Encryption has been all over the headlines after recent terrorist attacks, and the discussion can quickly get cryptic. Is “crypto” a fatal weakness of the Internet? An endangered species that must be saved? You can hear heartfelt testimony for either view from both Democratic and Republican politicians.
But ultimately, encryption is just math that, like any other tool, can be used for good or ill. Let’s start with some basics about it that often get neglected in all the commentary.
A. Sorry, it’s unavoidable: Encryption works by encoding information in such a way that its recipient can decode it (without further help from its sender), but no one else can. To do that scrambling, you need to run the original data through one equation or another.
For example, to encrypt something against the prying eyes of somebody who’s really, really drunk, you could just replace each letter with one 13 places forward (so “A” becomes “N” and so on). If your eavesdropper is more capable, you’ll need something more complicated - but it’s still all equations.
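The 13-places-forward scheme described above, as an added Python example that is not part of the original article; it also shows why a sober eavesdropper is not slowed down, since there are only 26 possible shifts to try. The sample message and the small word list are constructed for illustration.

```python
import string

# Small constructed word list used to recognise readable English.
COMMON = {"the", "at", "me", "and", "to", "of", "after", "in", "is"}

def rotate(text, shift):
    """Replace each letter with the one `shift` places forward, wrapping at Z."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        elif ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def recover(ciphertext):
    """Try all 26 shifts; return (shift, text) for the most English-looking guess."""
    best = (0, ciphertext, -1)
    for shift in range(26):
        guess = rotate(ciphertext, -shift)
        score = sum(w.strip(".,!?").lower() in COMMON for w in guess.split())
        if score > best[2]:
            best = (shift, guess, score)
    return best[0], best[1]

MESSAGE = "Meet me at the library after lunch"  # constructed sample
SECRET = rotate(MESSAGE, 13)

if __name__ == "__main__":
    print(SECRET)           # the scrambled text
    print(recover(SECRET))  # found without being told the shift
```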
Q. Okay. What makes for strong cryptography?
A. Using more complex math in an encryption algorithm only goes so far if the sender and recipient use the same key - that is, if they both plug the same secret set of digits into the encryption formula - to encrypt and decrypt. In that case, if either party loses the key, game over.
The simplified version of how encryption works. (Image: Commons.wikimedia.org)
But you don’t have to share the same key. That’s the insight behind public-key cryptography. You use one key - a public key shared with the person with whom you want to communicate confidentially - to encrypt the message. Then that recipient decrypts it using a different private key originally generated alongside the public key.
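To make the two-key idea concrete, here is an added Python example (not from the original article) using textbook RSA, one well-known public-key scheme. The primes, message and function names are constructed for illustration; the keys are far too small and the scheme lacks the padding that real software applies.

```python
from math import gcd

def make_keypair(p, q, e=65537):
    """Build a textbook RSA key pair from two primes (constructed toy sizes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent (needs Python 3.8+)
    return (e, n), (d, n)        # (public key, private key)

def encrypt(message, public_key):
    """Anyone holding the public key can do this."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(ciphertext, private_key):
    """Only the holder of the private key can undo encrypt()."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Two known Mersenne primes; far too small for real use, fine for a demo.
PUBLIC, PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
CIPHERTEXT = encrypt(b"meet at noon", PUBLIC)

def public_key_cannot_decrypt():
    """Running the ciphertext back through the public key does not undo it."""
    e, n = PUBLIC
    return pow(CIPHERTEXT, e, n) != int.from_bytes(b"meet at noon", "big")

if __name__ == "__main__":
    print(CIPHERTEXT)
    print(decrypt(CIPHERTEXT, PRIVATE))
```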
Q. Sounds really complex. How do I use this?
A. You already have by reading this story. Your browser and Yahoo Tech’s site used public-key encryption to secure their connection, based on a standard variously called SSL (Secure Sockets Layer, the original name) and TLS (Transport Layer Security, a more modern moniker). That’s why the URL in your address bar begins https instead of just http.
A. You can, but that’s not as easy. While an increasing number of e-mail services - including Gmail, Microsoft’s Outlook.com and Yahoo Mail - use encryption to protect messages as they transit the Internet, that doesn’t secure them after they arrive.
So-called end-to-end encryption requires senders and recipients to install an extra program. The best-known such software is the open-source Pretty Good Privacy. But even when used inside the refined interface of a PGP-compatible app like GPG Suite, encrypting email is tricky enough that most people don’t bother.
Let me put it this way: If this sentence’s link to my public PGP key gets me an encrypted message from a reader, that will be the first time it’s happened in many years.
Q. But if end-to-end encryption is so hard, why do I keep hearing about the risk of crypto letting criminals “go dark”?
A. Because sometimes encryption is built into apps or devices and turned on by default. Almost all computer-security types think this is a good idea, overall, even if it makes it easier for bad people to use crypto, too. (More on that in a moment.)
For example, WhatsApp activated end-to-end encryption a year ago. This feature doesn’t protect messages to and from regular mobile phone numbers but does scramble communication between the Facebook-owned service’s 900 million regular users. That amounts to a decent chunk of the global conversation.
Apple, in turn, made full-device encryption the default on iPhones and iPads with iOS 8, walling off data on them from anybody without a user’s registered fingerprint or device passcode. As an Apple white paper explains, this is fiendishly strong stuff - and because Apple has no backup key, it can’t unlock any of the hundreds of millions of devices secured accordingly.
Q. Can the government ban that kind of unbreakable encryption?
A. The government could ban U.S. companies such as Facebook and Apple from providing encryption without a “back door” that law-enforcement could use to unscramble a suspect’s chatter without his or her password or key. But security experts correctly say that such back doors would weaken security for everybody using that compromised crypto.
Tim Cook lambastes encryption backdoors at recent WSJD Live conference. (Photo: WSJDLive/Ars Technica)
Meanwhile, the Feds can’t force individuals to use back-doored encryption. Nor can they stop developers elsewhere in the world from writing and shipping unbreakable crypto.
Q. Will law enforcement be increasingly out of luck as more people use encryption?
A. Not necessarily. Police investigators can and will try to compromise a suspect’s devices to work around encryption. As far back as 2007, the U.S. government has used court-authorized malware for that purpose.
And no encrypted device is an island. An iPhone that’s been backed up to a computer or to Apple’s iCloud lets you go after its contents in either place. And you can attack the devices and accounts of a suspect’s regular contacts - encrypted messages still leave metadata such as sender and recipient addresses exposed - some of whom may not be as expert as our hypothetical criminal mastermind.
In short: Encryption is powerful math, but it’s still dependent on fallible humans.