Encryption

Encryption is a way of modifying data so that it can not be understood by anyone who is not an intended recipient.

There are two basic types of encryption: symmetric and asymmetric.

Symmetric means that one key is used to both encrypt and decrypt the data.

Asymmetric means the one key is used to encrypt the data and a different key is required to decrypt the data.

With symmetric key encryption, you can use a password to encrypt data and send it to someone. Nobody without the password can decrypt the data unless something goes wrong. Things can go wrong, the most common being that the password is not long enough to keep a computer from guessing it. To make it harder for computers to guess the password, the process can be done many times, meaning that one guess has the computer trying over and over and over before it is finished trying one guess. This doesn't provide a tremendous amount of extra security since it means that the decryption that should happen also takes a lot longer to go through. If it takes three seconds for  your computer to decrypt a file, then a super computer can do the same things a million times as fast. For day to day work, three seconds is acceptable to you, but choosing a very difficult to guess key is important so that a useful delay is enough to make a super computer unable to try enough combinations to luck onto it.

When encrypting something with symmetric encryption it is also somewhat important to know what algorithm is being used. Some techniques were good enough twenty years ago that it would have taken super computers years to guess all the possible passwords, but now are a matter of hours for the common desktop. The standard that I recommend people try to always use is AES. It is considered to be sufficient for top secret document encryption by the government because with a sufficiently complex key (or password) even the fastest computers in the world cannot go through all the possible combinations in several lifetimes.

Practical application is to use WinZip or 7-Zip (free) or WinRAR or whatever compression tool you have to do the encryption for you. This is generally an easy option to select or the default so all the person doing the encryption needs to do is pick a strong password, right click the target file and choose to encrypt from the menu.

With asymmetric encryption you and the recipient have to exchange the keys that the other will need for the encryption step. You give the sender a public key and the sender can send you encrypted messages. If the sender gives you a public key then you can send an encrypted message back. It's called asymmetric because the symmetry of being able to encrypt and decrypt with the same information doesn't work.

This asymmetric encryption works because of math.

This is the basis for encryption on secure websites. Your computer needs to know that the website can be trusted so it asks somebody it already trusts for the public key for the new website. Your computer uses that public key to send the new website an encrypted message, which only that website can possess. The website can then decrypt the message, proving to your computer that it is the website that can be trusted. Typically the message your computer sends is your own public key. When the new website finishes decrypting the secret message, it can use your public key to send a message back to you which only your computer can read.

Now that you can prove that the website is who it claims to be and send encrypted traffic to it, and the website can send encrypted traffic to you and neither can be decrypted by anyone else, you are ready to begin communication where both parties know they can trust each other and keep the traffic secure.

It should be noted that the website has no way to know that you are who you claim be because your public key is from your computer and not something it can verify. In order for you to change that, you'd have to use a key that it can verify by either publishing it somewhere that the website knows it can trust, or by you getting your private key from the website owner. This is possible and done for a few highly secured systems, but unusual. The  bit of trust the website has to place in your computer is why you still have to provide a password when you're logging into secured sites like home banking sites.

It's worth noting that you can install gpg on Windows and use it to do asymmetric encryption. Here's what that looks like:

C:\temp\gpg>gpg --list-keys

gpg: C:/Users/boyce/AppData/Roaming/gnupg/trustdb.gpg: trustdb created

C:\temp\gpg>gpg --import anc-at-yah.gpg.public.key

gpg: key B88EB520: public key "Boyce Crownover (Expires 05May2026 Created 06May2016) <ancientt@yahoo.com>" imported

gpg: Total number processed: 1

gpg:               imported: 1  (RSA: 1)

C:\temp\gpg>gpg --list-keys

C:/Users/boyce/AppData/Roaming/gnupg/pubring.gpg

------------------------------------------------

pub   2048R/B88EB520 2016-05-06 [expires: 2026-05-04]

uid       [ unknown] Boyce Crownover (Expires 05May2026 Created 06May2016) <ancientt@yahoo.com>

sub   2048R/B5CB7A58 2016-05-06 [expires: 2026-05-04]

C:\temp\gpg>gpg --encrypt --recipient 'Boyce Crownover' TextDocumentExample.txt

usage: gpg [options] --encrypt [filename]

C:\temp\gpg>gpg --encrypt --recipient "Boyce Crownover" TextDocumentExample.txt

gpg: B5CB7A58: There is no assurance this key belongs to the named user

sub  2048R/B5CB7A58 2016-05-06 Boyce Crownover (Expires 05May2026 Created 06May2016) <ancientt@yahoo.com>

 Primary key fingerprint: FCA3 EC13 7808 D354 BE95  5534 7816 B522 B88E B520

      Subkey fingerprint: C175 DA12 A3DE B65F DC0E  71D9 1104 2CC3 B5CB 7A58

It is NOT certain that the key belongs to the person named

in the user ID.  If you *really* know what you are doing,

you may answer the next question with yes.

Use this key anyway? (y/N) y

C:\temp\gpg>gpg --decrypt TextDocumentExample.txt.gpg > Decrypted.TextDocumentExample.txt

C:\temp\gpg>dir

 Directory of C:\temp\gpg

05/17/2016  12:01 PM    <DIR>          .

05/17/2016  12:01 PM    <DIR>          ..

05/06/2016  10:36 AM             3,702 anc-at-yah.gpg.private.key

05/06/2016  10:36 AM             1,806 anc-at-yah.gpg.public.key

05/17/2016  12:01 PM                33 Decrypted.TextDocumentExample.txt

05/17/2016  11:55 AM               376 TextDocumentExample.txt.gpg

05/17/2016  11:48 AM                 0 pubring.gpg

05/17/2016  11:48 AM                 0 pubring.gpg.lock

05/17/2016  11:48 AM                 0 secring.gpg

05/17/2016  11:48 AM                 0 secring.gpg.lock

05/17/2016  11:54 AM                33 TextDocumentExample.txt

               9 File(s)          5,950 bytes

               2 Dir(s)   1,020,076,032 bytes free

There are tools to simplify that process of course, I just chose the most basic command line method.