### Tutanota's Founder Arne Möhle on Privacy and Encryption in Email Communications

Published on September 13, 2021


Computer jargon and the technologies it describes can be very complicated. There’s nothing wrong with that and, for the people who develop and make this stuff, the complexities are part of the thrill.

Even as an enthusiast user, most of the low-level mathematical details of how high-technology works are completely beyond me.

If you aren’t an enthusiast of computer technology, then do you really need to know and understand all of the details? The answer is of course no. In fact, if a technology needs specialized knowledge to use it, then it’s not ready for prime time.

The same is true for computer encryption. While the technical details of encryption can be mystifying, actually using it as a consumer isn’t that hard at all. You do need some foundational knowledge about how encryption works in general to make good decisions. When it comes to your own security, the ultimate responsibility falls on you. So being informed is essential.

Say you wanted to send someone a letter, but the content of the message is pretty sensitive. It has a big secret that ONLY the person who is meant to read it should ever see. If someone else got their hands on it, you’d be in more trouble than you imagine. Let’s just say that you are very motivated to keep the message out of the wrong hands.

So how would you do it? Would you hire armed guards? Put it in a very strong lockbox? What about putting a code on it and if the wrong PIN is put in, the message self-destructs?

These are all pretty serious solutions, but even then there’s no guarantee that someone won’t get around it. So why not just write the message in a form that ONLY the person on the other end knows how to read? Almost like a secret language between the two of you.

That’s a good analogy of what “encryption” is. It’s a way of manipulating your message so that no one else understands it. The other person knows how you manipulated it and can reverse the process when they get your message. So it doesn’t matter if someone else has a copy of the information. It won’t make any sense.

That’s encryption in a nutshell.

That’s a good question. It’s one thing to say we “manipulate” the message to make it unreadable, but what does the actual process look like?

First, let’s introduce some terms. You already know that the act of scrambling the message is called encryption. Encryption is the practical part of a field known as cryptography. The method we use to manipulate the message to scramble it is called a “cipher”.

All cryptography is based on the art of creating ciphers. The cipher is the bit you have to share with the other person who is going to receive the message. You use the instructions built into the cipher to mix up the message. Then the person on the other end uses the cipher to un-mix the whole thing.

What does a cipher actually look like? The simplest example is the substitution cipher. This is one you don’t need a computer for, but it has actually been of practical use in history. Good enough for army generals and such. What you do is take a letter in the message and substitute it for something else. It could be another letter in the alphabet, or some symbols you made up.

The ciphers we use on computers these days are conceptually the same as other cipher types. The key difference is that knowing how the cipher works isn’t enough to reverse its effects. How can this be? It’s thanks to the inclusion of randomness. As you probably already know, randomness is patternless by definition. If you choose 100 numbers at random then there is nothing connecting them to one another.

The ciphers we use for computers leave a little gap in them that has to be filled with a random sequence of symbols. These then form an integral part of how the cipher scrambles up the information. This means that simply knowing how the cipher works, in general, won’t help you decode a specific message.
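To make the "gap filled with randomness" idea concrete, here is an added example (not code from the original article) of a toy substitution cipher whose random filler is a shuffled alphabet. The function names are chosen for this illustration, and the sample message is constructed.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase

def generate_key() -> str:
    """Pick one random ordering of the alphabet: the secret that fills the gap."""
    letters = list(ALPHABET)
    secrets.SystemRandom().shuffle(letters)  # OS randomness, not a guessable seed
    return "".join(letters)

def encrypt(message: str, key: str) -> str:
    """Swap each letter A..Z for the letter at the same position in the key."""
    return message.upper().translate(str.maketrans(ALPHABET, key))

def decrypt(ciphertext: str, key: str) -> str:
    """Undo the swap; this only recovers the message with the right key."""
    return ciphertext.translate(str.maketrans(key, ALPHABET))

def keyspace_size() -> int:
    """Count possible keys: 26 choices, then 25, then 24, ... (26 factorial)."""
    size = 1
    for remaining in range(len(ALPHABET), 0, -1):
        size *= remaining
    return size

if __name__ == "__main__":
    message = "MEET ME AT NOON"  # constructed sample message
    key, other_key = generate_key(), generate_key()
    ciphertext = encrypt(message, key)
    print("key:          ", key)
    print("ciphertext:   ", ciphertext)
    print("right key:    ", decrypt(ciphertext, key))
    print("other key:    ", decrypt(ciphertext, other_key))
    print("possible keys:", keyspace_size())
```

Everyone can read how this cipher works, yet a different shuffled alphabet turns the same ciphertext into nonsense. A substitution cipher still leaks how often each letter appears, which is why real systems keep the random-key idea but use far stronger ciphers.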

As a part of the cipher’s functionality, there’s a unique string of symbols known as the encryption key. You need both this key and the cipher in order to make sense of the message again. The ciphers are so complicated that only a computer has any hope of applying them. Which means the only way forward is to guess the key. Except, there's one little problem with that...

Well, not technically impossible, but so hard that it might as well be impossible. Remember that the keys are randomized, which means there is no way to predict or derive the key from anything else.

That means to break the encryption you’ll have to guess. How long will that take? OK, let’s do a quick example to give you an idea. Let’s say you wanted to steal a bicycle. I don’t know why; you just want one desperately.

The bicycle has a padlock with a four-digit combination. Each digit can be anything from 0-9. Since there are four digits, it means the number that will unlock the bike is between 0000 and 9999. That’s 10 000 possible numbers. If you had to guess every possible number and you could do one number per second, it would take you almost three hours to go through all of them. Of course, you’ll probably hit the correct number sooner than that. There’s a 50% chance it will be in the first half of possible numbers. That’s “only” about an hour and a half. Still, you’d probably be caught long before you actually found the answer.

Now imagine we add just one digit to this lock. Then we can go from 00000-99999. Now we have ten times as many possible combinations and it would now take ten times as long. With each additional digit in the code, the difficulty of guessing it goes up by a factor of ten.

The same is true of encryption keys, but the numbers are far, far more insane. The typical encryption key is 128 or 256 digits long. Moreover, each digit isn’t just between 0-9. Instead, it has the whole alphanumeric set available. That includes all the numbers and both cases of the alphabet. The total number of guesses is in the trillions, which means there simply isn’t enough time or energy in the universe to ever guess the right answer.

There are many ways to approach encryption. You already know that today's encryption centers around keys, but not all key-based encryption is the same. There are three main encryption types you should know about as an internet user.

The most basic type is *symmetric* encryption. That's just a fancy way to say that the key you use to encrypt also decrypts. That means if anyone ever got their hands on the key, you're in trouble. WiFi networks use this setup. Your WiFi password is the key in this case. That's why you should use a VPN with public WiFi. Everyone has the key, so they can spy on you if they want to.

To solve the issue of getting keys to people without giving them decryption access, we invented *asymmetric encryption*. Now there are two of these keys. Each one can only do a single job: encrypt or decrypt.

So you can safely make one public. Anyone who wants to send you a message can use your public key. Only you can decipher it with your private key. To send info back the other way, you use the other person's public key.

Finally, there's *hashing*, which is not exactly data encryption, but it's related. When you hash a piece of data you get a unique signature. If just one bit was different in the data, the hash looks completely different. The actual data is not in the hash itself. Hashes are used to verify if data has been altered. We also use them for passwords. A provider like Facebook doesn't have your actual password on file. Just the hash of it. When you type in a password, it gets hashed again. If both hashes match exactly, you are given access.
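The two properties described above, shown as an added example (not code from the original article): flipping one bit changes roughly half of a SHA-256 hash, and a login check compares hashes rather than stored passwords. It goes one step beyond the text by adding a per-user random salt and a deliberately slow hash (PBKDF2), which is how password hashes are normally stored; the function names and iteration count are choices made for this illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; makes each guess deliberately slow

def flip_one_bit(data: bytes) -> bytes:
    """Return a copy of data with only the lowest bit of the first byte flipped."""
    return bytes([data[0] ^ 1]) + data[1:]

def bits_changed(a: bytes, b: bytes) -> int:
    """Count how many of the 256 SHA-256 output bits differ between a and b."""
    digest_a = hashlib.sha256(a).digest()
    digest_b = hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(digest_a, digest_b))

def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(password: str) -> dict:
    """What the provider keeps on file: a random salt and the hash, no password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": derive(password, salt)}

def verify(record: dict, attempt: str) -> bool:
    """Hash the attempt the same way and compare in constant time."""
    return hmac.compare_digest(derive(attempt, record["salt"]), record["hash"])

if __name__ == "__main__":
    original = b"Transfer 100 to Alice"  # constructed sample data
    print("bits changed:", bits_changed(original, flip_one_bit(original)), "of 256")
    record = register("correct horse battery staple")  # constructed password
    print("right password:", verify(record, "correct horse battery staple"))
    print("wrong password:", verify(record, "correct horse battery stapler"))
```

Because each record has its own salt, two users with the same password end up with different hashes on file.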

It’s not hard to find an example of cryptography helping you out in your daily life. For example, you’re probably connected to a WiFi network right now or will be at some point today. The WiFi passcode is actually an encryption key, albeit a rather simple and short one. Based on what you read above, you might have figured out that it's an example of symmetric encryption.

That's not the only place by a long shot. Here are some common use cases where encryption makes your life better.

The information on our computer drives and smartphones is likely to include some very sensitive data, so there is an obvious need to protect it.

Encryption can help in a big way. There are plenty of full disk encryption programs out there to turn your Windows, Mac or Linux PC into a data fortress.

The same goes for Android and iOS phones and tablets. These days they come with full disk encryption activated by default. With disk encryption in place, it doesn't matter if someone gets physical access to your data. Without a decryption key, they have zero chance of getting to your information.

If you use WiFi, the router encrypts the signal between itself and your device. If you visit a website that has HTTPS protection, all the information passing between you and their server is protected. That's very useful if you don't want banking details or other private info being intercepted on the way to or from a web server.

Then there's VPN protection. A VPN or virtual private network encrypts every single bit of data that leaves or enters your network port. This means that your internet provider and your government can't spy on what you are doing. The site you are connecting to doesn't know who or where you are either. It's a strong form of protection that's within everyone's reach. We like ExpressVPN in particular. So that might be a good place to start.

These are all the basic facts needed to understand encryption and its role in our daily digital lives. Thanks to encryption we all get to live and work in relative safety. By integrating encryption into your daily life, you can effectively combat a world which wants to strip you of your privacy. I don't know about you, but that doesn't sound like a good deal!
