You are on page 1of 8

ENCRYPTION: A GUIDE FOR

BUSINESS LEADERS
By Brandon Vigliarolo

COPYRIGHT ©2019 CBS INTERACTIVE INC. ALL RIGHTS RESERVED.


ENCRYPTION: A GUIDE FOR BUSINESS LEADERS

INTRODUCTION
Data: It’s everywhere, and it has to be protected.

Professionals are concerned about digital data—confidential emails, budget spreadsheets, private messages,
bank records, and a multitude of other types of sensitive information that is stored or transmitted online. That
data is protected with encryption.

However, knowing that encryption exists and understanding what it is are two different things, and the answer
can be complicated. Having a basic knowledge of encryption is important for professionals who deal with
private data, even if you don’t deal with the particulars yourself.

WHAT IS ENCRYPTION?
Encryption is far more than just scrambling an email to protect it from prying eyes—it’s a practice that goes
back well into the analog days. In essence, anything that is encoded using an algorithm is encrypted.

Most everyone has experience with simple encryption, like substitution ciphers that alter the letters of the
alphabet using a particular rule, like A=Z, B=Y, C=X, and so on.

Even a simple cipher like mixing up the letters of the alphabet presents an enormous number of potential
solutions because of the factorial nature of encryption. Take the English alphabet, for example. It has 26
letters, which means there are 26 factorial ways to mix it up. Mathematically that means 26 x 25 x 24 x 23 x 22 x
21... x 1 possibilities.

26 factorial, or 26!, means a simple substitution cipher of the English alphabet has 403,291,461,126,605,700,00
0,000,000 possible solutions. Ideally this would mean an English substitution cipher would be difficult to solve,
but it isn’t, really. All a good cryptanalyst needs to do is look for recurring characters to start making educated
guesses to solve the cipher quickly.

The minds behind modern encryption know how easy solving simple ciphers can be, especially given the raw
power of modern computers—if a human can crack it with any degree of speed a computer can probably
do it faster.

To prevent cracking, modern encryption has to be more complicated, use more tricks to scramble data, and
make it (practically) computationally impossible for an attacker to break the encryption.

Today the Advanced Encryption Standard (AES) is used worldwide. AES makes multiple encryption passes
that scramble an already scrambled chunk of data over and over again, making it more and more difficult to
break encryption.

2
COPYRIGHT ©2019 CBS INTERACTIVE INC. ALL RIGHTS RESERVED.
ENCRYPTION: A GUIDE FOR BUSINESS LEADERS

The more bits used to encrypt something with AES the more guesses it will take, and at a certain point it
becomes computationally impossible, at least on a practical level, to break that encryption. 128-bit AES
encryption, for example, would take around 500 billion years to crack with brute force.

Additional resources
• 43% of enterprises have adopted an encryption strategy (TechRepublic)
• Encryption policy (Tech Pro Research)
• How blockchain encryption works: It’s all about math (TechRepublic)

WHAT IS AN ENCRYPTION KEY?


Anything that is encrypted must have a key to decrypt it.

A key could be the alphabet shifted by a couple letters, a numerical substitution, or in the case of modern
encryption, a string of random characters.

Keys are used by the individual encrypting data and by the individual decrypting it, and come in two varieties:
symmetric and asymmetric.

Symmetric keys are easy to explain, and the best analogy to use is a locked box with a single key that can unlock
it. As long as you and another person have a copy of that key, you can store objects in the box and pass them
securely to one another.

But it’s easy to see how insecure symmetric keys are, whether physical or digital. Anyone with a copy of the key
can decrypt the data or open the locked box.

Asymmetric keys, on the other hand, are a bit more complex. In this scenario there are two keys: a private key,
known only to the individual doing the encryption, and a public one that is freely available.

Anyone with a copy of a public key can encrypt data that can be decrypted only using the matching private
key—that includes the person who knows the private key. Conversely, data that is encrypted using the private
key can be decrypted by anyone with the public key.

Neither a public nor a private key alone can be used to decrypt data—it takes the opposite key to decode it. In
most cases, a public key will be used to encrypt data, as only the person holding the private key can decrypt it.

Private-to-public decryption is used as the basis of digital signatures and other forms of identity verification. If
the public key can successfully decrypt a chunk of data, it could only have come from the person who knows
the private key.

3
COPYRIGHT ©2019 CBS INTERACTIVE INC. ALL RIGHTS RESERVED.
ENCRYPTION: A GUIDE FOR BUSINESS LEADERS

Keep in mind that an encryption key is secure only as long as the person who holds it keeps it secret. If a
private or symmetric key is stolen or lost, it’s best to consider it broken immediately. Always keep keys safe.

Additional resources
• Will Google’s Titan security keys revolutionize account security? (TechRepublic)
• How Cloudflare uses lava lamps to encrypt the Internet (ZDNet)
• Enigma: Why the fight to break Nazi encryption still matters (CNET)
• Report: Only 40% of data stored in cloud secured with encryption, key management (TechRepublic)
• The myth of responsible encryption: Experts say it can’t work (CNET)

WHY IS ENCRYPTION SO IMPORTANT?


Encryption won’t stop your data from being stolen. There’s no reason a malicious entity couldn’t sniff out your
internet traffic or steal data from your hard drive—that’s not encryption’s job. We encrypt data so that if and
when it’s stolen, it’s useless without the key.

Data at rest and data in transit over the internet are at risk to hijacking. Data breaches are a constant threat
faced by individuals and businesses of all sizes.

Using encryption to secure data that is at rest or otherwise not being actively transmitted over the internet is
one thing, but protecting it while in transit is a whole other challenge. It’s difficult to protect data in transit, and
there isn’t a good way of knowing how much data is stolen while it’s streaming over the internet, in the air over
Wi-Fi, or moving between a smartphone and a signal tower.

Data in transmission should always be considered unsecured. Continuing the locked box analogy from above,
think of transmitting data like handing a package off to the post office; it’s probably safe, but if that data is
sensitive, you need to take extra steps to be sure no one tampers with it between its origin and destination.

It’s critical for organizations and individuals to encrypt everything, no matter how innocuous the content of an
email, file, or piece of code. Consider all data—no matter what it is or where it’s stored—to be at risk.

Properly applied, encryption renders stolen data useless: If the thief doesn’t know the key, they’re left with a
bunch of junk that will (ideally) take them years to decrypt.

4
COPYRIGHT ©2019 CBS INTERACTIVE INC. ALL RIGHTS RESERVED.
ENCRYPTION: A GUIDE FOR BUSINESS LEADERS

Additional resources
• 5 workplace technologies that cause the most employee data breaches (TechRepublic)
• Russia moves to block Telegram after encryption key denial (ZDNet)
• Pixel 2 encryption is so good it can even fend off insider attacks, Google says (TechRepublic)
• As devastating as KRACK: New vulnerability undermines RSA encryption keys (ZDNet)
• Why citizens need encryption as a fundamental human right (TechRepublic)

WHAT ARE THE CURRENT ENCRYPTION STANDARDS?


In 2001, the US Department of Commerce’s National Institute for Standards and Technology (NIST) adopted
the Advanced Encryption Standard (AES) as the standard for government encryption (PDF). Since its
adoption, AES has become a standard part of cryptography around the world, both in government and
civilian applications.

AES is a form of symmetrical encryption and can be used to generate 128-bit keys, 192-bit keys, and 256-bit
keys, depending on the number of encryption rounds data is subjected to. AES creates blocks of 16 bytes that
are shifted, mixed, and substituted each round, as described in this comic by software developer Jeff Moser.

AES is incredibly secure, so much so that the US government considers AES128 sufficient to secure data
classified as secret, and AES192 and AES256 safe for top secret data. AES is effectively unbreakable, and it’s
easy to see why mathematically. A 128-bit encryption has 2 128 potential solutions, a 192 bit 2192, and a 256
has 2256 possible solutions. Do a quick calculation, and you’ll see why it would take even the most powerful
computers an impossibly long time to crack it.

As for asymmetrical encryption, there’s currently no single standard in place. There is a long list of asymmetric
encryption methods, but the most commonly used one by far is RSA. A variety of encryption systems make use
of asymmetric encryption, such as DSA, Diffie-Hellman key exchange, ElGamal, and YAK.

Additional resources
• Why PGP is fundamentally flawed and needs to be fixed (TechRepublic)
• Encryption debate reminiscent of climate change arguments: Senetas (ZDNet)
• How 85% of mobile apps violate security standards (TechRepublic)
• PGP encryption won’t protect your data. But PURBs can. (ZDNet)

5
COPYRIGHT ©2019 CBS INTERACTIVE INC. ALL RIGHTS RESERVED.
ENCRYPTION: A GUIDE FOR BUSINESS LEADERS

DOES UNBREAKABLE ENCRYPTION EXIST?


Even when used correctly, the strongest encryption can theoretically be broken, and as computers become
faster, unsolvable algorithms will turn into simple challenges.

There is a form of encryption considered unbreakable, when applied correctly, and it’s over 100 years old: The
one-time pad.

One-time pads are a symmetric encryption that has specific instructions to ensure the encryption is
unbreakable. To be successful, a one-time pad has to:

• Be made up of completely random numbers


• Have only two existing copies
• Be used only once
• Be destroyed immediately after use
One-time pads are impractical for use in the digital encryption world because of the difficulty that comes with
a single-use encryption key. It’s hard to keep the key limited to exactly two copies, and destroying it after use is
difficult if it’s stored digitally.

While they may not be used for digital encryption, one-time pads do demonstrate an important thing about
encryption: Key security is paramount. A strong, computationally impractical to break key may as well be
unbreakable unless it’s used improperly or stolen.

Additional resources
• Why nearly 50% of organizations are failing at password security (TechRepublic)
• IBM warns of instant breaking of encryption by quantum computers: ‘Move your data today’ (ZDNet)
• Why the encryption on your SSD in Windows 10 may be failing (TechRepublic)

WHAT ARE POPULAR ENCRYPTION APPS?


Computers and mobile devices all have built-in encryption software that can be enabled by taking a few minutes
and following these steps: Windows 10, macOS, iOS, and Android (the Android steps indicate they are for Pixel
devices, but they have been tested and work on other non-Pixel Android devices as well).

In cases where the built-in encryption methods aren’t sufficient or aren’t available (some versions of Windows
10 don’t include BitLocker), there are a variety of third-party encryption apps that suit numerous purposes.

6
COPYRIGHT ©2019 CBS INTERACTIVE INC. ALL RIGHTS RESERVED.
ENCRYPTION: A GUIDE FOR BUSINESS LEADERS

• VeraCrypt is the gold standard of Windows encryption apps. It offers everything Windows users need to
encrypt their hard drives, and even reportedly offers immunity to brute-force attacks.

• Signal, a free messaging app for iOS, Android, Windows, and macOS, encrypts text messages, multimedia
messages, and phone calls. It’s open source and grant funded, so there are no in-app purchases or
hidden fees.

• ProtonMail, a free webmail service developed by CERN scientists, is an end-to-end encrypted webmail
service that looks and feels like other popular webmail applications. Users of Office 365 and Gmail who
don’t want to migrate can enable encryption on both of those services as well.

Be sure to check out TechRepublic sister site Download.com’s list of popular encryption applications for more
ways to protect your Windows, macOS, iOS, and Android devices. No matter which route you choose to take,
built-in or third-party, it’s essential to encrypt your data.

Additional resources
• Microsoft’s BitLocker encryption program: A cheat sheet (TechRepublic)
• Microsoft delivers promised end- to-end Skype encryption option (ZDNet)
• Protect sensitive data with these five free encryption apps (TechRepublic)
• How to enable the encrypt/decrypt menu option in the Ubuntu file manager (TechRepublic)
• How to create an encrypted vault with KDE Vaults (TechRepublic)

7
COPYRIGHT ©2019 CBS INTERACTIVE INC. ALL RIGHTS RESERVED.
CREDITS
Editor In Chief ABOUT TECHREPUBLIC
Bill Detwiler
TechRepublic is a digital publication and online community
Editor In Chief, UK that empowers the people of business and technology. It
Steve Ranger
provides analysis, tips, best practices, and case studies
Associate Managing Editor aimed at helping leaders make better decisions about
Mary Weilage technology.

Senior Editor DISCLAIMER


Alison DeNisco Rayome
The information contained herein has been obtained
Editor, Australia from sources believed to be reliable. CBS Interactive Inc.
Chris Duckett
disclaims all warranties as to the accuracy, completeness,
Senior Features Editor or adequacy of such information. CBS Interactive Inc. shall
Jody Gilbert have no liability for errors, omissions, or inadequacies in
Senior Writer the information contained herein or for the interpretations
Teena Maddox thereof. The reader assumes sole responsibility for the
selection of these materials to achieve its intended results.
Chief Reporter
Nick Heath The opinions expressed herein are subject to change
without notice.
Staff Writer
Macy Bayern

Associate Editor
Melanie Wachsman
Copyright ©2019 by CBS Interactive Inc. All rights reserved. TechRepublic
Multimedia Producer and its logo are trademarks of CBS Interactive Inc. ZDNet and its logo are
trademarks of CBS Interactive Inc. All other product names or services
Derek Poore identified throughout this article are trademarks or registered trademarks of
their respective companies.
Cover Image
iStock/nantonov