It can be traced back to the ancient Egyptians and refers to the practice of encoding and decoding information: Join us in deciphering modern cryptography and why it’s an indispensable cyber tool in our digital age. From government documents and private communications to credit card details, cybercriminals are lurking to access, intercept, and pounce on data not intended for them. Find out how cryptographic methods work and what the risks are—and be sure to take charge of your cyber-safety with Avira Internet Security.
What is cryptography?
If you wanted to send a secret message as a child, you might have created your own code by assigning each letter a random symbol or using lemon juice as invisible ‘ink’. Little did you know that you were a junior cryptographer. Cryptography or cryptology is the practice of using various techniques to obscure and secure communications to prevent unauthorised third parties (like your mother, to get back to our original analogy) from reading private messages. Only those with the right tools and permissions can decrypt and understand what was sent.
Here is some essential cryptography vocabulary you’ll encounter in any discussions on the subject, so it’s a good place to start:
Cipher: A method of transforming a message to conceal its meaning. It refers to a set of algorithms that are applied to data (also called plaintext or cleartext) to transform it into an unrecognisable form.
Ciphertext: Unreadable text after it’s been transformed by a cipher.
Cryptographic algorithm: The well-defined procedure or sequence of rules behind the cipher. It could be a series of mathematical equations.
Cryptographic key: A sequence of random characters used in encryption protocols to modify data. The information remains unreadable for anyone who does not have the key.
Cryptography vs encryption: Aren’t they the same thing? Not quite. Encryption refers specifically to the process of converting data into code. It’s an essential part of cryptography but cryptography is even more and involves a complex series of steps to code, decode, and transmit information securely.
Cryptography techniques are based on algorithms and ciphers used to encrypt and decrypt. You’ve probably heard of 128-bit and 256-bit encryption keys for example. The Advanced Encryption Standard (AES) is a modern cipher that’s considered virtually unhackable.
How does cryptography work?
Modern cryptography blends various disciplines like engineering, computer science, and advanced mathematics to transform data from readable plaintext into jumbled ciphertext. Of course, it also entails cryptanalysis to reverse the process so the intended recipient can decode the scrambled data. Many different cryptography techniques are used, including symmetric and asymmetric encryption and digital signatures, and we’ll go into more detail on these later.
So, where once knights and forts prevented unwanted access, in today’s digital age cryptography does battle with hackers and online threats to help keep our data secure. It’s a widely deployed defence, and you probably encounter it unwittingly every day—when online banking, shopping, or entering a password, for example.
From mummies to machines: The history of cryptography
The word “cryptography” is derived from the Greek kryptós, which means hidden. The first part or prefix (crypt-) means “hidden” or “vault,” and the suffix (-graphy) means “writing.” Man has been using this “hidden writing” for thousands of years. In fact, the first cryptography was found in the tomb of an Ancient Egyptian nobleman, in an inscription carved around 1900 BC. Fast forward to the Roman empire and Julius Caesar was known to send encrypted messages to his army generals. His ‘Caesar’s cypher’ was a substitution cypher which shifted each character by three spaces. So ‘A’ was replaced by ‘D’, for example. You can see that once their secret is out, substitution cyphers are easy to crack. To introduce more variables and greater complexity, the French created the Vigenère cipher in the sixteenth century. This uses an encryption key based on the Vigenère square (the alphabet written out 26 times in different rows). At different points in the encryption process, the cipher chooses a different alphabet from one of the rows.
At the start of the 19th century, the Hebern rotor machine embedded the secret key in a rotating disc. This key encoded a substitution table and each key press from the keyboard created an output of cipher text. During World War II, the German Enigma machine took this method further and used four or more rotors to produce cipher text.
After the war, cryptography attracted attention beyond the military as businesses clamoured to secure their data from competitors. Major computer manufacturers started taking note. In the 1970s, IBM formed a ‘crypto group’ that designed a cipher called Lucifer. Devilishly hard to crack, Lucifer came to be accepted as the DES or Data Encryption Standard. It stood its ground for many years but in 1997, the DES was broken. The small size of its encryption key proved to be the chink in its armour—and as computing power increased it became easy to brute force different combinations of the key to read the plain text. (During a brute-force attack, hackers use trial and error to try and crack a message or password by inserting endless random characters, symbols, letters, and more).
In 2000, the AES or the Advanced Encryption Standard emerged and today it’s the widely accepted standard for encryption. Avira uses the AES-256 as it offers more combination possibilities than there are stars in the universe (apparently, that’s a septillion or 1042 stars if you’re curious and have no time to count).
Why is cryptography important and where is it used?
The practice of managing data-related risks and protecting our communications systems is called information assurance or IA. Cryptography is essential in safeguarding the five pillars of IA: integrity, availability, authentication, confidentiality, and non-repudiation. And in case you’re wondering what non-repudiation is, it provides proof of the origin, authenticity, and integrity of data, so it also combines two pillars. With it, neither party can deny that a message was sent, received, and processed.
Here are the most common examples of cryptography in action:
Passwords: Cryptography has a two-fold duty here. It’s used to validate the authenticity of passwords and obscures stored passwords. A plaintext database of passwords would be more vulnerable to hackers.
Secure web browsing: A website with an SSL certificate uses cryptography to create a more secure connection so it can protect information that’s moving from the browser to the website’s server. In this way, users are better protected from eavesdropping and man-in-the-middle (MitM) attacks. Learn how to check the security of a website to help protect your privacy and data.
Secure communications: Do you use WhatsApp or Signal? End-to-end encryption provides a high level of security and privacy for users of communication apps. It’s used for message authentication and helps protect two-way communications like video conversations.
Authentication: Cryptography can help confirm a user’s identity and verify their access privileges such as when they’re logging in to an online bank account or accessing a secure network for work.
Electronic signatures: These e-signatures are used to sign documents online and are often enforceable by law. They are created with cryptography and can be validated to prevent fraud.
Cryptocurrency: Cryptocurrencies like Bitcoin and Ethereum are built on complex data encryptions that require significant amounts of computational power to decrypt. Through these decryption processes, new coins are “minted” and enter circulation. Cryptocurrencies also rely on advanced cryptography to help safeguard crypto wallets, verify transactions and prevent fraud.
Virtual private network (VPN): This redirects web traffic through a private tunnel and encrypts the connection. It also masks your IP address, so your real location is unknown. Avira Phantom VPN is free and masks users’ online activities to help them become anonymous online ‘ghosts’. Consider the Pro version for unlimited data that powers near-endless surfing and downloading. And remember: Always use a VPN if you’re surfing on public Wi-Fi!
Meet the types of cryptographic algorithms
Cryptography uses many different types of algorithms depending on the type of information being shared and its level of sensitivity. Here are the main types you’ll encounter:
Single key cryptography or symmetric encryption: This uses a single key to both encrypt and decrypt a message. So, the sender uses the key to encrypt a plaintext message into a fixed length of bits called a block cipher. The recipient then uses the same key to unlock the message. One example of symmetric-key cryptography is the Advanced Encryption Standard (AES). CON: If the message is intercepted, the key is included and can be used to decode the message!
Public key cryptography (PKC) or asymmetric encryption: Mathematical functions create codes that are very difficult to crack. The sender uses the public key to encrypt a message, and the recipient then uses a private key to decrypt it. RSA was the first and remains the most common PKC implementation. The algorithm is named after its MIT mathematician developers, Ronald Rivest, Adi Shamir, and Leonard Adleman, and is used in data encryption, digital signatures, and key exchanges. PRO: If the message is intercepted, the contents can’t be decoded without the private key. This allows people to communicate securely over even non-secure channels.
Hash functions or hashing: This process doesn’t rely on cryptographic keys. Instead, hashing takes any amount of input data (a Word document, audio file, video file, etc.) and applies a hashing algorithm to scramble it into a value with a fixed length. So, a one-word message and a 1000-page book will produce the same volume of encoded text (called the hash value). Among the various cryptographic hash functions used, MD5-Hash, SHA-1, and SHA-256 are prominent examples. Find out more about the commonly used MD5-hash and why it’s considered so secure. PRO: It’s nearly impossible to decode content that’s been hashed, which is why hashing is generally considered a very secure option and popular for authentication purposes. You probably encounter hashing on a daily basis. For example, an online service provider won’t save your password, but a hash value.
Different types of cryptography have different functions. Encryption helps to maintain the confidentiality of data, while hashing allows us to check the integrity of that data and be sure that what we’ve received is the same as what was sent (in other words, has it been fiddled with in transit?). A common example is downloading software. The company distributing the software also puts up the hash value of the file. If the file you downloaded produces the same hash output as the original, then you can be sure that it hasn’t been altered (by being laced with malware, for example).
The vulnerabilities of cryptography: cryptographic key attacks and failures
No matter how complex they are, codes can be cracked. Just ask the creators of Enigma. ‘Cryptographic failures’ are a major security hazard as they allow hackers to access the messages and data protected by encryption algorithms. Sadly, cybercriminals have a number of attack techniques in their arsenal:
- Man-in-the-Middle attacks: By exploiting encryption, attackers can insert themselves into a communication channel between two parties and intercept their traffic.
- Brute force attacks: Attackers rapidly test possible key combinations until they find the correct key. Smaller encryption key sizes are most vulnerable here.
- Hash collision attacks: Cybercriminals find two files that produce the same hash value so they can replace a legitimate file with an altered one. These attacks are most often used to undermine the security of digital signatures.
- Birthday attacks: A type of brute force attack whereby hackers produce mathematically likely hash collisions.
- Downgrade attacks: When organisations use outdated SSL/TLS protocols, a cybercriminal can force client connections to use weaker legacy versions that are easier to hack.
Data breaches can wreak havoc in our digital world. The hacker to-do list is long and includes stealing intellectual property, committing financial fraud, stealing identities and hijacking online accounts, plus infiltrating and disrupting systems. Exposing sensitive information, via doxxing for example, can also cause serious reputational damage to companies and individuals.
The future of cryptography—and should we be worried?
Did you know that the most powerful supercomputers on earth would need thousands of years to mathematically crack encryption algorithms (like the AES)? According to Shor’s Algorithm, it would take a hacker many lifetimes before they’d stand a chance of breaking a complex code. So far so good but… that was before quantum computers appeared as a possibility on the IT horizon. These super-machines could, in theory, find the solution in mere minutes, representing a grave threat to current cybersecurity systems. The search is on for post-quantum cryptography!
In 2016, the National Institute of Standards and Technology (NIST) in the US called on the mathematical and science communities to create new public key cryptography standards that could withstand an assault by the quantum giants. They delivered. In May 2024 NIST released its first post-quantum cryptography standards and is looking to transfer all high-priority systems to quantum-resistant cryptography by 2035. If you’re still feeling worried—relax (for now). According to Dustin Moody, a mathematician in the NIST Computer Security Division: “Currently, there isn’t a large enough quantum computer that threatens the current level of security, but agencies need to be prepared ahead of future attacks”.
Quantum cryptography uses the principles of quantum mechanics to secure data but other
cryptographic techniques are also evolving. Elliptical curve cryptography is a public key cryptosystem that takes the mathematical properties of elliptic curves to provide secure communication and encryption. It’s especially ideal for encrypting internet traffic on devices with limited computing power or memory and is also used to secure cryptocurrency networks like Bitcoin.
How can the risks of cryptography be reduced—and what can we all do?
As with most things in life, it pays to be prepared. Companies and all online service providers must be proactive in modernising their encryption security to stay a step ahead of cybercriminals: Large key sizes, robust algorithms, and the latest TLS protocols are the cornerstones of strong encryption defences. (If you’re wondering, TLS is standard practice for building secure web apps and provides data integrity for internet communications.) They should also monitor for anomalies like abnormal encryption traffic and have response plans in place should an incident occur.
It’s not all up to the geeks in IT though. We have a part to play in our own defences! Never reuse passwords and always create strong, unique passwords for every online account. Store and manage them with a robust password manager and keep software and apps rigorously up to date so they’re more likely to be free of the security loopholes known to hackers. A software updater helps provide safe, clean updates—and auto updates take the time and hassle out of doing it all yourself. Avira Internet Security offers a range of premium tools to help bolster your privacy and security, including a password manager, software updater, plus antivirus protection. There’s also Browser Safety, the discrete Avira browser add-in that helps block trackers, ads, and infected websites.