(Photo by Rob Pegoraro/Yahoo Tech)
Encryption has been all over the headlines after recent terrorist attacks, and the discussion can quickly get cryptic. Is “crypto” a fatal weakness of the Internet? An endangered species that must be saved? You can hear heartfelt testimony for either view from both Democratic and Republican politicians.
But ultimately, encryption is just math that, like any other tool, can be used for good or ill. Let’s start with some basics about it that often get neglected in all the commentary.
Q. It was my understanding there would be no math in this story…?
A. Sorry, it’s unavoidable: Encryption works by encoding information in such a way that its recipient can decode it (without further help from its sender), but no one else can. To do that scrambling, you need to run the original data through one equation or another.
For example, to encrypt something against the prying eyes of somebody who’s really, really drunk, you could just replace each letter with one 13 places forward (so “A” becomes “N” and so on). If your eavesdropper is more capable, you’ll need something more complicated — but it’s still all equations.
Q. Okay. What makes for strong cryptography?
A. Using more complex math in an encryption algorithm only goes so far if the sender and recipient use the same key — that is, if they both plug the same secret set of digits into the encryption formula — to encrypt and decrypt. In that case, if either party loses the key, game over.
The simplified version of how encryption works. (Image: Commons.wikimedia.org)
But you don’t have to share the same key. That’s the insight behind public-key cryptography. You use one key — a public key shared with the person with whom you want to communicate confidentially — to encrypt the message. Then that recipient decrypts it using a different private key originally generated alongside the public key.
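To make the last two answers concrete, here is an added illustration (not part of the original article) that puts the shift-by-13 shared-key scheme next to a public/private key pair. It assumes textbook RSA with tiny constructed primes and no padding, since the article names no specific algorithm, and the function names are made up for this sketch; real keys are hundreds of digits long.

```python
# Added illustration: a shared-key cipher beside a public/private key pair.
# Textbook RSA with tiny constructed primes and no padding (an assumption;
# the article names no algorithm). It shows the key relationship only.
from math import gcd


def caesar(text, key):
    """Shared-key cipher: shift A-Z by `key`; other characters pass through."""
    return "".join(
        chr((ord(ch) - 65 + key) % 26 + 65) if "A" <= ch <= "Z" else ch
        for ch in text
    )


def make_keypair(p, q, e=17):
    """Derive (public, private) from two primes; only `public` is shared."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    d = pow(e, -1, phi)  # private exponent: inverse of e modulo phi
    return (n, e), (n, d)


def apply_key(values, key):
    """Raise each number to the key's exponent, modulo the key's n."""
    n, exponent = key
    return [pow(v, exponent, n) for v in values]


def encrypt(message, public_key):
    return apply_key(message.encode("utf-8"), public_key)


def decrypt(ciphertext, private_key):
    return bytes(apply_key(ciphertext, private_key)).decode("utf-8")


if __name__ == "__main__":
    # Shared key: the same secret (13) both scrambles and unscrambles.
    print(caesar("HELLO", 13), caesar(caesar("HELLO", 13), 13))

    # Key pair: anyone may hold `public`; only `private` recovers the text.
    public, private = make_keypair(61, 53)  # constructed sample primes
    ciphertext = encrypt("hello", public)
    print(ciphertext)
    print(decrypt(ciphertext, private))
    print(apply_key(ciphertext, public))  # public key again: not the message
```
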
Q. Sounds really complex. How do I use this?
A. You already have by reading this story. Your browser and Yahoo Tech’s site used public-key encryption to secure their connection, based on a standard variously called SSL (Secure Sockets Layer, the original name) and TLS (Transport Layer Security, a more modern moniker). That’s why the URL in your address bar begins https instead of just http.
(For more details, see this thread at the tech Q&A site StackExchange.)
Q. Can I protect my email this way?
A. You can, but that’s not as easy. While an increasing number of email services — including Gmail, Microsoft’s Outlook.com and Yahoo Mail — use encryption to protect messages as they transit the Internet, that doesn’t secure them after they arrive.
So-called end-to-end encryption requires senders and recipients to install an extra program. The best-known such software is the open-source Pretty Good Privacy. But even when used inside the refined interface of a PGP-compatible app like GPG Suite, encrypting email is tricky enough that most people don’t bother.
Let me put it this way: If this sentence’s link to my public PGP key gets me an encrypted message from a reader, that will be the first time it’s happened in many years.