# Exploring encryption: Know the basics of an important IT security standard

**Encryption is one of the most powerful tools available** to security professionals seeking to protect sensitive information from unauthorized disclosure. It is the driving force behind the security of networks, web applications, messaging, mobile devices and many other critical technologies. Successful IT professionals are familiar with the technology and ways to apply it appropriately to many enterprise security challenges.

**How Does Encryption Work?**

Encryption has many different applications, but they all boil down to one simple concept: applying mathematical algorithms to transform data. The purpose of this transformation is often to protect the confidentiality of information, hiding it from prying eyes. Encryption technology may also be used to prove an individual’s identity through the use of digital certificates, or demonstrate the authenticity of a document through digital signatures. Together, these different applications of encryption provide a critical suite of tools that anyone with an Internet connection uses almost every day.

As with any technology, encryption has a special language that includes some discipline-specific terms. *Plaintext* messages are, quite simply, normal data that has not yet been encrypted and can be read by anyone. A user seeking to protect the confidentiality of a plaintext message encrypts the message using an encryption algorithm. Encryption transforms the plaintext message into *ciphertext*. The ciphertext has no apparent meaning and resembles gibberish until the recipient properly decrypts it, restoring the original plaintext.

Encryption algorithms aren’t secret — they’re publicly available for download and use. The security of encryption comes from the use of encryption and decryption keys. When the sender uses an encryption algorithm to transform plaintext into ciphertext, he or she provides an encryption key. The recipient of the message must then supply the corresponding decryption key to retrieve the original plaintext.

There are two main categories of encryption algorithms: *symmetric* encryption and *asymmetric* encryption. The difference between them rests in the keys used for encryption and decryption of the message. In symmetric encryption, both the sender and recipient use the same key, known as the shared secret key.

In asymmetric encryption, each user has a pair of keys: one public and the other private. Messages encrypted with one key from a pair may be decrypted with the corresponding key from that same pair. For example, if Alice would like to send an encrypted message to Bob, she encrypts the message using Bob’s public key. When Bob receives the message, he decrypts it using his own private key. Bob keeps his private key secret, so he is the only person who can decrypt a message that anyone else encrypts using his public key.

Both symmetric and asymmetric cryptography may be used for protecting the confidentiality of sensitive information, but asymmetric encryption offers two additional benefits that are not possible with symmetric algorithms. First, asymmetric cryptography allows the use of **digital certificates** to verify the identity of an individual or server. These certificates, issued by trusted certificate authorities, are the equivalent of driver’s licenses for the Internet. They are the technology underlying the HTTPS protocol that allows secure web communication.

The second encryption technology available through asymmetric cryptography is **digital signatures**. Just like physical signatures in the real world, digital signatures are used to prove the authenticity of information, such as a document. Let’s say that Alice would like to digitally sign a document that she is sending to Bob. This would allow Bob to be certain that Alice actually signed the document and also allow him to prove that to an interested third party. Alice creates the digital signature by encrypting a summary of the message with her own private key. Bob can then verify the signature by decrypting it with Alice’s public key. If it decrypts successfully, Bob can be confident that Alice created the signature because Alice is the only person with access to Alice’s private key.

**Choosing Secure Encryption Technologies**

The most important rule when it comes to encryption technologies is don’t try to build it yourself! Encryption is a complex mathematical science and developing encryption algorithms is best left to the experts. Along those lines, if a vendor selling a product refuses to reveal the details of the encryption used in the product and claims that it is proprietary, that’s a huge signal that you should run away quickly! The security of an encryption algorithm should depend upon the secrecy of the keys used with it, not the secrecy of the algorithm itself. It’s far too easy to make mistakes when building a complex encryption algorithm.

The answer to this dilemma is using encryption algorithms that the cryptography community generally accepts as secure. For example, the Advanced Encryption Standard (AES) is a well-known and widely used symmetric encryption algorithm and the Rivest Shamir Adelman (RSA) algorithm is a strong asymmetric approach. Perform some research on whatever algorithm you choose and ensure that it was widely vetted and has no known vulnerabilities. You’ll want to avoid, as an example, the Data Encryption Standard (DES) algorithm that was once widely used but is now considered too weak to provide effective security.

Once you choose an algorithm, your next step is to choose an encryption key. Some algorithms allow you to select a key length appropriate for your purpose. The key is similar to a password and the longer it is, the harder it will be for an attacker to guess it successfully. The longer the key, the more secure the algorithm. The tradeoff is that encryption with longer keys is slower because it requires more computing power to process.

**Building a Career in Encryption**

Every IT professional touches encryption in one form or another and should have a basic familiarity with the concepts discussed in this article. If you are truly intrigued by encryption technology, it’s possible to build an entire career as a cryptography specialist. Professionals in this field build and monitor encryption implementations for governments and businesses around the world. If you’re mathematically inclined, you may choose to go a step further and work for a firm that designs the inner workings of encryption algorithms.

The starting point for these opportunities is a broad background in information security. Remember, cryptography is used as a security building block for a wide variety of technologies, including web applications, networks, e-mail and digital certificates. Aspiring cryptographers may wish to first pursue the information security profession’s generalist certifications, such as the **Security+** and **Certified Information Systems Security Professional (CISSP)**, before moving on to specialized cryptography education programs.

The EC-Council, a certification body most well known for the **Certified Ethical Hacker** credential, offers the industry’s only encryption-specific certification. Their EC-Council **Certified Encryption Specialist (ECES)** program requires that candidates demonstrate a deep understanding of encryption technology from both theoretical and practical perspectives. The ECES exam is a 50-question multiple choice exam administered over two hours. Candidates must answer 70 percent of the questions correctly to earn the ECES designation.

As the technology community reacts to the large number of recent high-profile security incidents, employers will continue to seek out qualified encryption specialists to help secure sensitive information. IT professionals seeking to build a career in information security should have a solid understanding of encryption to build their resumes and position themselves well for future growth opportunities.

Pingback: Exploring Encryption | Mike Chapple, CISSP, Ph.D.