Skip to content
Lesson 5 of 8

Cryptography Basics

4 min read

Why Cryptography Underpins Modern Security

Cryptography is the science of protecting information by transforming it so that only authorized parties can understand it. It is the invisible engine that makes the confidentiality and integrity of the CIA triad possible: every time you buy something online, send an encrypted message, or log in to a secure site, cryptography is working underneath.

A fundamental principle is Kerckhoffs's principle: the security of a system should not depend on keeping the algorithm secret, but only on the key. That is why strong algorithms are public and have withstood years of analysis by the community. Always be wary of solutions that promise security through "secret proprietary algorithms."

In this lesson we will not become cryptographers, but we will understand the essential building blocks and how they combine to protect data at rest and in transit.

Symmetric Encryption

In symmetric encryption, the same key is used to encrypt and decrypt. It is fast and efficient, ideal for protecting large volumes of data. The dominant standard today is AES (Advanced Encryption Standard), typically with 128- or 256-bit keys (AES-256), considered secure and used in everything from disk encryption to secure connections.

The challenge of symmetric encryption is key distribution: both parties must share the same secret, but how do you exchange it securely over a potentially monitored channel? If an attacker intercepts the key, all protection collapses. This problem motivated the development of asymmetric cryptography.

When used correctly —with adequate key length and secure modes of operation— symmetric encryption is extraordinarily robust. The weak link is almost never the algorithm, but key management.

Asymmetric Encryption

Asymmetric encryption, or public-key cryptography, solves the distribution problem using a pair of mathematically related keys: a public one, which can be shared openly, and a private one, which is kept secret. What is encrypted with the public key can only be decrypted with the private key, and vice versa.

This enables two powerful uses. For confidentiality, anyone can encrypt a message with your public key knowing that only you, with your private key, will be able to read it. For authenticity, you can digitally sign a document with your private key, and anyone can verify the signature with your public key. Algorithms such as RSA and those based on elliptic curves (ECC) implement these mechanisms.

In practice, asymmetric encryption is slower than symmetric, so it is rarely used to encrypt large volumes. Instead, it is used to securely exchange a symmetric key, combining the best of both worlds: this is the hybrid scheme used by, among others, the TLS protocol.

Hashing: Integrity and Digital Fingerprints

A cryptographic hash function takes an input of any size and produces a fixed-length output, called a hash or digest. It has three key properties: it is deterministic (the same input always produces the same hash), it is practically irreversible, and a minimal change in the input radically alters the output (the avalanche effect).

Hashing is not used to encrypt —you cannot "unhash"— but to verify integrity. Algorithms such as SHA-256 let you check that a file was not altered: if the hash matches, the content is identical. Older algorithms like MD5 or SHA-1 are considered broken for security uses and should not be employed.

A critical use of hashing is password storage. Systems must never store passwords in plain text, but their hash, computed with slow functions designed to resist attacks, such as bcrypt, scrypt, or Argon2, together with a unique random value called a salt that prevents attacks using precomputed tables.

HTTPS, TLS, and Certificates

When you see the padlock in your browser, you are using HTTPS, which is HTTP over TLS (Transport Layer Security). TLS combines all of the above: it uses asymmetric cryptography to authenticate the server and securely exchange a symmetric key, and then encrypts all traffic with that symmetric key for efficiency.

How do you know the server is really who it claims to be? Through digital certificates issued by trusted Certificate Authorities (CAs). The certificate binds a site's identity to its public key and is signed by a CA your browser trusts. If the certificate is invalid, expired, or does not match the domain, the browser warns you.

Understanding this chain of trust helps you interpret security warnings instead of ignoring them, and appreciate why you should never enter credentials on a site without HTTPS. In the next lesson we will bring protection down to the device: endpoint security.