## What Is Encryption, and How Does It Work?

Encryption has a long history dating back to when the ancient Greeks and Romans sent secret messages by substituting letters only decipherable with a secret key. Join us for a quick history lesson and learn more about how encryption works.

In today’s edition of HTG Explains, we’ll give you a brief history of encryption, how it works, and some examples of different types of encryption—make sure you also check out the previous edition, where we explained why so many geeks hate Internet Explorer.

Image by xkcd, obviously.

### The Early Days of Encryption

The ancient Greeks used a tool called a Scytale to help encrypt their messages more quickly using a transposition cipher—they would simply wrap the strip of parchment around the cylinder, write out the message, and then when unwound wouldn’t make sense.

This encryption method could be fairly easily broken, of course, but it’s one of the first examples of encryption actually being used in the real world.

Julius Caesar used a somewhat similar method during his time by shifting each letter of the alphabet to the right or left by a number of positions—an encryption technique known as Caesar’s cipher. For instance, using the example cipher below you’d write “GEEK” as “JHHN”.

```Plain:  ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC```

Since only the intended recipient of the message knew the cipher, it would be difficult for the next person to decode the message, which would appear as gibberish, but the person that had the cipher could easily decode and read it.

Other simple encryption ciphers like the Polybius square used a polyalphabetic cipher that listed each letter with the corresponding numeric positions across the top and side to tell where the position of the letter was.

Using a table like the one above you would write the letter “G” as “23”, or “GEEK” as “23 31 31 43”.

Enigma Machine

During World War II, the Germans used the Enigma machine to pass encrypted transmissions back and forth, which took years before the Polish were able to crack the messages, and give the solution to the Allied forces, which was instrumental to their victory.

### The History of Modern Encryption

Lets face it: modern encryption techniques can be an extremely boring subject, so instead of just explaining them with words, we’ve put together a comic strip that talks about the history of encryption, inspired by Jeff Moser’s stick figure guide to AESNote: clearly we cannot convey everything about encryption’s history in a comic strip.

Back in those days, people do not have a good encryption method to secure their electronic communication.

Lucifer was the name given to several of the earliest civilian block ciphers, developed by Horst Feistel and his colleagues at IBM.

The Data Encryption Standard (DES) is a block cipher (a form of shared secret encryption) that was selected by the National Bureau of Standards as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use internationally.

Concerns about security and the relatively slow operation of DES in software motivated researchers to propose a variety of alternative block cipher designs, which started to appear in the late 1980s and early 1990s: examples include RC5, Blowfish, IDEA, NewDES, SAFER, CAST5 and FEAL

The Rijndael encryption algorithm was adopted by the US Government as standard symmetric-key encryption, or Advanced Encryption Standard (AES). AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable encryption algorithm.

### Encryption Algorithm Performance

Many encryption algorithms exist, and they are all suited to different purposes—the two main characteristics that identify and differentiate one encryption algorithm from another are its ability to secure the protected data against attacks and its speed and efficiency in doing so.

As a good example of the speed difference between different types of encryption, you can use the benchmarking utility built into TrueCrypt’s volume creation wizard—as you can see, AES is by far the fastest type of strong encryption.

There are both slower and faster encryption methods, and they are all suited for different purposes. If you’re simply trying to decrypt a tiny piece of data every so often, you can afford to use the strongest possible encryption, or even encrypt it twice with different types of encryption. If you require speed, you’d probably want to go with AES.

For more on benchmarking different types of encryption, check out a report from Washington University of St. Louis, where they did a ton of testing on different routines, and explained it all in a very geeky write-up.

### Types of Modern Encryption

All the fancy encryption algorithm that we have talked about earlier are mostly used for two different types of encryption:

• Symmetric key algorithms use related or identical encryption keys for both encryption and decryption.
• Asymmetric key algorithms use different keys for encryption and decryption—this is usually referred to as Public-key Cryptography.

#### Symmetric key encryption

To explain this concept, we’ll use the postal service metaphor described in Wikipedia to understand how symmetric key algorithms works.

Alice puts her secret message in a box, and locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alice’s key (which he has somehow obtained previously, maybe by a face-to-face meeting) to open the box, and read the message. Bob can then use the same padlock to send his secret reply.

Symmetric-key algorithms can be divided into stream ciphers and block ciphers—stream ciphers encrypt the bits of the message one at a time, and block ciphers take a number of bits, often in blocks of 64 bits at a time, and encrypt them as a single unit. There’s a lot of different algorithms you can choose from—the more popular and well-respected symmetric algorithms include Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, RC4, TDES, and IDEA.

#### Asymmetric Encryption

In an asymmetric key system, Bob and Alice have separate padlocks, instead of the single padlock with multiple keys from the symmetric example. Note: this is, of course, a greatly oversimplified example of how it really works, which is much more complicated, but you’ll get the general idea.

First, Alice asks Bob to send his open padlock to her through regular mail, keeping his key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alice’s open padlock to lock the box before sending it back to her.

The critical advantage in an asymmetric key system is that Bob and Alice never need to send a copy of their keys to each other. This prevents a third party (perhaps, in the example, a corrupt postal worker) from copying a key while it is in transit, allowing said third party to spy on all future messages sent between Alice and Bob. In addition, if Bob were careless and allowed someone else to copy his key, Alice’s messages to Bob would be compromised, but Alice’s messages to other people would remain secret, since the other people would be providing different padlocks for Alice to use.

Asymmetric encryption uses different keys for encryption and decryption. The message recipient creates a private key and a public key. The public key is distributed among the message senders and they use the public key to encrypt the message. The recipient uses their private key any encrypted messages that have been encrypted using the recipient’s public key.

There’s one major benefit to doing encryption this way compare to symmetric encryption. We never need to send anything secret (like our encryption key or password) over an insecure channel. Your public key goes out to the world—it’s not secret and it doesn’t need to be. Your private key can stay snug and cozy on your personal computer, where you generated it—it never has to be e-mailed anywhere, or read by attackers.

### How Encryption Secures Communication on the Web

For many years, the SSL (Secure Sockets Layer) protocol has been securing web transactions using encryption between your web browser and a web server, protecting you from anybody that might be snooping on the network in the middle.

SSL itself is conceptually quite simple. It begins when the browser requests a secure page (usually https://)

The web server sends its public key with its certificate.

The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.

The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.

The web server decrypts the symmetric encryption key using its private key and uses the browser’s symmetric key to decrypt its URL and http data.

The web server sends back the requested html document and http data encrypted with the browser’s symmetric key. The browser decrypts the http data and html document using the symmetric key and displays the information.

And now you can securely buy that eBay item you really didn’t need.

### Did You Learn Anything?

If you made it this far, we’re at the end of our long journey to understanding encryption and a little bit of how it works—starting from the early days of encryption with the Greeks and Romans, the rise of Lucifer, and finally how SSL uses asymmetric and symmetric encryption to help you buy that fluffy pink bunny on eBay.

We’re big fans of encryption here at How-To Geek, and we’ve covered a lot of different ways to do things like:

Of course encryption is far too complicated a topic to really explain everything. Did we miss something important? Feel free to lay some knowledge on your fellow readers in the comments.

Zainul spends his time trying to make technology more productive, whether it’s Microsoft Office applications, or learning to use web applications to save time.

• Published 11/5/10

1. Abhishek K. Pandey

Nice comic way.

2. rino

nice article. with the advent of firesheep, i hope everyone on the Net will start using https most especially those who post personal details on social networks.

3. Jordan CP3

Thanks for sharing your great website with us. i am really love it. Welcome to visit our website at anytime too.

4. Hatryst

I always wanted to understand encryption this way :D

5. asdf-chan

@rino
– i hope everyone on the Net will start using https most especially those who post personal details on social networks. –

I guess you didn’t understand the concept of SSL/TLS.

As an example: If htg had SSL-encryption that would mean, that if you send data frome your computer/browser to this website, by posting something or writing a private message, the text will be transefered encrypted. The actuall post is not stored encrypted.

And to get things right. Social networks are not different from that. Hiding your Facebook account (Myspace, etc) has nothing to do with encryption. The requests (from your computer/browser) and/or responds (from the server) is encrypted. Meaning that if i want to sniff your networktraffic i could capture each package and analyze the plain text, which is easy because it’s just a human language I must undestand. If the text is encrypted i am pretty much f**cked and my evil plan using your creditcardnumber is useless, because i can’t read the text that is transfered.

Also there are different types of usage for SSL.

6. mark

You have the funniest nerd comics I’ve ever seen. I never laugh out loud at my computer but that was damn funny. Liked the Sudo comic too.

7. Ugo

thanks for this. I (personally) didn’t understand Asymmetric Encryption though, could there be a way to make it simpler – how logically could I use somebody’s information (open padlock) to encrypt data – when is the data exchanged and could somebody intercept the “open padlock” transmission prior to the sending and use it to decrypt?
Also (please note – to me, a beginner) it’s not clear the relationship between a public and a private key. If it’s a public one, why would there be any key at all? And if I use a public code to encrypt, why would somebody need a private to decrypt? I’m sure it’s really complicated, thanks for your efforts

8. asdf-chan

@Ugo
Read this to understand the public and private key method. One of the best explanation i ever read.

http://www.gpg4win.org/doc/en/gpg4win-compendium.html

9. Davide

for Ugo

think the Public Key as a Public Box, you can give the Public Box to anyone, for example to me :)
I can put a “secret” message in the Public Box, close it.. and than send back to you.
You are the only one can open this box, with your private key, I can not even open the box has been closed (cripted).

bye

10. Humberto

Nice post ! :)

11. enigmAZ

thank you for this R.I.A.rticle

12. Sai Kishore K.

@Ugo (& Others who want a clear understanding of the Public/Asymmetric Key Cryptography):

I hope the following explanation on Public/Asymmetric Key Cryptography will make things clear for you. I’m going to do this in a metaphorical way. It’s gonna be this way:

Sweets >> The data that you want to send securely
A Key >> The Encryption Algorithm being used

First let us consider the case of Private/Symmetric Key Cryptography:

Suppose that someone wants you to send some sweets. You may get them in two ways. The first way, the person will lock sweets in a box with a key and send them to you through a normal courier and the key through a secure courier, or the key might have been already delivered to the concerned person, as in, in a face-face meeting maybe. If someone can intercept the secure channel or might have eavesdrop on your face-face conversation that you had, have an access to the key, though a hard thing to do, it can be done. Now that someone, with the access to this key, can easily have the sweets.

Now let us see what’s so special when it comes to Public/Asymmetric Key Cryptography:

In this method, the problem is the same, ‘someone’ still wants to send you some sweets. You can be a real smart ass and design two sorts of keys. One, a Private Key or the Master Key, which will only be one in number and will stay only with you and then the other, a Public Key which will be many in number and which you will leave at any place you want. Anywhere and maybe, Everywhere ;). Now, the person who wants to send sweets can lock the box of sweets with your public key that he might have picked up from some random place where you might have left your public key earlier, or he may have the Public Key from you, in a face-face conversation. Here there’s no problem if an undesired person gets an access to your Public Key, because once the box is locked with your Public Key, it can be only opened by your Private Key, i.e., your Master Key. The undesired person, even if he gets the box of sweets (The data), useless, he can’t open it. So he is less bothered to steal (technically, a copy of) the box of sweets.

The above explanation is an edit of the explanation that I once sent to a friend of mine. It might be informal somewhere, pardon me for it. :)

13. Chirag

Thanks Kishore and Davide For you Simplified explanation :D

14. Camilo Martin

Awesome article!

15. Ugo

@Sai Kishore K. / Davide / asdf-chan

Take the two boxes example – very clear: I send sweets in a locked box.

Symmetric – I take a locked box, that can be opened only by somebody that has a key – this is very understandable. I should be careful who I give my key to.

Asymmetric – Inside a locked box like above, I put a second box, a private key one that can be opened only with my RECIPIENT private key. So, if anybody gets a public key, no problem, he can open the first box but won’t have a private key to open the second one.
And even if he stole my recipient’s private key, he would be able to see my sweets to him, but not my other sweets I’m sending to other people or people’s sweets for me.

The thing I don’t get is more on a “logical” level: if I don’t know his private key, HOW CAN I SHAPE A LOCK for him? There must be some data exchange BEFORE I encrypt/lock the inner box. Otherwise, if I would do the same operation for every recipient, everyone should have the same private key to open..

I hope my doubts are clearer (!) and thanks! ;)

16. asdf-chan

Look at it more abstract. Like if you have cake that is split in two pieces, every half is a piece but together those pieces are one cake

17. pg

A primer on encryption “in the cloud”, e.g. hushmail, threetags, etc., could be useful.

18. asdf-chan

@pg

No. What you mean are services that claim to be secure. It’s not related to the functioning of encryption itself.

Both services are now days easy to make yourself. Renting server, installing OS, installing mail-software, installing ssh. Done

19. Sai Kishore K.

@Ugo:

The thing is you don’t design any lock as you have said. The intended recipient, the person you want to send the message to, has designed the lock. The Public Key and Private Key are both his creations. Public Key every one knows about it, anyone can get hold of it, but the private key is only with that one person.

I hope the following elucidation, will make it completely clear for you.

Think the public key of the recipient as of a click pad-lock, where you don’t need a key to lock it. You just click the lock, and boom it’s locked. But to open it, you need a key, think of this as the private key, which only the recipient has.

In asymmetric cryptography, it’s like the recipient, the one who wants to receive boxes of sweets (data from others) distributes his similar looking click pad-locks (many copies of his public key) to anyone who wants them (to anyone who wants to send him an encrypted message) and once when those people who want to send him the boxes of sweets (data), lock the boxes with those click pad-locks, they can only be opened by one key (the private key), that’s with the person who was distributing the (copies of his public key) click-pad locks (i.e., The recipient of the message.)

20. Sai Kishore K.

@Ugo:

And hey, in Asymmetric Cryptography, they don’t have two boxes.. only one box.. and inside sweets that’s all. Hope you have understood this by now, by reading the above comment :)

### More Articles You Might Like

• Get exclusive articles before everybody else.