Encryption is an essential tool in keeping data safe. It’s not the whole answer, though, and the Internet is full of misleading information about it. Sometimes it’s portrayed as a magic bullet, sometimes as a waste of time. Truth is always more complicated than myths, so let’s look at a few myths and get a perspective on them.
1. Only people with something to hide use cryptography. That’s true in a sense; we all have “something to hide.” We need to hide information that would let other people impersonate us, spend our money, get inside our homes, and find out things that are none of their business. There’s nothing criminal or dishonorable about this.
Anyone who shops on a website uses cryptography. So does anyone who logs securely into a site. Our financial information is encrypted when it’s stored on businesses’ servers β or at least it had better be.
2. Encryption is easy to implement. Some people think that they can devise their own algorithms, and that they’re actually safer because they don’t follow any published standard. In reality, strong encryption is one of the hardest things to do in computing. Even experienced programmers don’t have the skill to do it right, unless they’ve done serious work in cryptography.
The algorithms which command confidence have survived serious testing to make sure they’re as hard to break as they claim to be. Even so, some popular cryptographic methods have turned out to have problems. Older versions of OpenSSL, the encryption framework used for secure Web transactions, have significant weaknesses, and old browsers that don’t use the more recent TLS upgrades are at risk.
3. Encryption degrades performance. It does have some computational cost, but it’s minor on today’s computers. In most cases, the time needed to process and transfer data is much more significant than the time to encrypt and decrypt it.
Encrypting a large amount of data at once can take a long time. An example of this would be running full-disk encryption for the first time on gigabytes of data. Once mass conversions are finished, the ongoing costs of encryption are usually barely noticeable.
4. Encryption hides all information and guarantees security. Merely encrypting data isn’t enough to meet security requirements. Encrypted information is generally accompanied by metadata which isn’t as critical but can still reveal a lot. Usage patterns, IP addresses, and timestamps may be enough information for a spy to make good guesses. Malware may be able to grab information before it’s encrypted or after it’s decrypted. Encryption keys can be stolen.
Even with the best encryption, data security requires protection of software, communication, and keys in order to be complete.
5. Encryption is only necessary where there’s a legal obligation. Anyone who stores people’s confidential information has an obligation to protect it, whether a law demands it or not. Governments enact laws requiring secure data after enough serious breaches have happened. Responsible organizations shouldn’t wait till things get that bad before protecting the data they store.
Some organizations believe their information isn’t important enough for anyone to grab. That’s a serious mistake, since attacks often go after the weakest targets, whether they’re high-profile or not. If it’s on the Internet, it needs protection.
6. Anyone clever enough can break the strongest encryption schemes. Breaking strong encryption is computationally expensive. It requires not just brains but lots of processing power and time. The periodic demands for back doors in encryption demonstrate that even the United States government doesn’t have the processing power to break a well-encrypted message in a short period of time.
Any key-based encryption scheme can be broken, given enough time and computational power. In practical terms, though, current cryptographic methods are safe against anyone’s current decryption capabilities. It’s user errors, not codebreaking, that let spies and law enforcement crack encoded communication.
Encryption is a powerful tool for good and for evil. The better we understand it, the more we can use it in good ways.
BWS provides reliable IT services to keep your systems running smoothly and fix problems quickly.Β Contact us to learn more.
