👋 Hi, this is Akash with this week’s newsletter. I write about security engineering to help you get into the world's best security teams. Thank you for your readership.
This week I’m sharing one of the fundamental pillars of security: Encryption. Hope it’s helpful; enjoy!
The Internet was designed to be inherently insecure.
It was meant only for selected trustworthy people. And we know how much of that is true today.
David D. Clark, one of the inventors of the Internet, in his own words:
“It’s not that we didn’t think about security, we knew that there were untrustworthy people out there, and we thought we could exclude them.”
Data is the currency of our modern digital world.
And trillions of transactions take place on the world wide web.
You must have heard the advice: encrypt your data at rest and in transit.
Today, let’s explore the fundamentals of “Encryption”.
📖 The Concept
At the very lowest level, encryption is a reversible mathematical operation for scrambling data so only authorized parties with the correct key can access it.
Well, pretty much. Let’s break it down.
🔒 Encryption
It is the whole process of scrambling your message to hide its meaning from unauthorized parties.
Encryption is primarily associated with confidentiality of information, but it can also be used to protect integrity and availability of a system.
We talked about encryption as:
Reversible mathematical operation
Protects information from outside access
Only accessible to individuals with correct key
Encryption is very similar to encoding. In encoding, we transform data, but the purpose is interoperability. Think of encryption as encoding using a key. Only people with the right key can decode it.
This process of decoding is called decryption. Mathematically, it’s the inverse operation.
At the heart of encryption, there’s an algorithm. The field that studies this is Cryptography.
These algorithms use a key, and the field that deals with handling keys is known as key management.
Fun fact: Key management is one of the hardest problems in security, and it’s still unsolved.
The strength of an algorithm is typically proportional to the size of the key. For a fixed algorithm, the longer key version will be more secure (generally).
Shannon, in his groundbreaking Information Theory (paper), proved that to achieve perfect secrecy, the length of the plaintext should be equal to the length of the key. This is also known as the “one-time pad”.
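To make the one-time pad concrete, here is an added example in Node.js (not code from the original post). It shows that decryption is the same XOR as encryption, that any same-length plaintext is consistent with a given ciphertext, and what breaks when a pad is used twice. The function names and sample messages are constructed for this illustration.

```javascript
const nodeCrypto = require('node:crypto');

// XOR two equal-length buffers. With a one-time pad, encryption and
// decryption are this same operation, which is why it is reversible.
function xorBytes(a, b) {
  if (a.length !== b.length) {
    throw new RangeError('the pad must be exactly as long as the message');
  }
  return Buffer.from(a.map((byte, i) => byte ^ b[i]));
}

// Encrypt with a fresh random pad of the same length as the message.
function otpEncrypt(plaintext) {
  const message = Buffer.from(plaintext, 'utf8');
  const pad = nodeCrypto.randomBytes(message.length);
  return { pad, ciphertext: xorBytes(message, pad) };
}

function otpDecrypt(ciphertext, pad) {
  return xorBytes(ciphertext, pad).toString('utf8');
}

// Perfect secrecy: for ANY candidate plaintext of the same length there is
// a pad that maps the ciphertext to it, so the ciphertext alone rules
// nothing out.
function padThatExplains(ciphertext, candidate) {
  return xorBytes(ciphertext, Buffer.from(candidate, 'utf8'));
}

// Failure mode: reuse one pad for two messages and XORing the two
// ciphertexts cancels the pad, leaving m1 XOR m2 without any key.
function padReuseLeaks(m1, m2) {
  const a = Buffer.from(m1, 'utf8');
  const b = Buffer.from(m2, 'utf8');
  const pad = nodeCrypto.randomBytes(a.length);
  const leaked = xorBytes(xorBytes(a, pad), xorBytes(b, pad));
  return leaked.equals(xorBytes(a, b));
}

// Constructed sample messages, both 12 bytes long.
function demo() {
  const { pad, ciphertext } = otpEncrypt('meet at noon');
  const otherPad = padThatExplains(ciphertext, 'stay at home');
  return [otpDecrypt(ciphertext, pad), otpDecrypt(ciphertext, otherPad)];
}
console.log(demo(), padReuseLeaks('meet at noon', 'stay at home'));
```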
🧮 Types of Encryption Algorithms
It’s clear that the key plays a central role in encryption. If an attacker is able to predict the key, game over!
So far we have constructed this idea that,
Now the question becomes, what is K? Is that a secret shared between two parties?
That’s exactly how it started. The Internet wasn’t always this huge. It started off as a small network with selected individuals on it.
Let’s say, we have 3 people who want to privately speak to each other. Each person will maintain 2 keys, so we end up with 6 keys total.
When another person joins the party, the number of keys grows to 12.
It’s a quadratic growth. At the size of the internet, this was unsustainable. There’s another problem, sharing this secret, but that’s for another time.
As the internet was growing to include everyone in the world, another type of algorithm surfaced. Encryption was broadly divided into two types.
👯 Symmetric Key Encryption
The same key is used to encrypt and decrypt.
Before going into further details, let’s call our friends Alice and Bob! I don’t think it’s allowed to talk about this without inviting these two.
Bob and Alice want to privately share information without Eve seeing it. They met at a restaurant and shared a secret (K) when they were alone at the table.
Now whenever they need to send information to one another, they encrypt with the key, K.
The security model relies on the security of the key. If either of them loses the key, their communication will lose confidentiality.
Important things to remember about symmetric key:
Same key is used to encrypt and decrypt a message
Secret key is shared prior to communicating
Decryption algorithm is reverse operation of encryption
Common examples include AES, DES, Blowfish, and RC4; we won’t go into details here.
👫 Asymmetric Key Encryption
Different keys are used to encrypt and decrypt.
Asymmetric encryption relies on mathematical relations between two numbers.
Here, you have a key pair, one is used for encryption and the other for decryption.
These two keys are paired as a public-private key pair. You share your public key with everyone and never share your private key.
It solves the problem we touched on earlier: managing fewer keys. Whoever wants to send you a message can use your public key to encrypt it.
Since you should never share your private key, only you can decrypt the actual message.
Important concepts to remember about asymmetric key:
Public-Private keys are mathematically connected, e.g. prime factorization for RSA
You can use either of the keys to encrypt
Public key encryption is more compute intensive
Common examples would include RSA, Elliptic Curve Cryptography (ECC) etc.
🌎 Real-World Walkthrough
What better example can we use than the internet to understand encryption?
Did you know that while you’re reading this post, both encryption types are in action?
We talked about two important concepts:
Asymmetric encryption is preferred because we need to manage fewer secrets
Symmetric encryption is compute-efficient and fast
This is the core reason behind why symmetric key encryption still exists today. When the volume of data is large, we prefer symmetric encryption.
So when you visited this blog post, your browser used asymmetric encryption to establish a symmetric key, also known as a session key.
For the duration of the session, this secret is used to encrypt all traffic.
In another post, we will go over “What happens when you type google.com” in more detail.
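The walkthrough above, and the symmetric and asymmetric sections before it, can be seen working together in this added Node.js example (not code from the original post). A client encrypts a random session key to the server's public key, and both sides then use that key for symmetric traffic. RSA-OAEP and AES-256-GCM are choices made for this illustration, and all function names and the sample message are constructed.

```javascript
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server's key pair: the public half is handed out, the private half never leaves.
function makeServerKeys() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Client: pick a random 256-bit session key and encrypt it to the server's PUBLIC key.
function wrapSessionKey(serverPublicKey) {
  const sessionKey = nodeCrypto.randomBytes(32);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wrappedKey };
}

// Server: only the matching PRIVATE key recovers the session key.
function unwrapSessionKey(privateKey, wrappedKey) {
  return nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey);
}

// Bulk traffic uses fast symmetric encryption (AES-256-GCM) under the session key.
function seal(sessionKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // never repeat an IV under the same key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Decrypt and verify; final() throws if the ciphertext or tag was altered.
function unseal(sessionKey, { iv, body, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// One session end to end, with a constructed sample message.
function runSession(message) {
  const server = makeServerKeys();
  const { sessionKey, wrappedKey } = wrapSessionKey(server.publicKey);
  const serverSideKey = unwrapSessionKey(server.privateKey, wrappedKey);
  const received = unseal(serverSideKey, seal(sessionKey, message));
  return { keysMatch: serverSideKey.equals(sessionKey), wrappedBytes: wrappedKey.length, received };
}

console.log(runSession('GET /post HTTP/1.1'));
```

TLS 1.3 no longer sends a wrapped key like this; both sides derive the session key through an ephemeral Diffie-Hellman exchange, but the split between an asymmetric setup and symmetric bulk traffic is the same.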
🌟 🔍 Parting Thoughts
Encryption is a large topic, and this post is part 1 of the series on this area. The goal today was to fundamentally understand what encryption offers.
You can come up with your own encryption algorithm. But never use it in production. Coming up with a secure algorithm takes years of development and testing.
Choosing the right algorithm and right size key is all we need to do. That too is easy, because it’s also highly standardized. For example, DES used to be a very famous algorithm, not anymore.
Once an algorithm is broken, it loses value.
Have you ever designed an encryption algorithm? What did you learn? Would you do it again?
Share in the comments!
🐦🔥 Interview Questions
Which one would you prefer, symmetric or asymmetric encryption and why?
Given a large file, would you encrypt first, then compress or the other way around?
Are there any differences between encryption and digital signature algorithms?
👋 💬 Get In Touch
Want to chat? Find me on LinkedIn.
If you want me to cover a particular topic in security, you can reach out directly on akash@chromium.org.
interesting topic, thanks for covering it in simple words.