Introduction to cryptography

Howard Poston
August 17, 2020 by
Howard Poston

The field of cryptology

Cryptology — literally “the study of secrets” — is composed of cryptography (making codes) and cryptanalysis (breaking codes). However, many people use the term cryptography interchangeably with cryptology. 

Cryptographic algorithms underpin many of the digital technologies that we use today, and their security is essential to allowing the internet (and other systems) to work as intended. Understanding how they work and how they can be broken is essential to using them effectively and securely.

Learn Applied Cryptography

Learn Applied Cryptography

Build your applied cryptography and cryptanalysis skills with 13 courses covering hashing, PKI, SSL/TLS, full disk encryption and more.

Classifying cryptosystems

Many different cryptographic algorithms exist and they can be classified in a few different ways. One of the fundamental classifications is encryption algorithms (which perform a reversible transformation on data) versus hash algorithms (which are a one-way transformation). Encryption and hash algorithms use many of the same mathematical concepts but have different objectives.

Within the space of encryption algorithms, there are a few different types of algorithms. Common classifications are symmetric versus asymmetric ciphers and — within the space of symmetric ciphers — block versus stream ciphers.

Symmetric vs. asymmetric ciphers

Symmetric and asymmetric encryption algorithms both have the same goal: to protect the confidentiality of data from anyone who doesn’t have a decryption key. However, they accomplish this in different ways.

Symmetric ciphers use the same secret key for encryption and decryption. In general, these algorithms are faster to run, making them better for bulk data encryption.

Asymmetric encryption algorithms use a private and public key that are related by a certain mathematical operation. The public key is used for encryption and the private key is used for decryption. This makes it possible to send an encrypted message without sharing a secret key first.

Block vs. stream ciphers

Symmetric encryption algorithms are further broken down into block and stream ciphers. These algorithms are differentiated by how they organize data for encryption.

A block cipher performs encryption and decryption on fixed-size chunks of data padded to the correct length. If the plaintext length is greater than the block size, these algorithms use block cipher modes of operation to define how to encrypt each chunk.

Stream ciphers, on the other hand, encrypt data on a per-bit basis. The encryption algorithm and secret key are used to create a stream of bits that are exclusive-ored (XORed) with the plaintext to create the ciphertext. At the other end, the process is repeated to retrieve the original plaintext (XORing the plaintext twice with the same bit stream results in the original plaintext).

The fundamental principles of cryptography

As a scientific field, it should come as no surprise that cryptography has its own fundamental principles (like gravity in physics). Three of the most important fundamental concepts in cryptography are the CIA triad, the principles of confusion and diffusion and Kerckhoffs’ Law.

CIA: Applications of cryptography

The CIA triad defines the three primary applications of cryptographic algorithms:

  • Confidentiality: Keeping data secret from unauthorized parties
  • Integrity: Ensuring that data has not been modified
  • Authentication: Validating the identity of a message sender

Different types of cryptographic algorithms provide these features at varying levels. For example, a symmetric cipher validates that the sender of a message is one of the holders of the encryption key, but an asymmetric algorithm can prove that the owner of a specific private key signed a message.

Confusion and diffusion

Confusion and diffusion are two properties of a cipher that were defined by Claude Shannon, the father of information security. The property of confusion states that every bit of the ciphertext should depend on multiple bits of the secret key, and the property of diffusion states that changing a single bit of the plaintext should change approximately half of the bits of the ciphertext.

These principles are used to evaluate the effectiveness of ciphers, but they are not essential to security. For example, the one-time pad — the only provably secure cipher — meets neither of these criteria. A symmetric block cipher, on the other hand, likely requires both for security.

Kerckhoffs’ Law

In theory, it seems like the more you can keep a secret about a cryptosystem, the harder it will be to attack. However, taking this approach to cryptography actually breaks one of the fundamental “laws” of cryptography.

Auguste Kerckhoffs was a Dutch cryptographer in the 19th century. He invented Kerckhoffs’ Law, which states that “a cryptosystem should be secure even if everything about the system, except the key, is public knowledge”.

The secret key in a cryptosystem is designed to be secret and is essential for differentiating between legitimate users and an attacker. However, according to Kerckhoffs, this is the only thing that should be secret in a cryptosystem.

The reason for this is that something that is intended to be a secret doesn’t always remain that way. A cryptosystem that relies upon secrecy for security, like Enigma, can potentially be broken by a sufficiently motivated attacker.

It is much better to make the details of a cryptosystem public and allow everyone to try to break it. If it survives unbroken, then it is probably resilient against attack. This philosophy is why NIST made the process for selecting AES an open contest, which turned out to be a good thing since several of the contestants — created by professional cryptographers — were shown to be insecure early in the process.

Getting started with cryptography

Cryptographic algorithms can seem complex, and understanding some of them at a deep level may require an advanced mathematics degree. However, many of the most commonly-used algorithms are based on simple operations, and understanding the types of cryptographic algorithms — and what they are designed to do — can go a long way towards avoiding misusing them in an application.

Learn Applied Cryptography

Learn Applied Cryptography

Build your applied cryptography and cryptanalysis skills with 13 courses covering hashing, PKI, SSL/TLS, full disk encryption and more.


Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at