What the fuck is encryption?
It’s hard to read the news these days without hearing about encryption. Some say only criminals and pedophiles use it, others argue that it’s absolutely necessary for every person online these days. But do you know what encryption even is?
The principles of Information Security
Before we can answer what encryption is, we have to take a look at what we actually want to achieve. These goals are sometimes considered the core principles of information security. I’ll explain them as well as I can:
- Confidentiality: You only want information to be read by those who are allowed to read it. Your bank account data, for instance, should only be allowed to be read by you and your bank, but not by your neighbor, your ISP or anyone else who’s curious how much you earn.
- Integrity: You want to be assured that the data you receive is exactly the same as your partner has sent, and vice versa. This means if you agree to send 100 USD to someone, you want to ensure that it doesn’t suddenly turn into 10000 USD.
- Availability: While this has very little to do with encryption, Information Security also needs to ensure that data is available when required.
- Authenticity: You want to be assured that your partner is who they claim to be. That means that you want a way to verify that the website you are surfing on is actually your bank’s website and not some shady scam.
- Non-repudiation: You want to be assured that nobody can digitally sign a contract and then claim that it wasn’t them.
For the purposes of encryption, Confidentiality, Integrity and Authenticity are vital goals. Non-repudiation is somewhat a result of those things, so we don’t really have to care about it.
So what the hell is encryption now?
At its core, encryption means that data becomes unreadable (confidentiality) to anyone who doesn’t have the right key. In modern systems, it also means that encrypted data can’t just be modified without the communication partners noticing (integrity).
Perhaps you have heard terms like RSA, AES-256 or Triple-DES somewhere before. Well, those are modern cryptographic algorithms. They are based on mathematical constructs, which are quite a chunk to understand (trust me, I had to study them for an exam), but at their core they work like this:
- Take a clear message M and a secret key K.
- Put M and K into an encryption function e(M,K) and receive a ciphertext C.
- C is now completely unreadable to anyone, including you.
- The recipient puts C and K into a decryption function d(C,K) and receives the original clear message M.
(I know, this only applies to symmetric ciphers, but it’s a decent enough explanation. And if you know about symmetric and asymmetric ciphers, why are you even reading this?)
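The four steps above as runnable Python, added here as an illustration and not code from the original post. The names e and d follow the post's notation; the nonce, the derived subkeys and the HMAC-SHA256 keystream are assumptions of this sketch, standing in for a real cipher such as AES. It also shows the integrity property: a one-bit change to C makes d refuse to decrypt.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher (assumption).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(k: bytes):
    # Derive separate encryption and MAC keys from the shared secret K.
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())

def e(m: bytes, k: bytes) -> bytes:
    """e(M, K): returns C = nonce || encrypted body || integrity tag."""
    enc_key, mac_key = _subkeys(k)
    nonce = secrets.token_bytes(16)  # fresh per message, never reused with the same K
    body = bytes(a ^ b for a, b in zip(m, _keystream(enc_key, nonce, len(m))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def d(c: bytes, k: bytes) -> bytes:
    """d(C, K): checks the tag first; raises ValueError on tampering or a wrong key."""
    enc_key, mac_key = _subkeys(k)
    nonce, body, tag = c[:16], c[16:-32], c[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))

def demo() -> dict:
    k = secrets.token_bytes(32)
    m = b"send 100 USD"            # constructed sample message
    c = e(m, k)
    tampered = bytearray(c)
    tampered[16 + 5] ^= 0x01       # flip one bit inside the encrypted body
    results = {"roundtrip": d(c, k) == m, "hides_message": m not in c}
    for name, blob, key in (("tamper_detected", bytes(tampered), k),
                            ("wrong_key_rejected", c, secrets.token_bytes(32))):
        try:
            d(blob, key)
            results[name] = False
        except ValueError:
            results[name] = True
    return results
```

For real data, use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a maintained library rather than a hand-built construction like this one.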
So what is all the fuss about?
Certain entities don’t really like the idea of not being able to read what you are doing. Entities like criminals, but also government agencies. They love reading what you are doing, but for different reasons. Criminals just want to steal your data, so it’s good that encryption has become so widespread.
Government agencies on the other hand just love knowing what’s going on in their country, and as such widespread use of encryption made this task a lot more difficult. That said, it’s not impossible for them to crack encrypted texts, but it makes it more difficult for them.
What about terrorists and criminals?
Ahh yes, the good old go-to argument governments love to give. Yes, terrorists and criminals use those algorithms as well, but they would do the same thing if they were outlawed. And even if not, they don’t really need to use them to achieve their goal.
An example: A terrorist group wants to plan an attack. They could use encryption, or simply meet in person and discuss plans at their home. If they are not suspects of terrorism, then calling someone to meet up and watch the game is not really suspicious. And even then, a text like “hey, do you have time on Saturday the 12th?” isn’t enough for a warrant. So yeah, terrorists don’t really need encryption anyways.
Criminals, well, they have a bit more to gain. For instance, drug dealers can communicate more securely now, but they have developed a somewhat secure code for communication long before cryptography became widespread and usable.
The only one who can really gain something from encryption is the average internet user. Consider this: When your connection to a website is unencrypted, EVERYONE IN THE WORLD CAN SEE EVERYTHING! Your email address, your password, every message you type, every image you upload, every image you view, etc. Do you feel comfortable with your neighbor knowing the login to your Facebook account? To your online dating account? To your bank account? I wouldn’t!
Why can’t we have a golden key so we can decrypt the stuff from the bad guys?
Another argument that people just love saying. In this case, a golden key would be some binary sequence that could decrypt every message in a particular cipher. This golden key would need to be protected very well, and only available to governments or the like. However, there are many reasons why this is impossible:
- We already have encryption algorithms where no such keys exist (at least to our knowledge). This means that “bad guys” can just use these algorithms. Why would they switch to something that their “enemies” could easily decrypt?
- If these keys ever got leaked, EVERYTHING would be easily decryptable, which means you might as well not encrypt it at all. We had exactly that happen to the TSA-compliant travel cases. You can buy these keys on eBay or print them with a 3D printer.
- And before you ask, no, it’s not possible to create a “safe” golden key. Encryption is a mathematical process and math doesn’t understand the concept of a warrant. 2 doesn’t divide 5, even if you have a court order to make 5 comply.
Well, I don’t have anything to hide!
Just because you are not a criminal doesn’t mean you don’t value privacy. You likely have things you don’t want everyone you know to know, such as your financial situation, your health data, and the nude pictures of your ex-girlfriend which you totally deleted and are really not in User/My Documents/Backup/Calendar/Private/!
We all want a certain level of privacy, and even if we allow the government to take it away from us, criminals don’t give a fuck about that. It’s the law-abiding citizen who loses. Just look at the movie industry: Tickets keep getting more and more expensive, but the pirates don’t give a crap — it’s the people who go to the cinema who lose. When they started selling Blu-ray discs, they included so much digital protection that it took me 3 hours to finally watch a movie on my PC which I bought on Blu-ray. If I had downloaded it illegally, I could have watched it instantly.
So please, just take away this one thing: Encryption is important to you, even if you don’t realize it! Every law that weakens encryption doesn’t hurt the bad guys — it hurts you!