Encryption can be a very complicated subject, but getting a grasp of the basics isn't difficult.
Recently, we've had a few questions about encryption. We've talked about how Android incorporates encryption and the changes that Nougat brings, and to get the most from those discussions an understanding of the basics is a must. Let's talk about those basics for a bit.
What exactly is encryption?
In its simplest sense, encryption is changing the way information is displayed, so that it is masked, and the only way its true form can be viewed is with a clear set of instructions.
You're using encryption every day and may not know because it can be transparent.
There are plenty of ways to do this, especially when that information is digital and stored on a computer or a phone. If you've ever received a zip file or Microsoft Office document that needed a password to view, it was encrypted. The data you wanted to see was placed inside a container (think of it as a folder on your phone or computer) and the container was password protected. This method can be scaled up, even to include an entire disk or partition. To access anything on the encrypted partition, you need to unlock it with a password.
Another way to encrypt data is to physically alter what is displayed when you view it unless you can decode it. Let's say I built an app that you could type a phrase in, and it would convert all the letters into numbers from 1 to 26. You could type "this is a message" into my app and save it. If you tried to look at what you typed without using my app, it would look like this:
208919 919 1 1351919175
But my app knows that 1 equals a, that no string higher than 26 is valid, and has access to the operating system's dictionary to make sure the letters are correct, because 11 could equal aa or k depending on what word it's used in. So if you open that file in my app, it reads normally.
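The number-substitution app described above, written out as an added example (it is not code from the original article). The WORDS set is a constructed stand-in for the operating system's dictionary, and input is assumed to be letters and spaces only.

```python
import string

# a=1 ... z=26, as in the article's hypothetical app
TO_NUM = {c: str(i) for i, c in enumerate(string.ascii_lowercase, start=1)}
TO_CHAR = {v: k for k, v in TO_NUM.items()}

# Constructed stand-in for the operating system's dictionary.
WORDS = {"this", "is", "a", "message"}


def encode(text):
    """Replace each letter with its position in the alphabet, keeping spaces."""
    return " ".join("".join(TO_NUM[c] for c in word) for word in text.lower().split())


def candidates(digits):
    """Return every letter string that encodes to `digits` (values 1 to 26 only)."""
    if not digits:
        return [""]
    out = []
    for width in (1, 2):
        head = digits[:width]
        # "0" and "08" are not keys, so invalid splits are dropped here.
        if len(head) == width and head in TO_CHAR:
            out += [TO_CHAR[head] + rest for rest in candidates(digits[width:])]
    return out


def decode(encoded, words=WORDS):
    """Decode word by word, keeping only candidates found in the dictionary."""
    result = []
    for chunk in encoded.split():
        matches = [c for c in candidates(chunk) if c in words]
        if len(matches) != 1:
            raise ValueError(f"{chunk!r} is ambiguous or unknown: {matches}")
        result.append(matches[0])
    return " ".join(result)


if __name__ == "__main__":
    secret = encode("this is a message")
    print(secret)
    print(candidates("11"))               # the aa-or-k ambiguity
    print(len(candidates("1351919175")))  # readings of the last word
    print(decode(secret))
```

Nothing in this scheme is secret except the scheme itself: anyone who knows that a equals 1 can run the same decode, which is why the article goes on to add further scrambling and then a key.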
At its core, encryption is designed to make something hard to read unless you know how to look at it.
Now do something like reverse the order, add 13 to numbers between 11 and 15, omit the whitespace and drop random data that won't be read every few letters. The file would be impossible to read without sitting down and trying to figure out how the text was manipulated through trial and error. That's what an encryption algorithm does. It helps a program turn data of any kind into a jumbled mess that can be easily decoded by the algorithm itself but would take a lot of effort and time to crack without it.
Computer algorithms can do things that are far more complicated than my simple example and take a lot less time than it did for me to count on my fingers. This type of encryption is usually referred to as a cipher and the method the algorithm gives to decode it is called a key. If you have ever used PGP or GPG encryption for a message or email attachment, you've used this type of encryption, known as cipher-keypair encryption.
Both types of encryption — container based or cipher-keypair — are common and in use on our Androids. Sometimes both are used and encrypted data is placed inside an encrypted container. Taking our data, encrypting it, and then making sure the things that we want to have access can decrypt it is extremely complicated. Thankfully, those complicated parts are handled by the hardware and operating system and all we need to do is have the right key in the right place and/or supply a password.
Encryption and Android
Android supports both types of encryption we talked about above in the OS, through the network and on the storage. As an application platform, it can also support encryption methods from third parties for things like secure folders or encrypted messaging and email.
Android also supports hardware backed encryption. That means there is a component inside the SoC (System on Chip — where the CPU and GPU live) that exists to help encrypt and decrypt data on the fly. The actual key to decrypt files is stored on this device and any user interaction — a password, a fingerprint, a trusted device, etc — that is used to access encrypted data is really asking the Secure Element in the hardware to do the job. Since Android 6.0 Marshmallow, all cryptographic functions can be done using this Secure Element and the private key (the token used to encrypt and decrypt data) is never exposed to software. This means that without a token to present to the hardware, the data stays encrypted.
Android is built with encryption in mind and your data can be safe and inaccessible to anyone but you.
In your Android settings you might also be able to keep the system encrypted every time it boots up until a password is entered. Having a phone running that's filled with encrypted data is pretty safe, but halting the boot process until a password is entered prevents access to the files and acts as a double-layer of protection. Either way, your login password (or PIN or pattern or fingerprint) still accesses data through the secure element and you don't have a way to get the actual private encryption key, which is the only thing that knows exactly how the data was scrambled and how to put it back together.
Your messages and web browsing can be encrypted, too. You've probably seen many sites in your browser use the HTTPS header instead of HTTP. HTTP stands for Hypertext Transfer Protocol and is the protocol (think rules) that is used to send and receive data over the internet. HTTPS stands for HTTP over SSL (Secure Sockets Layer), which adds an encryption standard to the protocol. Anything you enter into the web browser is "scrambled" with a public key you downloaded from the website when you got there, and only the private key — which the web server has — can unscramble it.
Whenever you're entering any information you consider private on the web make sure you have a secure HTTPS connection.
Data sent back to you is scrambled in a way that only your unique version of the public key can unscramble. You don't need to do anything except visit a secure page that has the HTTPS header. Your phone makes sure the server is really who it claims to be, using a certificate, and encrypts and decrypts data on its own through the browser app.
Messages that are encrypted usually require an app you need to download from Google Play. The Pixel is the lone exception, as it comes with Allo installed which supports encrypted messages. Another great messenger that does the same is Signal. Signal offers what's called end to end encryption, which means that the app assigns keys for individual contacts or groups and only you can decrypt a message sent to you. BlackBerry Messenger is considered secure by many, but since there is only one global key and every BlackBerry device has it, there's debate about how secure it is. BBM Protected is available for groups who require higher encryption or end to end encryption. Apple's iMessage is also encrypted end to end, but only when everyone is using an iPhone.
You use these apps like you would any other messenger — add a contact and send messages. The only difference is that those messages can be encrypted so only the two parties involved can read them.
Is encryption bad?
Encryption does nothing on its own. It's the user that makes it "dangerous."
Some folks in some governments claim that having encryption technology available to the end user (that'd be you and me) is dangerous because it makes it impossible to monitor communications of "persons of interest". The argument can sound convincing when we're told that terrorists communicated for months using a service like Facebook or WhatsApp. But encryption itself is not a danger to anything and without it, none of our online transactions would be secure, and we would have no guarantee that our chats are private. At the same time, all the private information on our phones would be easily accessible by anyone with the right tools and motivation.
If we give up any right to have encryption, we are giving up our privacy. Privacy is scary to the government because they want to know when we're not being completely law-abiding. The notion that potential criminals can be caught and some crime prevented is great, but it requires that the law-abiding citizens who want to safely buy from Amazon give up that right, too.
Only you can decide if you think encryption should be taken away from the private sector for the greater good, but you do need to know that the technology itself does no harm. Like most things, it can be abused by the user.
This really only scratches the surface of what encryption is and how it works. There are plenty of online resources that go in-depth with all the technical details. But this should give you a basic understanding of it all, and the next time you see someone talking about the merits of end to end encryption or advantages of a particular platform, you'll be able to understand and participate.