When people first learn encryption, they imagine a simple system where one key locks data and another unlocks it. But real cybersecurity uses a much richer architecture: AES, RSA, ECC, TLS handshakes, cipher suites, key exchange algorithms, certificate validation, and more. This article breaks down these pieces and explains how real-world encryption protects data across the internet.
Encryption: Two Way Protection
Encryption turns readable data into unreadable ciphertext. With the correct key, it can be reversed.
There are two types.
Symmetric Encryption
Uses a single key to both encrypt and decrypt data. The same key locks and unlocks the information. Used in:
- WiFi
- VPN
- Disk encryption
- TLS sessions
- AES
A modern and very strong symmetric encryption …
When people first learn encryption, they imagine a simple system where one key locks data and another unlocks it. But real cybersecurity uses a much richer architecture: AES, RSA, ECC, TLS handshakes, cipher suites, key exchange algorithms, certificate validation, and more. This article breaks down these pieces and explains how real-world encryption protects data across the internet.
Encryption: Two Way Protection
Encryption turns readable data into unreadable ciphertext. With the correct key, it can be reversed.
There are two types.
Symmetric Encryption
Uses a single key to both encrypt and decrypt data. The same key locks and unlocks the information. Used in:
- WiFi
- VPN
- Disk encryption
- TLS sessions
- AES
A modern and very strong symmetric encryption standard. It is used everywhere today because it is fast and secure.
- DES
An old symmetric cipher that is no longer safe. Its key size is too small, making it easy to crack.
- 3DES
An improved version of DES but still outdated. It is slower and weaker compared to modern AES.
Asymmetric Encryption Uses two different keys: one public and one private. The public key encrypts, and the private key decrypts. Used in:
- HTTPS
- Digital signatures
- Identity verification
- Secure email
- RSA
A well-known asymmetric algorithm that uses large keys. Reliable but slower and older compared to newer systems.
- ECC (Elliptic Curve Cryptography)
A modern asymmetric system with smaller keys and equal strength. It is faster, lighter, and widely used in modern security systems.
Cipher Modes (How Block Encryption Works)
Block ciphers like AES encrypt only fixed-size pieces of data, so we need “modes” to handle real messages. Think of AES as a machine that can only lock small boxes; cipher modes explain how to lock a whole suitcase full of boxes.
CBC (Cipher Block Chaining)
CBC encrypts each block by combining it with the previous encrypted block. This dependency creates a chain, but also makes CBC vulnerable to padding oracle attacks and outdated for modern use. Imagine linking boxes together—if the first link breaks, everything after it becomes unsafe.
GCM (Galois/Counter Mode)
GCM uses counter mode encryption plus a built-in integrity check. It provides confidentiality, integrity, and authenticity at the same time and is the standard in modern TLS. It’s like locking your box and also putting a tamper-proof seal on it.
TLS Handshake
The TLS handshake is the process where two sides securely agree on encryption before any data is exchanged. It sets up keys, verifies certificates, and chooses secure algorithms. It’s like two people agreeing on a secret language first, before they start talking.
During the handshake, the client and server:
- Agree on encryption algorithms
- Exchange public keys
- Verify certificates
- Create a temporary symmetric session key
This session key is what encrypts all data afterward.
Cipher Suites
A cipher suite is a predefined “recipe” listing which algorithms will be used during a TLS session. It defines the exact combination of AES mode, RSA/ECC method, hashing algorithm, and handshake mechanism. Imagine ordering a combo meal—everything in the combo is fixed: drink, burger, fries. A cipher suite is a “security combo.”
A typical modern cipher suite uses:
- ECDHE for key exchange
- AES-GCM for encryption
- SHA-256 for integrity
Each part plays a role in securing the connection.
TLS, Certificates, Keys, Trust
TLS (Transport Layer Security)
TLS provides a secure, encrypted connection between a client and a server. It combines AES, RSA/ECC, certificates, and key exchange to protect data. It’s like creating a private, locked tunnel between two computers so no one else can read the conversation.
SSL
SSL is the older version of TLS. It is outdated and no longer considered safe. Think of SSL like an old, broken lock—people used it before, but no one trusts it today.
Key Exchange Methods DH (Diffie–Hellman)
A method that allows two parties to create a shared secret key over an insecure network. No secret needs to be sent directly; both sides compute it separately. It’s like two people independently creating the same secret number without ever telling each other what it is.
ECDH (Elliptic Curve Diffie–Hellman)
The elliptic-curve version of Diffie–Hellman. It provides the same result but with smaller keys and better security per bit. It’s the faster, stronger, modern version of DH — same idea, better performance.
🔑 PKI (Public Key Infrastructure)
PKI is the full system that allows browsers to trust websites.
It includes:
Certificates
Certificate Authorities
Trust chain
OCSP
Revocation lists
PKI is not a tool. It is the entire trust framework of the internet.
Root Trust
Your device has a built-in list of trusted Certificate Authorities. If a CA is trusted, all its certificates are trusted.
CA (Certificate Authority)
Trusted organization that issues certificates.
CRL (Certificate Revocation List)
List of certificates that are no longer valid.
OCSP
Real time check if a certificate is valid.
Certificate Chain
Server certificate → intermediate certificate → root certificate
This is how trust is built.
EV Certificates
Extended validation. Stronger identity checks but same security.
Certificate Pinning
App only trusts one specific certificate or key. Stops fake certificates.
Key Lifecycle
Keys must be:
generated
stored
rotated
expired
destroyed
Securely and on schedule.
Code Signing
Software is signed with a private key. System checks signature before running it. Stops malware pretending to be real software.
Authentication and Identity Security
Kerberos
Authentication protocol used in Windows networks.
WPA3
Modern secure WiFi protocol.
PB (Password Based)
General term for password-based systems.
SAML
Old enterprise identity protocol.
OAuth2
Authorization system used in modern apps.
OIDC
Identity layer built on top of OAuth2.
Identity Provider (IdP)
Service that confirms user identity.
SSO (Single Sign On)
User logs in once and gets access to many apps.
JWT
Token format used by web systems.
Access Tokens
Short lived tokens for API access.
Federation
Identity sharing between systems.
Threat Modeling and Risk Terms
These terms help understand security risks.
STRIDE
Threat categories:
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
DREAD
Old threat scoring model.
Attack Trees
Visual model of how an attacker can reach a goal.
Kill Chain
Stages of an attack.
MITRE ATTACK
Database of attacker techniques.
Attack Surface
All possible points where attacker can try to enter.
Vulnerabilities and Risk Metrics
CVE
Public identifier for vulnerabilities.
CVSS
Score that shows how dangerous a vulnerability is.
NVD
Database of official vulnerability records.
Threat Agents
Who might attack you.
Risk Scoring
How dangerous a situation is.
Infrastructure and Access Control
IAM
Identity and Access Management.
ACLs
Access control lists.
DMZ
A network zone between public internet and internal network.
Disaster Recovery Terms
RTO
How long system can be down.
RPO
How much data loss is acceptable.
DR Site
Backup location for disasters.
Backup Testing
Testing that backups actually work.
Encryption can seem overwhelming at first, but once you see how the algorithms, keys, and trust layers connect, the entire system becomes understandable. This foundation will help you learn even deeper cybersecurity concepts later.