Data encryption in transit vs. at rest
Online Tech's Senior Product Architect Steve Aiello continues his data security series of videos on data encryption by explaining difference between data encryption in transit vs. at rest and how symmetric and asymmetric encryption are used.
One encryption algorithm that is popular is AES - Advanced Encryption Standard. Using symmetric and asymmetric in encryption is important to understand.
With symmetric encryption, your decryption key is the same on both sides. Symmetric key cryptography is when the sender and receiver of a message share a single key (the same one) to both encrypt and decrypt the message. This type of encryption is used to protect the bulk of our information on the Internet.
Aiello goes on to describe what asymmetric encryption is and what it is used for (primarily secure online exchanges via SSL - Secure Sockets Layer).
Various types of encryption are used in conjunction. Symmetric is fast, easy to use, not CPU-intensive; while asymmetric is very CPU intensive, slow, and harder to encrypt.
Steven: From a technical perspective, a lot of the same forms and encryption are used whether in transit or at rest. How those encryption algorithms are applied is a little bit different and probably beyond the scope. One of the encryption algorithms that's really popular is AES. There's different ways that you can use that. The biggest thing to understand is using symmetric or asymmetric encryption.
If you're using symmetric encryption, let's say your decryption key, which is something that's really important, your decryption key is the same on both sides. If the key to decrypt my data is 1-2-3-cat-dog the piece of data on this side is going to be encrypted with the key 1-2-3-cat-dog. That is going to be transferred over the line or on the hard drive with that same encryption method. When it gets to the other side the person who either wants to decrypt that data coming across the Internet or decrypt that data off the hard drive needs to know that same decryption phrase. This is the type of encryption that is generally used to protect the bulk, or the payload, of our information on the Internet.
Something else that we have is asymmetric encryption. Asymmetric encryption is a series of mathematically related formulas. For example, the number four may be related to the number two because four is two to the second power. When you have two mathematical numbers, or two numbers that are mathematically related, there are certain formulas that you can run on them. If you only know this number you can derive this number. Some really brilliant people discovered this. What it allows you to do is it allows me and you never to have any shared knowledge, but still be able to transmit, unlock, and lock our data securely using this form of asymmetric encryption.
This is basically how a lot of the hand shaking on the Internet is done. I go to Newegg's website or Online Tech's website and I say I would like to place an order. Online Tech says okay we need to handle your order securely, you're going to need to talk to us through our SSL cert. SSL certs are very common. I've never spoken to anyone at Online Tech before so what has to happen is the web browsers need to communicate a pair of numbers that are related, but not the same. What you can now do is start to share these keys. Once the keys are shared, that common key that was used in the symmetric encryption, you actually have through the first asymmetric encryption, now common data you can use to encrypt the bulk of your web session.
What a lot of folks don't know is that various types of cryptography are used in conjunction because symmetric encryption is very fast and it's very easy to use. It's low intensity on your processor whereas asymmetric encryption is very, very computationally expensive and it's very, very slow. What frequently happens is you'll use asymmetric encryption to encrypt the key, send the key over the wire, and then decrypt the bulk data using the symmetric keys. It's a really quite brilliant system and it's commonly deployed with SSLs, basically how most of the Internet runs.