Welcome to “Security Threats: Encryption Concepts.” After watching this video, you will be able to: explore encryption and its common uses, list use cases for symmetric and asymmetric encryption, and explain how cryptographic hashing works.

Encryption is the act of taking readable text and scrambling it so it can only be read by a recipient that has the decryption key. Data that has not been encrypted is called plaintext because it's readable. Algorithms used to scramble plaintext are called ciphers. Encrypted plaintext is called ciphertext. An encryption key is a series of random, unique numbers, combined with very powerful algorithms, that is used to encrypt (or scramble) your data before you send it. The person on the receiving end has a decryption key that's used to decrypt (or unscramble) the data so it's in a readable or usable format.

In some industries, data encryption is a mandatory requirement. This includes student records, medical records, and consumer data. Many OSes have encryption built in. For those that don't, third-party encryption software is available.

Data at rest refers to data that resides on a storage device. The files aren't open or being transmitted anywhere. Data at rest can be encrypted at the file level, storage device level, and cloud level. Encryption at the file level lets you encrypt all your files on a storage device or just a select few. Disks and drives can be encrypted two ways: using software to perform the encryption, or enabling hardware-based encryption like BitLocker. Data at rest is less vulnerable, but it’s not immune from attacks. Using updated firewalls, VPNs, and anti-malware helps keep your data safe.

Data in motion, or data in transit, refers to data that is actively moving between two devices – meaning two computers, a mobile device and a mail server, or your computer and your bank's online website. Any website that uses HTTPS in its prefix is using encryption.
However, hackers can compromise encrypted sites with social engineering, man-in-the-middle attacks, and password cracking. And they can create their own encrypted HTTPS sites that install malware. Data in motion is especially at risk for interception attacks like man-in-the-middle. Using end-to-end encryption means that the data being transmitted and received is safe, even if it's intercepted by a hacker: they won't be able to decrypt your data. Data traversing a virtual private network (or VPN) is automatically encrypted but is not always end-to-end.

Symmetric encryption, also called “single-key” or “private key” encryption, is when a single key is used between parties to encrypt and decrypt data. With only one key, symmetric encryption uses less memory, which is great for quickly and securely processing larger amounts of data. That’s why it is often used to protect the main data exchange in a session. But it’s harder to keep a single key secret, especially if it needs to be broadly distributed. If this key is intercepted by a hacker, then they can decrypt your messages, hack your account, and steal or tamper with your data. 3DES and CAST are examples of symmetric encryption technologies.

Asymmetric encryption, also called “Public Key Cryptography”, uses a public key and a private key. Asymmetric encryption takes longer because it is more complex, so it is used for smaller amounts of data. It is safe to widely share the public key for encryption or decryption, because only the secret key can undo the public key’s action. Uses include: authentication, digital certificates, digital signatures, and key exchange – where a symmetric encryption key is shared only with the intended recipients. The RSA cipher is used in most asymmetric encryption.

Public Key Infrastructure (or PKI) is when a user is validated with a digital certificate by a Certificate Authority (CA). The digital certificate has a public encryption key that encrypts data.
If the data recipient trusts the CA that issued the digital certificate, they use a private key to decrypt the data. Digital certificates are used in smart card authentication. The smart card has a public/private key pair. It presents a digital certificate (including the public key) to the server it’s trying to access. If the server trusts the CA that issued the digital certificate, it will use the public key to send an encrypted request. Only the smart card’s private key can decrypt the request, which means only the smart card owner can send the correct response.

For digital signatures, the process is reversed. The sender sends an encrypted signature and a public decryption key to a recipient. If the recipient can decrypt the signature with the public key, that proves the sender signed it, because they must have performed the encryption with the private key.

A cryptographic hash is a short string of numbers and letters created by running a password or file through an algorithm. A single password and a full library will have different cryptographic hashes, but each will have the same number of characters. If any data is altered or removed from a password or file, its cryptographic hash will be different. If the cryptographic hash of a secure email is different after being sent across a network, the recipient knows the message has been tampered with. When you create a password, it’s converted into a cryptographic hash. On your next login, it’s converted again. If the stored hash and the new hash match, the system lets you in. Cryptographic hashes save space, authenticate data, and keep information secure.
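The two directions of asymmetric cryptography described above (encrypt with the public key, decrypt with the private key; sign with the private key, verify with the public key) as an added, self-contained example that is not part of the video. It uses textbook RSA with the toy primes 61 and 53 and no padding, chosen only so the arithmetic is visible; real deployments use keys of thousands of bits with OAEP or PSS padding from a vetted library.

```python
import hashlib

# Toy textbook RSA keypair from two small primes (constructed for illustration,
# NOT secure: real keys use primes of ~1024+ bits each plus padding).
P, Q = 61, 53
N = P * Q                  # public modulus: 3233
PHI = (P - 1) * (Q - 1)    # 3120
E = 17                     # public exponent
D = pow(E, -1, PHI)        # private exponent: modular inverse of E, 2753

PUBLIC_KEY = (E, N)        # safe to publish widely
PRIVATE_KEY = (D, N)       # must stay secret

def encrypt(message: bytes, public_key) -> list:
    """Encrypt with the recipient's PUBLIC key, one byte per block.

    Unpadded textbook RSA is deterministic (equal bytes give equal blocks),
    which is one reason real systems add randomized padding."""
    e, n = public_key
    return [pow(b, e, n) for b in message]

def decrypt(blocks, private_key) -> bytes:
    """Only the matching PRIVATE key undoes the public key's action."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)

def _digest_mod_n(message: bytes, n: int) -> int:
    # Sign the hash of the message, not the message itself; reduced mod n
    # only because the toy modulus is far smaller than a SHA-256 digest.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """Digital signature: the reversed direction, private key applied first."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the PUBLIC key recovers the hash and compares it.

    A match proves the holder of the private key produced the signature
    and that the message was not altered afterwards."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)
```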
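The hashing properties the paragraph above lists (fixed-length output, any change gives a different hash, login by re-hashing) as an added example that is not from the video. The password part goes slightly beyond the text by adding a per-user salt and PBKDF2 iterations, which is how stored password hashes should be produced in practice; the sample password and "file" are constructed.

```python
import hashlib
import hmac
import os

def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest: always 64 characters, whatever the input size."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample inputs: a short password and a much larger "file".
PASSWORD = b"correct horse battery staple"
LARGE_FILE = b"A" * 1_000_000

def tampered(original: bytes, received: bytes) -> bool:
    """Integrity check: a differing hash after transit means the data changed."""
    return fingerprint(original) != fingerprint(received)

def hash_password(password: bytes, salt: bytes = None):
    """Return (salt, hash) to store instead of the password.

    PBKDF2 with a random 16-byte salt and many iterations goes beyond the
    plain hash described in the text: equal passwords get different stored
    hashes, and each guess costs the attacker many hash computations."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)
    return salt, digest

def verify_password(candidate: bytes, salt: bytes, stored: bytes) -> bool:
    """Login: re-hash the attempt with the stored salt and compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)
```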
In this video, you learned that: encryption scrambles plain text into ciphertext so the data cannot be read, encryption needs keys to encrypt and decrypt data, data at rest is data that resides in storage, data in motion is data that is actively being transmitted and received, symmetric encryption uses the same key to encrypt and decrypt data, and asymmetric encryption encrypts with a public key and decrypts with a private key.