Apples plan to scan images will allow governments into smartphones - The Guardian - October 17th, 2021
- WhatsApp to bring in encryption for backup chats after privacy fears - The Guardian - October 15th, 2021
- WhatsApp end-to-end encrypted backups are rolling out on both Android and iOS - GSMArena.com news - GSMArena.com - October 15th, 2021
- Encryption: Why security threats coast under the radar - Philstar.com - October 15th, 2021
- Encryption Management Solutions Market 2021 : Industry Analysis ,Size, Share, Revenue, Prominent Players, Developing Technologies, Tendencies and... - October 15th, 2021
- TLS Support Redis - October 12th, 2021
- Signal >> Documentation - October 12th, 2021
- Encryption Consulting announces their first-ever virtual conference - "Encryption Consulting Virtual conference 2021." - Tyler Morning... - October 12th, 2021
- [Update: Rolling out] WhatsApp adds end-to-end encryption for Android cloud backups - 9to5Google - October 12th, 2021
- Homomorphic Encryption Market New Coming Industry to Witness Great Growth Opportunities in Coming Years From 2021 to 2027: Microsoft (US), IBM... - October 12th, 2021
- SmartKargo Incorporates EDIfly Advanced Aviation Messaging At No Cost for Customers of its E-Commerce Logistics Solution - Yahoo Finance - October 12th, 2021
- No outages, no data leaks: The new WhatsApp killer built on the blockchain creates privacy-focused encrypted messenger - Cointelegraph - October 12th, 2021
- Mosyle's $ 16M Series A Drives Growth by Launching the Mosyle Business with the Market's First Encrypted DNS Filtering and Security Solution -... - October 6th, 2021
- Tips to Secure and Encrypt your WIFI Network Security - H2S Media - October 6th, 2021