Since encryption is used to secure data, it would seem only natural that encrypting something twice would increase security. However, that isn't always the case.
Disclaimer: This post does not involve detailed analysis of encryption concepts designed to make the head explode. Those interested in mathematical formulas and cryptographic methods can read an overview from Gary C. Kessler or sign up for a cryptography course from Stanford University on Coursera.
Whether you realize it or not, in the age of data privacy, encryption is a part of our daily lives and used extensively in payment processing, on websites, for secure file transfer and for securing data volumes. The ‘s’ in “https” means secure and assures visitors that they are visiting a ‘protected’ site. Protecting all data is the norm and encryption is the best way to prevent malicious actors (cybercriminals or those who seek to disrupt) from achieving their goals. There are many types of encryption, with those perceived as the most secure including AES and RSA. For most of us, a single encryption method is enough but what if you want to use more? Why not double encryption or even triple?
Double, multi or cascade encryption/ciphering, whatever you wish to call it, is often the subject of debate amongst cryptographers, data scientists and mathematicians, and even these academics are divided in their opinions. Superencryption refers to the final outer-level encryption of a multiple encryption process. To most of us, the application of basic logic means that security would automatically be enhanced if something is encrypted again. However, as is the case with cooking, it’s all about how you use the ingredients. The best approach is according to recipe, rather than experimentation.
Brute Force Attacks
Ecryption’s primary purpose is to protect against brute force attacks. It is composed of a cipher (the encryption method), the message/data and a key (the password). With a wide range of free tools available, even novice hackers can attempt to hack passwords using brute force (dictionary or list-based attacks until a match is found).
Does double encryption increase security? It depends, but not always. Using the same cipher could reduce security, for example, with one expert comparing the process to an artificial leg. It’s useful if you lose a leg but better to keep your existing legs. However, the use of multiple ciphers requires a password at each level, each of which is theoretically as vulnerable (or as secure) as the first encryption password.
In my opinion, as a lay person in cryptography, multiple encryption may not increase security, but it may slow down attackers, who at the very least would require substantially more storage to use comparative lists on more than one encryption stage. Whether it’s privacy, authentication or security, encryption has a part to play but how much is too much? When does encryption interfere with operations or productivity and impede data analysis?
Let’s look at a practical low-level example.
Layered Encryption And User Access
Ideally, encryption protects data but should also allow authorised users free access. Take an average PC/desktop, where would you start?
- You could encrypt the volume i.e. the entire drive using Bitlocker or other method. This means you will need a password or start-up key on USB when you boot the system.
- You could encrypt a partition on the hard drive. Again, a password is needed.
- Encrypt folders-ditto password.
- Encrypt a file. Let’s take Excel as an example.
- Encrypt the contents of an Excel file, whether worksheet, column, row or cell.
This easy process requires a password at each stage, and a user enters five passwords (all different, of course, according to best practices) from booting the computer to viewing the unprotected file. Hardly productive, even with a password manager.
Apart from the file contents stage, all others only protect data at rest. To share data securely, further encryption is needed to prevent man-in-the-middle attacks.
At the time of writing, AES-256 is still the most ‘secure’ (officially still unbroken) encryption method but all encryption methods depend on one primary element–the key. The best encryption algorithm in the world will fail to protect if the key is weak, making passwords the primary area of encryption that needs improvement.
In conclusion, your use of encryption and the frequency of it is a balancing act between security and productive use; you must decide how much is too much.
Rather than focusing on encryption methods and the frequency of same, companies are advised to enforce password management as part of their overall security policy. Insist on long, complex passwords and use password managers (most come with password generators built in). For passwords, make them alphanumerical (in varying case) with special characters and no less than 24 characters.
Why not test your existing passwords using the brute force tools mentioned earlier? Depending on the results, you can reward or dismiss employees as you see fit. In my view, using ‘admin’, ‘123456’, ‘QWERTY’ or any word found in the dictionary as a password is a coded request to collect unemployment. Any thoughts?