On Security: Types of Encryption

The last article in our series described in general terms how encryption is used to take a piece of sensitive information and turn it into a pile of random data -- data that will be useless to anyone who doesn't have the proper key. In Web applications, three broad types of encryption are often used to protect our information.

One-Way (Irreversible) Encryption

One-way functions are also known to programmers as hashing functions, because just like in cooking, the result bears little resemblance to the ingredients, and there's no way at all to reconstruct the ingredients from the cooked dish. A cryptographic hash is a function that takes input of any length and produces a result that's completely unpredictable, but always the same. For example, if my password is abc123, a hashing function might turn it into a49df2c1. There's no way for an attacker to reverse the process to get the password, but processing the same password with the same function will always produce the same result. This means that a Web application doesn't have to actually store a user's password. It can store the result of the hash, and when a user signs in, the application processes the password that was supplied and checks to see if the result matches what's on file. Then, even if an attacker gets access to the database, he doesn't have access to actual passwords.

Symmetric Encryption

Symmetric algorithms are what most people imagine when they think about encryption. This type of encryption is used when data needs to be protected, but made readable by certain people under certain circumstances. For example, if you have a billing system that needs to process recurring payments for credit cards, that system needs to be able to read the card number once per month to generate the charge. But otherwise, the number should be rendered unreadable, and encryption makes that possible. A symmetric algorithm means that the same secret key (usually just a long, random string of characters) is used both to encrypt the data and, later, to decrypt it. Symmetric functions are usually very fast and can be quite strong even with a relatively short key. In Web applications, they're useful for data storage, where the same application is reading and writing the sensitive information.

Asymmetric Encryption

In an asymmetric algorithm, a pair of keys are generated together. Due to some fascinating and complex math, these key pairs are designed in such a way that when one is used to encrypt a message, only the corresponding key can be used to decrypt it. This is often known as public-key cryptography, because usually one of the two keys is made public. For example, I can generate a pair of keys and publish one of them on my website. Anyone in the world can use that public key to encrypt a message for me, but that same key can't then be used to decrypt the message. Only I can read it, using the corresponding key in the pair, which I've kept private. This basic principle forms the basis of SSL, which we'll discuss more in a future post, as well as some other technologies like encrypted email. Asymmetric functions are usually slower and require a much larger key to be considered secure, but they're enormously useful in communications systems, where sensitive information needs to be transmitted rather than just stored.