it

A Deep Cybersecurity View of Encryption

Published: (December 4, 2025 at 05:36 PM EST)
4 min read
Source: Dev.to

Source: Dev.to

Encryption: Two‑Way Protection

Encryption turns readable data into unreadable ciphertext. With the correct key, it can be reversed.

Symmetric Encryption

Uses a single key to both encrypt and decrypt data.

Common uses

  • Wi‑Fi
  • VPN
  • Disk encryption
  • TLS sessions

Algorithms

  • AES – Modern, fast, and secure symmetric standard.
  • DES – Old cipher; key size too small, no longer safe.
  • 3DES – Improved DES but still outdated; slower and weaker than AES.

Asymmetric Encryption

Uses a public key to encrypt and a private key to decrypt.

Common uses

  • HTTPS
  • Digital signatures
  • Identity verification
  • Secure email

Algorithms

  • RSA – Well‑known, reliable but slower and older than newer systems.
  • ECC (Elliptic Curve Cryptography) – Modern asymmetric system with smaller keys, offering equal strength, faster and lighter.

Cipher Modes (How Block Encryption Works)

Block ciphers like AES encrypt fixed‑size pieces of data; modes define how to handle longer messages.

  • CBC (Cipher Block Chaining) – Each block is combined with the previous ciphertext block. Vulnerable to padding‑oracle attacks; considered outdated.
  • GCM (Galois/Counter Mode) – Counter‑mode encryption with built‑in integrity check, providing confidentiality, integrity, and authenticity. Standard in modern TLS.

TLS Handshake

The TLS handshake securely negotiates encryption before any data is exchanged.

  • Agree on encryption algorithms
  • Exchange public keys
  • Verify certificates
  • Create a temporary symmetric session key (used for all subsequent data)

Cipher Suites

A cipher suite is a predefined “recipe” that specifies the algorithms used in a TLS session (key exchange, encryption, hashing, etc.).

Typical modern suite:

  • ECDHE for key exchange
  • AES‑GCM for encryption
  • SHA‑256 for integrity

TLS, Certificates, Keys, Trust

TLS (Transport Layer Security)

Provides an encrypted connection between client and server, combining AES, RSA/ECC, certificates, and key exchange.

SSL

Older version of TLS; now considered insecure.

Key Exchange Methods

  • DH (Diffie–Hellman) – Creates a shared secret over an insecure network without transmitting the secret directly.
  • ECDH (Elliptic Curve Diffie–Hellman) – Same concept with smaller keys and better security per bit.

PKI (Public Key Infrastructure)

Components:

  • Certificates
  • Certificate Authorities (CAs)
  • Trust chain (root → intermediate → server)
  • OCSP (Online Certificate Status Protocol)
  • CRL (Certificate Revocation List)

Root Trust – Devices store a built‑in list of trusted CAs; any certificate issued by a trusted CA is accepted.

EV Certificates – Extended Validation; stronger identity checks but same cryptographic security.

Certificate Pinning – Application trusts only a specific certificate or key, preventing fake certificates.

Key Lifecycle

  • Generation
  • Secure storage
  • Rotation
  • Expiration
  • Secure destruction

Code Signing

Software is signed with a private key; systems verify the signature before execution, helping prevent malware impersonation.

Authentication and Identity Security

  • Kerberos – Authentication protocol for Windows networks.
  • WPA3 – Modern secure Wi‑Fi protocol.
  • Password‑Based (PB) – General term for password‑based systems.
  • SAML – Older enterprise identity protocol.
  • OAuth 2 – Authorization framework for modern apps.
  • OIDC (OpenID Connect) – Identity layer built on OAuth 2.
  • Identity Provider (IdP) – Service that confirms user identity.
  • SSO (Single Sign‑On) – One login grants access to multiple applications.
  • JWT (JSON Web Token) – Token format used in web systems.
  • Access Tokens – Short‑lived tokens for API access.
  • Federation – Sharing identity information across systems.

Threat Modeling and Risk Terms

  • STRIDE – Threat categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
  • DREAD – Older threat‑scoring model.
  • Attack Trees – Visual model of attacker paths to a goal.
  • Kill Chain – Stages of an attack.
  • MITRE ATT&CK – Database of attacker techniques.
  • Attack Surface – All points where an attacker could attempt entry.

Vulnerabilities and Risk Metrics

  • CVE – Public identifier for known vulnerabilities.
  • CVSS – Scoring system indicating severity of a vulnerability.
  • NVD – National Vulnerability Database; official repository of vulnerability records.
  • Threat Agents – Entities that might launch attacks.
  • Risk Scoring – Assessment of how dangerous a situation is.

Infrastructure and Access Control

  • IAM (Identity and Access Management) – Framework for managing user identities and permissions.
  • ACLs (Access Control Lists) – Lists defining who can access which resources.
  • DMZ (Demilitarized Zone) – Network segment separating public internet from internal network.

Disaster Recovery Terms

  • RTO (Recovery Time Objective) – Maximum acceptable downtime.
  • RPO (Recovery Point Objective) – Maximum acceptable data loss.
  • DR Site – Backup location for disaster recovery.
  • Backup Testing – Verifying that backups function correctly.

Encryption may seem overwhelming at first, but understanding how algorithms, keys, and trust layers interconnect makes the system comprehensible and provides a solid foundation for deeper cybersecurity concepts.

Back to Blog

Related posts

Read more »