Modern digital encryption is a branch of applied mathematics that uses mathematical functions to obscure the content of transmitted messages. The functions used for encryption are referred to as ciphers. Ciphers take two inputs: the data to be encrypted and a cryptographic key value. Most modern encryption algorithms are types of block ciphers: the plaintext message is broken into blocks of data, the cipher is applied to each block, and the resultant blocks form the encrypted message, or ciphertext. Encryption methods are broadly classified as symmetric or asymmetric.
Symmetric Encryption
Symmetric encryption algorithms use the same key for encryption and decryption. Symmetric encryption algorithms are an area of continuing research, with algorithms designed to limit susceptibility to mathematical methods of code-breaking, or cryptanalysis. A non-mathematical cryptanalysis approach known as the brute force method involves trying every possible key, so for most symmetric encryption algorithms, the relative security of the cipher can be measured by the key length. The first encryption algorithm officially adopted by the US National Bureau of Standards was the Data Encryption Standard (DES), published as the official Federal Information Processing Standard (FIPS) in 1977. DES was criticized even at the time of publication for its relatively short key length (56 bits). By contrast, the current FIPS standard, AES, adopted in 2001, uses keys of length 128, 192, or 256 bits. For an AES-256 key, there are 2^256 possible key values, or roughly 10^77. For comparison, it is estimated that there are 10^78 atoms in the universe. While symmetric encryption may be resistant to brute force cryptanalysis attacks, it still has one major weakness: both encryption and decryption require the same key, which is why this is also referred to as shared secret encryption. If a malicious actor discovers the shared secret, no cryptanalysis methods are required: all messages encrypted with that key are compromised.
Asymmetric Encryption
By contrast, asymmetric encryption relies on different keys for encryption and decryption. Asymmetric encryption functions use two keys, referred to as a key pair, that are mathematically related but not deducible from one another, so the exposure of one of the keys will not threaten the other key. For this reason, this type of encryption is also referred to as public key encryption: one key is made public, while the other is kept private. Data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key can be decrypted with the public key. The protection of the private key against being deduced from the public key relies on the existence of one-way mathematical functions. One-way mathematical functions are functions that are very easy to compute, but very difficult to reverse. For example, the RSA algorithm (first published in 1977) is based on the multiplication of large prime numbers: computing the product of two large prime numbers is computationally simple, while factoring a large number into primes is computationally complex.
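The key-pair relationship and the one-way property described above, as an added example that is not part of the original page. It uses textbook RSA with two tiny constructed primes (10007 and 10009); the function names are hypothetical, and the factoring loop only finishes quickly because the modulus is so small.

```python
# Added illustration: textbook RSA with deliberately tiny primes (constructed values).
from math import gcd, isqrt

def make_keypair(p, q, e=65537):
    """Build (public, private) keys from two primes. Computing p*q is the easy direction."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)            # private exponent: inverse of e modulo phi
    return (n, e), (n, d)

def apply_key(key, value):
    """RSA's core operation, value^exponent mod n; the same function serves either key."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)

def factor_by_trial_division(n):
    """The hard direction: recover the primes from n. Returns (p, q, divisions tried)."""
    tried = 0
    for candidate in range(3, isqrt(n) + 1, 2):
        tried += 1
        if n % candidate == 0:
            return candidate, n // candidate, tried
    raise ValueError("no odd factor found")

if __name__ == "__main__":
    public, private = make_keypair(10007, 10009)
    message = 424242                                  # constructed sample value
    sealed = apply_key(public, message)               # encrypt with the public key
    print("public -> private:", apply_key(private, sealed) == message)
    signed = apply_key(private, message)              # encrypt with the private key
    print("private -> public:", apply_key(public, signed) == message)
    # Anyone who can factor n can rebuild the private key, so the modulus size
    # is what keeps the private key undeducible from the public one.
    p, q, tried = factor_by_trial_division(public[0])
    print(f"factored n={public[0]} after {tried} divisions")
    print("private key rebuilt:", make_keypair(p, q)[1] == private)
```

Multiplying the two primes is a single operation, while recovering them took thousands of divisions even at this size; real RSA moduli are far larger and are used with padding schemes.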
Diffie-Hellman Key Exchange
In order to use asymmetric encryption for secure communications, both parties need not only the public key, but also the private key. This seems to create the same problem as shared secret methods: how to securely share secrets. This specific problem is addressed by the Diffie-Hellman Key Exchange, first published in 1976. Diffie-Hellman describes a method for two parties to establish shared public keys based on unshared private keys. This resolves the issue of secret transmission, as the private keys are never transmitted. Once the shared public keys have been established, a message from User A is first encrypted with User A's private key, and the result is encrypted again using User B's public key. User B decrypts the message with their private key, and decrypts the result with User A's public key. With asymmetric encryption and DH key exchange, a malicious actor must discover both private keys in order to intercept an encrypted transmission.
Hybrid Approach
While symmetric encryption algorithms are generally more vulnerable than asymmetric methods, they are also generally much faster and less computationally intensive. To achieve a balance of security and performance, most communication protocols use a hybrid approach. In the hybrid approach, when a communication session is established, Diffie-Hellman key exchange (DHKE) and asymmetric encryption are used to share a computer-generated shared secret. This shared secret is used for symmetric encryption of subsequent traffic. The shared secret is changed frequently, with the new values always being shared using asymmetric encryption.
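A sketch of the session setup described in the Diffie-Hellman and Hybrid Approach sections, added here as an example and not taken from the page or from any protocol's code. Assumptions: the modulus `P` and base `G` are illustrative parameters rather than a standardized group, the `Party` class and function names are hypothetical, and the HMAC-based keystream stands in for a real symmetric cipher such as AES, which the Python standard library does not include.

```python
# Added illustration: Diffie-Hellman agreement feeding a symmetric session key.
import hashlib
import hmac
import secrets

P = 2**255 - 19   # a known prime, used here only as a demonstration modulus
G = 2             # illustrative base

class Party:
    def __init__(self):
        self._private = secrets.randbelow(P - 3) + 2   # never leaves this object
        self.public = pow(G, self._private, P)          # the only value transmitted

    def session_key(self, peer_public):
        """Combine our private value with the peer's public value."""
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value out of range")
        shared = pow(peer_public, self._private, P)
        return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def keystream_xor(key, nonce, data):
    """Symmetric stand-in: XOR data with an HMAC-SHA256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def run_session(message):
    """One session: exchange public values, derive the key, encrypt, decrypt."""
    user_a, user_b = Party(), Party()
    # Everything an observer on the wire sees during setup:
    wire = {"a_public": user_a.public, "b_public": user_b.public}
    key_a = user_a.session_key(wire["b_public"])
    key_b = user_b.session_key(wire["a_public"])
    nonce = secrets.token_bytes(12)                    # sent alongside the ciphertext
    ciphertext = keystream_xor(key_a, nonce, message)  # User A encrypts
    plaintext = keystream_xor(key_b, nonce, ciphertext)  # User B decrypts
    return key_a, key_b, ciphertext, plaintext

if __name__ == "__main__":
    sample = b"constructed sample traffic"
    key_a, key_b, ciphertext, plaintext = run_session(sample)
    print("keys match:", key_a == key_b, "| round trip:", plaintext == sample)
    # A new session repeats the exchange, so the symmetric key changes.
    print("fresh key on rekey:", run_session(sample)[0] != key_a)
```

Both users compute the same 32-byte key although only the two public values crossed the wire, and running the exchange again yields a different key for the next batch of traffic.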
Confidentiality vs Authenticity
Symmetric encryption, asymmetric encryption, and Diffie-Hellman key exchange primarily address the issue of confidentiality, or keeping the contents of messages secret. However, there is another important objective that must also be addressed: authenticity. To learn more about authenticity, read Public Key Infrastructure.