Encryption: No Longer a Fringe Security Feature

Hackers are rarely far from the news these days, whether they’re perpetrating cyber-intrusions into political campaigns or take-downs of major retail websites, social media sites, movie studios, or entertainment conglomerates. But some of the “hacking” headlines can be deceiving. In fact, a significant number of cybersecurity breaches around the digital world actually represent a kind of all-too-familiar crime that is as old as the abacus.

As a data protection report last year by the firm Bitglass noted, one in four security breaches in the financial services sector stems from lost and stolen devices. Related reports conducted by the same firm found that device loss and device theft in some recent years have represented more than two-thirds of all healthcare data breaches.

In other words, sometimes when the media reports “hack,” they really mean to say “theft.” And this fact is significant when assessing your cybersecurity posture.

Fortunately, there’s one universal solution to securing physical devices against unwanted intrusions. It’s called encryption.

The Value of Encryption

Think of encryption, at the most fundamental level, as a secret recipe for encoding and decoding information. If I’m a military commander and want to communicate “one if by land, and two if by sea” to an allied commander, I’d be foolish to send the message as-is—just written out or emailed in plain text for anyone, be they ally or enemy, to read. Instead, military forces, governments, and other purveyors of sensitive information for millennia have used secret codes (i.e., cryptographic protocols) to conceal sensitive information from prying eyes.

For a typical business user, encryption begins with two concepts: data-in-motion and data-at-rest. As the names imply, the first involves the transmission and reception of data packets and files across networks including (but not exclusive to) the internet.

Two Kinds of Cryptography

One familiar kind of data-in-motion encryption is the padlock that appears on your web browser when you’re on a website that uses sensitive information—credit card information or medical data, for instance. Called SSL for Secure Sockets Layer, this familiar data-in-motion standard is what’s known as a “public key” crypto system. Public key cryptography (sometimes called asymmetrical key cryptography) involves two kinds of keys, a public and a private key. They’re based on math that’s very easy to perform in one direction (think of multiplication of two large numbers) but hard to perform in the other direction (think of dividing up a very large number into its prime factors).

A public-key transaction might go as follows. Bob wants to send and receive encrypted data, so he shares his public key with the world—a string of numbers that his correspondent Alice can use, in this case, to encrypt a secret message to Bob. Say, for argument’s sake, that Bob’s public key comprises the numbers 33 and 7. (The real-world public-key algorithm involves much larger numbers.) He does some math of his own in advance to discover the corresponding private key for that public key, which, in this case, is 33 and 3. And, crucially, he keeps his private key private. Unlike the public key, which he can and should distribute as broadly and widely as possible, the whole system breaks down if an interloper knows Bob’s private key as well as his public key.

Presuming Bob has done his job and kept the private key private, Alice can now securely transmit “one if by land, two if by sea” to Bob using his public key. He’ll then decrypt that same message using his private key. Alice begins with the first letter of the message, “O.” That’s the 15th letter in the alphabet, so she represents it as the number 15. She raises 15 to the power of the second number in Bob’s public key. That’s 15 to the 7th power, which is a big number (170859375). Now she takes the first number in Bob’s public key, 33, divides the big number she just computed by 33, and keeps only the whole-number remainder of that division. The remainder (trust us) is 27. And so 27 is the encoded message that Alice will now send to Bob. It secretly represents the letter “O,” although anyone intercepting Alice’s transmission to Bob would never know that. And the bigger the size of the public and private keys, the harder the system is to crack.

Bob then looks at his private key (33 and 3) and performs a similar operation on the encoded message, 27. He raises 27 to the power of the second number in his private key. That’s 27 cubed, which is 19683. Now he divides that number by the first number in his private key (33) and takes the whole-number remainder. The remainder is 15, corresponding to the letter “O.” Alice has just sent the first letter of her secret message to Bob that she encrypted using his public key and that Bob then decrypted using his private key. (Of course, she uses the exact same recipe to encrypt every other letter in her message too, for which Bob uses the exact same recipe on his side of the line to decrypt the message.) And this, public key cryptography, is one of the foundation stones of data-in-motion encryption. It’s also, not coincidentally, the reason why you can type in your credit card number on your favorite online retailer and know that anyone intercepting your transaction with that retailer will not be able to steal your credit card number. It’s the basis of secure transmissions over the internet.
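
The arithmetic above, carried through the whole message, as an added example that is not part of the original article. The function names and the use of the primes 3 and 11 (the factors of 33) are assumptions of this sketch; it is textbook RSA with no padding and is for illustration only. The last function shows why the key size matters: with a modulus this small, the private key falls out of the public key by trial division.

```python
# Added example: textbook RSA with the article's toy key (n=33, e=7, d=3).
# No padding and a tiny modulus: for illustration only, never for real data.
from math import gcd

def derive_private_exponent(p, q, e):
    """Bob's 'math in advance': d is the inverse of e modulo (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+

def letters_to_numbers(text):
    """A=1 ... Z=26, as in the article; spaces and punctuation are dropped."""
    return [ord(c) - ord("A") + 1 for c in text.upper() if "A" <= c <= "Z"]

def numbers_to_letters(nums):
    return "".join(chr(v + ord("A") - 1) for v in nums)

def encrypt(text, n, e):
    """Alice's side: raise each letter's number to e, keep the remainder mod n."""
    return [pow(m, e, n) for m in letters_to_numbers(text)]

def decrypt(cipher, n, d):
    """Bob's side: raise each received number to d, keep the remainder mod n."""
    return numbers_to_letters(pow(c, d, n) for c in cipher)

def recover_private_exponent(n, e):
    """With n this small, trial division finds its two prime factors,
    and the private exponent follows from the public key alone."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return derive_private_exponent(p, n // p, e)
    raise ValueError("n has no small factor")

if __name__ == "__main__":
    n, e = 33, 7                      # Bob's public key from the article
    d = derive_private_exponent(3, 11, e)
    cipher = encrypt("one if by land, two if by sea", n, e)
    print("private exponent d:", d)
    print("ciphertext:", cipher)
    print("decrypted:", decrypt(cipher, n, d))
    print("d recovered from the public key:", recover_private_exponent(n, e))
```

Because each letter is encrypted on its own, the same letter always produces the same number, so this letter-by-letter scheme also leaks letter frequencies; real systems encrypt large padded blocks instead.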

Yet public-key (or asymmetrical) cryptography is only one of two basic kinds of cryptography in use today. The other is so-called private-key or symmetrical encryption. That’s the kind of cryptography in which the same key is used to encrypt and decrypt a piece of data. Private key cryptography is often used for data-at-rest applications such as encrypting a hard drive on a laptop. And whether it’s public or private key, encryption is always more than a yes-or-no proposition. If an IT security person asks you if your device is encrypted—and is satisfied with “yes” without any follow-up questions—you might want to advise them to be a little more inquisitive. Just as with any security measure, there are many different kinds of encryption. And some work better than others at deterring intrusions into your data.

Three Levels of AES Encryption

And, depending on the circumstance, some encryption protocols can also slow down a computer or tablet or smartphone that implements them. So the trade-offs, if any, have to be known and appreciated in advance too. One of the gold standard crypto protocols for private-key systems carries the initials AES. In 2001, the U.S. National Institute of Standards and Technology established the Advanced Encryption Standard (AES), which has since been adopted by governments and companies around the world as the go-to private-key crypto standard. There are three levels of AES encryption, described by the size in bits of the cryptographic key used to encode and decode. AES128, AES192, and AES256 are the three standard sizes, with increasing levels of security as the numbers increase.

Cracking AES by trying every possible combination of keys until the right one is found, the so-called “brute force” method, is considered to be practically impossible. The electrical engineering journal EE Times in 2012 calculated that even the “lowest” of the AES protocols, AES128, would take one-billion-billion years (that’s a 1 followed by 18 zeroes) for a supercomputer to crack. The time to crack the higher AES standards is even more exponentially outlandish.

AES192, the authors calculated, would be crackable in 18 trillion-trillion-trillion years. And AES256 would require 3 followed by 56 zeros in years of brute-force supercomputer time. That said, the authors of the EE Times study cautioned that hackers can be very clever people. So estimates of the time to brute-force a solution, so far beyond a realistic time frame that it’s absurd to even consider, shouldn’t then lead to complacency or a false sense of security. After all, AES replaced a standard first proposed in 1977 called the Data Encryption Standard, or DES. Today, DES (whose cypher key is 56 bits long) is crackable using present-day supercomputers in a matter of minutes.

What's Ahead

It’s hard to imagine even the fastest supercomputers achieving speedups necessary to bring the brute-forcing of AES to even within billions of years, let alone realistic human time scales. As a result, security professionals are generally comfortable in their firm commitment to AES—especially AES256. Of course, no cybersecurity protocol is ever 100% secure for all time. DES was considered uncrackable using the computers of its time too.

So, in 2017, for hackers using even the world’s fastest computers, AES will at the very least resist any known or documented methods of brute-force cyber lockbreaking. (However, buyer beware. Older legacy systems should be checked by an IT security professional to ensure that they are not using DES or other now antiquated and compromised security standards.)