Executive Summary: Encryption

Encryption transforms data from “plaintext” into “ciphertext” using an algorithm and a key.  Encrypted data must be decrypted before it can be used, which is straightforward with the right key.  Brute-force decryption without the key is also possible, but typically requires significant computational power and time.  Because encryption does not prevent a third party from stealing the ciphertext, encryption systems are designed to make brute-force decryption impractical.

The US NIST and NSA adopted the Advanced Encryption Standard (AES), and its 256-bit key variant is commonly used to protect internet data.  AES is a symmetric algorithm, meaning the same key is used for both encryption and decryption.  AES handles large amounts of data efficiently but has a key management vulnerability: the symmetric key must be shared with every party that needs to decrypt.  Another encryption system, RSA (named after its developers Rivest, Shamir, and Adleman), is asymmetric, requiring separate encryption and decryption keys: a public key for encryption and a private key for decryption.  A public key can be generated from a private key and shared openly, because there is no known method for deriving a private key from its public key.  RSA lacks the key management vulnerability of AES but requires more computational power, so many secure internet systems use AES to encrypt the data and RSA only to share the AES symmetric key.
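The AES-plus-RSA arrangement just described, as an added illustration in Go using only the standard library (example code, not part of the original summary): the bulk data is sealed with a one-time AES-256-GCM key, and only that short key is wrapped with the recipient's RSA public key.  The choice of GCM, OAEP and a 2048-bit RSA key are assumptions made here, not details the summary specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// gcmFor builds an AES-256-GCM cipher (confidentiality plus integrity) from a raw key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// HybridEncrypt encrypts the bulk data with a fresh AES-256 key and wraps only that
// 32-byte key with the recipient's RSA public key (RSA-OAEP). The three byte slices
// it returns are what would travel over the wire to the recipient.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, nonce, ciphertext []byte, err error) {
	buf := make([]byte, 32+12) // one-time 256-bit AES key followed by a 96-bit GCM nonce
	rand.Read(buf)             // crypto/rand fills buf entirely; it never returns an error in Go 1.24+
	gcm, err := gcmFor(buf[:32])
	if err != nil {
		return
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil {
		return
	}
	// Seal appends the GCM authentication tag to the ciphertext.
	nonce, ciphertext = buf[32:], gcm.Seal(nil, buf[32:], plaintext, nil)
	return
}

// HybridDecrypt unwraps the AES key with the RSA private key, then decrypts and
// authenticates the data; a tampered ciphertext or nonce makes gcm.Open return an error.
func HybridDecrypt(priv *rsa.PrivateKey, wrappedKey, nonce, ciphertext []byte) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}
```

The RSA operation touches only 32 bytes regardless of message size, which is exactly why the hybrid scheme scales; the GCM tag also makes silent modification of the ciphertext detectable on decryption.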

Secure websites that use encryption to protect data in transit have a security certificate (and “HTTPS” appears in the URL).  Data can be decrypted upon receipt, but some custodians also need to store sensitive data in encrypted form after receipt.  End-to-end encryption (E2EE) refers to encryption in transit (sending encrypted data) and encryption at rest (storing data in encrypted form), and is commonly used in secure messaging, password management, and secure file transfer applications, among others.  Secure protocols may also require multi-factor authentication (MFA) or native software applications on controlled devices for additional security.  E2EE secures communications between endpoints, but it remains vulnerable at each endpoint (where data is encrypted and decrypted) and during key exchange (man-in-the-middle (MITM) attacks, in which an attacker substitutes malicious keys).

Because it is so widely available, encryption is often misunderstood and over-relied upon.  Encryption and E2EE do not prevent data breaches; significant breaches have occurred despite E2EE systems being in place.  Encryption must be tailored to the specific application and is merely the first step in good security hygiene for sensitive data.