What is encryption? (A comprehensive guide)

Encryption is the front-line defense of our data security online. Whether we are browsing the web, sending personal emails, or sharing sensitive information, encryption makes our data unreadable by unauthorized third parties. But this hasn’t always been the case. What began as special cryptographic programs by governments has now become an integral part of the public internet. But what is encryption and how does it work?

This article will explain all the ins-and-outs of data encryption, its history, as well as the different types of encryption currently being used. Modern encryption protocols, whether provided between our browsers and a webservice or by a Virtual Private Network (VPN), are extremely secured, if not unbreakable. However, when it comes to online privacy, things are much more complicated.

With the rise of AI-powered data tracking and surveillance programs, encryption is not sufficient to protect our privacy. A VPN is an additional tool in our privacy arsenal. However, traditional and centralized VPNs can leave us vulnerable to data breaches, metadata tracking, and traffic analysis even if our data is encrypted. In light of this constant privacy threat, we need to carefully choose the best VPN provider to protect our privacy and security online. A reliable decentralized VPN (dVPN) service will not only double our encryption and obscure our IP addresses, but also inhibit the tracking of our metadata.

Read our article to discover more about encyption and data protection.

A brief history of encryption

Encryption for the general public on the web is both quite new and now relatively normalized. At the beginning, data encryption was exclusively a state security measure: keeping national or military secrets secure, and preventing enemies (real or potential) from accessing them. As the internet became a more publicly used resource in the 1990s, the language around and accessibility of encryption changed. The terms “security” or “privacy” have been rightfully extended to the general public. But this need to hide information is in fact quite old.

Ancient origins of cryptography

The practice of hiding messages, and further transforming them through cryptography, dates back to ancient civilizations. Herodotus tells of the general Histeaus who, looking to incite a revolt against the Persians, tattooed a secret message on the shaved scalp of one of his slaves to transport it to a commanding officer. As the slave’s hair grew back, the message was hidden and safe for travel. Technically this is what’s called “steganography” rather than encryption proper: the message is hidden but not itself transformed.

As early as 700–500 B.C.E., ciphers were developed to further encode sensitive information, such as military communications to generals at war or to protect trade secrets from competitors. One classic encryption technique was simple letter substitutions, for example, in which each letter of a coded message corresponds with its alphabetic counterpart (A=Z, B=Y, etc.). The cipher is simply the code or rule for translating. With time, these methods naturally became more and more complex. Sophisticated letter-substituting typing machines, based on many possible rotor configurations, were used centuries later by Nazi Germany to encode military messages, and the cracking of these “Enigma” machines played a significant role in the Allies winning the war.

We can thus say that encryption is as old as the moment when human language became political, and as new as language continues to become digital.

Encryption as modern security technology

Modern digital and computational cryptography was developed in the 1970s, largely through the research funding and initiatives of the U.S. government. RSA (Rivest–Shamir–Adleman) was one result of this work. These efforts were not exactly kept secret, since they involved academic researchers and tech companies like IBM working under government contracts. But the results were highly guarded and considered assets of national security. Cryptographic technology was even classified as a “munition” or weapon under U.S. law to restrict and prosecute its export during the Cold War.

Encryption as a public privacy resource

Through a series of court cases, public activism, and grassroots tech development, this legal classification in the U.S. was relaxed and encrypted messaging systems then began to spread internationally. The notion of digital privacy for everyone was thus born.

By the 2010s, most web services began providing at least AES (Advanced Encryption Standard) or similar protocols to ensure end-to-end encryption for clients. So today when you browse the web, send an email, or buy something online, your data is likely encrypted by default.

Unfortunately, this isn’t the end of the story for online privacy. During what’s known as the Crypto wars, governments fought to block online encryption becoming publicly accessible and widespread. Access to encrypted communication systems without backdoors continues to be an ongoing political struggle globally. But before we get there, let’s consider how encryption works from the ground up.

What is encryption?

Encryption is the transformation of data so that it is unreadable except by those with the cryptographic keys necessary to unlock it. Think of it first as putting your sensitive information in an impenetrable room, inaccessible without a special key that only you possess. Afterall, to “encrypt” means to seal away, to protect, or to keep secret. But rather than being enclosed by a physically protective room, your data is transformed into digital code.

Encryption process

Encryption turns your data from “cleartext” (original and readable, or “in the clear”) into a “ciphertext” (unreadable, hidden under a “cipher” or puzzle). Special algorithms transform every letter or value in your data so that even if someone intercepted it, it would be indecipherable. Modern encryption algorithms that we will discuss include AES, RSA, and ECC (Elliptic Curve Cryptography).

Encryption key strengths

The strength of encryption is determined by the numerical length (or number of bits) of the encryption key(s): the longer the key, the harder it is to crack. In 2001, AES was established as 128-bit encryption for both sensitive and general use, and is also compatible with 256-bit keys. AES encryption effectively rendered the original 56-bit DES (Data Encryption Standard) obsolete.

For advanced security, 256-bit encryption is now the benchmark, and even higher bits are used in extremely sensitive use cases. To appreciate the strength of something like 256-bit encryption, note that there are approximately 10^77 possible numerical combinations and keys. Can’t imagine what this number signifies? For comparison, there are estimated to be a minimum of 10^88 atoms in the known universe.

Basic types of encryption

The principal forms of encryption are distinguished by how keys, and what kinds, are shared between trusted parties. In current practice, the following forms of encryption are often combined to form hybrid encryption protocols.

Symmetric encryption

Symmetric encryption uses the same shared key to both encrypt and decrypt a data package. Both the sender and receiver must thus possess the key, or share it in advance, in order to encrypt and decrypt the message respectively. AES is the primary symmetric standard, encrypting data into fixed-sized boxes of 128-bits.

Because it is significantly more efficient, symmetric encryption is particularly useful for large amounts of data at rest, such as protecting database storage. However, one problem with symmetric encryption is that the key must be shared securely between multiple parties, which poses a security risk without encryption. This is where asymmetric encryption steps in.

Asymmetric encryption

Asymmetric encryption (also known as public key cryptography) requires two distinct keys: a public key and a private key used for decryption. These keys are mathematically linked (according to the properties of large prime numbers): information that is encrypted with one key can only be decrypted with the other. Public keys are exactly that: they can be widely shared and known without issue. So when you want to communicate privately with someone, you can use their public key to encrypt your message, while a unique private key possessed by the recipient is used to decrypt it. RSA introduced public key cryptography in 1983, and it is now the basis of many encryption protocols used online.

Elliptical Curve Cryptography (ECC)

ECC is a new and rapidly advancing form of encryption that is based on the algebraic structure of elliptic curves over finite fields. It is a form of asymmetric, public-key cryptography that uses the difficulty of solving a particular mathematical problem (the logarithm of a random element on the curve in relation to a base number) to generate public and private keys.

ECC is particularly important because it maximizes encryption strength while also minimizing computational effort to store and decrypt, making it exceptionally efficient. This is due to the fact that a 256-bit key in ECC would be equivalent to a 3072-bit key in RSA! For this reason ECC is being increasingly used by SSL/TLS certificates, blockchain transactions, encryption protocols like WireGuard, and even mobile device software.

New forms of encryption

There are now newer encryption algorithms which are being used by advanced VPN routing protocols like WireGuard. For example, ChaCha20 is a stream cipher which is highly secure, fast, and resistant to certain cyber attacks. As a stream cipher, it encrypts data one bit at a time, rather than something like AES which encrypts data into fixed-sized blocks. ChaCha20 is particularly fast and efficient. It is often paired with Poly1305 for message authentication (and so commonly referred to as ChaCha20-Poly1305).

Hybrid encryption for online traffic

Encryption can also take hybrid and multi-layered forms to better protect data in transit. As we saw, symmetric encryption is fast, but on its own doesn’t provide a secure, encrypted way to share keys. Public key cryptography provides a solution to this. Hybrid models (including ECC) combine symmetric and asymmetric encryption protocols at different levels to provide both key security and encryption optimization.

Internet security protocols

The most widespread form of hybrid encryption are in fact the very protocols that now secure traffic across the web: the original SSL (Secure Socket Layer), TLS (Transport Layer Security) which built and improved on SSL (often now referred to as TLS/SSL), and HTTPS which is layered over TLS/SSL.

When you connect with any web service through a browser, SSL/TLS is the process for first establishing an encrypted connection. This begins with a kind of “handshake” between your browser and the webservice, authenticating the latter’s TLS/SSL certificate and validity (including its public key) through a trusted certificate (CA) authority to ensure it is the true server and not an imposter. A symmetric encryption key is then securely exchanged to encrypt and decrypt your data on the client-server side respectively. This all happens before any data is transferred.

Multi-layer encryption

Typically, user data is encrypted once because it is both adequately secure and fast. However, there are ways in which data can be encrypted multiple times. Connecting with a VPN will likely involve your data being encrypted twice: first by the HTTPS connection with the destination, and another time by the VPN tunnel. These encryption steps essentially form layers, with HTTPS being the first layer around the core of your cleartext data.

Other routing procedures have more complex layering designs. The Tor network’s onion encryption is another well-known example of hybrid encryption, adding multi-layered encryption to protect the route of a packet through its three server (or node) routing network. Sphinx is a another multi-layered encryption protocol designed specifically for anonymous communications in a mixnet like the one powering NymVPN.

Speed optimization

The more robust the encryption process is, the more latency will be a problem. Longer keys, multi-stage key exchanges, multiple encryption layers, and multi-node decryption and routing: all of this adds computational time to the process. But it undoubtedly adds security.

Ultimately, online security and privacy will always involve a trade off with speed and performance. So in choosing an encryption protocol, or a service like a VPN based on one, it’s important to consider what encryption algorithms and routing protocols are being used.

Techniques for breaking encryption

Is it possible to break encryption security? In principle, yes. Practically, however, “breaking” modern encryption standards head-on is not currently possible. Doing so would require massive computational resources which are not known to exist at present. The only concern is when these computer powers will become practically feasible. In any case, let’s break down the means of possibly doing it.

Key acquisition

The most straightforward way to compromise encryption – that is, to access encrypted data illegitimately – is to acquire the encryption/decryption key(s). This can be accomplished in a number of ways.

• User error: Private keys are usually exposed through poor management practices: reusing keys, insecurely sharing them, etc. It is no different than a password: if it’s known, it can be used against you. This can be mitigated by secure storage and exchange.
• Cyber attacks: Keys can be obtained by fraudulently eliciting disclosures through different data hacking attacks. In phishing attacks, users might be fooled into disclosing sensitive information by way of fake administrator emails asking for credentials. Man-in-the-middle attacks can also intercept or manipulate the key exchange process. And of course database attacks can reveal any keys which are insecurely stored as plaintext.
• Social engineering: There are many forms of these kinds of social engineering attacks (e.g., spear phishings, pretexting, baiting) which target individuals psychologically rather than their software or hardware. For instance, a fraudulent email pretending to be an IT security analysis might convince a user that their system has been compromised and that their encryption keys need to be shared to resolve the problem. The fear of a possible threat is then used to realize the threat.

Even if any of these attacks are successful, these methods do not technically break or crack encryption itself, but rather exploit human vulnerabilities to gain access to keys.

Brute force attacks

Brute force attacks attempt to guess encryption keys through trial and error, systematically trying every possible key combination until the correct one is found. However, as the length of the key increases, the number of possible combinations grows exponentially, making brute force attacks increasingly impractical.

While theoretically possible, brute force attacks are simply infeasible due to the computational resources required. For instance, 56-bit encryption has been regularly broken by challenges, with a record decryption time of approximately 22 hours. It has since been retired. 128-bit encryption has not yet been known to have been cracked by computer systems. With advanced keys like 256-bit encryption, brute force attacks are effectively impossible: they would take an unforeseeable amount of time, even with every computer on the planet working maximally to do so.

Cryptanalysis

Wherever a code appears, attempts to crack it will soon follow. Cryptanalysis is an ancient method of trying to break ciphers by analyzing the frequencies of human language (such as the limited vowel pairings possible in a given language). The goal is both to reduce the number of possible codes to be used, and to analyze frequencies in code making.

This is much more difficult with the numerical encryption of digital data. Methods of modern data cryptanalysis nonetheless attempt to identify encryption patterns in the ciphertext to reduce the number of possible keys. There are distinct cryptanalysis techniques, but because of their current lack of practical efficacy, it is not necessary to detail them all here.

Side-channel attacks

Side-channel attacks do not target the encryption itself, but rather analyze data leaking from the encryption process, such as computer power usage and timing. This metadata can be used to more precisely identify the kind of encryption algorithm that is being used and the parameters of the keys. But again, modern 128- and 256-bit encryption algorithms remain nearly impossible to crack even if the algorithm is known. Nonetheless, the role of collecting and analyzing metadata is important for seeing the limits of encryption for protecting online privacy.

Quantum computing

Quantum computing poses a significant future risk for breaking current encryption standards. Quantum computers are able to essentially process many computations at once. The power of these supercomputers, however theoretical they are at present, can in principle out-compute our traditional computer systems in brute force attacks and cryptanalysis. How they might compromise current encryption standards, however, is still speculative. Nonetheless, this coming threat has provoked the development of quantum-resistant cryptography, or post-quantum encryption, efforts to make encryption more robust in anticipation of the potential for faster quantum decryption.

Limits of encryption for privacy

Modern encryption methods are virtually impenetrable, which means that the content of your online traffic and communications, if end-to-end encrypted, should be safe. However, when it comes to our privacy online, data encryption alone is a necessary but not sufficient protection.

Even with the content of our data encrypted, there are many agents and AI-powered systems actively tracking us online and harvesting our metadata, or the data surrounding the encrypted traffic of everything we do. This can reveal a lot about who we are, and sometimes even more than the content of our particular data can.

Metadata leakage

The content of our traffic is not everything: the metadata about our traffic online is particularly revelatory. If we send an encrypted message, for instance, there is a lot of unencrypted data about this traffic that is perfectly readable surrounding or leaking from it. This includes our IP address, device type, proximate location, our recipient’s IP, and the timestamps and durations of our activity.

This information does not disclose explicit personal data (such as our name, home address, or banking information). However, it can be used to further arrive at this information with the help of records leaked from or disclosed by our Internet Service Provider or a centralized VPN we’re using. More commonly, it is actively being compiled and analyzed by third-parties to infer behavioral patterns about who we are and what we want.

Traffic analysis

Long-term tracking can also compile connection and communication frequencies with particular web services or correspondents, as well as derivative data about browsing habits, interests, desires, and political leanings. All of this amounts to an immense pool of personal data that is being regularly collected, analyzed, and bought and sold behind our backs. So while the contents of any particular message, transaction, or site visit might be encrypted, AI-powered tracking is now able to decipher huge amounts of data about what we do, look for, or are interested in. Genuine concerns for online privacy must focus on these tracking processes which encryption cannot currently address.

Conclusion

Modern data encryption has been a huge technological advancement for the public web. While it is a necessary security measure for everyone online, it is not a sufficient privacy solution. In light of invasive metadata harvesting, data tracking, and global surveillance, additional privacy tools are necessary for everyone. Online privacy ultimately requires more than one tool, and a privacy-centered VPN is this second necessary tool: it can not only supplement default encryption, but multiply it.

Most traditional VPNs on the market cannot guarantee user privacy, due to the way they centralize user metadata, leaving it at risk of data breaches or government surveillance. Novel decentralized VPNs like NymVPN have been designed to avoid all risks of centralization. They are designed to make centralized log-keeping impossible, and their multi-hop routing through independent servers adds a robust layer of protection against traffic analysis and metadata leakage.

To learn more about how encryption works with different VPN services, check out Nym’s comparison of the WireGuard and OpenVPN encrypted communication protocols.