On Security: Encryption

The last post of our series on website security discussed a common attack known as SQL injection. Among other things, this type of attack is used to steal sensitive data. And although it's a common method, it's not the only way that attackers try to gain access to information they shouldn't have.

One way we can protect data is by encrypting it. Encryption means that even if an attacker gets a piece of information, it's useless to him. It's a pile of incoherent bits that only become readable with the proper key. In the preface to his book Applied Cryptography, Bruce Schneier makes the following analogy:

If I take a letter, lock it in a safe, hide the safe somewhere in New York, and then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism -- and you still can't open the safe and read the letter, that's security.

This is how modern encryption works. The strongest algorithms are publicly available so that anyone can use them, but they're so well designed that even when an attacker knows exactly how the algorithm works, he still can't come close to decrypting a piece of data without the proper key.

All of us who use the Web likely make use of encryption to protect our data many times every day -- without even being aware of it. There are three broad categories of encryption that commonly relate to Web applications:

  1. One-way (irreversible) encryption, also known as hashing
  2. Symmetric encryption, where the same key can be used both to encrypt and to decrypt information
  3. Asymmetric encryption, where a pair of related keys is generated -- one used for encryption and the other for decryption
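The three categories side by side, as an added example in Go that is not part of the original post: SHA-256 for the one-way case, AES-GCM for the symmetric case and RSA-OAEP for the asymmetric case are this example's own choices, as are the function names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Digest is category 1 (one-way): the SHA-256 of data, which nothing turns back.
func Digest(data []byte) [32]byte { return sha256.Sum256(data) }

// NewAEAD is category 2 (symmetric): one AES-GCM cipher from one key both seals and opens.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt seals plaintext and prepends its fresh random (non-secret) nonce.
func SymmetricEncrypt(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt needs the same key; a different key fails GCM's tag check, not garbage.
func SymmetricDecrypt(aead cipher.AEAD, ciphertext []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext shorter than the GCM nonce")
	}
	return aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// NewKeyPair makes the two related keys of category 3 (asymmetric).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// The public half encrypts (RSA-OAEP); only the matching private half decrypts.
func AsymmetricEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}
func AsymmetricDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```

The ciphertext from either reversible category is only a pile of bytes until the right key is supplied; with the wrong key the symmetric open and the asymmetric decrypt both return an error rather than a plausible-looking plaintext.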

Our next article will consider each type of function and how it's used to keep our data safe.