How Encryption Works: Symmetric, Asymmetric, and Public Key Cryptography

Encryption transforms readable data into unintelligible ciphertext. Learn how symmetric and asymmetric encryption work, what public key cryptography is, and how these systems secure your digital life.

The InfoNexus Editorial Team · May 15, 2026 · 11 min read

What Is Encryption?

Encryption is the process of converting readable data—plaintext—into an unintelligible scrambled form called ciphertext, using a mathematical algorithm and a key. Only parties who possess the correct decryption key can convert the ciphertext back into readable plaintext. Encryption is the fundamental building block of digital security, protecting everything from your bank transactions to your private messages to classified government communications.

The practice of secret writing is ancient—Julius Caesar used a simple substitution cipher to protect military communications, shifting each letter by a fixed number of positions in the alphabet. Modern encryption is incomparably more sophisticated, relying on number theory, abstract algebra, and computational complexity to create systems that are effectively unbreakable with current and foreseeable future technology. Where Caesar's cipher could be broken in minutes by hand, AES-256 encrypted data cannot be brute-forced by all the computers in the world working for the lifetime of the universe.

Encryption serves three of the foundational goals of information security: confidentiality (data cannot be read by unauthorized parties), integrity (encrypted data that has been tampered with will fail decryption verification), and authentication (cryptographic signatures verify the identity of the sender). Modern encryption systems address all three simultaneously, which is why they underpin virtually every secure digital communication protocol, from HTTPS to Signal to SSH.

Symmetric Encryption: One Key for All

Symmetric encryption uses the same key to both encrypt and decrypt data. The sender encrypts the message with the shared key, sends the ciphertext, and the recipient uses the same key to decrypt it. This is the oldest form of encryption and remains in wide use today because it is extremely fast and computationally efficient—ideal for encrypting large amounts of data.

The most widely used modern symmetric cipher is AES (Advanced Encryption Standard), adopted by the U.S. government in 2001 after a rigorous public competition. AES operates on fixed-size blocks of data (128 bits) using key sizes of 128, 192, or 256 bits. AES-256 is considered quantum-resistant for practical purposes—even a quantum computer using Grover's algorithm would only halve the effective key length to 128 bits, which remains astronomically secure. AES is implemented in hardware on modern processors, making it extraordinarily fast—capable of encrypting gigabytes per second on commodity hardware.

Other symmetric ciphers include ChaCha20, which is favored in contexts where hardware AES acceleration is unavailable (such as older mobile devices), and 3DES (Triple DES), an older cipher now deprecated in most applications. Symmetric encryption has one critical weakness: key distribution. If Alice and Bob want to communicate securely, they must somehow share the secret key without an eavesdropper intercepting it. This is trivial when they can meet in person but becomes a fundamental problem for two parties who have never met and are communicating over a network. Asymmetric encryption solves this problem.

Asymmetric Encryption: The Public Key Revolution

Asymmetric encryption, also called public key cryptography, uses a pair of mathematically linked keys: a public key and a private key. The public key can be freely shared with anyone. The private key must be kept secret by its owner and never shared. Data encrypted with the public key can only be decrypted with the corresponding private key. Data encrypted with the private key can only be decrypted with the corresponding public key.

This asymmetry solves the key distribution problem elegantly. If Alice wants to send Bob a secret message, she simply uses Bob's publicly available public key to encrypt it. Only Bob, who has the corresponding private key, can decrypt it—not even Alice can decrypt it once she sends it. Bob never needs to share a secret with Alice in advance. Anyone can look up Bob's public key and send him an encrypted message that only Bob can read.

The mathematical foundation of most asymmetric encryption is the difficulty of certain mathematical problems. RSA (Rivest-Shamir-Adleman), the pioneering public key algorithm invented in 1977, relies on the computational difficulty of factoring the product of two large prime numbers. Multiplying two 2048-bit primes takes microseconds; factoring their product is computationally infeasible with current methods. Elliptic Curve Cryptography (ECC) relies on the elliptic curve discrete logarithm problem and achieves equivalent security to RSA with much shorter key lengths—a 256-bit ECC key provides security comparable to a 3072-bit RSA key.

Public Key Infrastructure and Digital Signatures

Public Key Infrastructure (PKI) is the system of policies, procedures, and technologies that manages the creation, distribution, and verification of public keys. The central challenge is trust: if Alice wants to use Bob's public key, how does she know the key she found actually belongs to Bob and not to an attacker who created a fake key claiming to be Bob? PKI solves this with Certificate Authorities (CAs)—trusted third parties that verify identities and issue digital certificates binding a public key to an identity.

A digital certificate contains the entity's public key, identity information (domain name, organization, etc.), the certificate's validity period, and a digital signature from the CA vouching that the information is accurate. Web browsers and operating systems come pre-installed with the public keys of trusted root CAs. When you visit an HTTPS website, your browser checks the site's certificate: is it signed by a trusted CA? Is it for the correct domain? Is it within its validity period? If all checks pass, your browser can be confident it is talking to the legitimate site and not an impersonator.

Digital signatures use asymmetric cryptography for authentication and integrity verification. To sign a document, the signer uses their private key to encrypt a hash of the document—creating the signature. Anyone with the signer's public key can decrypt the signature, compute the hash of the document themselves, and compare. If the hashes match, the document was signed by the private key holder and has not been modified since signing. Digital signatures are legally recognized in most jurisdictions and are used in software distribution (code signing), email authentication (S/MIME and PGP), and financial transactions.

Hybrid Encryption: The Best of Both Worlds

In practice, almost no real-world system uses pure asymmetric encryption for bulk data. Asymmetric operations are orders of magnitude slower than symmetric operations—RSA encryption of a 1 MB file takes thousands of times longer than AES encryption of the same file. The solution is hybrid encryption, which uses asymmetric encryption to solve the key distribution problem and symmetric encryption for the actual data.

In a hybrid system, the sender generates a random symmetric session key, encrypts the actual data with AES using that session key, then encrypts the session key with the recipient's public key. The recipient uses their private key to decrypt the session key, then uses the session key to decrypt the data. TLS (Transport Layer Security), the protocol securing all HTTPS web traffic, uses exactly this approach: asymmetric cryptography (ECDHE) for key exchange, and AES for bulk data encryption. SSH, PGP, and Signal all use variants of hybrid encryption.
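The envelope just described, written out as an added Go example with only the standard library (illustration, not code from the article or from any of the protocols it names): AES-256-GCM encrypts the data under a per-message session key, RSA-OAEP wraps that key for the recipient, and GCM's authentication tag makes a tampered ciphertext fail to decrypt instead of decrypting to garbage. The Envelope type, its field names and the sample message are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a constructed wire format: RSA-wrapped session key, GCM nonce, ciphertext with tag.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // no entropy or a bad key size: a broken environment, not a protocol error
	}
	return v
}

func gcmFor(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Seal is the sender: fresh session key, AES-256-GCM for the data, RSA-OAEP for the key.
func Seal(recipient *rsa.PublicKey, plaintext []byte) *Envelope {
	key, nonce := make([]byte, 32), make([]byte, 12)
	must(rand.Read(key))   // 256-bit session key generated for this message only
	must(rand.Read(nonce)) // 96-bit GCM nonce, must never repeat under the same key
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil))
	return &Envelope{wrapped, nonce, gcmFor(key).Seal(nil, nonce, plaintext, nil)}
}

// Open is the recipient: unwrap the session key with the private key, then decrypt.
// GCM verifies its tag before releasing plaintext, so tampering yields an error, not garbage.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return gcmFor(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv := must(rsa.GenerateKey(rand.Reader, 2048)) // recipient's long-term key pair
	env := Seal(&priv.PublicKey, []byte("constructed sample message"))
	env.Ciphertext[0] ^= 1       // one bit flipped in transit
	fmt.Println(Open(priv, env)) // [] cipher: message authentication failed
}
```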

The ephemeral nature of session keys in protocols like TLS 1.3 provides Perfect Forward Secrecy (PFS). Because a new random session key is generated for each connection and the private key of the server is only used during the key exchange (never to directly encrypt data), recording encrypted traffic and later compromising the server's private key does not allow decryption of past sessions. This is a critical property that protects against mass surveillance and retroactive decryption.
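An added sketch of the ephemeral exchange behind that property (not code from the article or from any TLS implementation): both sides generate fresh X25519 key pairs, swap public keys and independently arrive at the same session key, and a second handshake yields an unrelated one. Deriving the key with plain SHA-256 over a constructed label instead of TLS's HKDF over the handshake transcript, and leaving out the server's signature that authenticates the exchange, are simplifications assumed here.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Session records one handshake: the two ephemeral public keys that crossed the
// wire, and the session key each side derived on its own from its private key.
type Session struct {
	ClientPub, ServerPub []byte
	ClientKey, ServerKey []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// deriveKey turns the raw X25519 shared secret into a 256-bit session key. TLS
// uses HKDF over the handshake transcript; a constructed label is assumed here.
func deriveKey(shared []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-session-key-v1"))
	h.Write(shared)
	return h.Sum(nil)
}

// Handshake runs one ECDHE exchange. Both private keys are fresh for this call
// and unreachable after it returns: nothing stored long term can recreate the
// session key, which is the forward-secrecy property the article describes.
func Handshake() Session {
	client := must(ecdh.X25519().GenerateKey(rand.Reader)) // ephemeral, per connection
	server := must(ecdh.X25519().GenerateKey(rand.Reader))
	cs := must(client.ECDH(server.PublicKey())) // client: own private, server's public
	ss := must(server.ECDH(client.PublicKey())) // server: own private, client's public
	return Session{client.PublicKey().Bytes(), server.PublicKey().Bytes(), deriveKey(cs), deriveKey(ss)}
}

func main() {
	a, b := Handshake(), Handshake()
	fmt.Println("both sides agree:", bytes.Equal(a.ClientKey, a.ServerKey))    // true
	fmt.Println("sessions independent:", !bytes.Equal(a.ClientKey, b.ClientKey)) // true
}
```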

Hashing: One-Way Cryptographic Functions

Closely related to encryption, cryptographic hash functions transform input data of any size into a fixed-size output (called a hash, digest, or fingerprint) in a one-way process—you cannot reverse the hash to recover the original input. The same input always produces the same hash, but any change to the input—even a single bit—produces a completely different hash. Collision resistance ensures that it is computationally infeasible to find two different inputs that produce the same hash.

SHA-256 and SHA-3 are the most widely used modern hash functions. Hashing is used for password storage (databases store the hash of a password, not the password itself; when a user logs in, their input is hashed and compared to the stored hash), data integrity verification (file downloads include a hash so recipients can verify the file was not corrupted or tampered with), and as a component of digital signatures (signing the hash of a document rather than the document itself).
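The sign-the-hash construction from the digital signatures section and the any-change-alters-the-hash property from this one, in a single added Go example (not code from the article): the SHA-256 digest of a document is signed with ECDSA over P-256, verification recomputes the digest from the document actually received, and a one-bit change to the input both flips roughly half the digest bits and invalidates the signature. The sample contract text is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/bits"
)

// Digest is the SHA-256 fingerprint that gets signed; the document itself is never encrypted.
func Digest(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	return sum[:]
}

// Sign signs the document's digest with ECDSA P-256 (ASN.1 DER signature, as in X.509 and TLS).
func Sign(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, Digest(doc))
}

// Verify recomputes the digest from the document it was given and checks the signature
// against the signer's public key; any edit changes the digest, so the signature fails.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, Digest(doc), sig)
}

// HammingBits counts differing bits between two equal-length digests (avalanche effect).
func HammingBits(a, b []byte) int {
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // signer's key pair
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed contract: pay 100 to Bob")
	altered := []byte("constructed contract: pay 900 to Bob") // '1' -> '9' differs in one bit
	sig, _ := Sign(priv, doc)
	fmt.Println("original verifies:", Verify(&priv.PublicKey, doc, sig))    // true
	fmt.Println("altered verifies:", Verify(&priv.PublicKey, altered, sig)) // false
	fmt.Println("digest bits changed:", HammingBits(Digest(doc), Digest(altered)), "of 256")
}
```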

The future of encryption is already being shaped by quantum computing. Shor's algorithm, running on a sufficiently powerful quantum computer, could break RSA and ECC by solving the mathematical problems that underlie them. The National Institute of Standards and Technology (NIST) completed a multi-year process in 2024, standardizing post-quantum cryptographic algorithms—including CRYSTALS-Kyber for key exchange and CRYSTALS-Dilithium for digital signatures—designed to be secure against both classical and quantum computers. Organizations managing sensitive long-lived data are already beginning the transition, as data encrypted today with classical cryptography could theoretically be stored by an adversary and decrypted in the future once quantum computers mature—a threat known as "harvest now, decrypt later."
