Encryption seems like one of those big words that people use but don’t understand, and for many that’s the case. Start adding terms like algorithm, PKI (public key infrastructure), AES (Advanced Encryption Standard), or ciphertext, and most people would rather go look at new cat videos. While the actual process of encryption is extremely complex, it’s not something the average internet user needs to be worried about. You should, however, have a basic understanding of how it works so that you can assess for yourself cybersecurity risks you might be facing online.
At its simplest, encryption is just securing your data with a key. Did you ever make secret messages or try to solve codes in the newspaper as a kid, where you replaced certain letters with other letters? If you exchanged these letters with a friend, you each had to know the way to solve this code. This answer is known as a “key”, and it’s the way encryption works as well. Another way to picture this is a physical key to your house. Only a key with teeth cut in a particular way will fit the lock and open or lock the door. Encryption works the exact same way, albeit with much more complexity, to foil hackers who use advanced computing to try to break codes.
Encryption takes plaintext (the words you type and read on the internet) into ciphertext (encryption) and back (decryption) by using a key, also known as a cipher, to change the bits. There are two basic types of encryption you’ll meet on the internet; symmetric and asymmetric encryption. Symmetric encryption is more like the secret codes you used to pass notes to your friends. Both ends of the data exchange have the same key (a secret key) they use to encrypt and decrypt data in a transmission. Think of you and a friend having a key that fits a box, and shipping the box through the mail. Even though the box is going through an insecure place (the mail system), it’s protected because only you and your friend can lock or unlock the box. Likewise, a website that uses symmetric encryption has servers that use your login credentials to encrypt data. You know your credentials as well as the server, so it knows it’s you when you log in. There are many symmetric encryption standards out there, such as AES, 3DES, or RC4, and they’re all used for different purposes.
Asymmetric encryption uses a system with a paired public key and private key, and is more complex than symmetric encryption. In this scenario, you have a public key that is shared with everyone, and a private key that is only available to you (your username/password combination, your face, your thumbprint, or whatever else you use to log in to a website). What your public key encrypts, only your private key is able to decrypt so you can read it. Public keys are used to encrypt data while private keys are used to decrypt it on the other end. For example, you want to send an encrypted email to your business partner. Your business partner has shared her public key, and you have it, so you use it to encrypt the email. Since only she has her private key, only she can decrypt the email and read the message you sent. Asymmetric has the added benefit of being able to prove that a person sent something. If someone uses their private key to digitally “sign” something, you can use their public key to verify that it was that person that sent it.
This is a simplified explanation of the basics of encryption; each website or email exchange uses their own standard and most of this is done behind the scenes. Whenever you are inputting login credentials to your banking website, social media profile, or email, you are using some form of encryption. One key feature to look for when navigating to a website is to notice if it has https in the URL. The “s” stands for secure and indicates that the web server is using encryption. Your web browser should also show a locked padlock next to the URL when you’re logged in to a website that has a secure connection. If you don’t see the https or the padlock, you should think twice before sending any sensitive information (for example, credit card data) to the website.