Cryptography is the science of keeping information secure by transforming it into form that unintended recipients cannot understand.
In cryptography, an original human readable message, referred to as plaintext, is changed by means of an algorithm, or series of mathematical operations, into something that to an uninformed observer would look like gibberish; this gibberish is called ciphertext.
Cryptographic systems require some method for the intended recipient to be able to make use of the encrypted message — usually, though not always, by transforming the ciphertext back into plaintext.
Cryptography vs. encryption
Encryption is what we call the process of turning plaintext into ciphertext. (Crypt may make you think of tombs, but it comes from a Greek word that means "hidden" or "secret.") Encryption is an important part of cryptography, but doesn't encompass the entire science. Its opposite is decryption.
One important aspect of the encryption process is that it almost always involves both an algorithm and a key. A key is just another piece of information, almost always a number, that specifies how the algorithm is applied to the plaintext in order to encrypt it. Even if you know the method by which some message is encrypted, it's difficult or impossible to decrypt without that key.
History of cryptography
This is all very abstract, and a good way to understand the specifics of what we're talking about is to look at one of the earliest known forms of cryptography.
It's known as the Caesar cipher, because Julius Caesar used it for his confidential correspondence; as his biographer Suetonius described it, "if he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet ... If anyone wishes to decipher these, and get at their meaning, he must substitute the fourth letter of the alphabet, namely D, for A, and so with the others."
Suetonius's description can be broken down into the two cryptographic elements we've discussed, the algorithm and the key. The algorithm here is simple: each letter is replaced by another letter from later in the alphabet.
The key is how many letters later in the alphabet you need to go to create your ciphertext. It's three in the version of the cipher Suetonius describes, but obviously other variations are possible — with a key of four, A would become E, for instance.
A few things should be clear from this example. Encryption like this offers a fairly simple way to secretly send any message you like. Contrast that with a system of code phrases where, say, "Let's order pizza" means "I'm going to invade Gaul."
To translate that sort of code, people at both ends of the communication chain would need a book of code phrases, and you'd have no way to encode new phrases you hadn't thought of in advance. With the Caesar cipher, you can encrypt any message you can think of.
The tricky part is that everyone communicating needs to know the algorithm and the key in advance, though it's much easier to safely pass on and keep that information than it would be with a complex code book.
The Caesar cipher is what's known as a substitution cipher, because each letter is substituted with another one; other variations on this, then, would substitute letter blocks or whole words. For most of history, cryptography consisted of various substitution ciphers deployed to keep government and military communications secure.
Medieval Arab mathematicians pushed the science forward, particularly the art of decryption — once researchers realised that certain letters in a given language are more common than others, it becomes easier to recognise patterns, for instance.
But most pre-modern encryption is incredibly simple by modern standards, for the obvious reason that, before the advent of computers, it was difficult to perform mathematical transformations quickly enough to make encryption or decryption worthwhile.
In fact, the development of computers and advances in cryptography went hand in hand. Charles Babbage, whose idea for the Difference Engine presaged modern computers, was also interested in cryptography.
During World War II, the Germans used the electromechanical Enigma machine to encrypt messages — and, famously, Alan Turing led a team in Britain that developed a similar machine to break the code, in the process laying some of the groundwork for the first modern computers.
Cryptography got radically more complex as computers became available, but remained the province of spies and generals for several more decades. However, that began to change in the 1960s.
Cryptography in network security
It was the formation of the first computer networks that started civilians thinking about the importance of cryptography.
Computers were talking to each other over the open network, not just via direct connections to one another; that sort of networking was transformative in many great ways, but also made it trivially easy to snoop on data traveling across the network. And with financial services being an early use case for computer communication, it was necessary to find a way to keep information secret.
IBM led the way in the late 1960s with an encryption method known as "Lucifer", which was eventually codified by the US National Bureau of Standards as the first Data Encryption Standard (DES). As the internet began to grow in importance, more and better encryption was needed, and today a significant portion of data flying around the world is encrypted using varying techniques that we'll discuss in more detail in a moment.
What is cryptography used for?
We've already discussed some of the specific applications of cryptography, from keeping military secrets to transmitting financial data safely across the internet.
In the bigger picture, though, there are some broad cyber security goals that we use cryptography to help us achieve, as cyber security consultant Gary Kessler explains. Using cryptographic techniques, security pros can:
- Keep the contents of data confidential
- Authenticate the identity of a message's sender and receiver
- Ensure the integrity of the data, showing that it hasn't been altered
- Demonstrate that the supposed sender really sent this message, a principle known as non-repudiation
You may recognise some of these principles from variations of the CIA triad. The first of these uses is the obvious one — you can keep data secret by encrypting it. The others take a bit of explanation, which we'll get into as we describe the different types of cryptography.
Types of cryptography
There are numerous cryptographic algorithms in use, but in general they can be broken into three categories: secret key cryptography, public key cryptography, and hash functions. Each has its own role to play within the cryptographic landscape.
Secret key cryptography:
The Caesar cipher we discussed above is a great example of secret key cryptography. In the example we used, if encrypted messages were being exchanged between Caesar and one of his centurions, both parties would have to know the key — in this case, how many letters forward or backwards in the alphabet you need to move to transform plaintext to ciphertext or vice versa.
But the key needs to stay a secret between the two of them. You couldn't send the key along with the message, for instance, because if both fell into enemy hands the message would be easy for them to decipher, defeating the whole purpose of encrypting it in the first place.
Caesar and his centurion would presumably have to discuss the key when they saw each other in person, though obviously this is less than ideal when wars are being fought over long distances.
Secret key cryptography, sometimes also called symmetric key, is widely used to keep data confidential. It can be very useful for keeping a local hard drive private, for instance; since the same user is generally encrypting and decrypting the protected data, sharing the secret key is not an issue.
Secret key cryptography can also be used to keep messages transmitted across the internet confidential; however, to successfully make this happen, you need to deploy our next form of cryptography in tandem with it.
Public key cryptography:
Caesar may have been able to confer with his centurions in person, but you don't want to go into your bank and talk to the teller just to learn what the private key is for encrypting your electronic communication with the bank — that would defeat the purpose of online banking.
In general, in order to function securely, the internet needs a way for communicating parties to establish a secure communications channel while only talking to each other across an inherently insecure network. The way this works is via public key cryptography.
In public key cryptography, sometimes also called asymmetric key, each participant has two keys. One is public, and is sent to anyone the party wishes to communicate with. That's the key used to encrypt messages. But the other key is private, shared with nobody, and it's necessary to decrypt those messages.
To use a metaphor: think of the public key as opening a slot on a mailbox just wide enough to drop a letter in. You give those dimensions to anyone who you think might send you a letter. The private key is what you use to open the mailbox so you can get the letters out.
The mathematics of how you can use one key to encrypt a message and another to decrypt it are much less intuitive than the way the key to the Caesar cipher works. The Infosec Institute has a deep dive if you're interested.
The core principle that makes the process work is that the two keys are actually related to each other mathematically such that it's easy to derive the public key from the private key but not vice versa. For instance, the private key might be two very large prime numbers, which you'd multiply together to get the public key.
The computations needed for public key cryptography are much more complex and resource intensive that those behind secret key infrastructure. Fortunately, you don't need to use it to protect every message you send online.
Instead, what usually happens is that one party will use public key cryptography to encrypt a message containing yet another cryptographic key. This key, having been safely transmitted across the insecure internet, will then become the private key that encodes a much longer communications session encrypted via secret key encryption.
In this way, public key cryptography assists the cause of confidentiality. But these public keys are also part of a larger set of functions known as public key infrastructure, or PKI. PKI provides ways to be sure that any given public key is associated with a specific person or institution. A message encrypted with a public key thus confirms the identity of the sender, establishing authentication and non-repudiation.
Public and private key cryptographic algorithms both involve transforming plaintext into ciphertext and then back into plaintext. By contrast, a hash function is one-way encryption algorithm: once you've encrypted your plaintext, you can't ever recover it from the resulting ciphertext (referred to as a hash).
This might make hash functions seem like a somewhat pointless exercise. But the key to their usefulness is that, for any given hash function, no two plaintexts will produce the same hash. Mathematically, this isn't quite correct, but for any hash function actually in use, the chances of it happening are generally vanishingly small and can be safely ignored.
This makes hashing algorithms a great tool for ensuring data integrity. For instance, a message can be sent along with its own hash. Upon receiving the message, you can run the same hashing algorithm on the message text; if the hash you produce is different from the one accompanying the message, you know the message has been modified in transit.
Hashing is also used to ensure the confidentiality of passwords. Storing passwords as plaintext is a big security no-no because that makes users prone to account and identity theft in the wake of data breaches (which sadly doesn't stop big players from doing it).
If instead you store a hashed version of a user's password, hackers won't be able to decrypt it and use it elsewhere even if they do manage to breach your defences. When a legitimate user logs in with their password, you can just hash it and check against the hash you have on file.
Cryptography examples and techniques
There are numerous techniques and algorithms that implement each of the three types of encryption discussed above. They are generally quite complex and beyond the scope of this article; we've included links here where you can learn more about some of the most commonly used examples.
Secret key encryption:
- Triple DES, the modern successor to DES discussed above
- Advanced Encryption Standard (AES)
- Blowfish and its successor Twofish, both from security legend Bruce Schneier
Public key encryption:
There are a wide range of hash functions with different specialised purposes. The list on Wikipedia is a good place to start.