Explained: How encryption works

Updated

...and I'll explain how encrypted messaging works.

If you send a message using end-to-end encrypted messaging apps — like iMessage, WhatsApp, Signal or Wickr — it's basically impossible for law enforcement agencies (or anyone else) to intercept and read it.

You won't be surprised to hear they're not too happy about that.

But do you know how encryption actually works? We're here to help, and along the way we'll also show you how governments, like our very own, might try to gain access.

Don't worry, it's not that complicated.

This article includes an interactive component which is not supported on this platform. For the full interactive experience in this article, you will need a modern web browser with JavaScript enabled. Find out more about browser support at ABC News Online.

So, you want to share a secret?

If you want to make sure nobody else can read it (except for me, of course) it would be a good idea to use an encrypted messaging app.

When you're using one of those on your phone, the 'plain text' or unencrypted version of your secret never leaves your phone.

Before being sent, your message will be encrypted so that only I can read it.

To do that, the app needs something called my public key.

🚨 Not so fast. 🚨

Before your message is encrypted is the first point where the government may seek to gain access to messages. It's also the most likely interception point.

Attorney-General George Brandis has reportedly suggested that security agencies should gain warrant-based access to messages either before they're sent or after they're received.

In practice, this would likely mean forcing technology companies to allow authorities secret access directly to your phone (if they have a warrant).

But back to sending me this secret — you'll need my public key.

To humans, a public key just looks like a big blob of random text.

All this random text is created using some complicated maths — we'll come back to this.

But you can think of it as an open safe, which only I have the combination to.

You can put your secret into the safe and close it. But once it's closed, the safe is impenetrable — not even you can re-open it.

It would take thousands of years to crack the safe without knowing the combination.

Which, remember, only I know.

So, now you have my public key you can use it to encrypt that juicy secret.

And your messaging app does this all for you behind the scenes before your message ever leaves your phone.

While in transit, your message (securely locked in that impenetrable safe) will pass through many servers.

Your internet provider is the first stop, but there are likely many others in between, which are controlled by other companies.

At any one of these stops your message can be intercepted — this would be similar to how regular communication interceptions work.

But, even if it is intercepted, the encryption means it still can't be read. It's locked away in the safe.

Hmm, remember how I said that locked safe would take thousands of years to crack?

What if it wasn't so strong?

This is another way governments could try to get access to encrypted messages, by mandating that only specific types of deliberately weakened encryption can be used.

This would mean someone could break into the hypothetical safe more quickly, if that someone knew the right techniques.

A deliberate (or at least known) weakness is what's commonly referred to as a 'backdoor'.

The government would have to keep those safe-breaking techniques secret or anyone who knows the trick could unlock it — and history suggests keeping a secret like that would be difficult.

Regulation like this has been tried before in the US. While this is a potential solution the Australian Government could look to, any draft legislation is unlikely to include a specific method.

Prime Minister Malcolm Turnbull has said that technology companies would be tasked with finding a solution themselves.

Finally, your secret will arrive on my phone, still encrypted and impossible to read.

Except that I have the private key, the only possible way to unlock (or decrypt) your message.

Remember, the public key is the unlocked safe. Anyone can have a copy of that. The private key is the safe's combination, which must be kept totally secret and not shared with anyone.

In the real world, I would never reveal this to anyone (and neither would the messaging app which creates and uses it).

My public key and private key are called a key pair.

My key pair was probably created when I first installed the app we're using to share our secrets.

The public key would then have been uploaded to the app's servers so anyone wanting to send me a message (that's you!) can get it.

There's some quite complicated maths involved in generating a key pair, and it's all to do with prime numbers.

As a pair, the keys have some very specific properties: the public key can be used to scramble a message in a way that is impossible to unscramble unless you have the private key.

Another thing George Brandis reportedly said was: "If there are encryption keys then those encryption keys have to be put at the disposal of the authorities."

There are practical, technical reasons why this would be difficult.

And there are also problematic security implications for keeping a huge database of all keys.

So, because I know my private key...

...and I now have your encrypted message.

I can put them together to finally read your secret.

I'll stay tight-lipped, I promise.

Is that all there is to it?

This provides a simplified overview of asymmetric encryption, a key component in most modern end-to-end encrypted messaging apps. There are other types of encryption, and the protocols used by apps are somewhat more complicated in reality, usually involving multiple layers of encryption.

One important reason they're more complicated is to ensure something called perfect forward secrecy, which means even if your private key is somehow compromised in the future, messages sent in the past will remain safe from prying eyes.

Encryption isn't only used for sending and receiving private messages. Nearly every aspect of our digital lives uses some kind of encryption. It ensures our credit card details and financial information remains private when online shopping or banking. It means software updates that run on our computers and phones are safe and have actually come from the manufacturer. It ensures (hopefully!) that your neighbour can't tap into your home wi-fi to see (or change) the websites you're visiting. The list goes on.

Note, the keys in this story are real but used for demonstration purposes only. Please do not use them for sensitive communications. You can use my legitimate public-key if you do want to send me an encrypted message.

Credits

Reporting / Concept design / Development: Simon Elvery

Design and Illustration: Ben Spraggon

Editor: Matt Liddy

Topics: internet-technology, computers-and-technology, information-and-communication, federal-government, world-politics, australia

First posted