When people first learn encryption, they imagine a simple system where one key locks data and another unlocks it. But real cybersecurity uses a much richer architecture: AES, RSA, ECC, TLS handshakes, cipher suites, key exchange algorithms, certificate validation, and more. This article breaks down these pieces and explains how real-world encryption protects data across the internet.
Encryption: Two-Way Protection
Encryption turns readable data into unreadable ciphertext. With the correct key, it can be reversed.
There are two types.
Symmetric Encryption
Uses a single key to both encrypt and decrypt data. The same key locks and unlocks the information.
Used in:
- WiFi
- VPN
- Disk encryption
- TLS sessions
Common symmetric algorithms:
- AES
A modern and very strong symmetric encryption standard.
It is used everywhere today because it is fast and secure.
- DES
An old symmetric cipher that is no longer safe.
Its key size is too small, making it easy to crack.
- 3DES
An improved version of DES but still outdated.
It is slower and weaker compared to modern AES.
Asymmetric Encryption
Uses two different keys: one public and one private. The public key encrypts, and the private key decrypts.
Used in:
- HTTPS
- Digital signatures
- Identity verification
- Secure email
Common asymmetric algorithms:
- RSA
A well-known asymmetric algorithm that uses large keys.
Reliable but slower and older compared to newer systems.
- ECC (Elliptic Curve Cryptography)
A modern asymmetric system with smaller keys and equal strength.
It is faster, lighter, and widely used in modern security systems.
Cipher Modes (How Block Encryption Works)
Block ciphers like AES encrypt only fixed-size pieces of data, so we need “modes” to handle real messages.
Think of AES as a machine that can only lock small boxes; cipher modes explain how to lock a whole suitcase full of boxes.
CBC (Cipher Block Chaining)
CBC encrypts each block by combining it with the previous encrypted block.
This dependency creates a chain, but CBC has no built-in integrity check, which leaves it vulnerable to padding oracle attacks and makes it outdated for modern use.
Imagine linking boxes together—if the first link breaks, everything after it becomes unsafe.
GCM (Galois/Counter Mode)
GCM uses counter mode encryption plus a built-in integrity check.
It provides confidentiality, integrity, and authenticity at the same time and is the standard in modern TLS.
It’s like locking your box and also putting a tamper-proof seal on it.
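The tamper-proof seal in practice, as an added example that is not part of the original article: AES-256-GCM through Node.js's built-in `crypto` module. The sample message, the `record-id` associated data and the helper names `seal` and `unseal` are constructed for illustration.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Encrypt one message. The 12-byte nonce must never repeat under the same key.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad); // associated data: integrity-protected but not encrypted
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt and verify. Returns null when the tag check fails, so callers
// never receive plaintext from a modified message.
function unseal(key, box, aad) {
  const decipher = createDecipheriv('aes-256-gcm', key, box.nonce);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  try {
    return Buffer.concat([decipher.update(box.ciphertext), decipher.final()]);
  } catch (err) {
    return null;
  }
}

// Constructed sample data: a valid round trip, then two kinds of modification.
function demo() {
  const key = randomBytes(32); // AES-256 key
  const aad = Buffer.from('record-id=42');
  const box = seal(key, Buffer.from('transfer 100 EUR to Alice'), aad);

  const flipped = Buffer.from(box.ciphertext);
  flipped[0] ^= 0x01; // a single bit changed in transit
  return {
    ok: unseal(key, box, aad).toString(),
    tampered: unseal(key, { ...box, ciphertext: flipped }, aad),
    wrongAad: unseal(key, box, Buffer.from('record-id=43')),
  };
}

console.log(demo());
```

With CBC alone, the flipped bit would decrypt to altered plaintext without any error; here the whole message is rejected.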
TLS Handshake
The TLS handshake is the process where two sides securely agree on encryption before any data is exchanged.
It sets up keys, verifies certificates, and chooses secure algorithms.
It’s like two people agreeing on a secret language first, before they start talking.
During the handshake, the client and server:
- Agree on encryption algorithms
- Exchange public keys
- Verify certificates
- Create a temporary symmetric session key
This session key is what encrypts all data afterward.
Cipher Suites
A cipher suite is a predefined “recipe” listing which algorithms will be used during a TLS session.
It defines the exact combination of AES mode, RSA/ECC method, hashing algorithm, and handshake mechanism.
Imagine ordering a combo meal—everything in the combo is fixed: drink, burger, fries. A cipher suite is a “security combo.”
A typical modern cipher suite uses:
- ECDHE for key exchange
- AES-GCM for encryption
- SHA-256 for integrity
Each part plays a role in securing the connection.
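An added example (not from the original article) that splits IANA-style cipher suite names into the parts listed above and flags the choices this article calls outdated. The function names are hypothetical and the four suite names are sample input; TLS 1.3 names omit the key exchange because that version always uses ephemeral (EC)DHE.

```javascript
// TLS 1.2 names: TLS_<key exchange>[_<authentication>]_WITH_<cipher>_<hash>
// TLS 1.3 names: TLS_<cipher>_<hash> (key exchange is negotiated separately)
function parseSuite(name) {
  const v12 = /^TLS_([A-Z0-9]+)(?:_([A-Z0-9]+))?_WITH_(.+)_([A-Z0-9]+)$/.exec(name);
  if (v12) {
    const [, keyExchange, auth, cipher, hash] = v12;
    // In TLS_RSA_WITH_... the RSA key does both key exchange and authentication.
    return { keyExchange, auth: auth || keyExchange, cipher, hash };
  }
  const v13 = /^TLS_(.+)_(SHA\d+)$/.exec(name);
  if (v13) {
    return { keyExchange: 'ECDHE/DHE', auth: 'certificate', cipher: v13[1], hash: v13[2] };
  }
  return null;
}

// Compare a suite against the article's guidance: ECDHE-style key exchange,
// AES-GCM rather than CBC, and no DES or 3DES.
function review(name) {
  const suite = parseSuite(name);
  if (!suite) return { name, findings: ['unrecognized suite name'] };
  const findings = [];
  if (!/^(ECDHE|DHE)/.test(suite.keyExchange)) {
    findings.push('key exchange is not ephemeral Diffie-Hellman');
  }
  if (/(^|_)3?DES(_|$)/.test(suite.cipher)) findings.push('DES-family cipher');
  if (/_CBC$/.test(suite.cipher)) findings.push('CBC mode without built-in integrity');
  return { name, ...suite, findings };
}

// Constructed sample input: IANA suite names chosen for illustration.
const samples = [
  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
  'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
  'TLS_RSA_WITH_AES_128_CBC_SHA',
  'TLS_AES_256_GCM_SHA384',
];

function reviewAll() {
  return samples.map(review);
}

console.log(reviewAll());
```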
TLS, Certificates, Keys, Trust
TLS (Transport Layer Security)
TLS provides a secure, encrypted connection between a client and a server.
It combines AES, RSA/ECC, certificates, and key exchange to protect data.
It’s like creating a private, locked tunnel between two computers so no one else can read the conversation.
SSL
SSL is the older version of TLS.
It is outdated and no longer considered safe.
Think of SSL like an old, broken lock—people used it before, but no one trusts it today.
Key Exchange Methods
DH (Diffie–Hellman)
A method that allows two parties to create a shared secret key over an insecure network.
No secret needs to be sent directly; both sides compute it separately.
It’s like two people independently creating the same secret number without ever telling each other what it is.
ECDH (Elliptic Curve Diffie–Hellman)
The elliptic-curve version of Diffie–Hellman.
It provides the same result but with smaller keys and better security per bit.
It’s the faster, stronger, modern version of DH — same idea, better performance.
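The key agreement described here, together with the "temporary symmetric session key" step of the handshake, as an added example that is not from the original article. It uses Node.js's built-in `crypto` module with the P-256 curve; HKDF-SHA-256 stands in for the real TLS key schedule, and the function names are hypothetical.

```javascript
const {
  generateKeyPairSync, createPublicKey, diffieHellman, hkdfSync,
} = require('node:crypto');

// Each side creates a fresh key pair for this one session.
// Only the public half (DER-encoded here) is sent over the network.
function newKeyShare() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { privateKey, wire: publicKey.export({ type: 'spki', format: 'der' }) };
}

// Combine our private key with the peer's public key, then derive a 32-byte
// AES-256 session key from the raw shared secret with HKDF-SHA-256.
function sessionKey(ownPrivateKey, peerWire, transcript) {
  const peerPublicKey = createPublicKey({ key: peerWire, format: 'der', type: 'spki' });
  const shared = diffieHellman({ privateKey: ownPrivateKey, publicKey: peerPublicKey });
  return Buffer.from(hkdfSync('sha256', shared, transcript, 'session key', 32));
}

function demo() {
  const client = newKeyShare();
  const server = newKeyShare();
  // Both sides have seen both public values, so both can build the same salt.
  const transcript = Buffer.concat([client.wire, server.wire]);

  const clientKey = sessionKey(client.privateKey, server.wire, transcript);
  const serverKey = sessionKey(server.privateKey, client.wire, transcript);

  // A third party who saw the same public values but holds neither private
  // key ends up with a different result.
  const outsider = newKeyShare();
  const outsiderKey = sessionKey(outsider.privateKey, server.wire, transcript);

  return {
    agree: clientKey.equals(serverKey),
    length: clientKey.length,
    outsiderMatches: outsiderKey.equals(clientKey),
  };
}

console.log(demo());
```

The exchange by itself does not prove who sent a public value, which is why the handshake also verifies certificates.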
PKI (Public Key Infrastructure)
PKI is the full system that makes browsers and devices trust websites.
It includes certificates, certificate authorities, trust chains, revocation, and validation systems.
PKI is like the world’s ID system for the internet — it proves who is real.
PKI is not a single tool.
It is the entire trust framework that the internet depends on.
Root Trust
Your device contains a built-in list of trusted Certificate Authorities (CAs).
If a root CA is trusted, any certificate issued under it is trusted automatically.
It’s like your phone already knowing which ID offices are legitimate.
Certificate
A digital document that proves the identity of a website, server, or software.
It contains the public key, domain name, issuer, expiration date, and cryptographic signatures.
A certificate is like an online ID card that proves a website is really who it claims to be.
Server Certificate
The certificate installed on a website or API server.
Browsers check it during the TLS handshake to confirm identity.
Non-tech: It’s like the website showing its ID before you talk to it.
Intermediate Certificate
A certificate issued by a trusted root CA and used to sign server certificates.
It forms part of the certificate chain and helps distribute trust securely.
Non-tech: Think of it as a manager who verifies employees on behalf of the company owner.
Root Certificate
The top-level certificate stored directly in your device’s trust store.
If a root certificate is trusted, all certificates beneath it are trusted.
Non-tech: The root certificate is like the highest authority that everyone trusts by default.
Certificate Validity
Certificates have expiration dates to limit risk.
Expired certificates immediately lose trust and must be renewed.
Non-tech: Just like passports, certificates are not valid forever.
Self-Signed Certificate
A certificate that is signed by itself instead of a CA.
Useful for development, internal systems, or testing, but not trusted publicly.
Non-tech: It’s like writing your own ID at home—useful privately, useless publicly.
Wildcard Certificate
A certificate that covers all subdomains of a domain (e.g., *.example.com).
It simplifies management for large systems.
Non-tech: It’s like one ID badge that unlocks every room in a building.
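An added example (not from the original article) of how a client matches a hostname against a certificate name. Under the standard matching rule the `*` replaces exactly one left-most label, so `*.example.com` covers `api.example.com` but not `example.com` itself or `a.b.example.com`. `matchesCertName` is a hypothetical helper, and the three-label minimum is a simplification of the public-suffix checks real clients apply.

```javascript
// Returns true when `hostname` is covered by the certificate name `pattern`.
function matchesCertName(pattern, hostname) {
  const p = pattern.toLowerCase().split('.');
  const h = hostname.toLowerCase().replace(/\.$/, '').split('.'); // drop trailing dot

  // Hostnames never contain "*" or empty labels.
  if (h.some((label) => label === '' || label.includes('*'))) return false;
  // "*" is only allowed as the complete left-most label of the pattern.
  if (p.slice(1).some((label) => label.includes('*'))) return false;
  const wildcard = p[0] === '*';
  if (p[0].includes('*') && !wildcard) return false; // rejects "a*.example.com"
  // Refuse overly broad patterns such as "*.com".
  if (wildcard && p.length < 3) return false;
  // "*" stands for exactly one label, so the label counts must be equal.
  if (p.length !== h.length) return false;

  const start = wildcard ? 1 : 0;
  return p.slice(start).every((label, i) => label === h[start + i]);
}

// Constructed sample checks.
function demo() {
  const cases = [
    ['*.example.com', 'api.example.com'],
    ['*.example.com', 'example.com'],
    ['*.example.com', 'a.b.example.com'],
    ['*.example.com', 'API.Example.COM.'],
    ['*.com', 'example.com'],
    ['www.example.com', 'www.example.com'],
  ];
  return cases.map(([pattern, host]) => matchesCertName(pattern, host));
}

console.log(demo());
```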
CA (Certificate Authority)
Trusted organization that issues certificates.
CRL (Certificate Revocation List)
List of certificates that are no longer valid.
OCSP (Online Certificate Status Protocol)
Real-time check of whether a certificate is still valid.
Certificate Chain
Server certificate
→ intermediate certificate
→ root certificate
This is how trust is built.
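An added example (not from the original article) that walks a chain from server certificate to root, checking expiry, revocation, issuer links and signatures along the way. It uses a simplified JSON certificate model with Ed25519 signatures rather than real X.509, revokes by subject name instead of serial number, and all names, dates and helper functions are constructed.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// The signed part of a certificate: who, issued by whom, until when, which key.
const body = (c) => Buffer.from(JSON.stringify([c.subject, c.issuer, c.notAfter, c.publicKeyPem]));

// Create a certificate. Without an issuer it signs itself (root or self-signed).
function issue(subject, notAfter, issuerCert, issuerKey) {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const cert = { subject, issuer: issuerCert ? issuerCert.subject : subject, notAfter,
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
  cert.signature = sign(null, body(cert), issuerKey || privateKey);
  return { cert, privateKey };
}

// Walk server -> intermediate -> root. Returns 'trusted' or the reason for
// rejection. The last element must sign itself and be in the trust store.
function validate(chain, trustStore, revoked, now) {
  for (let i = 0; i < chain.length; i++) {
    const cert = chain[i];
    const parent = chain[i + 1] || cert;
    if (now > Date.parse(cert.notAfter)) return `expired: ${cert.subject}`;
    if (revoked.includes(cert.subject)) return `revoked: ${cert.subject}`;
    if (cert.issuer !== parent.subject) return `broken chain at ${cert.subject}`;
    if (!verify(null, body(cert), parent.publicKeyPem, cert.signature)) {
      return `bad signature on ${cert.subject}`;
    }
  }
  const root = chain[chain.length - 1];
  return trustStore.includes(root.publicKeyPem) ? 'trusted' : `untrusted root: ${root.subject}`;
}

// Constructed sample PKI with a fixed clock.
function demo() {
  const now = Date.parse('2025-01-01');
  const root = issue('Example Root CA', '2035-01-01', null, null);
  const inter = issue('Example Intermediate CA', '2030-01-01', root.cert, root.privateKey);
  const server = issue('www.example.com', '2025-06-01', inter.cert, inter.privateKey);
  const selfSigned = issue('dev.internal', '2026-01-01', null, null);
  const store = [root.cert.publicKeyPem];
  const chain = [server.cert, inter.cert, root.cert];
  return {
    good: validate(chain, store, [], now),
    expired: validate(chain, store, [], Date.parse('2025-07-01')),
    revoked: validate(chain, store, ['www.example.com'], now),
    selfSigned: validate([selfSigned.cert], store, [], now),
  };
}

console.log(demo());
```

Real validators also check that each issuer is allowed to act as a CA and that the certificate name matches the host being contacted.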
EV Certificates
Extended Validation.
Stronger identity checks on the owner, but the same level of encryption.
Certificate Pinning
The app only trusts one specific certificate or key.
This stops fake certificates from being accepted.
Key Lifecycle
Keys must be:
- generated
- stored
- rotated
- expired
- destroyed
All of this must happen securely and on schedule.
Code Signing
Software is signed with a private key.
The system checks the signature before running it.
This stops malware from pretending to be real software.
Authentication and Identity Security
Kerberos
Authentication protocol used in Windows networks.
WPA3
Modern secure WiFi protocol.
PB (Password Based)
General term for password-based systems.
SAML
Old enterprise identity protocol.
OAuth2
Authorization system used in modern apps.
OIDC
Identity layer built on top of OAuth2.
Identity Provider (IdP)
Service that confirms user identity.
SSO (Single Sign On)
User logs in once and gets access to many apps.
JWT
Token format used by web systems.
Access Tokens
Short lived tokens for API access.
Federation
Identity sharing between systems.
Threat Modeling and Risk Terms
These terms help understand security risks.
STRIDE
Threat categories:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
DREAD
Old threat scoring model.
Attack Trees
Visual model of how an attacker can reach a goal.
Kill Chain
Stages of an attack.
MITRE ATT&CK
Database of attacker techniques.
Attack Surface
All possible points where an attacker can try to enter.
Vulnerabilities and Risk Metrics
CVE
Public identifier for vulnerabilities.
CVSS
Score that shows how dangerous a vulnerability is.
NVD
Database of official vulnerability records.
Threat Agents
Who might attack you.
Risk Scoring
How dangerous a situation is.
Infrastructure and Access Control
IAM
Identity and Access Management.
ACLs
Access control lists.
DMZ
A network zone between the public internet and the internal network.
Disaster Recovery Terms
RTO
How long a system can be down.
RPO
How much data loss is acceptable.
DR Site
Backup location for disasters.
Backup Testing
Testing that backups actually work.
Encryption can seem overwhelming at first, but once you see how the algorithms, keys, and trust layers connect, the entire system becomes understandable. This foundation will help you learn even deeper cybersecurity concepts later.