Cryptography is the mathematical foundation that makes modern cybersecurity possible. It protects data in transit over the internet, secures stored passwords, verifies digital identities, and ensures the integrity of software updates. Without cryptography, online banking, e-commerce, private messaging, and secure government communications would be impossible. In this lesson, you'll learn the core concepts of cryptography that every security professional must understand.
Cryptography is the practice and study of techniques for secure communication in the presence of adversarial behavior. It transforms readable data (plaintext) into an unreadable format (ciphertext) using mathematical algorithms and keys. Only those who possess the correct key can reverse the process and recover the original data. The strength of a cryptographic system lies not in keeping the algorithm secret, but in keeping the key secret — a principle known as Kerckhoffs's Principle.
💡 Kerckhoffs's Principle states that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. This is why modern algorithms like AES and RSA are publicly published and extensively tested by the global cryptographic community. Security through obscurity — relying on secret algorithms — is considered a fundamental flaw.
Symmetric encryption uses a single shared key for both encryption and decryption. The sender encrypts the plaintext with the key, and the receiver decrypts the ciphertext with the same key. Symmetric algorithms are fast and efficient, making them ideal for encrypting large volumes of data. The challenge is securely sharing the key between parties.
| Algorithm | Key Size | Status | Use Case |
|---|---|---|---|
| DES | 56-bit | Broken — do not use | Legacy systems only |
| 3DES | 168-bit | Deprecated — being phased out | Legacy banking systems |
| AES-128 | 128-bit | Secure | General purpose encryption |
| AES-256 | 256-bit | Secure — recommended | Government, military, high-security |
| ChaCha20 | 256-bit | Secure | Mobile devices, TLS 1.3 |
# Example: AES symmetric encryption using Python's cryptography library
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
import os
# Generate a random 256-bit key and 128-bit initialization vector
key = os.urandom(32) # 256-bit key for AES-256
iv = os.urandom(16) # 128-bit IV
# Encrypt
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
encryptor = cipher.encryptor()
# Pad the plaintext to be a multiple of block size (16 bytes)
plaintext = b"Secret message for authorized eyes only!"
padded_plaintext = plaintext + b"\x00" * (16 - len(plaintext) % 16)
ciphertext = encryptor.update(padded_plaintext) + encryptor.finalize()
print(f"Ciphertext (hex): {ciphertext.hex()}")
# Decrypt
decryptor = cipher.decryptor()
decrypted = decryptor.update(ciphertext) + decryptor.finalize()
print(f"Decrypted: {decrypted.rstrip(b'\x00').decode()}")Asymmetric encryption (public-key cryptography) uses a pair of mathematically related keys: a public key and a private key. Data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. This solves the key distribution problem of symmetric encryption — you can share your public key openly while keeping your private key secret.
In practice, most systems use hybrid encryption: asymmetric encryption to securely exchange a symmetric key, then symmetric encryption for the actual data transfer. This is exactly how HTTPS/TLS works — RSA or ECDHE for key exchange, then AES for bulk data encryption. This gives you the best of both worlds: the key distribution benefits of asymmetric encryption and the speed of symmetric encryption.
Hashing is a one-way function that converts input data of any size into a fixed-length output (hash/digest). Unlike encryption, hashing cannot be reversed — you cannot recover the original data from the hash. Hashing is used for password storage, data integrity verification, and digital signatures.
Public Key Infrastructure (PKI) is the framework that manages digital certificates and public-key encryption. A digital certificate binds a public key to an identity (person, organization, or device) and is issued by a trusted Certificate Authority (CA). When you visit an HTTPS website, your browser checks the site's certificate against its list of trusted CAs to verify the site's identity.
⚠️ Never implement your own cryptographic algorithms or protocols in production. Cryptography is extremely difficult to implement correctly, and even small mistakes can completely undermine security. Always use well-established, peer-reviewed libraries and follow current best practices. Algorithms that were considered secure 20 years ago (like DES, MD5, and SHA-1) are now broken.
Verify exercises to earn ★ 160 XP and unlock next lab level.