Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.4.2. Encryption Methods and Algorithms

💡 First Principle: Encryption transforms readable data (plaintext) into unreadable data (ciphertext) using a key and algorithm. Strength depends on the algorithm, key length, and implementation; all three must be sound.

Encryption levels:
Level       Protects             Use Case
Full-disk   Entire drive         Laptop theft protection
Partition   Specific partition   Separating OS from data
File        Individual files     Selective protection
Volume      Logical volume       Flexible encrypted storage
Database    Entire database      Structured data stores
Record      Individual records   Field-level sensitivity

Transport/communication encryption protects data in transit: TLS (HTTPS), IPsec (VPNs), SSH (remote administration).

Symmetric algorithms use one shared key and are fast: AES (current standard, 128/192/256-bit), DES (deprecated, 56-bit), 3DES (being phased out). Asymmetric algorithms use key pairs and are slower: RSA (2048/4096-bit), ECC (smaller keys, equivalent security), Diffie-Hellman (key exchange).

Key exchange: Diffie-Hellman and ECDHE allow two parties to establish a shared secret over an insecure channel. This is how TLS creates a symmetric session key using asymmetric methods. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) provides forward secrecy: if the server's long-term key is later compromised, past sessions remain protected because each session used a unique ephemeral key.

Key length directly affects security: longer keys resist brute-force. AES-256 is the standard for sensitive data.

Post-quantum cryptography is emerging as quantum computers threaten current asymmetric algorithms. RSA and ECC are vulnerable to quantum attacks (Shor's algorithm), while symmetric algorithms like AES and hash functions remain relatively safe with doubled key sizes. NIST has standardized new post-quantum algorithms (CRYSTALS-Kyber for key encapsulation, CRYSTALS-Dilithium for signatures). Organizations should begin crypto agility planning: the ability to swap algorithms when needed.

⚠️ Exam Trap: DES is deprecated (56-bit key). 3DES is being phased out. AES is the current standard. When a question asks which algorithm for sensitive data, AES-256 is almost always correct.

Written by Alvin Varughese
Founder • 15 professional certifications