With the near 99% Remote Workforce now becoming a reality for the long haul, Corporate America has learned some harsh lessons about Cybersecurity during the COVID-19 pandemic. One lesson is the need for encryption, especially when employees are transmitting confidential information and data back and forth from their remote devices. This is the focal point of this article.
What Is Encryption?
A technical definition of encryption is as follows:
“It is a way of translating data from plaintext (unencrypted) to ciphertext (encrypted). Users can access encrypted data with an encryption key and decrypted data with a decryption key.” (Source 1)
There are a number of key terms in this definition. Whenever you type a message that can be easily interpreted without any additional effort, this is known as the “Plaintext.” A typical example of this might be an Email message you have just written, or even the text that you have sent over in the chat window in a video conferencing tool.
Obviously, there is no protection with this, so if a message were to be intercepted by a malicious third party, they could create all kinds of havoc with it. To protect this message, it must be encrypted. This simply means that the content must be scrambled so it is rendered useless if intercepted. This is where the process of encryption comes into play. Once the message is translated into a garbled format (via an encryption key), it has become “encrypted,” and this undecipherable state is now known as the “ciphertext.”
Once the message has been transmitted, there is now some guarantee that it will be safe while in transit. But once it reaches its destination, it must somehow be translated back into its decipherable format so that the end user can make sense of it. In order for this to happen, the recipient must have the appropriate key to unlock the message and unscramble it back to its normal state. This is done with what is known as the decryption key.
The Types of Encryption Keys
When encrypting the message in the first instance, a Private Key can be used. This same key can be used to decrypt it as well. However, the main problem with this approach is that if another entity intercepts this particular key, they can unscramble the message even before it reaches its intended destination.
To prevent this situation from happening, a second type of key, known as the Public Key, can be used. Although this key can be known to the outside world, it is typically used by the sending party to encrypt the message. Once this message has been transmitted to the receiving end, the recipient can use the Private Key to decrypt it. The advantage of this approach versus using the Private Key alone is that the Private Key is known only to the end user, so there should be no interception of it by a third party.
The Two Types of Encryption Models
It should be noted that in the world of encryption, there are two primary models:
- Asymmetric Cryptography: This is the kind of infrastructure that makes use of the two keys, the Public and the Private. It is important to keep in mind that this model is not limited to a single key pair: there could be hundreds or even thousands of these key pairs in use. A lot depends upon the application that it is being used for. For example, a small business may only make use of two or three pairs of keys, whereas a much larger organization could be using many more of them. For this kind of encryption model, it is the Public Key Infrastructure (also known as the “PKI”) that is used most often. In this kind of setup, there are central points that manage the issuance and distribution of the Public and Private Key pairs, in order to maintain efficiency and a seamless flow of operations.
- Symmetric Cryptography: In this type of infrastructure, only one key is used, which is typically the Private Key. Given the security weaknesses of this model, it is rarely used by itself. If it is used at all, it is used in a hybrid approach, in which it is actually a subset of the Asymmetric Cryptography Infrastructure, so that some degree of security can be ensured.
The Functionalities of Encryption
A good encryption key must meet the following standards:
- Confidentiality: This provides assurances that only the intended recipient can decrypt and unscramble the message that has been sent to them from the sending party.
- Integrity: This guarantees that the message, while in transit, has indeed remained intact, with no covert alterations made to it by a malicious third party.
- Authentication: With this, the end user (also the receiving party) can be guaranteed that the message sent to them was from a legitimate source that can be easily verified. This is especially useful when confirming the point of origination of an Email message, if there is any suspicion that it could be Phishing-based.
- Non-Repudiation: Once a message has been transmitted by the sending party, they cannot deny sending it, because of the audit trail that has been created.
Typical Examples of Encryption
Encryption can also be used to protect the three different states of data, which are as follows:
- Data At Rest: This is the state where data is being stored and is not being used or accessed by anybody. A typical example of this is the records stored in a database. Although this data is in a dormant state, it is still very important to encrypt it, as it is a huge target for Cyberattackers.
- Data In Transit: This is data that is in motion from the point of origination to the point of destination. This is the most common scenario that comes to mind when people think about encryption.
- Data In Use: This is data that is being processed and analyzed. Many companies today outsource this part of their business function to external third parties, so the need to encrypt the data involved here becomes of paramount importance at all levels.
A future article will provide a technical deep dive into some of the encryption algorithms that are being used today.
Sources:
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.
Visit his website at mltechnologies.io