Very simply, encryption takes information and changes it so it’s not readable. People use encryption when they’re concerned that there might be sensitive information they don’t want out in the public, such as your credit card number, and only able to be used by a trusted party. Decryption refers to the process of making that information readable again.
Methods of encryption have been around for a long time, such as the Polybius Square that goes back to the ancient Greeks.
In the digital world, encryption uses mathematical techniques to render data unreadable. These techniques are known as cryptography. While in the current zeitgeist, many people may associate the word crypto with cryptocurrency, cryptography refers to the mathematical techniques or algorithms applied to convert text, or plaintext, into the altered text known as ciphertext. That ciphertext can only be converted into something readable by someone who has the means to decrypt.
For example, say I want to encrypt my deep dark secret “I like marshmallows” because I don't want anyone to know that I, indeed, like marshmallows.
Using cape encrypt, Cape Privacy’s encryption utility as an example, the term “I like marshmallows” would be transformed into this unreadable ciphertext block:
I could potentially send this ciphertext out and have it show up on a billboard in Times Square or the front page of the Wall Street Journal without having to worry about my deep dark secret getting out.
cape encrypt, this block could only be decrypted in an isolated pre-determined environment called a secure enclave. You can think of a secure enclave as the only place where the message can be read.
Encryption is a part of our everyday lives. For example, as you’re reading this, your web browser might show a lock in front of <www.capeprivacy.com> indicating https and showing your connection is secure. That means that the information sent between your browser and the Cape Privacy website is encrypted when being sent over the internet and decrypted at either end to see the request or response. When you use an ATM or buy something online, encryption is used to protect the information in-transit.
We measure encryption strength based on how hard it is to guess or break it. In a simple example of replacing letters with different letters, it’s possible to use a distribution of the frequency of letters used in the alphabet to break that weak level of encryption. For example, there are various encryption algorithms that used to be used more frequently that have since been compromised.
At Cape we use AES 256 and RSA 4096. AES stands for Advanced Encryption Standards. AES uses symmetric cryptography and is one of the most effective encryption algorithms. Government and Military Secrets use AES 256 for protection. RSA stands for the three people who created it, Ron Rivest, Adi Shamir, and Leonard Adleman. RSA is widely used in HTTPS and VPN systems. RSA uses asymmetric key encryption. There are some trade-offs such as computational cost, affecting processing time, depending on the encryption methods used.
You can read more about the technical specifics behind these encryption standards and how they work in Ellie’s blog: Demystifying Encryption: Symmetric Encryption, Public-key Encryption, and Hybrid Encryption.
Encryption Key: You can think of an encryption key as a tool created specifically to make data unreadable. Some encryption keys are stronger than others.
Symmetric Encryption is when the same key is used to encrypt and decrypt the data.
Asymmetric Encryption is when one key, referred to as the public key, is used to encrypt the data, while a different key, referred to as the private key, is used to decrypt the data. Asymmetric encryption is slower than Symmetric Encryption.
Many systems, including cape, use asymmetric encryption, using RSA, to encrypt a symmetric key, AES, for added protection without slowing down processing.
Hashing refers to transforming data into something unreadable of the same length. Unlike encryption, hashing is a one-way process. Hashing is primarily used for authentication, for example when you login into a website, a hash is sent versus the actual password to avoid it being compromised.
How Does Encryption Help in Processing Data Securely?
Traditionally, data is protected at-rest and in-transit but not while being processed. With Trusted Execution Environments (TEEs), you can process protected data in secure enclaves. Data can be encrypted anywhere and then decrypted only in this safe environment. Granular controls can be built in, for example a particular piece of data can only be decrypted for a particular use case and by a particular individual for an additional control layer that complements zero-trust solutions. Our co-founder Gavin Uhma brings together several paradigms succinctly below:
What this means is that data should be encrypted before it goes anywhere. Historically, the challenge has been that data must be decrypted, or made human-readable, for applications such as machine learning models to use it, and privacy can be compromised if there’s a data breach. Confidential Computing, the practice of using hardware based secure enclaves, changes this paradigm because that decryption and processing happens in a hardware-based isolated environment with extremely limited networking and access.
In a real world example that is far less silly than me liking marshmallows, say a university wants to do medical research. This may require data from medical records from multiple places, such as the records in your doctor’s office. Moving this data, think of a physical file in the real world being left in a taxi as in the plot of many movies, can be fraught with danger in the digital world as well. Encrypting the data so even if it’s lost protects it, but if it’s decrypted in order to be processed and then someone loses control of it by accident or negligence, your data is out there. Decrypting in a secure enclave means that the data is safe. The data is never stored in its unencrypted form and unencrypted forms are destroyed from memory when finished.
Right now this technology is not accessible, so Cape’s mission is to empower developers and their organizations to use encryption with secure enclaves so they can protect data and make use of it in areas where privacy is fraught but the rewards could be great.