May 23, 2013

Drink Your Ovaltine: Encryption 101


When it comes to cryptography, there are no experts. It is considered to be a constantly evolving field. If you started learning today, it is accepted that you might see something new in the code, or do something better, that lifelong cryptographers have missed.

The first thing that comes to mind when I think of encryption is the scene in A Christmas Story when Ralphie gets a decoder ring and decrypts a disappointing (advertising) message.

But at its basic level, this describes encryption. You probably even had similar games you made up as a kid. In the computer world, this means converting plaintext data (ordinary info) into ciphertext, or unintelligible text.

OpenPGP (PGP = Pretty Good Privacy) is thought to be the most widely used encryption program in the world. There are two types of encryption methods: symmetric and asymmetric.

1) Symmetric Password-Based Encryption

This is the simplest encryption system. It’s called “symmetric” because the same key is used to encrypt and decrypt the file. If Alice wants to share data privately with Bob, she must first create an encryption key. This can be done by sampling a sufficiently random source, or by deriving it from a password. Alice must securely give this key to Bob. Now Alice can encrypt her data with that key, hand the encrypted data to Bob, and Bob can use the key to decrypt it. This method is useful to encrypt sensitive information for yourself, for family, or for a few trusted friends or coworkers. AES is a popular symmetric cipher.

2) Asymmetric Public/Private Key-Based Encryption

Asymmetric encryption involves the use of two different keys, one which is private and not shared, and one which is public. The public key encrypts data, and the private key decrypts data. With this scheme, Alice and Bob each have their own private/public key pairs. Alice now uses Bob’s public key to encrypt the data she wants to send to him. Because only Bob has his private key, only he can decrypt the data Alice sends him. Asymmetric encryption takes more computer power than symmetric key encryption, so it is often used to set up secure communications to exchange symmetric keys. RSA is a popular asymmetric cipher.

As for SpiderOak, our old clients used a combination of 2048-bit RSA and 256-bit AES. Now new clients use 3072-bit RSA combined with 256-bit AES to meet industry recommendations. We use this mixture of techniques where each is best suited: asymmetric encryption for communications channel setup and key exchange, and symmetric encryption for internal data structures and improved client performance.
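The division of labour described above (a symmetric key for the data, an asymmetric key pair to deliver that key) can be shown in a few lines of Node.js. This is an added example of the generic hybrid pattern, not SpiderOak's own code or key hierarchy; the function names, the choice of AES-GCM and RSA-OAEP with SHA-256, and the sample message are assumptions made for illustration.

```javascript
// Added example: hybrid encryption. RSA-OAEP wraps a random AES-256-GCM key.
const crypto = require('node:crypto');

// Bob's key pair; 3072-bit RSA matches the size quoted in the post.
function generateRecipientKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 3072 });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Alice: encrypt `plaintext` (a Buffer) so only the private-key holder can read it.
function hybridEncrypt(recipientPublicKey, plaintext) {
  const dataKey = crypto.randomBytes(32); // fresh 256-bit symmetric key
  const iv = crypto.randomBytes(12);      // 96-bit GCM nonce, never reused with the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();        // integrity tag over the ciphertext
  // Asymmetric step: only the small symmetric key goes through RSA.
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, dataKey);
  return { wrappedKey, iv, tag, ciphertext };
}

// Bob: unwrap the AES key with the private key, then decrypt and authenticate.
function hybridDecrypt(recipientPrivateKey, msg) {
  const dataKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  // final() throws if the ciphertext or tag was modified in transit.
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// Constructed sample run: round trip, then a one-bit modification of the ciphertext.
function demo() {
  const bob = generateRecipientKeys();
  const msg = hybridEncrypt(bob.publicKey, Buffer.from('constructed sample message'));
  const roundTrip = hybridDecrypt(bob.privateKey, msg).toString();
  const tampered = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;
  let tamperDetected = false;
  try { hybridDecrypt(bob.privateKey, tampered); } catch { tamperDetected = true; }
  return { roundTrip, tamperDetected, wrappedKeyBytes: msg.wrappedKey.length };
}

console.log(demo());
```

The wrapped key is always the size of the RSA modulus, however large the message is, which is why the expensive asymmetric operation is reserved for key exchange.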

Not only are your files encrypted with SpiderOak, but so are the filenames and paths. Our Engineering Matters page does a good job of explaining in detail how we encrypt your data after the initial scan, and our servers have zero knowledge of what they are storing. Next week our system administrator will talk about why we went this direction, as well as why encryption doesn’t necessarily mean privacy or safety.

Jon Callas is one of the world’s most respected and brilliant minds when it comes to software security and privacy. He worked on Apple’s Whole Disk Encryption, PGP Universal Server, co-founded the PGP Corporation, is former CTO of Entrust, and current co-founder and CTO of our friends, Silent Circle (Global Encrypted Communications). As an inventor and cryptographer, his designs of security products have won major innovation awards from The Wall Street Journal and others. If you are interested in learning cryptography, we recommend reading his PDF, An Introduction to Cryptography.

(Teaser: Our community gets the opportunity to interview Jon, so we will make a call out for your questions later this week – be thinking of what you’d want to ask him!)

What else would you say about encryption? How did you learn? Why do you think it is important?

  1. What a cool public service you guys are doing. Also check out the cryptography video series on code academy dot com. It’s great and geared towards visual learners.

    Different subject:
    Is it possible for SpiderOak to show exactly what info is given to any law enforcement agency when requested with a subpoena? A dummy account with all the usual redactions in their proper places. Example redaction would be…name of account and the requesting law enforcement agency.
    I know SpiderOak says all they would get is binary blobs, but let your customers see a sample of that. I’m thinking something small like a 2 or 3 page PDF report. Even if it is unreadable nonsense, it would be interesting to see that. Anyway, I hope your legal dept doesn’t spoil a possible great marketing opportunity.

    • @ Omar: Thank you for your response. Per your request, I agree that it would be interesting to display the data extracted from our system – the encrypted data blocks – in an output. To get around the legal aspects, we could simply use one of our own accounts (such as mine). Allow us to look into this a bit further and perhaps you will see a new blogpost soon containing this information. Additionally, you might find the following interesting as a follow up:

      Thank you again for writing in.

  2. “We use this mixture of techniques where each is best suited: symmetric encryption for communications channel setup and key exchange, and private key for internal data structures and improved client performance.”

    Isn’t that the wrong way round? Asymmetric public/private key encryption is used to exchange the keys used for symmetric encryption I think!

  3. I want to thank Jon Callas for sharing ‘An Introduction to Cryptography’ with everyone. What an amazing read! It answered so many of my questions. Like the difference between symmetrical and asymmetrical cryptography. The book was very easy to read and understand! I can’t believe how well written this book is.

    Thanks for posting SpiderOak! I would have never found this book otherwise. Great stuff!

  4. Howdy just wanted to give you a quick heads up and let you know a few of the pictures aren’t loading correctly. I’m not sure why but I think it’s a linking issue. I’ve tried it in two different browsers and both show the same outcome.