The encryption of data as well as encrypted data transfer on network-based transmission paths (LAN, WAN, WLAN, Internet) is increasingly becoming the norm. It is not without reason that hardly any unencrypted websites can be found on the Internet anymore - the TLS standard has become part of everyday life. Many browsers now mark unencrypted HTTP pages as "not secure". Even public WLAN networks are mostly encrypted with a known password to prevent third parties from viewing the data traffic. Messenger services advertise their products with the end-to-end encryption used. Online shops are now required by law to handle their payment systems using only encrypted channels.
The encryption of files and entire data media has been used for decades, especially in companies. But encryption techniques are also increasingly being used in the private sphere - more and more users are using additional encryption software in cloud services from US cloud providers to protect their data content from the eyes of prying third parties and to ensure data protection.
Methods that convert plaintext into ciphertext have been known for thousands of years. Encryption in information technology refers to various procedures and algorithms that convert data into an unreadable form using digital keys.
Symmetric encryption methods have been known for over 2,500 years. A key is used for encryption and decryption, which sender and receiver agree upon. In order to protect the information, this key must be kept secret, therefore the handing over of the key represents a potential security risk. Another problem is that a separate secret key is required between each sender and receiver. Therefore, the number of keys required increases disproportionately with the number of persons.
Symmetric cryptography therefore works like a briefcase with two matching keys that cannot be lost.
Data Encryption Standard (DES)
The Data Encryption Standard (DES) developed by IBM is a symmetrical encryption method that was standardized in 1977 by the US National Institute of Standards and Technology (NIST). The symmetric algorithm works as a block cipher at bit level. It breaks down the plaintext into blocks of 64 bits, which are individually encrypted with a 64-bit key. Thus, 64-bit plaintext is translated into 64-bit ciphertext. Since every eighth bit of the key functions as a parity bit, only 56 bits are effectively available for encryption. A parity bit is a supplementary bit in a sequence of bits to supplement the number of bits occupied by 1 (including the parity bit) of the sequence as even or odd.
Advanced Encryption Standard (AES)
Although the DES was the foundation of modern cryptography, it is now obsolete and insecure due to the small key length. With the current state of the art, a DES key can be decrypted in just a few hours. The successor of DES was the Rijndael algorithm, certified by NIST as Advanced Encryption Standard (AES) at the end of 2000. AES is also based on block encryption: instead of 64-bit blocks, however, AES uses much larger 128-bit blocks, which are encrypted in several successive rounds using a substitution permutation network (SPN).
Due to its algorithm, AES is considered very secure and is used today as an encryption method for WPA2, SSH and IPSec, among others. However, the data is only secure if the key remains secret. Since the same key is used for encryption and decryption, the encryption system is affected by the key distribution problem like any other symmetric method. The secure use of AES is therefore rather limited to fields of application that do not require the exchange of keys or allow it via a secure channel.
Asymmetric encryption methods, which were developed in the 1970s, use two keys: In addition to a secret, private key, there is a public key, which is accessible to everyone. The file is encrypted with the public key and can only be decrypted with the matching private key. So asymmetric cryptography works a bit like a mailbox.
The advantage of the asymmetric encryption method is that anyone can use the public key to encrypt data. Since only the public key is exchanged, this can also be done via a public channel.
A disadvantage of the asymmetric encryption method is an increased effort if there are several recipients, because the encryption is done with the individual public key of each recipient and the message has to be encrypted individually for each recipient. An attack by an intermediary can also occur. In this case, the middleman places himself between the communication of two persons and deceives his own public key as that of the actual recipient, then decrypts with his own private key and finally encrypts the message with the public key of the actual recipient and sends it on. The communication partners may not notice anything, but their message was read.
Hybrid encryption is the combination of the symmetric and asymmetric encryption method. This means that the weaknesses of one system are compensated by the strengths of the other system. A random, symmetric key is generated with which the data is encrypted. The symmetric key is encrypted with the public key of the recipient or recipients. The symmetrically encrypted data is then transmitted together with the asymmetrically encrypted key.
However, not only the type of encryption method is important, but also where the key is stored. This is crucial for data security.
Channel Encryption is the encryption of the transmission path. Channel Encryption by means of SSL/TLS represents a minimum standard today, which should actually be active for every service used on the Internet. With this technology, the transmission of login information such as user name and password, meta information about existing files and folders such as names, data types, etc. and the files themselves is protected once again with an additional encryption layer.
Transport Layer Security (TLS), also known as Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission on the Internet. The last version of the SSL protocol was version 3.0; thereafter it was further developed and standardized under the new name TLS, starting with version 1.0.
In the case of data encrypted on the server side, the data is transferred to the respective server or provider together with the key. Even if the provider assures to handle the data confidentially, he could decrypt them at any time using the attached key.
With client-side encryption, the user encrypts his data with his own key and then transfers it to the server. The key that encodes the data never leaves the user's client in plain text. There is therefore no possibility to decrypt the files on the server itself. This is the best way to prevent access by third parties. Client-side encryption can be difficult to implement and manage with some solutions, but it is the most secure encryption for your data.
End-to-end encryption means that messages are encrypted at the sender and only decrypted at the intended recipient. In between, they are at no time available in unencrypted form. Client-side encryption is therefore the prerequisite for true end-to-end encryption.
Unencrypted storage enables some functions such as analysis, search, categorization or data mining.
Analysis and search functions can be practical, but they pose a security risk. Security should be a priority, especially for companies. When client-side encryption is used, only the owner and authorized users have access to the data.
|Server side encryption
Many cloud service providers claim that their platform is secure and data is encrypted. This may well be the case, but as long as these providers have the decryption key, your data can be decrypted every time you access the cloud server.
Anyone who has authorized or hacked access to the server can view, modify or steal your data.
Client-side encryption already encrypts your data on your end device, so it cannot be decrypted in the cloud. No one, except the owner and authorized users, has access to the data, not even the provider.
|Storage of the keys for encryption and decryption on the server
With this variant, the key for encryption and decryption is also stored in the cloud.
Anyone who has authorized or hacked access to the server will also have access to the keys and can view your data. If you encrypt your data on the client side, your files remain encrypted.
|Encryption on the transmission path
The majority of cloud operators use SSL or TLS encryption to protect files as they move from the client to the cloud and back.
|Some level of security
Files are decrypted on the servers during a pure channel encryption, which means that they can be intercepted there. Encryption on the transmission path is important. But first you have to encrypt your files on the client side so that they cannot be decrypted again on the server.
|Client-side encryption / end-to-end encryption
With client-side encryption, the user encrypts his data with his own key and then transfers it to the server. The key that encodes the data never leaves the user's client in plain text. There is therefore no possibility of decrypting the files on the server itself.
With client-side encryption, your data is best protected against access by unauthorized third parties.