Lesson 05

Cryptography

Encryption principles, key management and secure communication

NIST | ISO/IEC 27001 | ISO 22301 | SOC 2

Symmetric encryption, asymmetric encryption, key management and hybrid security

Symmetric encryption flow

Cybersecurity Foundations Training Series

Learning objectives

  • Explain plaintext, ciphertext, keys, algorithms, encryption and decryption.

  • Compare symmetric and asymmetric cryptography.

  • Describe how public and private keys support encryption and signatures.

  • Explain why secure systems combine asymmetric and symmetric techniques.

Cryptography fails when keys are poorly managed. Treat key ownership, storage, rotation, recovery, revocation and destruction as core controls rather than implementation details.

What cryptography does

Cryptography uses mathematical techniques to protect information and communications. Depending on the mechanism, it supports confidentiality, integrity, authenticity and related security objectives.

Plaintext is readable input. An encryption algorithm processes the plaintext with a key and produces ciphertext. Decryption uses the required key and algorithm to recover the plaintext. The security of a modern design should depend on protecting the key rather than hiding the algorithm.

Symmetric encryption

Symmetric encryption uses the same secret key, or directly related secret key material, for encryption and decryption. It is efficient and well suited to protecting large volumes of data.

The main operational challenge is key distribution. Both parties need access to the secret key without exposing it to an attacker. Key generation, storage, rotation, backup, revocation and destruction are therefore essential parts of the security design.

The Advanced Encryption Standard, or AES, is a widely adopted symmetric block cipher. AES supports 128-bit, 192-bit and 256-bit keys. The selected algorithm, mode of operation, key management and implementation all affect security. A long key does not compensate for a weak mode, reused nonce, exposed key or vulnerable implementation.

Key length and security strength

For an ideal n-bit symmetric key, exhaustive search involves up to 2^n possible keys. Increasing key length sharply increases the work required for brute-force search.

Real security cannot be judged by key length alone. Algorithm design, protocol use, random-number generation, key protection, side-channel resistance, software quality and operational controls remain important.

Asymmetric cryptography

Asymmetric cryptography uses a mathematically related key pair: a public key and a private key. The public key can be distributed. The private key must remain under the owner’s control.

For public-key encryption, a sender uses the recipient’s public key or an agreed public-key mechanism so that only the holder of the matching private key can recover the protected secret.

Digital signatures use the signer’s private key through a defined signature algorithm. Other parties use the public key to verify the signature. It is more accurate to describe signing as a signature operation, not as “encrypting with the private key”, because many signature schemes do not work as reversed encryption.
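The distinction drawn above between a signature operation and "encrypting with the private key", as an added Go example that is not part of the lesson: Ed25519 from Go's standard library signs with the private key and verifies with only the public key, and the signature is a fixed 64-byte tag that cannot be reversed into the message. The Signer type, function names and sample message are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds a long-term key pair. Only PublicKey is handed to verifiers.
type Signer struct {
	PublicKey  ed25519.PublicKey
	privateKey ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair from the system CSPRNG.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{PublicKey: pub, privateKey: priv}, nil
}

// Sign is a signature operation over the message, not "encryption with the private key":
// the 64-byte output cannot be reversed to recover the message.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.privateKey, msg)
}

// Verify needs only the public key. It rejects a signature made over different bytes or by a
// different key. Lengths are checked first because ed25519.Verify panics on a malformed key.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: release manifest v1.2.3") // sample input, not real data
	sig := s.Sign(msg)
	fmt.Println("original verifies:", Verify(s.PublicKey, msg, sig))
	fmt.Println("altered verifies:", Verify(s.PublicKey, []byte("constructed sample: release manifest v9.9.9"), sig))
}
```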

Asymmetric encryption flow

Figure 1. Public-key encryption protects information for the holder of the matching private key.

Asymmetric techniques

RSA supports encryption and digital signatures when used with approved padding and protocol designs.

Elliptic-curve cryptography supports key agreement and digital signatures with smaller key sizes than many older public-key approaches for comparable security levels.

Diffie-Hellman and elliptic-curve Diffie-Hellman establish a shared secret between parties. They provide key agreement rather than general file encryption by themselves.

Certificates and public key infrastructure bind public keys to identities and help relying parties decide whether to trust them.

Why secure systems use hybrid encryption

Asymmetric operations are computationally more expensive than symmetric encryption and are less suitable for protecting large data streams directly. Symmetric encryption is fast but requires a secure way to establish shared keys.

Modern protocols combine the strengths of both. Public-key methods authenticate endpoints and establish fresh session secrets. Symmetric authenticated encryption then protects the bulk data. TLS uses this general hybrid approach.

Session keys are short-lived and should be renewed or discarded according to the protocol and risk. Compromise of a long-term credential should not automatically expose every previous session when forward secrecy is properly implemented.
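The hybrid pattern described above, as an added Go example that is not part of the lesson: an ephemeral X25519 Diffie-Hellman exchange (the key-agreement role described under Asymmetric techniques) gives both sides the same session key, and AES-256-GCM then protects the bulk data with the fresh per-message nonce and tamper check that the AES section calls for. The function names, the SHA-256 step standing in for a proper HKDF derivation, and the sample inputs are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// AgreeSessionKeys runs one ephemeral X25519 Diffie-Hellman exchange. Only public keys would cross
// the wire; each side combines its own private key with the peer's public key and derives the same
// session key. Simplification: SHA-256 stands in for the HKDF step that real protocols use.
func AgreeSessionKeys() ([]byte, []byte, error) {
	alice, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	bob, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	sA, err := alice.ECDH(bob.PublicKey())
	if err != nil { return nil, nil, err }
	sB, err := bob.ECDH(alice.PublicKey())
	if err != nil { return nil, nil, err }
	kA, kB := sha256.Sum256(sA), sha256.Sum256(sB) // 32-byte keys select AES-256
	return kA[:], kB[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealMessage returns nonce||ciphertext||tag. A fresh random nonce per message is mandatory:
// reusing one under the same key breaks GCM no matter how long the key is.
func SealMessage(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenMessage checks the tag before releasing plaintext; any altered byte yields an error.
func OpenMessage(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("sealed message too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}
```

Both derived keys are discarded with the session; the long-term keys that authenticate the endpoints in a real protocol never take part in the bulk encryption.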

Hybrid encryption model

Figure 2. Secure protocols combine public-key trust and key establishment with fast symmetric protection.

Comparing symmetric and asymmetric cryptography

Feature | Symmetric cryptography | Asymmetric cryptography
Keys | Shared secret key | Public and private key pair
Performance | Fast and efficient for bulk data | Slower and more computationally intensive
Key distribution | Requires secure sharing or establishment | Public key can be distributed; private key remains secret
Common uses | Disk encryption, backups, database fields, session traffic | Key agreement, certificates, digital signatures, limited encryption uses
Examples | AES | RSA, ECDSA, EdDSA, ECDH, Diffie-Hellman
Main operational risk | Shared-key exposure or misuse | Private-key compromise and trust in public-key binding

Quick knowledge check

1. Which form of cryptography is normally preferred for high-volume data encryption?

  • A. Symmetric cryptography

  • B. Asymmetric cryptography

  • C. Hashing

  • D. Digital signatures

2. Which key must remain secret in a public-key pair?

  • A. Public key

  • B. Private key

  • C. Certificate serial number

  • D. Hash value

3. What does Diffie-Hellman primarily provide?

  • A. Password storage

  • B. Key agreement

  • C. File compression

  • D. Digital watermarking

4. Why do protocols such as TLS combine asymmetric and symmetric techniques?

  • A. To avoid using keys

  • B. To combine trusted key establishment with efficient bulk encryption

  • C. To make hashes reversible

  • D. To remove certificate validation

Standards and framework alignment

This lesson uses the following frameworks as complementary references. NIST provides risk and control guidance, ISO/IEC 27001 defines requirements for an information security management system, ISO 22301 addresses business continuity, and SOC 2 evaluates service-organisation controls against the AICPA Trust Services Criteria.

Reference framework | How it supports this lesson
NIST cryptographic standards | FIPS 197 specifies AES. NIST key-management and algorithm-transition guidance supports suitable algorithms, key sizes, lifecycles and approved implementations.
ISO/IEC 27001:2022 | Cryptographic controls should follow a defined policy covering approved use, key ownership, generation, storage, rotation, recovery, revocation and destruction.
ISO 22301:2019 | Encryption and key-recovery arrangements must support continuity. Unavailable keys can make otherwise intact backups and records unusable during recovery.
SOC 2 Trust Services Criteria | Encryption supports Security and Confidentiality when implemented with effective key management, change control, monitoring and incident response.

References and further reading

1. NIST Cybersecurity Framework (CSF) 2.0, NIST CSWP 29, 2024. https://doi.org/10.6028/NIST.CSWP.29

2. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements. https://www.iso.org/standard/27001

3. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements. https://www.iso.org/standard/75106.html

4. AICPA, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy, Revised Points of Focus 2022. https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022

5. NIST FIPS 197, Advanced Encryption Standard. https://csrc.nist.gov/pubs/fips/197/final

6. NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management. https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final

7. NIST SP 800-131A Rev. 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths. https://csrc.nist.gov/pubs/sp/800/131/a/r2/final

8. NIST FIPS 186-5, Digital Signature Standard. https://csrc.nist.gov/pubs/fips/186-5/final
