Cryptography Explained: How Encryption Actually Works

Every time you visit an HTTPS site, send a message on Signal, or log into your bank, cryptography is doing something remarkable: making it mathematically impossible for an eavesdropper to read your communication, even if they capture every bit.

Cryptography is the most important technology in digital security. But most people — including many developers and IT professionals — have only a vague understanding of how it works. This guide gives you the actual picture, without the math degree.

Why Cryptography Is the Foundation of Digital Security

Cryptography solves three fundamental problems in digital communication: confidentiality (only the intended recipient can read the message), integrity (the message hasn't been altered), and authentication (the sender is who they claim to be).

Without cryptography:

• Anyone on your WiFi network could read your bank login
• An attacker could modify data in transit (change a wire transfer amount)
• You couldn't verify that amazon.com's website is actually Amazon's
• Passwords stored in databases would be readable if the database was stolen
• Software updates could be tampered with to deliver malware

Cryptography solves all of these — not through obscurity, but through mathematical problems that are computationally infeasible to solve without the right key.

Symmetric Encryption: One Key for Everything

Symmetric encryption uses the same key to encrypt and decrypt data. Both sender and receiver must possess the same secret key. It is fast and efficient — suitable for encrypting gigabytes of data. AES-256 is the current standard, used everywhere from HTTPS to disk encryption to VPNs.

How AES (Advanced Encryption Standard) works conceptually:

1. Your plaintext is divided into 128-bit blocks.
2. Each block goes through 10-14 rounds of transformations (substitution, shifting, mixing) using the key material.
3. The output is ciphertext that looks like random noise. Without the key, it is computationally infeasible to reverse.

AES-256 (with a 256-bit key) has never been practically broken. Brute-forcing a 256-bit key would require more energy than the sun can produce in its entire lifetime. The weakness in AES implementations is almost always in the key management — how keys are generated, stored, and distributed — not in the algorithm itself.

The core problem with symmetric encryption: how do two parties who have never met securely share the key? If you email the key, an eavesdropper intercepts it. This is the key distribution problem — and it's why asymmetric cryptography exists.

Asymmetric Encryption: Public and Private Keys

Asymmetric (public-key) cryptography uses mathematically linked key pairs: a public key (can be shared with anyone) and a private key (kept secret). Data encrypted with the public key can only be decrypted with the private key. This solves key distribution — you publish your public key publicly, and anyone can send you encrypted messages that only you can read.

RSA — the most widely known asymmetric algorithm:

• Security relies on the computational hardness of factoring large numbers. It's easy to multiply two large prime numbers to get N. It's computationally infeasible to factor N back into its prime components if N is large enough (2048+ bits).
• Your public key is essentially N and a related number e. Your private key includes the prime factors p and q.
• RSA-2048 is currently considered secure against classical computers. RSA-4096 provides a larger margin.
• Quantum threat: Shor's algorithm on a sufficiently powerful quantum computer can factor large numbers efficiently, breaking RSA. This is the most serious long-term threat to current cryptography.

ECC (Elliptic Curve Cryptography): Provides equivalent security to RSA with much smaller key sizes. A 256-bit ECC key is roughly equivalent in security to a 3072-bit RSA key. Smaller keys mean faster operations and less bandwidth. Most modern TLS connections use ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) for key exchange.

Cryptographic Hashing: One-Way Fingerprints

A cryptographic hash function maps any input to a fixed-size output (the hash or digest). It is a one-way function — computationally infeasible to reverse. Two different inputs should never produce the same hash (collision resistance). SHA-256 produces a 256-bit hash; SHA-3 produces 224-512 bits depending on variant.

Properties of a good cryptographic hash:

• Deterministic: Same input always produces the same hash.
• One-way: Given a hash, you cannot find the original input.
• Avalanche effect: A small change in input (one bit) produces a completely different hash.
• Collision-resistant: It is computationally infeasible to find two different inputs with the same hash.
• Fixed output size: SHA-256 always produces exactly 256 bits regardless of input size.

Uses for cryptographic hashes:

• Password storage: Never store passwords in plaintext. Store the hash. When a user logs in, hash their input and compare. bcrypt, scrypt, and Argon2 add a salt (random value) and are deliberately slow to defeat brute-force attacks.
• Data integrity: Software distributors publish SHA-256 hashes of downloads. You hash the downloaded file and compare — any tampering changes the hash.
• Digital signatures: You hash the message, then sign the hash with your private key. More efficient than signing the entire message.
• Blockchain: Each block contains the hash of the previous block, creating an immutable chain. Changing any historical block changes its hash, breaking the chain.

Broken algorithms: MD5 and SHA-1 have known collision attacks and should never be used for security purposes. Use SHA-256 or SHA-3 minimum.

Digital Signatures: Proving Who Sent It

A digital signature proves that a message was created by a specific private key holder and has not been altered since signing. It provides non-repudiation — the signer cannot later deny having signed the message.

How digital signatures work:

1. Alice computes the hash of her message.
2. Alice encrypts the hash with her private key. This is the signature.
3. Alice sends the message and signature to Bob.
4. Bob decrypts the signature with Alice's public key to get the hash.
5. Bob hashes the received message independently.
6. If the two hashes match: the message came from Alice (only she has her private key) and has not been altered (any modification changes the hash).

Digital signatures are used for software code signing (verifying that software updates came from the legitimate vendor), email signing (S/MIME, PGP), document signing (PDFs), TLS certificates, and Git commit signing.

How TLS/HTTPS Actually Works

TLS (Transport Layer Security) protects HTTPS connections by combining asymmetric cryptography (for authentication and key exchange) with symmetric cryptography (for fast bulk data encryption). The process is called the TLS handshake.

TLS 1.3 handshake (simplified):

1. Client Hello: Browser sends supported cipher suites and a random value.
2. Server Hello: Server selects a cipher suite, sends its certificate (containing its public key), and a random value.
3. Certificate verification: Browser verifies the certificate is signed by a trusted Certificate Authority (CA), is not expired, and matches the domain name.
4. Key exchange: Both parties use ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) to derive a shared symmetric session key — without ever transmitting the key directly. Each connection gets a unique session key (forward secrecy).
5. Finished: Both sides confirm they computed the same key. All subsequent data is encrypted with AES-128-GCM or AES-256-GCM using the shared session key.

The green padlock in your browser means this entire process succeeded — the connection is authenticated and encrypted.

Public Key Infrastructure (PKI) and Certificates

PKI is the system of Certificate Authorities (CAs), digital certificates, and trust relationships that makes asymmetric cryptography work at internet scale. A certificate is a digital document that binds a public key to an identity, signed by a CA that your browser trusts.

The certificate trust chain: Your browser trusts about 100 root CAs (like DigiCert, Let's Encrypt, and GlobalSign). These CAs issue certificates directly or delegate to intermediate CAs. When a web server presents a certificate signed by an intermediate CA, your browser traces the chain to a root CA it trusts.

Certificate types: Domain Validation (DV) certificates verify only that the requester controls the domain — fast, free (Let's Encrypt). Organization Validation (OV) includes verified company information. Extended Validation (EV) has the most rigorous identity verification and historically showed the company name in the browser address bar (browsers have mostly dropped the visual distinction).

Post-Quantum Cryptography: The Coming Transition

Quantum computers threaten current asymmetric cryptography. NIST finalized post-quantum cryptographic standards in 2024. Organizations should begin auditing cryptographic dependencies and planning quantum-resistant migrations, especially for long-lived sensitive data.

The threat: A sufficiently powerful quantum computer running Shor's algorithm can break RSA and ECC by solving the underlying mathematical problems efficiently. "Harvest now, decrypt later" attacks are already happening — adversaries collect encrypted data today, planning to decrypt it when quantum computers mature.

NIST's 2024 post-quantum standards:

• CRYSTALS-Kyber (ML-KEM): Key encapsulation mechanism. Replaces RSA and ECDH for key exchange.
• CRYSTALS-Dilithium (ML-DSA): Digital signature algorithm. Replaces RSA and ECDSA for signatures.
• FALCON: Smaller signatures than Dilithium but more complex implementation.

Timeline: Symmetric algorithms (AES-256) are quantum-resistant. The migration challenge is replacing asymmetric algorithms everywhere they're used — TLS certificates, SSH keys, VPN configurations, code signing infrastructure. Large organizations should be inventorying their cryptographic dependencies now.

Frequently Asked Questions

What is the difference between symmetric and asymmetric encryption?

Symmetric uses one shared key for both encryption and decryption — fast, suitable for bulk data, but requires secure key distribution. Asymmetric uses a public/private key pair — slower, solves key distribution, used to exchange symmetric keys. TLS uses asymmetric to exchange a symmetric key, then symmetric for all data.

What is a cryptographic hash function?

A one-way function that maps any input to a fixed-size output (hash). Cannot be reversed. Used for password storage, data integrity verification, digital signatures, and blockchain. SHA-256 is the current standard. MD5 and SHA-1 are broken and should not be used.

How does TLS/HTTPS work?

TLS handshake: server sends certificate, browser verifies it, both parties use ECDHE to agree on a symmetric session key, all subsequent data is encrypted with AES. The certificate proves server identity; encryption provides confidentiality.

What is post-quantum cryptography?

Algorithms resistant to quantum computer attacks. NIST standardized CRYSTALS-Kyber and CRYSTALS-Dilithium in 2024 as quantum-resistant replacements for RSA and ECC. Current symmetric algorithms (AES-256) remain secure. Organizations should begin planning migration of asymmetric cryptographic systems.