Not all encryption is created equal

Cyber attacks against corporate networks have become more sophisticated each year and are no longer limited to massive enterprises. No business is safe from attackers, irrespective of the size of their security budget.

Moreover, vast amounts of personal data are now managed online and stored in the cloud or on servers with a constant connection to the web. It is practically impossible to conduct business today without personal data ending up on a networked computer system somewhere, which means keeping that data private and safe is increasingly crucial.

This is where encryption comes in: an enterprise grade process engine that delivers secure, authenticated and audit trailed workflows through an intuitive messaging interface. Encryption is essentially the process of helping protect personal data by encrypting it, meaning it cannot be read by anyone without an encryption key.

But not all encryption is equal. It’s not only important to ensure your communications are encrypted, but to know how effectively they are secured too.

The first step towards really effective encryption is end-to-end encryption (E2EE). This is an exceptionally safe way to communicate privately and securely online. By encrypting messages at either end of a conversation, E2EE prevents anyone in the middle from snooping on private communications.

When using E2EE to send a message of any type, no one – neither attackers nor the government – would be able to eavesdrop on your messages. This is more secure than the encryption employed by most businesses, as it doesn’t only protect the data in transit between the device and the organisation’s servers. An example would be sending an email from Gmail that doesn’t offer EE2E, as Google could access the content as they have an encryption key. EE2E removes this possibility.

Then there’s the question of standards and protocols. It is advisable to only use encryption tools that employ an advanced encryption protocols available, such as AES-256, which offers highest level of security possible. AES stands for advanced encryption standard, and is a symmetric block cypher, meaning it encrypts and decrypts data in blocks of 128 bits. It employs a specific cryptographic key, either 128, 192 or 256 bits in size, to do this.

Businesses should also ask themselves whether, in the event a company device is stolen or hacked, they can really trust all their most sensitive or proprietary data to a single key. Encryption is very effective until it isn’t. Too many encryption tools, such as Pretty Good Privacy (PGP), render your most valuable data only as secure as a single key, which if it fell into the wrong hands, would see all your current and past communications becoming readable to the hacker.

This is why cryptographers developed “perfect forward security”, which ensures that the encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information. In this way, should the most recent key be compromised, only a small portion of private data would be exposed. The best encryption tools with perfect forward secrecy switch their keys with each individual message in a text-based conversation or each phone call when using an encrypted calling app.

This is why it’s called “forward secrecy”. It ensures that security mistakes of the future don’t endanger secret communications of the past. It makes use of ephemeral keys, which are generated for each execution of a key establishment process. Without a forward secrecy cipher, a single private key is used to encrypt all connections, meaning that encrypted communications could be recorded by an attacker, who could get his hands on a private key at some point in the future, and decrypt all the information.

An ephemeral key exchange works by a per-session key that is generated using a random prime number. It is called ephemeral because it isn’t stored anywhere, and therefore cannot be stolen by attackers to decrypt previously recorded communications. Essentially, you are continually generating new keys for new messages. In this way, if a device is lost, hacked or stolen, it matters less. The worst case scenario would be a single message being compromised.