What is encryption?

From connecting to your Wi-Fi network to reading this web page, you use encryption all the time. Let’s explore the technology that protects your online privacy.

What does encryption do?

Encryption turns human- or computer-readable data into a string of code that’s meaningless unless you have the key required to decode it. It’s critical to online security, financial transactions, privacy, and the general operation of the internet as we know it today.

People have been using cyphers to encrypt information for at least 2500 years. Simple substitution cyphers, such as ROT-13, in which the “key” is the knowledge that every character of the Latin alphabet is moved on 13 places, are as common in games and puzzles as they are in online spoiler warnings.

This type of encryption is known as a Caesar cypher, as Roman emperor Julius Caesar used it in his private letters. While fun to solve and easy to implement, cracking a Caesar cypher can be done by hand in minutes, and is an inconsequentially trivial task for the mathematical processing power of your average computer.

Symmetric and asymmetric encryption

In encryption, you have a plaintext – the original, unencrypted message, a key, and a cyphertext – the encrypted result result of encrypting the plaintext with the key, which is – hopefully – incomprehensible to anyone who does not have that key. When it comes to computer encryption, you’ll encounter two main types:

Symmetric encryption, where both the sender and recipient of the encrypted data have the same key, is less processor-intensive, but also more vulnerable to being broken or intercepted. Generally used in security scenarios where everyone involved can be assumed to be fairly trustworthy and it’s easy to privately tell someone what the shared key is without risk of it being stolen. Your wireless router uses symmetric to secure the data it sends back and forth to the devices connected to it.

Symmetric encryption protocols include AES, Blowfish, DES and 3DES.

Asymmetric encryption, which uses two keys: a public key that you give to anyone who needs to encrypt data for you, and private key that you only hold, used to decrypt data encrypted using the public key. It’s also known as “public key cryptography” for this reason.

It’s famously used for PGP (Pretty Good Privacy) email encryption, where users share public keys for others to import into their email clients, which will then encrypt messages to them. You might not have PGP set up for your email, but you definitely use asymmetric encryption every day.

It’s a ubiquitous part of the modern, secure web, as it’s used in the TLS (Transport Layer Security) protocol used by the HTTPS (Hypertext Transfer Protocol Secure) protocol to encrypt data to sent to and from any website that uses the https:// prefix and shows that little lock icon in the address bar.

Asymmetric encryption protocols include Diffie-Hellman Key Exchange (DHKE), RSA, DSA and ECC.

You’ll often encounter systems that use both asymmetric and symmetric encryption in tandem. In fact, that applies to TLS, which uses asymmetric encryption to keep data secure during the “TLS handshake” process, where the parties (your browser and the website it’s connecting to) establish their identities, protocols and generate session keys, which they’ll then use for faster, more resource-efficient symmetric encryption to secure data for the rest of the connection session.

All of this is carried out automatically by your web browser to ensure that your online activities aren’t snooped on by strangers hoping to steal your passwords, credit card numbers, or other personal information.

Combinations of symmetric and asymmetric cryptography are also used by the SSH protocol, many VPN protocols, and End-to-End Encrypted (E2EE) chat services. You can see a list of the benefits the encryption brings in our best VPN guide.

End-to-End Encryption

I’ve already mentioned PGP email encryption, in which one public key is shared with anyone who want to send a secure message to the recipient and a second private key is held only by them and used to decrypt the public-key-encoded messages they receive. The message is encoded at one end, transmitted, and decoded at the other.

This is an example of end-to-end encryption, and people have been using various iterations and versions of it since 1991 to encrypt everything from messages on public Bulletin Board Systems to files and, of course, email. The encrypted message can be published on an open message board, sent across a network in plain text, or other communicated by insecure means, but it will remain private.

Some secure email services, such as ProtonMail, have built-in PGP, although you may have to take extra steps, such as deliberately sharing your public key, to be sure of using properly when communicating with non-ProtonMail users.

End-to-end encrypted messaging, famously used by communication apps such as Signal, Element and WhatsApp, are all designed to ensure that no one can read your messages in transit. WhatsApp and Signal both use the Signal protocol, Element uses the Matrix protocol, and both of these use a raft of asymmetric and symmetric encryption protocols to ensure that your encoded message can’t be decoded until it gets to your recipient’s messaging client at the other end.

The choice of protocol is irrelevant to the principle of End-to-End Encryption, as long as it does its job.

Arguments against E2EE are based on the idea that a computer system somewhere between you and your recipient should also have a key to decrypt your message, so that a third party with access to that system can read it if they want to. As all online services and computer systems stand a risk of being compromised, the potential privacy hazards are clear.

It’s important to note that end-to-end encryption is designed to protect your communication in transit. Messages may be accessible in plain text or without password protection when at rest on systems belonging to sender or recipient.

To avoid this, most modern E2EE systems – and all the messaging services I mentioned above – also use client-side encryption to ensure that the contents of messages are protected at rest.

Breaking encryption

As with passwords, longer encryption keys make for better security, and modern protocols are more secure than their predecessors. Standards are regularly changed upgraded as vulnerabilities are discovered or modern computers make it easier for keys to be cracked through brute force.

Fortunately, and very much unlike passwords, most computer users don’t have to worry about much of this stuff on a personal level. Ensuring that your operating system, web browser, VPN clients, communication software and networking hardware are reasonably current and have all their updates installed

If you run a website, your HTTPS certificate authority (such as Let’s Encrypt) will make sure you’re compliant with the latest TLS standards, although you may have to make sure certificates are properly applied if you administer your own web server.