Discovering innovations that matter since 2002

Browser security | Photo source Shutterstock

Tech Explained: Encryption

Updates

This Tech Explained focuses on encryption - explore the workings behind how your data is encoded and protected when you are online.

At Springwise, we have seen an increasing interest in online security with innovations such as a personal data agent and home router encryption. In fact, nearly every computing device we interact with uses some form of encryption technology. Without it, all of your data, including credit card numbers, PINs and passwords, would be visible to almost everyone. So what is encryption, and how does it work?

Encryption starts by using an algorithm to turn normal text data into seemingly random characters. These random characters can only be read using a special key which can decrypt the code. The two most common encryption methods are asymmetric, or public key encryption, and symmetric, or private key encryption. These methods differ primarily in how they handle the steps between encryption and decryption.

In symmetric-key encryption, both computers use the same private key for encryption and decryption. These keys can be thought of as a secret that is shared between the two computers. However, the need for both parties to have access to the same secret key is one of the main drawbacks of symmetric key encryption. Asymmetric encryption solves this problem by using a combination of keys – one public and one private. The keys generate very large numbers that are paired together but are not identical (this is why this type of encryption is called asymmetric). One key in the pair (the public key) can be shared with everyone. The other key in the pair (the private key) is kept secret.

The most common algorithm used for creating the keys is called RSA. In calculating the keys, RSA relies on multiplying together very large prime numbers. The security of this system derives from the fact that it takes very little computing power to multiply two large primes, but it takes a great deal of computing power to find the original two numbers if all you have is the total. Individual hackers do not have the computing power necessary to find them without the private key.

An alternative algorithm that is growing in popularity uses a very complicated mathematical principle called Elliptic Curve Theory. The math involved is too complex for the scope of this article, but elliptic curves have several interesting properties that allow the creation of faster, smaller and more efficient cryptographic keys than RSA. This allows the same security to be delivered while using less computing, and battery, power.

In order for asymmetric encryption to be used on a large scale, as with web servers, one more step is needed – a digital certificate. This is a unique piece of code that guarantees that the web server can be trusted. The certificate works in a similar way to an ID card or passport. It is issued by an independent party, known as a certificate authority. The certificate authority acts as a middleman who guarantees that both parties are trustworthy. It confirms that each computer is in fact what it says it is, and then provides each computer with the public keys of the other computer. There are other types of public key authentication. For example, the Pretty Good Privacy (PGP) model relies on a form of decentralised authentication called a ‘web of trust’.

The most common methods, or protocols, for delivering asymmetric security are the Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These protocols are used whenever a browser attempts to connect to a secure website. The browser first requests that the web server identify itself. The server then sends the browser a copy of its certificate and the public key. Once the browser confirms that the certificate is genuine, it uses the public key to encrypt a randomly selected private key and sends it to the server. The computer and server can then communicate using the private key. Once the session is finished, each computer discards the private key used for that session.

In your browser, you can tell when you are using a secure protocol in a couple of different ways. First, you should notice that the ‘http’ in the address line is replaced with ‘https’. You should also see a small padlock in the status bar at the bottom of the browser window. To see the certificate and the issuing authority, simply click on the padlock in your browser window.