Encryption Explained: Keeping Secrets on the Internet

Throughout this series, encryption has kept showing up. HTTPS encrypts web traffic. Password hashes protect credentials. JWTs use cryptographic signatures. Reverse shells can be encrypted with TLS.

This post explains how all of that actually works - without the math. You don’t need to understand the algebra behind RSA to use it effectively. You need to understand what it does, when to use it, and how it breaks.

What Is Encryption?

Encryption transforms readable data (plaintext) into unreadable data (ciphertext) using a key. Only someone with the correct key can reverse it (decryption).

Plaintext   +  Key  →  Encryption  →  Ciphertext
"hello"     +  key  →     ????     →  "x7$kQ2m"

Ciphertext  +  Key  →  Decryption  →  Plaintext
"x7$kQ2m"   +  key  →     ????     →  "hello"

Without the key, the ciphertext is meaningless. That’s the whole point.

The Two Types of Encryption

There are two fundamentally different approaches to encryption. Understanding the difference is essential.

Symmetric Encryption: One Key

One key does both encryption and decryption. Same key locks and unlocks.

Alice encrypts: "hello" + SecretKey → "x7$kQ2m"
Alice sends ciphertext to Bob
Bob decrypts:   "x7$kQ2m" + SecretKey → "hello"

Analogy: A padlock where both people have copies of the same key. Either person can lock or unlock it.

The problem: How do Alice and Bob agree on the secret key in the first place? If they send it over the internet, anyone listening can intercept it. This is the key distribution problem.

Common Symmetric Algorithms

Algorithm	Key Size	Status	Notes
AES-128	128-bit	Secure	Standard for most uses
AES-256	256-bit	Secure	Used when higher security needed
ChaCha20	256-bit	Secure	Fast in software, used in TLS
DES	56-bit	Broken	Too short, brute-forceable
3DES	168-bit	Deprecated	Slow, being phased out
RC4	Variable	Broken	Known biases, don’t use

AES (Advanced Encryption Standard) is the dominant symmetric algorithm. When someone says “encrypted,” they usually mean AES. It’s fast, well-studied, and has no known practical attacks at 128-bit or 256-bit key sizes.

Strengths and Weaknesses

Strengths:

• Very fast (hardware acceleration on modern CPUs)
• Efficient for large amounts of data
• Well-understood, extensively analyzed

Weaknesses:

• Key distribution problem - both parties need the same key
• Key management at scale - 100 users talking to each other need thousands of shared keys

Asymmetric Encryption: Two Keys

Two mathematically related keys: a public key and a private key. What one encrypts, only the other can decrypt.

Bob's Public Key (shared with everyone):  Used to ENCRYPT messages to Bob
Bob's Private Key (kept secret by Bob):   Used to DECRYPT messages from anyone

Alice encrypts: "hello" + Bob's Public Key → "x7$kQ2m"
Alice sends ciphertext to Bob
Bob decrypts:   "x7$kQ2m" + Bob's Private Key → "hello"

Analogy: A mailbox. Anyone can put mail in (public key = the slot). Only Bob has the key to open it (private key).

The key insight: Bob’s public key is truly public. He can post it online, email it, print it on a billboard. Anyone can encrypt a message to Bob. Only Bob can read it.

This solves the key distribution problem. No shared secret needs to be exchanged.

Common Asymmetric Algorithms

Algorithm	Use	Status
RSA	Encryption, signatures	Secure at 2048+ bits
ECDSA	Digital signatures	Secure, smaller keys than RSA
ECDH	Key exchange	Secure, widely used in TLS
Ed25519	Digital signatures	Modern, fast, secure
DSA	Digital signatures	Being phased out

Strengths and Weaknesses

Strengths:

• Solves key distribution (no shared secret)
• Enables digital signatures (proof of identity)
• Scales better (N users need N key pairs, not N² shared keys)

Weaknesses:

• Much slower than symmetric encryption (100-1000x)
• Not practical for encrypting large amounts of data
• Key sizes are larger (2048-4096 bits vs 128-256 bits)

How They Work Together

In practice, you use both. Asymmetric encryption solves the key exchange problem. Symmetric encryption does the heavy lifting.

1. Alice and Bob use asymmetric encryption to securely exchange a symmetric key
2. They use the symmetric key to encrypt their actual communication
3. Fast symmetric encryption handles the bulk data
4. Secure asymmetric encryption handled the key exchange

This is exactly how TLS (HTTPS) works. We’ll cover that in the next post.

Key Exchange: The Diffie-Hellman Concept

How do two people who’ve never met create a shared secret over a public channel? This is the problem Diffie-Hellman solves.

The concept (without math):

1. Alice and Bob agree on public parameters (visible to everyone)
2. Alice picks a private secret (only she knows)
3. Bob picks a private secret (only he knows)
4. Alice does a calculation with her secret + public parameters → sends result to Bob
5. Bob does a calculation with his secret + public parameters → sends result to Alice
6. Alice combines Bob's result with her secret → gets SHARED KEY
7. Bob combines Alice's result with his secret → gets SAME SHARED KEY

An eavesdropper sees the public parameters and both results, but cannot derive the shared key without one of the private secrets. The math makes it computationally impossible to reverse.

The paint mixing analogy:

1. Alice and Bob agree on a common color: Yellow
2. Alice picks a secret color: Red → mixes with Yellow → gets Orange → sends Orange to Bob
3. Bob picks a secret color: Blue → mixes with Yellow → gets Green → sends Green to Alice
4. Alice mixes Bob's Green + her secret Red → gets Brown
5. Bob mixes Alice's Orange + his secret Blue → gets SAME Brown

An eavesdropper sees Yellow, Orange, and Green, but can’t unmix the colors to find Red or Blue. Both Alice and Bob arrive at Brown (the shared secret) independently.

This shared secret becomes the symmetric encryption key for their session.

Encryption Modes: How Data Is Actually Encrypted

When encrypting data larger than a single block (AES works on 128-bit blocks), you need a mode of operation that determines how blocks are chained together.

Modes You Should Know

Mode	Name	Use It?
ECB	Electronic Codebook	Never - identical plaintext blocks produce identical ciphertext blocks
CBC	Cipher Block Chaining	Acceptable with random IV, but being replaced
CTR	Counter	Good - turns block cipher into stream cipher
GCM	Galois/Counter Mode	Best - encryption + authentication in one

Why ECB Is Dangerous

ECB encrypts each block independently. If two blocks have the same plaintext, they produce the same ciphertext. This leaks patterns.

The classic demonstration: encrypt an image with ECB vs CBC.

ECB: You can still see the outline of the image in the ciphertext
CBC: Ciphertext looks like random noise (no patterns visible)

If you ever see “AES-ECB” in a security review, flag it. Always use AES-GCM or AES-CBC with a random IV at minimum.

Authenticated Encryption (AEAD)

Regular encryption protects confidentiality (nobody can read it) but not integrity (nobody has modified it). An attacker might not be able to read the ciphertext, but they could flip bits and change the content.

Authenticated Encryption with Associated Data (AEAD) provides both:

• Confidentiality: Data is unreadable without the key
• Integrity: Any modification is detected and rejected

AES-GCM is AEAD. It’s the standard for modern encryption.

Common Encryption Mistakes

Mistake 1: Using Encryption When You Need Hashing

Encrypting passwords is wrong. You should hash them. Encryption is reversible (that’s the point). If someone steals the encryption key, all passwords are exposed. Hashing is one-way - there’s no key to steal.

We’ll cover hashing in the next post.

Mistake 2: Reusing Keys and IVs

An IV (Initialization Vector) or nonce is random data mixed in to ensure the same plaintext produces different ciphertext each time. Reusing an IV with the same key can completely break encryption in some modes.

AES-GCM with nonce reuse → attacker can recover plaintext
AES-CTR with nonce reuse → XOR of two plaintexts is exposed

Always generate a fresh random IV/nonce for each encryption operation.

Mistake 3: Rolling Your Own Crypto

Cryptography is one area where “build it yourself” is always wrong. Custom encryption algorithms invariably have flaws that experts would catch. Use established libraries:

• Python: cryptography library
• Node.js: crypto module (built-in)
• Java: JCA/JCE
• Go: crypto package (standard library)

Use standard algorithms (AES-GCM, ChaCha20-Poly1305) with standard libraries. The algorithm choice has been solved - the implementation is where mistakes happen.

Mistake 4: Weak Key Generation

Encryption is only as strong as the key. A 256-bit key generated from Math.random() or a user’s password (without a proper key derivation function) undermines the whole system.

Use cryptographically secure random number generators:

• os.urandom() (Python)
• crypto.randomBytes() (Node.js)
• SecureRandom (Java)
• /dev/urandom (Linux)

For key derivation from passwords, use PBKDF2, scrypt, or Argon2.

Encryption in the Real World

Data at Rest

Data stored on disk (files, databases, backups):

What	How
Full disk encryption	BitLocker (Windows), FileVault (Mac), LUKS (Linux)
Database encryption	Transparent Data Encryption (TDE)
File encryption	GPG, age, 7-Zip with AES
Cloud storage	Provider-managed keys or customer-managed keys

Data in Transit

Data moving over a network:

What	How
Web traffic	TLS (HTTPS)
Email	TLS (SMTP), S/MIME, PGP
VPN	IPsec, WireGuard, OpenVPN
SSH	SSH protocol (built-in encryption)
API calls	TLS (HTTPS)

Data in Use

Data being processed in memory. This is the hardest to protect:

• Confidential computing (Intel SGX, AMD SEV) encrypts data in memory
• Still emerging technology with its own vulnerabilities
• Generally, data in use is the weakest link

When Encryption Fails

Encryption doesn’t fail because the math breaks. It fails because of everything around it:

Failure	Example
Key management	Encryption key stored next to the encrypted data
Implementation bugs	Heartbleed exposed TLS memory contents
Side channels	Timing attacks reveal information about the key
Human factors	Password used as encryption key is “password123”
Obsolete algorithms	Using DES, RC4, or MD5
Protocol flaws	SSL 3.0 POODLE attack, TLS 1.0 BEAST attack

The algorithm is rarely the problem. The ecosystem around it is.

Try It Yourself

Safe exploration with command-line tools:

# Generate a random encryption key (32 bytes = 256 bits)
openssl rand -hex 32

# Encrypt a file with AES-256-CBC
openssl enc -aes-256-cbc -salt -in secret.txt -out secret.enc -pass pass:mypassword

# Decrypt it
openssl enc -aes-256-cbc -d -in secret.enc -out decrypted.txt -pass pass:mypassword

# Generate an RSA key pair
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

# Encrypt with the public key
echo "hello" | openssl rsautl -encrypt -pubin -inkey public.pem -out message.enc

# Decrypt with the private key
openssl rsautl -decrypt -inkey private.pem -in message.enc

What’s Next

Encryption keeps data secret. But there are two more pieces to the puzzle:

• Hashing - How do you verify data hasn’t been changed? How do you store passwords safely?
• Certificates and TLS - How do you verify you’re talking to the right server, not an impostor?

The next post covers both: hashing, digital signatures, certificates, and how TLS ties everything together into the secure web.

References

• Cloudflare - What is Encryption?
• Practical Cryptography for Developers
• Crypto101 - Free introductory cryptography book

---

Encryption is a tool, not a solution. Encrypting everything means nothing if the key is stored in a plaintext config file. Understand not just how encryption works, but how the keys are managed.