A Definition of Data Encryption
Data encryption translates data into another form, or code, so that only people with access to a
secret key (formally called a decryption key) or password can read it. Encrypted data
is commonly referred to as ciphertext, while unencrypted data is called plaintext. Currently,
encryption is one of the most popular and effective data security methods used by organizations.
Two main types of data encryption exist - asymmetric encryption, also known as public-key
encryption, and symmetric encryption.
Data encryption is a security method in which information is encoded so that it can only be accessed or
decrypted by a user with the correct encryption key. Encrypted data, also known as ciphertext, appears
scrambled or unreadable to any person or entity that accesses it without permission.
What is encryption?
Encryption is a way of scrambling data so that only authorized parties can understand the
information. In technical terms, it is the process of converting plaintext to ciphertext. In simpler
terms, encryption takes readable data and alters it so that it appears random. Encryption requires
the use of an encryption key: a set of mathematical values that both the sender and the recipient
of an encrypted message know.
Although encrypted data appears random, encryption proceeds in a logical, predictable way, so
that a party receiving the encrypted data and in possession of the key used to encrypt the data can
decrypt the data, turning it back into plaintext. Truly secure encryption will be complex enough
that a third party is highly unlikely to decrypt the ciphertext by brute force – in other words, by
guessing.
Data can be encrypted "at rest," when it is stored, or "in transit," while it is being transmitted
somewhere else.
In symmetric encryption, there is only one key, and all communicating parties use the same key
for encryption and decryption. In asymmetric, or public key, encryption, there are two keys: one
key is used for encryption, and a different key is used for decryption. Either key can be used for
either action, but data encrypted with the first key can only be decrypted with the second key,
and vice versa. One key is kept private, while one key is shared publicly, for anyone to use –
hence the "public key" name. Asymmetric encryption is a foundational technology for SSL
(TLS).
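The two schemes described above, as an added example that is not part of the original text, in Go using only the standard library: AES-256-GCM for symmetric encryption (one shared key encrypts and decrypts) and RSA-OAEP for asymmetric encryption (the public key encrypts, only the private key decrypts). The sample record, the key sizes and the function names are assumptions made for this illustration; the tamper check shows why an authenticated mode such as GCM is preferred for data at rest and in transit, a point the text leaves implicit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// symmetricSeal encrypts plaintext with AES-256-GCM under one shared key and
// returns nonce || ciphertext || tag. The same key is needed to decrypt.
func symmetricSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricOpen reverses symmetricSeal. GCM also checks the tag, so a wrong
// key or a modified message is rejected rather than decrypted into garbage.
func symmetricOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// asymmetricSeal encrypts to a recipient's public key with RSA-OAEP; only the
// matching private key can open the result, so the public key can be shared.
func asymmetricSeal(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// asymmetricOpen decrypts with the private key, which stays with its owner.
func asymmetricOpen(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, nil)
}

// roundTrip runs both schemes on a constructed record and reports the first
// property that fails: the right key recovers the plaintext, and a tampered
// GCM message is rejected instead of being accepted.
func roundTrip() error {
	record := []byte("card=4111-demo-0000;owner=example") // constructed sample
	key := make([]byte, 32)                                // 256-bit shared key
	if _, err := rand.Read(key); err != nil {
		return err
	}
	sealed, err := symmetricSeal(key, record)
	if err != nil {
		return err
	}
	if got, err := symmetricOpen(key, sealed); err != nil || !bytes.Equal(got, record) {
		return errors.New("symmetric round trip failed")
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := symmetricOpen(key, tampered); err == nil {
		return errors.New("tampered ciphertext was accepted")
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	wrapped, err := asymmetricSeal(&priv.PublicKey, record)
	if err != nil {
		return err
	}
	if got, err := asymmetricOpen(priv, wrapped); err != nil || !bytes.Equal(got, record) {
		return errors.New("asymmetric round trip failed")
	}
	return nil
}

func main() {
	fmt.Println("result:", roundTrip()) // prints "result: <nil>" when every check passes
}
```

In practice the two are combined: a fresh symmetric key encrypts the bulk data, and the public key of each recipient encrypts only that key, which is how TLS and most file-encryption tools avoid the size and speed limits of RSA.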
Why is data encryption necessary?
Privacy: Encryption ensures that no one can read communications or data at rest except the
intended recipient or proper data owner. This prevents cyber criminals, ad networks, Internet
service providers, and in some cases governments from intercepting and reading sensitive data.
Security: Encryption helps prevent data breaches, whether the data is in transit or at rest. If a corporate
device is lost or stolen and its hard drive is properly encrypted, the data on that device will likely
still be secure. Similarly, encrypted communications enable the communicating parties to
exchange sensitive data without leaking it. Encryption also helps prevent malicious
behavior such as man-in-the-middle attacks.
Authentication: Public key encryption, among other things, establishes that a website's origin
server owns the private key and therefore was legitimately issued an SSL certificate (see What is
public key encryption? to learn more).
Regulations: For all these reasons, many industry and government regulations require companies
that handle user data to keep that data encrypted. Examples of regulatory and compliance
standards that require encryption include HIPAA, PCI-DSS, and the GDPR.
Benefits of encryption
The primary purpose of encryption is to protect the confidentiality of digital data stored on
computer systems or transmitted via the internet or any other computer network. A number of
organizations and standards bodies either recommend or require sensitive data to be encrypted in
order to prevent unauthorized third parties or threat actors from accessing the data. For example,
the Payment Card Industry Data Security Standard (PCI DSS) requires merchants to encrypt
customers' payment card data when it is both stored at rest and transmitted across public
networks.
Modern encryption algorithms also play a vital role in the security assurance of IT systems and
communications as they can provide not only confidentiality, but also the following key elements
of security:
Protecting sensitive data both in transit and at rest is imperative for modern enterprises as
attackers find increasingly innovative ways to compromise systems and steal data.
When data collects in one place, it is called data at rest. For a hacker, this data at rest — data in
databases, file systems, and storage infrastructure — is probably much more attractive than the
individual data packets crossing the network. Data at rest in these environments tends to have a
logical structure, meaningful file names, or other clues, which betray that this location is where
the “money” is — that is, credit cards, intellectual property, personal information, healthcare
information, financial information, and so on.
Of course, even data “at rest” actually moves around. For a host of operational reasons, data is
replicated and manipulated in virtualized storage environments and frequently “rests” on
portable media. Backup tapes are transferred to off-site storage facilities and laptops are taken
home or on business trips, all of which increases risk. Regardless of whether the information has
actually been compromised, organizations can take no chances and must act on a potential
breach, which often results in significant cost and, in some cases, mandated public disclosure,
corporate embarrassment, and customer dissatisfaction.
Data Encryption in-transit
As the name implies, data in-transit should be seen much like a transmission stream: a good
example of data in-transit is a typical web page we receive from the internet whenever we
surf the web. Here’s what happens under the hood, in a nutshell:
1. We send an HTTP (or HTTPS) request to the server hosting the website we’re visiting.
2. The web server accepts our request, processes it by finding the (static or dynamic) content
we’ve asked for, then sends it to us as an HTTP (or HTTPS) response over a given TCP port
(usually 80 for HTTP and 443 for HTTPS).
3. Our client, usually a web browser such as Google Chrome, Firefox or Edge, receives the HTTP(S)
response, stores it in its internal cache and shows it to us.
As we can see, there clearly is a data transmission going on between the server and the client:
during that transmission, the requested data (the web page’s HTML code) becomes a flow that goes
through at least five different states:
Reasons to use it
Now, let’s take for granted that both the server and client have implemented a strong level of
data encryption at-rest: this means that the first and the fifth state are internally safe, because any
intrusion attempt would be made against encrypted data. However, the third state – where the
data is in-transit – might be encrypted or not, depending on the protocol the server and the client
are actually using to transmit the data.
Here’s what usually happens under the hood when the HTTP protocol is being used:
As we can see, the security issue is quite evident: when the web server processes the incoming
request and transparently decrypts the requested data, the channel used to transfer it to the web
client (HTTP) is not encrypted: therefore, any offending party that manages to successfully pull
off a suitable attack (see below) could have immediate access to our unencrypted data.
If you’re curious about which kinds of attacks can be used against an unencrypted TCP-based
transmission protocol such as HTTP, here are a couple of threats you should be aware of:
Eavesdropping: a network-layer attack that focuses on capturing packets transmitted by other
computers on the network and reading their data content in search of any type of
information.
Man-in-the-Middle: a tampering-based attack where the attacker secretly relays and/or alters
the communication between two parties to make them believe they are directly communicating
with each other.
Implementing proper encryption in-transit protocols to secure our critical data transfer endpoints
will help us prevent these kinds of threats.
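The in-transit problem described in this section, as an added example that is not code from the original article, in Go using only the standard library: a request carrying a session cookie is sent from a client to a server over an in-memory link, once in plaintext (the HTTP case) and once under TLS (the HTTPS case). A relay sits between the two endpoints and records every byte it carries in the client-to-server direction, which is exactly the vantage point of the passive eavesdropper the text describes. The host name demo.example, the self-signed certificate, and the request contents are constructed for this demo and stand for no real site.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// relay copies src to dst, keeping a copy of every byte in record, and closes
// dst when src ends. Reading eagerly also gives the link the buffering that
// net.Pipe lacks, so the TLS handshake cannot deadlock on it.
func relay(dst, src net.Conn, record *bytes.Buffer) {
	defer dst.Close()
	chunk := make([]byte, 64*1024)
	for {
		n, err := src.Read(chunk)
		if n > 0 {
			record.Write(chunk[:n])
			if _, werr := dst.Write(chunk[:n]); werr != nil {
				return
			}
		}
		if err != nil {
			return
		}
	}
}

// selfSignedCert builds an in-memory certificate for the constructed name
// demo.example and a pool that trusts it; no real CA or host is involved.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{"demo.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// sendOverLink sends msg from a client to a server across the observed link,
// with or without TLS, and returns what the server received together with
// what the observer recorded in the client-to-server direction.
func sendOverLink(msg []byte, useTLS bool) (received, observed []byte, err error) {
	clientRaw, clientPeer := net.Pipe()
	serverRaw, serverPeer := net.Pipe()
	var seen, back bytes.Buffer
	go relay(serverPeer, clientPeer, &seen) // client -> server, the observed direction
	go relay(clientPeer, serverPeer, &back) // server -> client
	var clientConn, serverConn net.Conn = clientRaw, serverRaw
	if useTLS {
		cert, pool, cerr := selfSignedCert()
		if cerr != nil {
			return nil, nil, cerr
		}
		serverConn = tls.Server(serverRaw, &tls.Config{Certificates: []tls.Certificate{cert}})
		clientConn = tls.Client(clientRaw, &tls.Config{RootCAs: pool, ServerName: "demo.example"})
	}
	done := make(chan []byte, 1)
	go func() { // the server reads until the client hangs up
		got, _ := io.ReadAll(serverConn)
		serverRaw.Close()
		done <- got
	}()
	if _, werr := clientConn.Write(msg); werr != nil {
		return nil, nil, werr
	}
	clientConn.Close()
	return <-done, seen.Bytes(), nil
}

func main() {
	req := []byte("GET /account HTTP/1.1\r\nCookie: session=demo-secret\r\n\r\n")
	_, plain, _ := sendOverLink(req, false)
	_, encrypted, err := sendOverLink(req, true)
	fmt.Println("cookie readable on the wire: http", bytes.Contains(plain, []byte("demo-secret")), "https", bytes.Contains(encrypted, []byte("demo-secret")), "tls err:", err)
}
```

Over the plaintext link the server and the observer see the same bytes, cookie included; over TLS the server still receives the identical request, while the observer sees only the handshake and encrypted records. Note that the handshake itself still reveals the requested server name in clear, so TLS protects the content of the exchange, not the fact that it took place.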