Encryption can be a confusing concept, even for the initiated. Use the primer below as you acquaint yourself with this important tool against surveillance.
What is encryption?
Encryption is the process of encoding messages or information in such a way that only authorized parties can read them. Encryption does not of itself prevent interception, but denies the message content to the interceptor. In an encryption scheme, the message or information, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, large computational resources and skill are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.
How does encryption work?
Per The Guardian:
Don't be fooled by the suggestion that only terrorists, paedophiles and those with "something to hide" use encryption on the internet. Anyone who shops online uses it – though probably without realising that that's what the padlock symbol in the address bar of their browser means.
When you see that padlock on a shopping site or bank site, or when you use Skype for video chat, or Apple's iMessage, or BlackBerry's messaging and email systems, or a host of others, your communication is encrypted. If someone breaks that encryption, your details – such as your credit card, address, and what you're buying – are theirs to own.
Modern computer-based encryption uses "public-key encryption", which has been in use since 1973 – having been developed, in secret, by GCHQ. (It finally admitted its work in 1997.)
Public key encryption relies on the fact that it is much harder to figure out the factors of a number – what numbers were multiplied together to produce it – than to multiply them to make the number. Quick, what two numbers do you multiply together to produce 323? (Answer at the end.) If you choose two large prime numbers, a computer can multiply them together easily, but it can't deconstruct the result with anything like the same ease.
The key to public key encryption is thus to generate large numbers using numbers that only you (or your computer) know. The large number can be published online, and used to encrypt a message using specific and well-tested mathematical formulae. In effect, the large number is a digital padlock which you make available to anyone so they can secure a message. Only you hold the keys to the padlock, so it doesn't matter how many copies are out there. When you link to a shopping site, the creation of the secure link is enabled in the first place by that padlock-and-key process.
But if someone can figure out the factors of the big number, they have in effect cracked your padlock. The difficulty of doing so rises with the size of the number: "brute force" decryption attempts to find its factors by slogging through the number range. A key's strength is measured by the number of digital bits it uses, and the encryption method. The old benchmark used to be a 40-bit "key" encoded with the RC4 algorithm; these days that could be cracked in moments by a standard desktop computer. These days, 256 bits or more (which theoretically should take thousands of years to crack) is common.
While the NSA, GCHQ and other intelligence agencies can afford to spend millions on custom-built chips to crack encrypted signals, many hackers have begun to use the power of modern graphics processing units (which drive the screen on your computer) to crack passwords. The latest software can manage 8bn guesses per second – and crack passwords up to 55 characters long. Crack that, and you can access the user's account – at which point, encryption might not matter.
(Answer: 323 is the multiple of 17 and 19 – both prime numbers.)
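The padlock-and-key idea in the quoted passage above, as an added example that is not from The Guardian or this page's author: a toy RSA key built on the page's 323 = 17 × 19, showing that whoever factors the public number can rebuild the private key, and how the brute-force work grows with the size of the number. The exponent 5, the message 42, the larger primes 10007 and 10009, and all function names are constructed for illustration; real keys use primes hundreds of digits long, plus padding.

```python
# Added illustration: toy RSA on 323 = 17 * 19 (constructed teaching values).
from math import gcd


def make_keypair(p, q, e=5):
    """Build (public, private) keys from two secret primes."""
    n = p * q                    # published number: the "padlock"
    phi = (p - 1) * (q - 1)      # needs p and q, so only the owner knows it
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p-1)*(q-1)")
    return (n, e), (n, pow(e, -1, phi))   # private d: e*d = 1 (mod phi)


def encrypt(m, public):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be in range 0..n-1")
    return pow(m, e, n)


def decrypt(c, private):
    n, d = private
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Brute-force search for a factor; returns (p, q, divisions_tried)."""
    tried, f = 0, 2
    while f * f <= n:
        tried += 1
        if n % f == 0:
            return f, n // f, tried
        f += 1 if f == 2 else 2   # after 2, test odd candidates only
    raise ValueError("n is prime, not a product of two primes")


def private_key_from_factors(public):
    """Anyone who factors n can redo the owner's arithmetic and get d."""
    n, e = public
    p, q, _ = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = make_keypair(17, 19)
    c = encrypt(42, public)
    print("ciphertext:", c, "decrypted:", decrypt(c, private))
    print("divisions for 323:", factor_by_trial_division(323)[2])
    print("divisions for 10007*10009:", factor_by_trial_division(10007 * 10009)[2])
```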
Why does encryption matter?
Per The Intercept:
The benefits of [encryption] are obvious when you think about protecting secret information you send over the internet, like passwords and credit card numbers. It also helps protect information like what you search for in Google, what articles you read, what prescription medicine you take, and messages you send to colleagues, friends, and family from being monitored by hackers or authorities.
But there are less obvious benefits as well. Websites that don’t use [encryption] are vulnerable to “session hijacking,” where attackers can take over your account even if they don’t know your password. When you download software without encryption, sophisticated attackers can secretly replace the download with malware that hacks your computer as soon as you try installing it.
Encryption also prevents attackers from tampering with or impersonating legitimate websites. For example, the Chinese government censors specific pages on Wikipedia, the FBI impersonated The Seattle Times to get a suspect to click on a malicious link, and Verizon and AT&T injected tracking tokens into mobile traffic without user consent. [Encryption] goes a long way in preventing these sorts of attacks.
And of course there’s the NSA, which relies on the limited adoption of [encryption] to continue to spy on the entire internet with impunity. If companies want to do one thing to meaningfully protect their customers from surveillance, it should be enabling encryption on their websites by default.