May 23, 2013
Drink Your Ovaltine: Encryption 101
When it comes to cryptography, there are no experts. It is considered to be a constantly evolving field. If you started learning today, it is accepted that you might see something new in the code, or do something better that lifelong cryptographers have missed.
The first thing that comes to mind when I think of encryption is the scene in A Christmas Story when Ralphie gets a decoder ring and decrypts a disappointing (advertising) message.
But at its basic level, this describes encryption. You probably even had similar games you made up as a kid. In the computer world, this means converting plaintext data (ordinary info) into ciphertext, or unintelligible text.
1) Symmetric Password-Based Encryption
This is the simplest encryption system. It’s called “symmetric” because the same key is used to encrypt and decrypt the file. If Alice wants to share data privately with Bob, she must first create an encryption key. This can be done by sampling a sufficiently random source, or by deriving it from a password. Alice must securely give this key to Bob. Now Alice can encrypt her data with that key, hand the encrypted data to Bob, and Bob can use the key to decrypt it. This method is useful to encrypt sensitive information for yourself, for family, or for a few trusted friends or coworkers. AES is a popular symmetric cipher.
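The two ways of creating a symmetric key described above, shown as an added example (not SpiderOak's code). The function names, the 16-byte salt and the iteration count are assumptions made for illustration; PBKDF2-HMAC-SHA256 is one common password-based derivation function, not necessarily the one any particular product uses.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32          # 256 bits, the AES key size mentioned on this page
ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware


def random_key() -> bytes:
    """Option 1: sample the key directly from the OS's secure random source."""
    return secrets.token_bytes(KEY_LEN)


def new_salt() -> bytes:
    """Random per-key salt. It is not secret and is stored with the ciphertext."""
    return secrets.token_bytes(16)


def key_from_password(password: str, salt: bytes,
                      iterations: int = ITERATIONS) -> bytes:
    """Option 2: stretch a password into a key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def demo(iterations: int = ITERATIONS) -> dict:
    """Alice and Bob derive keys from a shared password (constructed sample)."""
    password = "correct horse battery staple"  # constructed sample value
    salt = new_salt()                           # Alice sends this in the clear
    alice = key_from_password(password, salt, iterations)
    bob = key_from_password(password, salt, iterations)
    typo = key_from_password(password + "!", salt, iterations)
    resalted = key_from_password(password, new_salt(), iterations)
    return {
        # Same password and same salt: Bob ends up with Alice's key.
        "bob_matches_alice": hmac.compare_digest(alice, bob),
        # One wrong character yields an unrelated key, so decryption fails.
        "typo_matches": hmac.compare_digest(alice, typo),
        # A fresh salt changes the key even when the password is reused.
        "resalted_matches": hmac.compare_digest(alice, resalted),
        "key_bits": len(alice) * 8,
    }


if __name__ == "__main__":
    print(demo())
```

A password-derived key is only as strong as the password; the salt and iteration count slow down guessing but do not add secrecy.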
2) Asymmetric Public/Private Key-Based Encryption
Asymmetric encryption involves the use of two different keys, one which is private and not shared, and one which is public. The public key encrypts data, and the private key decrypts data. With this scheme, Alice and Bob each have their own private/public key pairs. Alice now uses Bob’s public key to encrypt the data she wants to send to him. Because only Bob has his private key, only he can decrypt the data Alice sends him. Asymmetric encryption takes more computing power than symmetric key encryption, so it is often used to set up secure communications to exchange symmetric keys. RSA is a popular asymmetric cipher.
As for SpiderOak, our old clients used a combination of 2048-bit RSA and 256-bit AES. New clients use 3072-bit RSA combined with 256-bit AES to meet industry recommendations. We use this mixture of techniques where each is best suited: asymmetric encryption for communications channel setup and key exchange, and symmetric encryption for internal data structures and improved client performance.
Not only are your files encrypted with SpiderOak, but so are the filenames and paths. Our Engineering Matters page does a good job of explaining in detail how we encrypt your data after the initial scan, and our servers have zero-knowledge of what they are storing. Next week our system administrator will talk about why we went this direction, as well as why encryption doesn’t necessarily mean privacy or safety.
Jon Callas is one of the world’s most respected and brilliant minds when it comes to software security and privacy. He worked on Apple’s Whole Disk Encryption and PGP Universal Server, co-founded the PGP Corporation, is a former CTO of Entrust, and is currently co-founder and CTO of our friends at Silent Circle (Global Encrypted Communications). As an inventor and cryptographer, his designs of security products have won major innovation awards from The Wall Street Journal and others. If you are interested in learning cryptography, we recommend reading his PDF, An Introduction to Cryptography.
(Teaser: Our community gets the opportunity to interview Jon, so we will make a call out for your questions later this week – be thinking of what you’d want to ask him!)
What else would you say about encryption? How did you learn? Why do you think it is important?