Encryption Demystified

I thought of calling this “Encryption for Dummies”, but you’re smart. Tech doesn’t need to be your thing to be something you feel comfortable with. I believe in building bridges and sharing understanding because people work better together.

Photo by Shane Aldendorff

I’ve an idea I’d like to study to be an electrician. It’s not that I want a career change and it’s not that I want to DIY the electrics for my hypothetical self-build house.

I want to have meaningful conversations with the people I hire and be able to understand who the good people are so I can trust them.

To engage, understand and empathise — to build bridges — across different disciplines and roles is a superlative human quality and one I unashamedly admire in those who master it. The collective energy that comes from mutual understanding, is a multiplier for engagement and success.

I’d like to give you a useful flavour of a complex subject.

Why demystify encryption?

Encryption runs the world. Every time you see https, every time you buy online and for pretty much every piece of technology you interact with, consciously or under the covers, encryption is what’s keeping you secure.

Encryption is a given. It’s woven into the fabric of any organisation that touches the internet.

I’ve spent time learning this stuff. I’d like to share that with you. What I learned — understanding something of the mechanics — made the world seem a little less strange. I hope I can pass some of that that on to you.

My encryption story

The first startup I led technology for in 2010 dealt in personal data — from detailed profile information to passport scans. I was acutely aware of the need to keep these secure so I bought a book and knuckled down to learning.

It was hard. The kind of hard where you read something once, don’t get it, then read it again and again over days and weeks until understanding unfurls like a butterfly. In fact the concepts aren’t that complicated, but the world of encryption has its own language and that makes it hard for newcomers.

Having spent months studying, designing, developing and testing, I turned what I’d learned into code for any developer to use.

I worked hard to understand the ins and outs. Knowing it was a winding road and too few developers and technology designers would get to the handful of clear answers I’d found, I wanted to make it simple for others to get it right, so I published it as open source.

I went on to build an example encryption application and wrote about how we used encryption to build the Office for National Statistics public website. I’ve also developed a companion library for Apache Commons FileUpload that avoids data unwittingly being stored unencrypted.

Isn’t it all about maths?

Cryptography itself, researching, developing, implementing and testing algorithms, is a highly specialised subject that taxes the world’s finest mathematical minds. I make no claim to expertise.

Applying cryptography — standing on the shoulders of mathematical giants — is a different matter.

Learning to fly is different from designing and building aircraft. I’m an encryption pilot and I’d like to give you a tour of the cockpit to explain what those dials and switches are about.

Let’s talk encryption

The cryptography that underpins the internet — commerce, privacy, security — comes down to a remarkably small handful of key concepts. The rabbit hole goes deeper, but these are the headline acts:

Encryption: the stuff we usually think of — from clay tablets in Mesopotamia protecting commercially sensitive information, to modern-day Internet-standard AES encryption, the ability to protect information has long been a valuable capability.

Keys: there are two types here. Secret keys and public-private key pairs. These are the pieces of data that drive encryption algorithms. To use a secret key, both sender and recipient must have the same key, so it’s sometimes called symmetric encryption. In the case of a key pair, only one key is kept secret — it’s asymmetric. This is useful because the holder of a private key can prove their identity to anyone with access to the matching public key. This is the foundation of https: it allows us to trust the identity of a website we want to access because we can verify that a known public key matches.

Digital signatures: based on a public-private key pair, a digital signature allows us to verify both the provenance and integrity of data. Provenance because only the holder of a private key can produce a valid signature, and integrity because the signature encodes a fingerprint of the data. If that message has been modified, the signature will no longer match.

Password hashing: passwords secure much of our online lives, and need to be protected by the systems we enter them into. Hashing is a “one way” process for turning a password into seemingly random data. A good hash means the data can’t be reverse-engineered to find out what the password was. If the same password comes along, hashing it again will produce the same data. Matching the new hash to the original hash allows you to know the password was correct, without needing to know what the actual password was.

Key management: the hard problem of cryptography is not cryptography. It’s key management. To paraphrase Kerckhoffs’s principle, the only thing in cryptography that must be secret is the key. If your cipher algorithm is good enough, the only way in is with the key. So storing a key, or getting it to the intended recipient, is vital. Encrypted data is no use if the right person can’t decrypt the message afterwards.

How encryption works

Believe it or not, the mechanics of modern encryption have changed little since the famous enigma machine from Bletchley Park days. Take some text (or some data), feed it through a carefully designed process and something comes out that makes no sense. At the other end the “cipher text” is fed in and, process reversed, the original message is recovered.

There have been different algorithms (or ciphers) over the years, some with entertaining names like Blowfish and Triple-DES (somehow that sounds like a triple-chocolate muffin to me). The only cipher that counts in mainstream cryptography today is the NIST-approved Advanced Encryption Standard (AES), which you’ll sometimes see named on websites as AES-256.

Cipher algorithms have become exponentially more secure over the years, however the way each letter (or byte of data) is encrypted remains unchanged. If you remember logic gates, perhaps from school days — AND, OR and NOT — you may also remember XOR (“exclusive OR”). XOR is special because it allows you to work with “two out of three pieces of data”. If you have two parts, you can combine them to generate the third.

In cryptography, two out of three works neatly. If you have original data (one), plus an encryption key (two), you can create number three: encrypted data. The decryption process works in reverse. If you have the encrypted data (three) and the correct key (two), you can recreate number one: the original data. It’s exquisitely simple and that’s what makes it super reliable.

Handing over the keys

If technology isn’t your discipline, I hope this helps you feel more confident in the digital world and have meaningful conversations with technical people in your life. If you’re a developer or technology designer, I hope I’ve inspired you that encryption applied properly needn’t be rocket science — and given you links to useful code and libraries to try it out.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
David Carboni

David Carboni

Hands-on culture and techology. Work hard be kind. CTO at Policy in Practice (https://policyinpractice.co.uk)