Since encryption is used to secure data, it would seem only natural that encrypting something twice would increase security. However, that isn't always the case.
Disclaimer: This post does not involve detailed analysis of encryption concepts designed to make the head explode. Those interested in mathematical formulas and cryptographic methods can read an overview from Gary C. Kessler or sign up for a cryptography course from Stanford University on Coursera.
Whether you realize it or not, in the age of data privacy, encryption is a part of our daily lives and used extensively in payment processing, on websites, for secure file transfer and for securing data volumes. The ‘s’ in “https” means secure and assures visitors that they are visiting a ‘protected’ site. Protecting all data is the norm and encryption is the best way to prevent malicious actors (cybercriminals or those who seek to disrupt) from achieving their goals. There are many types of encryption, with those perceived as the most secure including AES and RSA. For most of us, a single encryption method is enough but what if you want to use more? Why not double encryption or even triple?
Double, multi or cascade encryption/ciphering, whatever you wish to call it, is often the subject of debate amongst cryptographers, data scientists and mathematicians, and even these academics are divided in their opinions. Superencryption refers to the final outer-level encryption of a multiple encryption process. To most of us, the application of basic logic means that security would automatically be enhanced if something is encrypted again. However, as is the case with cooking, it’s all about how you use the ingredients. The best approach is according to recipe, rather than experimentation.
Encryption’s primary purpose is to protect against brute force attacks. It is composed of a cipher (the encryption method), the message/data and a key (the password). With a wide range of free tools available, even novice hackers can attempt to hack passwords using brute force (dictionary or list-based attacks, trying candidates until a match is found).
Does double encryption increase security? It depends; it does not always. Using the same cipher twice, for example, could actually reduce security; one expert compared the process to an artificial leg: useful if you lose a leg, but better to keep the legs you already have. Moreover, the use of multiple ciphers requires a password at each level, and each of those passwords is theoretically as vulnerable (or as secure) as the first encryption password.
In my opinion, as a lay person in cryptography, multiple encryption may not increase security, but it may slow down attackers, who at the very least would require substantially more storage to use comparative lists on more than one encryption stage. Whether it’s privacy, authentication or security, encryption has a part to play but how much is too much? When does encryption interfere with operations or productivity and impede data analysis?
Let’s look at a practical low-level example.
Ideally, encryption protects data but should also allow authorised users free access. Take an average PC/desktop: where would you start?
This easy process requires a password at each stage, and a user enters five passwords (all different, of course, according to best practices) from booting the computer to viewing the unprotected file. Hardly productive, even with a password manager.
Apart from the file contents stage, all others only protect data at rest. To share data securely, further encryption is needed to prevent man-in-the-middle attacks.
At the time of writing, AES-256 is still the most ‘secure’ (officially still unbroken) encryption method but all encryption methods depend on one primary element–the key. The best encryption algorithm in the world will fail to protect if the key is weak, making passwords the primary area of encryption that needs improvement.
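To make two of the points above concrete (reusing the same cipher, password and nonce for a second layer can reduce security, and the password rather than the algorithm bounds an attacker's work), here is an added example in Python that is not from the original post. It uses a toy HMAC-SHA256 XOR stream cipher with PBKDF2-derived keys; the passwords, salt, nonce, message and iteration count are constructed assumptions. Encrypting twice with the same password and nonce hands back the plaintext, and even a 24-character password of the kind recommended below carries far fewer than the cipher's 256 key bits.

```python
import hashlib
import hmac
import math

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy XOR stream cipher keystream: block i = HMAC-SHA256(key, nonce || i).
    Constructed for this example; it stands in for any XOR-based mode such as CTR."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR is its own inverse, so the same call both encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def derive_key(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stretches the password into a 256-bit key (100k rounds is an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def cascade(passwords, salt: bytes, nonce: bytes, data: bytes) -> bytes:
    """One XOR-stream layer per password; the last password is the outer (super)encryption."""
    for pw in passwords:
        data = xor_encrypt(derive_key(pw, salt), nonce, data)
    return data

def password_bits(password: str) -> float:
    """Upper bound on password entropy: length * log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in password): pool += 26
    if any(c.isupper() for c in password): pool += 26
    if any(c.isdigit() for c in password): pool += 10
    if any(not c.isalnum() for c in password): pool += 33   # printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0

SALT, NONCE = b"constructed-salt", b"constructed-nonce"   # constructed sample parameters
MESSAGE = b"quarterly payroll export"                     # constructed sample plaintext

def same_password_twice() -> bytes:
    # Reusing password and nonce XORs the identical keystream twice: the layers cancel out.
    return cascade(["Tr0ub4dor&3", "Tr0ub4dor&3"], SALT, NONCE, MESSAGE)

def two_passwords() -> bytes:
    # Independent passwords do not cancel, but the brute-force cost of each layer is bounded
    # by that password's entropy, not by the cipher's 256-bit key.
    return cascade(["Tr0ub4dor&3", "correct horse battery staple"], SALT, NONCE, MESSAGE)
```

Because each layer is XOR, applying the same layers again (in any order) decrypts, which is why the same-password cascade returns the plaintext unchanged.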
In conclusion, your use of encryption and the frequency of it is a balancing act between security and productive use; you must decide how much is too much.
Rather than focusing on encryption methods and the frequency of same, companies are advised to enforce password management as part of their overall security policy. Insist on long, complex passwords and use password managers (most come with password generators built in). For passwords, make them alphanumerical (in varying case) with special characters and no less than 24 characters.
Why not test your existing passwords using the brute force tools mentioned earlier? Depending on the results, you can reward or dismiss employees as you see fit. In my view, using ‘admin’, ‘123456’, ‘QWERTY’ or any word found in the dictionary as a password is a coded request to collect unemployment. Any thoughts?
An Irishman based in Hong Kong, Michael O’Dwyer is a business & technology journalist, independent consultant and writer who specializes in writing for enterprise, small business and IT audiences. With 20+ years of experience in everything from IT and electronic component-level failure analysis to process improvement and supply chains (and an in-depth knowledge of Klingon), Michael is a sought-after writer whose quality sources, deep research and quirky sense of humor ensure he’s welcome in high-profile publications such as The Street and Fortune 100 IT portals.