You’ve probably seen the term “encryption” used around the internet. So what is it? It might be the most important technology we have. Most digital security measures, everything from safe browsing to secure email, depend on it. Without encryption, we’d have no privacy.

## What Is Encryption?

If you write down something that is important, private, or sensitive, you might worry that someone else is going to read it. If you need to give it to a messenger to take to another person, the risk of the wrong people reading that message increases. Encryption changes the composition of a message or data so that only people who know how to return it to its original form can read it. To anyone else, it’ll appear as gibberish or a meaningless collection of characters and symbols.

### The Scytale

Since the earliest times, people have used different techniques to prevent anyone but the intended recipient from reading private messages. The ancient Greeks would wrap a strip of parchment in a tight spiral around a wooden rod called a scytale. They wrote their message along the length of the rod, over the wrapped parchment.

Uncoiled, the writing on the parchment made no sense. A messenger would deliver the parchment to the recipient who would read the message in private having first wrapped it around their own, matching, scytale. This is a form of transposition cipher.

It’s a primitive technique, but it has elements that you’ll find in modern encryption systems. Both the sender and the recipient must know in advance what the encryption scheme is, and how to use it. And they both need matching mechanisms to do so.

### The Polybius Square

Another method used by the ancient Greeks used a Polybius square. This was a five-by-five or six-by-six grid of letters. A letter was referenced by its coordinates, like the game battleships. The first letter in the first row was coded as “11”, the fourth letter on the second row would be written as “42”, and so on.

Of course, there are many ways to fill the grid with letters. Unless you know the layout of the letters, decryption is difficult. This lets you set up a scheme with multiple squares with different layouts. You could create seven squares and use a different square for each day of the week, for example. Schemes that use multiple alphabets are called polyalphabetic ciphers.

A Polybius square is a form of code. A code substitutes other characters for letters, in this example, digits. Ciphers replace letters with other letters.
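The scheme described above, with one differently laid-out square per day, can be sketched in Python. This is an added example, not code from the original article; the keywords and day names are constructed, and it assumes the Latin-alphabet convention of letting I and J share a cell in a five-by-five grid.

```python
import string

def build_square(keyword=""):
    """Return a 25-letter layout: keyword letters first, then the rest of the
    alphabet. I and J share a cell so that 26 letters fit a 5x5 grid."""
    seen = []
    for ch in (keyword + string.ascii_uppercase).upper().replace("J", "I"):
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return "".join(seen)

def encode(plaintext, square):
    """Replace each letter with its column digit then row digit, matching the
    article's "42" for the fourth letter on the second row."""
    pairs = []
    for ch in plaintext.upper().replace("J", "I"):
        if ch in square:  # spaces and punctuation are dropped
            row, col = divmod(square.index(ch), 5)
            pairs.append(f"{col + 1}{row + 1}")
    return " ".join(pairs)

def decode(code, square):
    """Look each column/row pair back up in the same square."""
    return "".join(square[(int(p[1]) - 1) * 5 + int(p[0]) - 1]
                   for p in code.split())

# Constructed keywords: a different layout for each day (three shown).
DAILY_SQUARES = {day: build_square(key) for day, key in
                 [("Mon", "ZEBRA"), ("Tue", "OLYMPUS"), ("Wed", "")]}

if __name__ == "__main__":
    for day, square in DAILY_SQUARES.items():
        code = encode("GEEK", square)
        print(day, code, decode(code, square))
```

The same word produces a different digit string under each layout, and decoding only works with the square that was used to encode.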

### Caesar’s Cipher

Julius Caesar gave his name to Caesar’s Cipher. This uses an offset—or “rotation”—to select a letter a set distance from the letter you’re enciphering. If you were using an offset of two, “A” would be written as “C”, and “D” would be written as “F.” The recipient has to know the correct offset to use to decipher the message by subtracting the offset from the letters they’ve received.

A Caesar’s Cipher with an offset of 13—known as “rotation 13” or ROT13—possesses a special quality. There are 26 letters in the standard English alphabet, and 13 divides into 26 exactly twice. With this offset, to decipher something you can put it through the enciphering process again. Enciphering twice returns you to the original text.

```
Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ
ROT13: NOPQRSTUVWXYZABCDEFGHIJKLM
```

If you pick out the letters “GEEK” in the top alphabet and note the matching letters in the lower alphabet, you’ll get “TRRX”. If you do that again with “TRRX” in the top alphabet you’ll get the letters “GEEK” from the bottom alphabet.

In programming terms, this simplifies matters because you only need to write an enciphering routine. There’s no need for a deciphering routine. This is why writing a ROT13 implementation is a common exercise for people learning to program. ROT13 is also commonly held up as an example of very poor, low-grade encryption.

You can try it yourself with this online ROT13 engine. Try entering “Alaska Nynfxn” then putting the output back in as the input.

### So, What is Encryption?

All of the examples we’ve covered here are easy to crack, but they do illustrate a common element that is shared amongst them all, and amongst all forms of encryption. There’s a set of rules to follow to convert your original data, called the “plaintext”, into the enciphered version, known as the ciphertext. That set of rules is an algorithm. And that’s what encryption is.

It’s algorithms for privacy.

## How Does Encryption Work?

Just like the person in ancient Greece, a person in the digital age who wishes to store or send private data faces challenges. What can you do to prevent unauthorized people from accessing the data? And what can be done to make it secure?

All of the old systems could be overcome with knowledge of the encryption system. Use the same diameter rod and the scytale message becomes readable. Caesar’s Cipher can be broken by trying different offsets on the first part of the message. You only have 25 to try, at the most.

Polybius squares pose more of a challenge because the layout of the letters within the square is unpredictable. If you know what the layout of the square is, it isn’t even a challenge. If you have no idea of the layout of the square you can try to decipher the message by studying the ciphertext itself. That’s called cryptanalysis.

With a simple cipher, you can use aids like letter frequency tables to work out which ciphertext letter represents which plaintext letter. A secure encryption scheme needs to be secure no matter who knows about the mechanics of the scheme, and the ciphertext must withstand cryptanalysis attacks.

### Not Characters, Bits

Robust digital schemes don’t work on letters and characters one at a time as serial ciphers do. They work through the data a chunk at a time and are called block ciphers.

They manipulate the bits—all those ones and zeroes—inside each block according to the rules of complicated mathematical transforms embedded inside the encryption algorithms. If an algorithm uses a block size of 128 bits it’ll work its way through the data in chunks of 128 bits. If the last chunk to be processed is smaller than 128 bits, it is padded to 128 bits.
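The chunking and padding step can be made concrete in Python. This is an added example, not code from the original article; PKCS#7 is a padding scheme chosen for the illustration (the article does not name one), and the sample message is constructed. No encryption is performed here, only the preparation of 128-bit blocks.

```python
BLOCK_SIZE = 16  # 128 bits, the block size used as the example in the text

def pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """PKCS#7: append N bytes, each of value N, to reach a block boundary.
    Aligned data still gets a full block of padding, so the padding can
    always be removed unambiguously."""
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n

def unpad(padded: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Validate and strip PKCS#7 padding; reject anything malformed."""
    if not padded or len(padded) % block_size:
        raise ValueError("length is not a multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block_size or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]

def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Pad, then cut into the fixed-size chunks a block cipher would process."""
    padded = pad(data, block_size)
    return [padded[i:i + block_size] for i in range(0, len(padded), block_size)]

# Constructed 29-byte message: one full block plus a 13-byte remainder.
SAMPLE = b"Deliver the parchment at dawn"

if __name__ == "__main__":
    for block in split_blocks(SAMPLE):
        print(len(block) * 8, "bits:", block)
```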

There are many block encryption schemes available. The Advanced Encryption Standard (AES) is the official encryption standard of the U.S. government. Different encryption schemes use different algorithms and different block lengths and make use of different combinations of mathematical transforms.

That all sounds very thorough, but how do we prevent an unauthorized person from using the same encryption scheme to decrypt our encrypted data?

### Hash Strings

We’ll look at a special case first. It’s possible to encrypt data using a one-way transform. This is the very antithesis of ROT13 because the resulting ciphertext cannot be reverted to plaintext. More accurately, it can’t be decrypted within a practical timeframe. This type of encryption is used in hashing functions where a string of plaintext is hashed into a string of ciphertext, called the hash or hash string. All of the hash strings are the same length.

Hashing lets a website authenticate users without having to store their passwords in an exposed form. If they get hacked, none of the passwords are compromised. Hashing techniques may also add unique, random data called a salt to the passwords before they are hashed. This means all hashes are unique even if two or more users happen to have chosen the same password.
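The effect of a salt is easiest to see with an unsalted hash beside a salted one. This is an added example, not code from the original article; it uses PBKDF2-HMAC-SHA256 from Python's standard library as one suitable password-hashing function, and the iteration count and sample passwords are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as far as your hardware allows

def unsalted_hash(password):
    """Weak form: identical passwords always produce identical hash strings."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated per password
    unless one is supplied, as happens when verifying a login."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected_digest):
    """Re-hash the login attempt with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)

if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    print(unsalted_hash("correct horse") == unsalted_hash("correct horse"))  # same
    salt_a, stored_a = hash_password("correct horse")
    salt_b, stored_b = hash_password("correct horse")
    print(stored_a == stored_b)                                   # different
    print(verify_password("correct horse", salt_a, stored_a))     # login succeeds
    print(verify_password("wrong guess", salt_a, stored_a))       # login fails
```

The site stores only the salt and the digest for each user; the password itself is never written down.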

### Encrypted Hard Drives

To prevent unauthorized people from decrypting data, a key is used that identifies who encrypted it and who can decrypt it. A key is a long sequence of bytes generated by a complex algorithm. Keys typically range in size from 128 bytes to 2048 bytes or more. The key is used by the encryption algorithm when it is encrypting the plaintext. The key size is independent of the block size.

To protect locally stored data, entire hard drives can be encrypted. The encryption is tied to the login identity of the user and the key is generated automatically and applied automatically. The user doesn’t have any direct interaction with the key, and the key never needs to be sent to anyone else.

Because the key is tied to the login identity of the user, removing the hard drive from the computer and connecting it to another computer will not allow access to the data. This type of protection safeguards data that is static or “at rest.”

If your data must be transmitted you need to consider how you will safeguard your data “in transit.”

### Secure Websites

When you connect to a website and see a padlock symbol in the address bar, you know you’re connected to a website that is secure, right? Well, sort of. What it actually means is that the connection between your computer and the website is encrypted using SSL/TLS encryption.

That’s a good thing, but it doesn’t verify the security of the rest of the website. The website might be storing passwords in plaintext and using a default admin password on the database. But at least if you see the padlock, you know your communication with the website is encrypted.

This encryption is possible because your browser and the website use the same encryption scheme with multiple keys. At the start of a connection session your browser and the website exchange public keys. A public key can decrypt something that has been encrypted using a private key.

Your browser and the website exchange their public keys and then encrypt using their private keys. Because each end of the connection has the other end’s public key, each end can decrypt the information they receive from the other end. The private keys need never be exposed.

Releasing a public key is safe. A public key cannot be used to fraudulently encrypt data. So although you receive a copy of a website’s public key, you can’t impersonate the genuine website because you don’t have the private key. This raises the question of authenticity. How do you know the website is the genuine owner of the public and private key pair, and not a copycat site that somehow stole both keys from the genuine website?

Certificates are used to verify the identity of websites. These are issued by Certification Authorities once they have verified the identity of the applicant. The website sends the certificate as part of the handshake at the start of a connection session so that the web browser can validate the certificate.

It does this by contacting the Certificate Authority and decrypting some information on the certificate. This requires yet more keys. Your browser has public keys of major Certificate Authorities as part of its installation bundle. And there are yet more keys involved. As well as exchanging public keys, your browser and the website create unique session keys to further secure their communications.

Once your browser has verified the authenticity of the site and the strength of the encryption, it places the padlock in the address bar.

### Secure Email

The concept of public and private keys crops up again and again in encryption. A common method of securing emails in transit uses pairs of public and private keys. Public keys can be exchanged safely; private keys are not shared. Messages are encrypted using the sender’s private key. The recipient can use the sender’s public key to decrypt and read it. They can use their own private key to encrypt a reply.

OpenPGP is a well-known encryption scheme that follows this model, with a twist.

The sender’s email client generates a random key. This is used to encrypt the email message. The random key is then encrypted with the recipient’s public key. The encrypted message and the encrypted random key are sent to the recipient. The recipient’s email program uses their private key to decrypt the random key which is then used to decrypt the message.

The purpose of the extra step is to allow an email to be sent securely to multiple recipients. Your email client doesn’t need to encrypt the entire email separately for every recipient, just the random key.

Of course, secure email systems also face the question of authenticity. You have to trust the public key that has been sent to you. Keys are tied to email addresses. Having the public key sent to you from the email address you’ll be conversing with is a good first step. Most email clients can show the email address associated with a public key.

Another method of checking the authenticity of a public key is to obtain it from a repository. The public keys uploaded to repositories are verified by the repository before they’re made public.

### Encryption Underpins Our Digital Lives

At least, encryption underpins our digital lives if we’re doing it right. Avoid unsecured remote connections of any type (whether remote working or buying online), use email clients capable of encrypting private messages, and use messenger apps with end-to-end encryption.

Lbhe cevinpl vf vzcbegnag, hfr gur nccebcevngr gbbyf gb fnsrthneq vg. As Caesar might have said.

Dave McKay
Dave McKay first used computers when punched paper tape was in vogue, and he has been programming ever since. After over 30 years in the IT industry, he is now a full-time technology journalist. During his career, he has worked as a freelance programmer, manager of an international software development team, an IT services project manager, and, most recently, as a Data Protection Officer. His writing has been published by howtogeek.com, cloudsavvyit.com, itenterpriser.com, and opensource.com. Dave is a Linux evangelist and open source advocate.