Data Encryption

The transformation of readable data into an unreadable form using a cryptographic key, so that only parties holding the correct key can recover the original content.

Encryption is the foundation of internet security. Every HTTPS connection, VPN tunnel, and WPA2 Wi-Fi session uses encryption to prevent eavesdroppers from reading data in transit. Without encryption, anything you send over a network — passwords, messages, financial data — is readable by anyone who can intercept the packets.

Symmetric vs asymmetric encryption

Type          | Keys used                                  | Speed                | Common use
--------------|--------------------------------------------|----------------------|----------------------------------
Symmetric     | Same key encrypts and decrypts             | Fast                 | Bulk data (AES in TLS, Wi-Fi)
Asymmetric    | Public key encrypts; private key decrypts  | Slow                 | Key exchange, digital signatures
Hybrid (TLS)  | Asymmetric to exchange, then symmetric     | Fast after handshake | HTTPS, VPN, SSH

AES explained

AES (Advanced Encryption Standard) is the dominant symmetric cipher in use today. It operates as a block cipher — processing fixed 128-bit blocks of data using a secret key. Key sizes are 128, 192, or 256 bits; AES-128 is considered secure for most purposes and is faster; AES-256 provides a larger security margin. The cipher mode determines how blocks are chained together:

  • GCM (Galois/Counter Mode): the preferred mode for TLS 1.3 and most modern protocols — provides both encryption and authentication (AEAD) in a single pass, and is parallelisable for high throughput
  • CBC (Cipher Block Chaining): older mode used in TLS 1.2 and WPA2; each block depends on the previous, making it sequential and vulnerable to padding oracle attacks if not implemented carefully
  • CTR (Counter Mode): turns AES into a stream cipher by encrypting successive counter values; fast and parallelisable but requires a unique nonce per message
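As an added illustration of the GCM point above (example code written for this entry, not from the original page or any project), the Go standard library's AES-GCM: the nonce is drawn fresh for every message and the tag is verified before any plaintext is released, so a modified message is rejected instead of being decrypted to garbage. The key and message are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// newGCM wraps an AES key (16, 24 or 32 bytes) in GCM mode.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts and authenticates plaintext, prepending a fresh random
// 96-bit nonce; reusing a nonce under one key breaks GCM, hence rand.Reader.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM verifies the 16-byte tag before releasing any plaintext: a change to
// nonce, ciphertext, tag or AAD yields an error, never silently corrupted data.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("invalid key length or ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	sealed, _ := sealGCM(key, []byte("transfer 100 to account 42"), []byte("v1"))
	sealed[len(sealed)-1] ^= 0x01 // flip one tag bit, as a modified message would
	_, err := openGCM(key, sealed, []byte("v1"))
	fmt.Println("tampering detected:", err != nil) // prints true
}
```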

RSA and elliptic curve cryptography

Asymmetric encryption uses mathematically linked key pairs. RSA bases its security on the difficulty of factoring large integers; RSA-2048 and RSA-4096 are common key sizes. Elliptic Curve Cryptography (ECC) achieves equivalent security with much smaller keys — a 256-bit ECC key (ECDH P-256) provides roughly the same security as RSA-3072 while being faster to compute. TLS 1.3 uses ECDH (Elliptic Curve Diffie-Hellman) for key exchange almost exclusively, with RSA and ECDSA used only for certificate signatures.

Encryption in TLS

TLS combines both approaches in a hybrid scheme. The handshake uses asymmetric cryptography (RSA or ECDH key exchange) to securely establish a shared secret between client and server without sending that secret over the network. The shared secret is then used to derive symmetric session keys. All subsequent bulk data is encrypted with AES-GCM (or ChaCha20-Poly1305 for devices without AES hardware acceleration). This hybrid design gives the security benefits of asymmetric key exchange with the performance of symmetric encryption.
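An added example (written for this entry, not code from the original page or from any TLS implementation) of the ECDH step described here and in the ECC section: each side generates an ephemeral P-256 pair, sends only its public key, and computes the same shared secret, from which the symmetric key is derived. The derivation below is a single SHA-256 over the secret and a label, a stated simplification standing in for TLS 1.3's HKDF-based key schedule.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newKeyPair makes an ephemeral P-256 key pair for one side of the handshake.
// Only the public half goes on the wire; the private half never leaves the process.
func newKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// publicBytes is the 65-byte uncompressed point a side sends to its peer.
func publicBytes(priv *ecdh.PrivateKey) []byte {
	return priv.PublicKey().Bytes()
}

// sessionKey combines our private key with the peer's public key bytes and
// derives a 256-bit AES key from the resulting shared point. TLS 1.3 feeds the
// shared secret into HKDF together with the transcript hash; this example uses
// one SHA-256 over the secret and a label instead (a simplification, not the
// real TLS key schedule).
func sessionKey(priv *ecdh.PrivateKey, peerPub []byte, label string) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub) // rejects malformed or off-curve points
	if err != nil {
		return nil, fmt.Errorf("bad peer public key: %w", err)
	}
	shared, err := priv.ECDH(pub) // x-coordinate of the shared point; never transmitted
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte(label))
	return h.Sum(nil), nil
}

func main() {
	client, _ := newKeyPair()
	server, _ := newKeyPair()
	// Each side sends only its public key; the shared secret is never on the wire.
	ck, _ := sessionKey(client, publicBytes(server), "traffic")
	sk, _ := sessionKey(server, publicBytes(client), "traffic")
	fmt.Printf("client and server agree on the session key: %t\n", string(ck) == string(sk)) // true
}
```

Anyone who saw both public keys but neither private key cannot reproduce the derived key, which is the property the handshake relies on.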

At-rest vs in-transit encryption

Encryption in transit (TLS, VPN, WPA3) protects data while it travels across a network — preventing interception by anyone on the path. Encryption at rest protects data stored on disk or in a database — preventing access if physical media is stolen or a server is compromised. Both are necessary: a database that encrypts connections but stores passwords in plaintext is still vulnerable to a breach. Full-disk encryption (BitLocker, FileVault, LUKS) and database-level encryption address at-rest security.

End-to-end encryption vs transport encryption

Transport encryption (standard HTTPS) encrypts the connection between your device and the server — the server can read your data in plaintext. End-to-end encryption (E2EE) encrypts data so only the communicating endpoints can decrypt it — the server (or any intermediary) sees only ciphertext. Signal, WhatsApp, and iMessage use E2EE for messages; the service provider cannot read message content even with full server access. E2EE requires key management at the endpoint level, making it more complex to implement and recover from key loss.

Encryption performance: AES-NI hardware acceleration

Modern CPUs include dedicated AES instruction set extensions (AES-NI on x86, AES instructions on ARM). Hardware-accelerated AES-GCM on a current processor achieves 10–40 Gbps throughput per core — making encryption overhead negligible for network speeds available today. Devices without AES hardware acceleration (some older IoT hardware, embedded systems) can use ChaCha20-Poly1305 — a software-friendly cipher that achieves comparable throughput without dedicated hardware. TLS 1.3 supports both cipher suites and negotiates the appropriate one automatically.

Hashing vs encryption

Hashing and encryption are frequently confused but serve different purposes. Encryption is reversible with the correct key — the original data can be recovered. Hashing is a one-way function: it produces a fixed-length digest from input data, and it is computationally infeasible to reverse. Passwords should be stored as hashes (bcrypt, Argon2, scrypt), not encrypted — if the encryption key is compromised, all passwords are exposed. A hash function produces the same digest for the same input, which is why password databases use salted hashes to prevent rainbow table attacks.

Frequently Asked Questions

What is the difference between symmetric and asymmetric encryption?

Symmetric encryption uses one key for both encryption and decryption — fast, but both parties must first share that key securely. Asymmetric uses a public key (anyone can encrypt) and a private key (only the owner decrypts). TLS uses asymmetric to exchange a symmetric session key, then switches to symmetric for bulk data.

What does HTTPS encryption protect?

HTTPS encrypts the content of your requests and responses using TLS. Your ISP or Wi-Fi network can see that you connected to a domain but cannot read the URLs, form data, cookies, or page content.

What encryption does Wi-Fi use?

Modern Wi-Fi uses WPA3 or WPA2 with AES-CCMP. WPA3 adds forward secrecy and stronger password protection. Older WEP and WPA-TKIP are cryptographically broken — check your router and use WPA2 or WPA3.
