Lesson 6	Encrypting and Decrypting Data
Objective	Types and uses of encryption

Encrypting and Decrypting Data

Encryption protects sensitive information from being read or modified by anyone who is not authorized to see it. In simple terms, encryption converts readable data (plaintext) into unreadable data (ciphertext) using a mathematical process called an algorithm and one or more keys. Decryption reverses that process for an authorized recipient.

Modern security depends on encryption. It is used to secure web traffic (HTTPS/TLS), protect stored data (disk and database encryption), sign software, authenticate systems, and enable private messaging. You cannot safely run an online business, process payments, or protect regulated data (financial, healthcare, identity data) without encryption.

How Encryption Works

All practical encryption systems rely on two ideas:

An algorithm: The published mathematical procedure used to scramble and unscramble data.
A key: A piece of secret input (for example, a 256-bit value) that controls how the algorithm transforms the data. If an attacker does not have the correct key, the ciphertext should remain useless to them.

The security of modern cryptography is based on protecting the keys, not on hiding how the algorithm works. Strong algorithms are public, peer-reviewed, and hardened over time. Weak or homegrown encryption is not acceptable security practice.

Core Encryption Models

1. Symmetric Encryption

Symmetric encryption uses one key. The same key is used to encrypt and decrypt the data. Because it is fast and efficient, symmetric encryption is used for:

Data at rest: Full-disk encryption, database column encryption, encrypted backups, encrypted cloud object storage.
Bulk data in transit: After two systems agree on a shared session key, large payloads (files, video streams, API responses) are encrypted symmetrically for speed.

Modern symmetric standard: AES (Advanced Encryption Standard), typically with 128-bit or 256-bit keys. DES and RC4 are obsolete. Use of DES, 3DES, or RC4 today creates compliance and confidentiality risk.

Typical workflow in practice:


// Pseudocode
ciphertext = AES-256-Encrypt(plaintext, shared_secret_key)
plaintext  = AES-256-Decrypt(ciphertext, shared_secret_key)

Network Security and Firewalls

2. Asymmetric Encryption (Public-Key Encryption)

Asymmetric encryption uses a mathematically related key pair:

Public key: Safe to share. Used to encrypt data for you or to verify your digital signature.
Private key: Must remain secret. Used to decrypt data sent to you or to create your digital signature.

Asymmetric encryption solves the “key exchange” problem: two parties that have never met can still start a secure session without first sharing a secret in person.

Common real-world uses:

Establishing secure connections: TLS handshakes in HTTPS use asymmetric cryptography to negotiate a temporary symmetric session key.
Digital signatures: Software packages, container images, firmware updates, and documents are signed with a private key so recipients can verify authenticity and integrity using the public key.
Zero-trust authentication: SSH key-based login and modern API/service identity models often rely on public/private key infrastructure.

Modern asymmetric standards include RSA (with strong, long keys) and Elliptic Curve Cryptography (ECC), which achieves equivalent security with shorter keys and better performance.

3. One-Way Functions (Cryptographic Hashing)

A cryptographic hash function (for example, SHA-256) takes input data and produces a fixed-length digest. A proper hash is:

Deterministic: Same input → same output.
One-way: You cannot “decrypt” a hash to recover the original input.
Collision-resistant: It should be computationally infeasible to find two different inputs that generate the same hash.

Typical uses of hashing:

Password storage: Systems should store salted password hashes, not plaintext passwords.
Integrity checking: Verifying that a file, message, or software update was not modified in transit.
Digital signatures: The data is hashed first, and then the hash is signed with a private key to produce a compact, verifiable signature.

Note: Hashing is often (incorrectly) called “one-way encryption.” It is not encryption. Encryption is reversible with the right key. Hashing is intentionally not reversible.

Summary Table: Encryption Types and Common Uses

Encryption type	Description	Common Uses
Symmetric	Single shared key is used to encrypt and decrypt data (e.g., AES-256)	Disk encryption, database encryption, bulk TLS session traffic
Asymmetric	Public/private key pair; data encrypted with the public key can only be decrypted with the private key	HTTPS/TLS setup, SSH, digital signatures, code signing, key exchange
One-way (Hashing)	Irreversible digest of data; cannot be “decrypted” back to the original input	Password storage, integrity checks, message digests
Applied / Hybrid	Uses multiple techniques together for end-to-end security	Modern HTTPS: asymmetric keys establish trust and negotiate an AES session key; symmetric keys then carry the traffic

Encryption Strength

When we say encryption is “strong,” we are talking about how difficult it is for an attacker to recover the plaintext or the key. Strength depends on:

Algorithm quality: Is the algorithm still considered secure by the cryptographic community? For example, AES and modern ECC curves are strong; DES and RC4 are obsolete.
Key secrecy: Even the best algorithm fails if the private key leaks.
Key length / key space: Longer keys make brute-force guessing infeasible. Today, 256-bit symmetric keys and sufficiently long asymmetric keys are standard for regulated environments and payment workflows.

Export rules historically tried to limit “strong encryption,” but modern global commerce depends on it. Anything less than strong, publicly vetted encryption is generally unacceptable for financial transactions, healthcare data, identity data, or government workloads.

Key Management (Why Good Encryption Still Fails)

Most breaches do not happen because AES is broken. They happen because keys are stolen, mishandled, or never rotated.

Key generation: Keys must be generated using high-quality randomness. Guessable keys = no security.
Key storage: Store private keys in a protected system such as an HSM (Hardware Security Module), TPM, secure enclave, or a vetted Key Management Service (KMS). Never leave keys in plaintext in source code, config files, or email.
Key rotation: Rotate keys on a schedule and after any suspected exposure. Short-lived TLS certificates and short-lived API tokens reduce blast radius.

In zero-trust environments, services are expected to prove their identity continuously. Keys and certificates are now treated like per-service credentials, not something you set once and forget.

Threats and Countermeasures

Attackers rarely “crack AES-256.” Instead, they go after people, endpoints, and key handling. Common threats:

Credential theft / key theft: Someone finds the private key on a developer’s laptop, in a Git repo, or in an unsecured backup.
Password guessing / dictionary attacks: Automated tools try common or leaked passwords to get access to encrypted stores.
Sniffing unencrypted traffic: If data travels without TLS, it can be captured and replayed. Plain HTTP, legacy telnet, and unencrypted IMAP/POP/SMTP are all unacceptable on modern networks.
Outdated algorithms: Legacy ciphers such as DES, 3DES, and RC4 are fast to break with current hardware. Leaving them enabled in “compatibility mode” is a serious risk.

Recommended countermeasures:

Enforce TLS 1.2+ (preferably TLS 1.3) everywhere possible.
Disable legacy ciphers and key exchange methods in servers and network appliances.
Protect private keys using least privilege and hardware-backed storage.
Rotate credentials and certificates on a defined schedule.
Use multi-factor authentication (MFA) so that a stolen password alone is not enough.

Practical View for Security Specialists

This section summarizes the relevant parts of “Encryption Methods,” which previously lived on a separate non-workflow page. The goal is to keep everything that matters in one place.

What you must know to secure data

Symmetric vs. Asymmetric: Symmetric is fast and protects large data streams. Asymmetric is slower but enables trust, identity, and secure key exchange. In practice, most real systems use both.
Key management is security: If you leak the private key, the encryption might as well not exist. Use HSMs/KMS, store keys separately from data, and rotate keys.
Modern algorithms only: Use AES (symmetric), RSA/ECC (asymmetric), and SHA-256 or better for hashing. Retire DES, 3DES, RC4, MD5, and SHA-1.
Integrity and authenticity: Encryption alone does not prove who sent the data or whether it was modified. Digital signatures, certificate chains, and message authentication codes (MACs/HMACs) solve that problem.
Compliance and auditing: For regulated data, you must be able to prove that sensitive data was encrypted in transit and at rest, keys were controlled, and unauthorized access would not expose cleartext.

In other words: encryption is more than scrambling bytes. It is policy, identity, and lifecycle management.

Glossary

Algorithm: A defined, testable procedure for encryption or hashing.
Plaintext: Original readable data before encryption (or after decryption).
Ciphertext: The encrypted output. It should look meaningless to anyone without the correct key.
Key: The secret value that controls encryption and decryption. In symmetric crypto, both sides share the same key. In asymmetric crypto, you keep the private key secret and distribute the public key.
Digital signature: A cryptographic proof that data came from a specific party and was not altered.
Hash / message digest: A one-way fingerprint of data (for example, SHA-256). Used for integrity checks and password storage, not for reversible encryption.

Takeaway: Strong, modern encryption plus disciplined key management is mandatory for secure communication, payment processing, identity assurance, and regulatory compliance. Weak ciphers, exposed private keys, and unencrypted network traffic are unacceptable in modern environments.