A brief history of encryption
Encryption for the general public on the web is both quite new and now relatively normalized. At the beginning, data encryption was exclusively a state security measure: keeping national or military secrets secure, and preventing enemies (real or potential) from accessing them. As the internet became a more publicly used resource in the 1990s, the language around and accessibility of encryption changed. The terms “security” or “privacy” have been rightfully extended to the general public. But this need to hide information is in fact quite old.
Ancient origins of cryptography
The practice of concealing messages dates back to ancient civilizations. Herodotus recounts how Histeaus tattooed a secret message on a slave’s shaved scalp, hiding it as the hair regrew. This is steganography – hiding, not transforming, a message.
By 700–500 B.C.E., ciphers emerged to encode sensitive information, such as military communications. Early methods included simple letter substitutions (A=Z, B=Y). Over time, encryption grew more complex. Nazi Germany’s “Enigma” machines used intricate rotor-based ciphers, and cracking them helped the Allies win WWII.
We can thus say that encryption is as old as the moment when human language became political, and as new as language continues to become digital.
Encryption as modern security technology
Modern digital and computational cryptography was developed in the 1970s, largely through the research funding and initiatives of the U.S. government. RSA (Rivest–Shamir–Adleman) was one result of this work. These efforts were not exactly kept secret, since they involved academic researchers and tech companies like IBM working under government contracts. But the results were highly guarded and considered assets of national security. Cryptographic technology was even classified as a “munition” or weapon under U.S. law to restrict and prosecute its export during the Cold War.
Encryption as a public privacy resource
Through court cases, activism, and grassroots tech efforts, U.S. encryption laws relaxed, allowing encrypted messaging to spread globally – giving rise to digital privacy.
By the 2010s, most web services adopted AES or similar protocols, making encryption the default for browsing, emails, and online purchases.
Today, the fight for secure, backdoor-free encryption continues. But first, let’s explore how encryption works.
What is encryption?
Encryption is the transformation of data so that it is unreadable except by those with the cryptographic keys necessary to unlock it. Think of it first as putting your sensitive information in an impenetrable room, inaccessible without a special key that only you possess. Afterall, to “encrypt” means to seal away, to protect, or to keep secret. But rather than being enclosed by a physically protective room, your data is transformed into digital code.
Encryption process
Encryption turns your data from “cleartext” (original and readable, or “in the clear”) into a “ciphertext” (unreadable, hidden under a “cipher” or puzzle). Special algorithms transform every letter or value in your data so that even if someone intercepted it, it would be indecipherable. Modern encryption algorithms that we will discuss include AES, RSA, and ECC (Elliptic Curve Cryptography).
Encryption key strengths
The strength of encryption is determined by the numerical length (or number of bits) of the encryption key(s): the longer the key, the harder it is to crack. In 2001, AES was established as 128-bit encryption for both sensitive and general use, and is also compatible with 256-bit keys. AES encryption effectively rendered the original 56-bit DES (Data Encryption Standard) obsolete.
For advanced security, 256-bit encryption is now the benchmark, and even higher bits are used in sensitive cases. To appreciate the strength of something like 256-bit encryption, note that there are approximately 10^77 possible numerical combinations and keys.
Basic types of encryption
The principal forms of encryption are distinguished by how keys, and what kinds, are shared between trusted parties. In current practice, the following forms of encryption are often combined to form hybrid encryption protocols.
Symmetric encryption
Symmetric encryption uses the same shared key to both encrypt and decrypt a data package. Both the sender and receiver must thus possess the key, or share it in advance, in order to encrypt and decrypt the message respectively. AES is the primary symmetric standard, encrypting data into fixed-sized boxes of 128-bits.
Because it is significantly more efficient, symmetric encryption is particularly useful for large amounts of data at rest, such as protecting database storage. However, one problem with symmetric encryption is that the key must be shared securely between multiple parties, which poses a security risk without encryption. This is where asymmetric encryption steps in.
Asymmetric encryption
Asymmetric encryption, or public key cryptography, uses two linked keys: a public key for encryption and a private key for decryption. These keys are mathematically connected through large prime numbers, ensuring that data encrypted with one can only be decrypted with the other. Public keys can be shared freely, allowing anyone to encrypt messages that only the recipient’s private key can decrypt.
Elliptical Curve Cryptography (ECC)
ECC (Elliptic Curve Cryptography) is a fast-growing form of asymmetric encryption based on elliptic curves over finite fields. It generates public and private keys using complex mathematical problems, offering strong security with minimal computational effort. A 256-bit ECC key equals a 3072-bit RSA key, making ECC ideal for SSL/TLS certificates, blockchain, WireGuard, and mobile security.
New encryption methods are also emerging. WireGuard, for example, uses ChaCha20 is a fast, secure stream cipher that encrypts data bit by bit. Often paired with Poly1305 for authentication, ChaCha20-Poly1305 is highly efficient and resistant to cyberattacks.
Hybrid encryption for online traffic
Encryption can also take hybrid and multi-layered forms to better protect data in transit. As we saw, symmetric encryption is fast, but on its own doesn’t provide a secure, encrypted way to share keys. Public key cryptography provides a solution to this. Hybrid models (including ECC) combine symmetric and asymmetric encryption protocols at different levels to provide both key security and encryption optimization.
Learn more about encryption protocols with VPNs in Nym's guide.
Internet security protocols
The most widespread form of hybrid encryption are in fact the very protocols that now secure traffic across the web: the original SSL (Secure Socket Layer), TLS (Transport Layer Security) which built and improved on SSL, and HTTPS which is layered over TLS/SSL.
SSL/TLS is the process for first establishing an encrypted connection. This begins with your browser and the webservice, authenticating the latter’s TLS/SSL certificate and validity through a trusted certificate (CA) authority to ensure it is the true server. A symmetric encryption key is then securely exchanged to encrypt and decrypt your data.
Multi-layer encryption
Typically, user data is encrypted once because it is both adequately secure and fast. However, there are ways in which data can be encrypted multiple times. Connecting with a VPN will likely involve your data being encrypted twice: first by the HTTPS connection with the destination, and another time by the VPN tunnel. These encryption steps essentially form layers, with HTTPS being the first layer around the core of your cleartext data.
Other routing procedures have more complex layering designs. The Tor network’s onion encryption is another well-known example of hybrid encryption, adding multi-layered encryption to protect the route of a packet through its three server (or node) routing network. Sphinx is designed specifically for anonymous communications in a mixnet like the one powering NymVPN.
Speed optimization
The more robust the encryption process is, the more latency will be a problem. Longer keys, multi-stage key exchanges, multiple encryption layers, and multi-node decryption and routing: all of this adds computational time to the process. But it undoubtedly adds security.
Ultimately, online security and privacy will always involve a trade off with speed and performance. So in choosing an encryption protocol, or a service like a VPN based on one, it’s important to consider what encryption algorithms and routing protocols are being used.
Techniques for breaking encryption
Is it possible to break encryption security? In principle, yes. Practically, however, “breaking” modern encryption standards head-on is not currently possible. Doing so would require massive computational resources which are not known to exist at present. The only concern is when these computer powers will become practically feasible. In any case, let’s break down the means of possibly doing it.
Key acquisition
The most straightforward way to compromise encryption – that is, to access encrypted data illegitimately – is to acquire the encryption/decryption key(s). This can be accomplished in a number of ways.
- User error: Private keys are often exposed due to poor management, such as reuse or insecure sharing. Like passwords, if compromised, they can be exploited.
- Cyber attacks: Hackers obtain keys through phishing, man-in-the-middle attacks, or database breaches. Phishing tricks users into revealing credentials, while attackers may intercept key exchanges or access insecurely stored plaintext keys.
- Social engineering: Psychological tactics like spear phishing or baiting trick users into sharing keys. For example, a fake IT email may falsely claim a security breach, manipulating users into disclosing encryption keys.
Even if any of these attacks are successful, these methods do not technically break or crack encryption itself, but rather exploit human vulnerabilities to gain access to keys.
Brute force attacks
Brute force attacks systematically guess encryption keys through trial and error. However, as key length increases, possible combinations grow exponentially, making these attacks impractical.
While 56-bit encryption has been broken in hours and retired, 128-bit encryption remains uncracked. Advanced keys like 256-bit encryption make brute force attacks virtually impossible, requiring an unrealistic amount of time and computing power.
Cryptanalysis
Wherever codes exist, attempts to break them follow. Cryptanalysis, dating back to ancient times, examines language patterns to crack ciphers by reducing possible codes and analyzing frequency patterns.
With digital encryption, this is far more complex. Modern cryptanalysis seeks patterns in ciphertext to narrow key possibilities, but current techniques remain largely impractical.
Side-channel attacks
Side-channel attacks do not target the encryption itself, but rather analyze data leaking from the encryption process, such as computer power usage and timing. This metadata can be used to more precisely identify the kind of encryption algorithm that is being used and the parameters of the keys. But again, modern 128- and 256-bit encryption algorithms remain nearly impossible to crack even if the algorithm is known.
Quantum computing
Quantum computing presents a future risk to encryption, capable of processing multiple computations simultaneously. Though largely theoretical, these supercomputers could outmatch traditional systems in brute force attacks and cryptanalysis. While their exact impact remains speculative, this threat has driven the development of quantum-resistant cryptography to strengthen encryption against potential quantum decryption.
Limits of encryption for privacy
Modern encryption methods are virtually impenetrable, which means that the content of your online traffic and communications, if end-to-end encrypted, should be safe. However, data encryption alone is a necessary but not sufficient protection.
Even with the content of our data encrypted, there are many agents and AI-powered systems actively tracking us online and harvesting our metadata, or the data surrounding the encrypted traffic of everything we do.
Traffic metadata is highly revealing, even when messages are encrypted. Readable data like IP addresses, device type, location, recipient’s IP, and activity timestamps can still leak. While this doesn’t expose personal details directly, it can be linked to records from ISPs or centralized VPNs. More commonly, third parties analyze it to infer behavioral patterns and user interests.
