You have no doubt heard the term ‘encryption’. It is getting more and more prevalent in all areas of tech.
Below we will have a look at what encryption is, where you are probably already using it, the benefits it offers you as a consumer and member of Trent, as well as what to do if you need to work on sensitive documents but, for one reason or another, are unable to work on an encrypted device.
Encryption in a nutshell
Encryption is simply the process of encoding data so that only the intended audience can read it.
A very simple example would be a substitution cipher like this:
So if I told you the ‘key’ is simply an alphabetic rotation 3 letters to the left, I could then send you a message that says:
Jbbq jb lk qeb yofadb xq axvyobxh.
You could then take my ‘ciphertext’ aka ‘encrypted secret message’, and rotate it back 3 letters to the right to decrypt it to:
Meet me on the bridge at daybreak.
If someone other than you were to see the original message, they would not be able to read it. My secret message would be safe because only you and I know the ‘key’ to decrypt it.
You could diagram our secret communication like this, with me on the left, and you on the right, and the message encrypted in the middle:
Like I said, that is a very simple example, and it would be easy to break. Someone could immediately guess that ‘b’ is probably ‘e’, because ‘e’ is the most common letter in the English language and ‘b’ is common in that sentence. They would have our message cracked in no time. Even if they were not that clever, the alphabet is only 26 characters long, so they could try all possible shifts until they arrived at the correct one (this is called a brute force attack).
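The following Python example is added here and is not part of the original post. It implements the 3-letter rotation above, then recovers the key both ways just described: by assuming the most common ciphertext letter stands for ‘e’, and by trying all 26 shifts and scoring each result against approximate English letter frequencies. The function names and the frequency table are this example's own choices.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase
# Approximate percentage frequency of a..z in ordinary English text.
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))

# The article's example message and its ciphertext.
PLAINTEXT = "Meet me on the bridge at daybreak."
CIPHERTEXT = "Jbbq jb lk qeb yofadb xq axvyobxh."

def rotate(text, shift):
    """Move each letter `shift` places right (negative = left); keep case."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("a") if ch.islower() else ord("A")
            ch = chr((ord(ch) - base + shift) % 26 + base)
        out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def letter_counts(text):
    return Counter(c for c in text.lower() if c in ALPHABET)

def shift_from_most_common(ciphertext):
    """Frequency guess: assume the most common ciphertext letter stands for 'e'."""
    top = letter_counts(ciphertext).most_common(1)[0][0]
    return (ord("e") - ord(top)) % 26

def chi_squared(text):
    """Distance from English letter frequencies; lower looks more like English."""
    counts = letter_counts(text)
    n = sum(counts.values())
    if n == 0:
        return float("inf")  # nothing to score
    return sum((counts[l] - n * f / 100) ** 2 / (n * f / 100)
               for l, f in ENGLISH_FREQ.items())

def brute_force(ciphertext):
    """Try all 26 shifts; return (shift, text) for the most English-looking result."""
    return min(((s, rotate(ciphertext, s)) for s in range(26)),
               key=lambda cand: chi_squared(cand[1]))

if __name__ == "__main__":
    print(rotate(PLAINTEXT, -3))               # encrypt: 3 letters to the left
    print(shift_from_most_common(CIPHERTEXT))  # key guessed from letter frequency
    print(brute_force(CIPHERTEXT))             # key found by trying every shift
```

Both methods find the key from the ciphertext alone, which is why a cipher with only 26 possible keys offers no real protection.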
Luckily the encryption we trust our data and privacy to is much more secure. How secure? Well I'm glad you asked...
How hard is it to crack proper encryption?
The whole idea behind encryption is to make it very difficult for an unintended audience to decrypt the secret message, or data. So difficult, in fact, that it would take even a supercomputer a long time to crack it.
For example, ‘AES-128’ is a very commonly used type of encryption. Nowadays we are actually moving toward AES-256, which is even stronger, but that just makes this example even more unbelievable:
If you had a hard drive encrypted with AES-128 encryption, and a supercomputer at your disposal to try to crack it using brute force techniques, it would take a billion, billion years to do so! That’s a quintillion years (a 10 with 18 0’s after it - source). The universe is only 13.8 billion years old, so it is safe to say it probably will not be cracked any time soon.
Brute force attacks are not the only way to attack encryption; sometimes there are weaknesses to be found in the algorithm, and who knows what effect quantum computers and artificial intelligence will have on AES. The point is, it is plenty strong for right now, and our encryption standards will evolve in line with the available computer power in the future.
Fun fact: when the bad guys steal data and credentials and find out it is encrypted and therefore currently useless to them, they may not mind. Some of these folks keep that data around just in case the type of encryption used ends up being broken in the future. Or maybe, in ten years, computers will be powerful enough to brute force it. These folks are getting incredibly well funded and are very intelligent. They are playing the long game as well as the short game. Sure, the data will most likely be years old when/if they can crack it, but that may not matter depending on the type of data uncovered.
You make use of encryption every day on the web
You know when you go to a website and you see https:// instead of just http://, and the little lock icon next to it?
Like this:
That means you have a secure, encrypted connection to that website. Data sent back and forth between you and the website is encrypted and safe from prying eyes. You want to see that little lock if you plan on buying anything from the website or entering your username and password or any data you would not want anyone else reading.
Plain old ‘http’ sites are fine as long as you are just browsing them or submitting generic data you are not worried about others seeing.
Your smartphone is probably already encrypted
Nowadays Android phones and iPhones encrypt everything on them by default. Your fingerprint, face, lock-screen password or pattern is used to facilitate the decryption without you ever needing to know.
Your computer may be encrypted as well
Macs have come with their encryption ‘FileVault’ enabled for years now.
BitLocker is the Windows solution, and up until very recently it has remained an option only for ‘Pro’ versions of Windows 10.
If you want to check if your Mac is encrypted, go to ‘Settings’ > ‘Security and Privacy’ > ‘FileVault’.
As far as Windows 10 is concerned, if you have a Trent laptop, once we get back on campus, they will ship pre-encrypted.
If you want to check your own personal Windows 10 computer, click the Start button at the very bottom left and just start typing ‘bitlocker’. See if it comes up as an option.
Disclaimer: Encryption is so good at keeping your data safe that if you encrypt your computer then lose your encryption key or forget your password, no one in the world will be able to help you get your data back. Make sure you fully understand the risks and safeguard your key.
So how does an encrypted phone or computer help you?
If you lost your device or had it stolen, it would ensure that whoever had it would have no way to access your files.
You can unlock your computer and your phone easily enough, but you have the password. When you enter it, it enables the decryption function to take place behind the scenes.
For example: if a professor’s unencrypted laptop were to be stolen out of their car and it had student PII (personally identifiable information) and grades on it, this would constitute a privacy breach. If, on the other hand, the device was encrypted, the only loss would be the dollar amount to buy a new computer. No breach would have occurred, no lawyers would need to be contacted, no one would have to get in touch with the privacy commissioner of Canada. The fact that it was encrypted would safeguard from all of that.
You might ask ‘but unless the thief knows the professor’s password, they wouldn’t be able to login anyway right? So how does encryption help here?’
Correct, they would not be able to login, but they could open the computer, pull out the hard drive, plug it into another computer and have full access to the files, without knowing any passwords.
They could also use a pre-configured USB stick to boot the computer to a different operating system and then browse the files that way as well.
Tools exist to do the same with phone storage too.
So, ideally, if your device is lost or stolen, and encrypted, you at least have peace of mind knowing that the thief cannot get at your files, documents, pictures, etc., and that you have not been the source of a potential privacy breach!
This is also a scenario that shines a light on the importance of Cloud Storage. As long as you keep your files backed up on Google Drive or OneDrive, your files are still safe and sound on the cloud to be accessed from another device. I have previously written on that topic.
What if I can not encrypt my device but need to work on sensitive files?
You still have an option here. You can keep sensitive files safe by only storing them and working on them online in Google Drive or OneDrive, within a browser, or alternatively on the H or S drive if you’re on campus.
In this scenario, do not download the Google Drive or OneDrive software and sync the files to your computer, as that defeats the purpose of keeping the sensitive files off of your computer’s unencrypted hard drive.
In this way, your computer is a window to your files, yet never stores them itself.
(Our definition of sensitive files can be found in our Policy document.)
Conclusion
There is much more to encryption if you are so inclined, however I think this was a good basis. It is pretty much all you need to know unless you have a specialized job that demands more knowledge on the topic.
We have seen an example of how encryption works, learned just how secure our current encryption standards are, and what exactly ‘https’ means. You have learned that your phone and computer are probably already encrypted and, if they are not, how to check and how to turn it on, as well as how encryption actually protects your files in the event of theft. And finally, you have learned how to work with sensitive files when you are unable to encrypt your device.
I hope you found this informative, and stay tuned for more topics.
Stavros Tzagadouris - Level 1 Information Security Officer - Trent University