What is cryptography?

Cryptography is the science of securing information so that only the intended recipient can access it. It’s the invisible engine that secures the digital world, and it’s responsible for protecting everything from your private messages to your financial data.
This article explains how cryptography works, why it matters, and where it’s headed. Along the way, we’ll also clear up common misconceptions and highlight cryptography’s real-world applications.
Cryptography explained in simple terms
Cryptography is the process that ensures nobody can read a piece of information unless they have permission to do so. Basically, it involves turning readable data (or plaintext) into unreadable data (or ciphertext) in a process known as “encryption.”
A simple example of cryptography is the Caesar cipher, an ancient method whereby a fixed shift value (called the key) is used to transform each letter in a message. For example, with a shift of three (n = 3), A would become D, B would become E, and so on. Using this key, HELLO would become KHOOR.
Caesar cipher encryption

| Alphabet | n = 3 |
|---|---|
| A | D |
| B | E |
| C | F |
| D | G |
| E | H |

Of course, the modern cybersecurity world uses far more complex codes (or ciphers) to protect sensitive information. These ciphers rely on advanced mathematics to create puzzles so difficult that only someone with the correct cryptographic key can possibly solve them and reveal the original message.
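The Caesar cipher described above, written out as an added example (it is not part of the original article; the function names are chosen here for illustration). It handles wrap-around from Z back to A, leaves non-letters untouched, and shows why the scheme offers no real protection: the entire key space is 26 shifts.

```python
def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Shift each ASCII letter forward by `shift`, wrapping from Z back to A."""
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)  # spaces, digits and punctuation pass through unchanged
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    """Decryption is the same operation with the shift reversed."""
    return caesar_encrypt(ciphertext, -shift)


def shift_table(shift: int) -> dict:
    """Letter-to-letter mapping for one key, like the n = 3 table above."""
    letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    return {p: caesar_encrypt(p, shift) for p in letters}


def every_shift(ciphertext: str) -> list:
    """All 26 possible decryptions of a message.

    The key is a single number from 0 to 25, so whoever holds the ciphertext
    can simply read through this list. A modern cipher such as AES-256 has
    2**256 possible keys, which is what makes the same approach infeasible.
    """
    return [caesar_decrypt(ciphertext, k) for k in range(26)]


if __name__ == "__main__":
    secret = caesar_encrypt("HELLO", 3)
    print(secret)                      # ciphertext for the article's example
    print(caesar_decrypt(secret, 3))   # back to the plaintext
    for key, candidate in enumerate(every_shift(secret)):
        print(key, candidate)
```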
Why cryptography matters in the digital world
Every day, vast quantities of sensitive information travel across the internet and are stored on servers worldwide. This may include personal messages, banking details, medical records, and business data. Without protection, this data is vulnerable to interception, theft, or tampering.
If a cybercriminal gets their hands on this data, they could steal someone’s identity, commit financial fraud, leak confidential information, or disrupt essential services. And if such breaches became commonplace, nobody would trust online systems, which would be a huge problem in our increasingly digital world.
So cryptography doesn’t just protect data: it also assures our trust in digital communications and transactions by ensuring information protection, maintaining integrity, and enabling authentication.
A brief history of cryptography
Cryptography isn’t a new thing: it’s been around for thousands of years. Here’s a quick overview of how it evolved from simple substitution techniques, like swapping letters with numbers, to the complex digital encryption systems we rely on today.
From Caesar cipher to modern encryption
The Caesar cipher described above was used by Julius Caesar in the first century BC to safeguard sensitive military information.
In the 15th century, Italian architect Leon Battista Alberti developed the first polyalphabetic cipher, which used multiple alphabet shifts within a single message. This made simple pattern-guessing much less effective.
By the 20th century, cryptography had moved into the mechanical age. The Enigma machine, used by Nazi Germany during World War II, employed a system of rotating disks to produce a constantly changing cipher.
Finally, the development of computers brought cryptography into the digital era. Encryption shifted from mechanical devices to mathematical algorithms, setting the stage for the complex systems we rely on today.
Milestones in modern cryptographic development
One of the most important developments in modern cryptography was the creation of the Data Encryption Standard (DES) in 1975. It became the first encryption algorithm officially approved by the U.S. government as a federal standard, and it provided a widely accepted and standardized way to protect electronic data.
Another major breakthrough came in 1976 with the invention of public-key cryptography. Before this, people had to share the same secret key to lock and unlock messages, which was risky because the key could be intercepted or stolen.
Public-key cryptography changed this by using two different keys: a public key and a private key. You can share your public key openly with anyone who wants to send you a message, but only you have the private key that can unlock (decrypt) it. Since the private key never needs to be shared or sent, it’s much harder for attackers to steal it. This made sending secret messages much safer, especially between people who didn’t know or trust each other.
Soon after, the RSA (Rivest–Shamir–Adleman) algorithm was created. As one of the first public-key methods secure and efficient enough for real-world use, RSA helped make secure online activities, like sending private emails, shopping, and banking, possible by providing a reliable way to encrypt and decrypt information. It’s still widely used today.
Over time, newer encryption methods have replaced older ones to provide stronger security. For example, the Advanced Encryption Standard (AES) was introduced in 2001 to replace the older DES algorithm. As computers became faster and more powerful, DES became vulnerable to being cracked. AES offers stronger protection with faster performance, making it the most widely used encryption method today.
The basic principles of cryptography
Cryptographic systems rely on a few key principles and processes. Here’s a quick overview.
Confidentiality, integrity, and authentication
Cryptography supports three core information security goals: confidentiality, integrity, and authentication.
- Confidentiality (or data confidentiality) means keeping information secret so that only authorized people can access it.
- Integrity ensures that information hasn’t been changed, deleted, or tampered with during storage or transmission.
- Authentication confirms the identities of the parties involved in communication. In other words, it’s about making sure you’re interacting with the right person or system, not an imposter.
Encryption vs. decryption
At the heart of cryptography are two key processes: encryption and decryption.
Encryption is like putting a lock around your data. It transforms readable information into unreadable gibberish (ciphertext), so that even if an unauthorized person were to gain access to it, it would be useless to them.
Decryption is the key. It reverses the process, taking the information that’s been scrambled into an unreadable format and converting it back into something that can be understood.
In most cryptographic systems, only the service provider (like an email provider or instant messaging service) and the intended recipient have the key to decrypt the data. Some systems go one step further: they prevent even the service provider from accessing the message. This is known as end-to-end encryption.
Types of cryptography and how they work
There are several types of cryptography, each with different strengths and use cases. Some focus on encrypting and decrypting data, while others help verify that information hasn’t been altered. Here’s how the main types work.
Symmetric key cryptography
In symmetric key cryptography, the same key is used to both encrypt and decrypt the data. It’s fast and efficient, since the process is simple and uses less computing power than asymmetric key cryptography. For this reason, it’s often used to encrypt large amounts of data, such as files, databases, or communications within a trusted network.
Since there’s only one key involved in the process, a secure key exchange mechanism is vital to ensure third parties can’t get hold of the key and gain unauthorized access to data.
AES is an example of a widely used symmetric algorithm. It’s trusted by security experts and is the basis of ExpressVPN’s encryption.
Asymmetric key cryptography
Asymmetric key cryptography (also known as public-key cryptography) uses two separate cryptographic keys: a public key that can be freely shared, and a private key that must be kept secret. In end-to-end encryption, the sender encrypts a message using the recipient’s public key, and only the recipient can decrypt it using their private key.
One of the key advantages of asymmetric key cryptography over symmetric key cryptography is that the decryption key doesn’t need to be shared.
Asymmetric encryption also enables authentication and integrity through something like a digital “seal” on a letter. When the sender digitally “seals” a message with their private key, it proves the message came from them (authentication) and shows that the message hasn’t been opened or changed since it was sealed (integrity). Anyone with the sender’s public key can check this seal to confirm both.
RSA and ECC (Elliptic Curve Cryptography) are two widely used asymmetric algorithms.
Hash functions
A hash function takes any piece of data and turns it into a fixed-length string of characters called a hash. It’s different from encryption because it’s a one-way process; once data is turned into a hash, it’s practically impossible to get the original data back.
Hashing is valuable for verifying data integrity and storing sensitive information like passwords securely. By comparing hashes, systems can quickly check if data has been altered or confirm a user’s password without exposing the actual password.
Popular hash functions include SHA-256 (Secure Hash Algorithm-256).
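The two uses of hashing described above, as an added example that is not part of the original article: a SHA-256 integrity check, and password verification that never stores the password itself. For passwords it uses a salted, deliberately slow derivation (PBKDF2-HMAC-SHA256) instead of a single SHA-256 pass, since a fast unsalted hash is cheap to guess against; the function names and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # illustrative work factor; tune for your hardware


def sha256_hex(data: bytes) -> str:
    """Fixed-length fingerprint: always 64 hex characters, whatever the input size."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """True only if the data still hashes to the published digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def bits_changed(a: bytes, b: bytes) -> int:
    """How many of the 256 digest bits differ between two inputs."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")


def hash_password(password: str, salt: bytes = None):
    """Return (salt, derived_key); only these two values are stored."""
    if salt is None:
        salt = secrets.token_bytes(16)  # unique per user, not secret
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, PBKDF2_ITERATIONS)
    return salt, key


def check_password(attempt: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive from the login attempt and compare in constant time."""
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(candidate, stored_key)


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    original = b"Transfer 100 to account 12345"
    tampered = b"Transfer 900 to account 12345"
    published = sha256_hex(original)
    print(verify_integrity(original, published))
    print(verify_integrity(tampered, published))
    print(bits_changed(original, tampered), "of 256 bits differ")

    salt, stored = hash_password("correct horse battery staple")
    print(check_password("correct horse battery staple", salt, stored))
    print(check_password("Correct horse battery staple", salt, stored))
```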
Cryptographic key management
No matter how strong an encryption method is, it only works if the cryptographic keys are handled properly. Cryptographic key management is the process of creating, storing, distributing, and eventually destroying these keys securely. Good key management ensures that only authorized people or systems can access the keys, preventing unauthorized use or theft.
Cryptographic algorithms
While cryptography relies on broad principles like symmetric and asymmetric encryption, in practice, security depends on the algorithms that implement those principles. Here's a quick overview of three of the most widely used cryptographic algorithms today.
- AES: AES is a fast and reliable symmetric encryption method that’s ideal for storing files, protecting hard drives, and securing internet traffic like VPN connections. It’s valued by banks, governments, and tech companies around the world for its strong security and high performance.
- RSA: RSA is a well-established asymmetric encryption method that’s widely used in digital signatures, secure email, and website encryption (e.g., HTTPS).
- ECC: ECC is a newer asymmetric encryption method that offers similar protection to RSA, but with much shorter keys. This makes it faster and more efficient, especially for smartphones, IoT devices, and other systems with limited processing power. ECC is increasingly replacing RSA in modern apps and platforms.
How cryptography is used in cybersecurity
Cryptography serves several key functions in cybersecurity, including:
- Data protection and privacy: Cryptography enhances data security by encrypting sensitive information, preventing unauthorized access, and ensuring personal details, financial data, and business secrets remain private and secure.
- Digital signatures and non-repudiation: Digital signatures use cryptographic keys to verify the authenticity of messages or documents, preventing the sender from denying their involvement (non-repudiation).
- Entity authentication and secure sessions: Cryptographic protocols confirm the identity of users or devices and establish secure communication channels, protecting against impersonation and eavesdropping.
- VPNs: VPNs like ExpressVPN use cryptography to create encrypted tunnels over public networks, allowing users to protect their data from third parties. Various VPN protocols, each with different encryption methods and security features, help ensure the strength and reliability of these connections.
- Emails and web security: Cryptography secures email communications and web traffic through encryption and protocols like Transport Layer Security (TLS) and Secure Sockets Layer (SSL), safeguarding information from interception and tampering.
Applications of cryptography in real life
Cryptography plays a crucial role in protecting sensitive information and enabling secure interactions across many important areas of everyday life, including:
- E-commerce and online banking: Cryptography safeguards financial transactions and personal information by encrypting data exchanged between customers and banks or online stores. Secure protocols like HTTPS rely on cryptographic methods to protect credit card details, login credentials, and purchase histories, ensuring privacy and preventing fraud.
- Military and government communication: Governments use cryptography to protect classified information and secure communication channels between military units, intelligence agencies, and diplomatic missions. Strong encryption helps prevent espionage, ensures message authenticity, and protects national security interests.
- Intellectual property and digital rights: Cryptographic techniques help protect digital content such as software, music, videos, and ebooks through digital rights management (DRM). Encryption controls access and usage rights, preventing unauthorized copying and distribution and thereby safeguarding creators’ intellectual property.
- Healthcare and secure patient data: Healthcare organizations rely on cryptography to secure sensitive patient records and comply with privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA). Encryption protects data both in storage and during transmission between doctors, hospitals, and insurance providers, maintaining patient confidentiality and preventing data breaches.
Standards and regulations for cryptography
Cryptography is essential to cybersecurity and digital infrastructure, so there are international standards and government regulations to help ensure encryption methods are secure, interoperable, and ready for future threats.
NIST guidelines and global standards
The U.S. National Institute of Standards and Technology (NIST) plays a central role in defining how cryptography is used to protect digital information. It led the selection process for AES and adopted widely used public-key methods like RSA into official standards. NIST’s leadership in cryptographic development is internationally recognized, and its open, vetted processes are trusted by both U.S. institutions and global partners.
Alongside NIST, international bodies like the International Organization for Standardization (ISO), the Internet Engineering Task Force (IETF), and the European Union Agency for Cybersecurity (ENISA) develop global standards that ensure cryptographic tools are interoperable and secure across borders and industries. These efforts help create consistent, reliable protections in an interconnected world.
Compliance in regulated industries
Industries that handle sensitive information, like banking, healthcare, and online identity, are legally required to protect that data using strong, standardized cryptographic methods. In the U.S., for example, healthcare providers must comply with HIPAA, financial institutions follow the Gramm-Leach-Bliley Act (GLBA), and government agencies are subject to the Federal Information Security Modernization Act (FISMA).
Organizations that fail to meet these requirements can face audits, fines, and other regulatory consequences.
Future-proofing against quantum threats
Quantum computers are a new technology that uses the principles of quantum physics to solve problems in fundamentally different ways than classical computers. Research has shown that a sufficiently powerful quantum computer could break widely used encryption methods like RSA and ECC.
Currently, there aren’t any quantum computers powerful enough to do this, but experts agree that it's only a matter of time. For this reason, NIST is leading the global effort to develop quantum-resistant algorithms. The first official standards were published in 2024, marking the start of a global transition toward post-quantum cryptography.
Governments, banks, and other organizations are now being encouraged to adopt post-quantum cryptography to prepare for future threats and ensure long-term data security.
ExpressVPN recently integrated the NIST-approved ML-KEM post-quantum standard into its own Lightway protocol, ensuring future-proof data security for its users.
Common myths about cryptography
Despite its critical role in security, cryptography is often misunderstood. Here are some common misconceptions.
Encryption is unbreakable
Technically, encryption has never been truly unbreakable. That said, modern encryption methods are designed so that cracking them with current technology would take an impractically long time, often in the millions or even billions of years. This makes them extremely secure for real-world use, as long as you’re using them correctly.
However, advancements like quantum computing mean cryptographic standards must continually evolve to maintain security against future threats.
Only cybercriminals use cryptography
Cryptography is a fundamental tool for protecting privacy and security, used every day by governments, businesses, and regular people alike. Your online banking, messaging apps, and even the websites you visit are all secured by cryptography. So far from being just a tool for criminals, it’s what keeps modern digital life safe.
Cryptography is the same as cybersecurity
Cybersecurity is a broad field that includes everything from securing networks and devices to managing user access, detecting threats, and responding to attacks. Cryptography is just one tool in the wider cybersecurity toolbox.
FAQ: Common questions about cryptography
How does cryptography protect data?
Cryptography protects data by converting it into an unreadable format that only authorized parties can decipher. This ensures that data remains safe and private, even if it’s intercepted or accessed by unauthorized users.
Is cryptography only used for encryption?
No, cryptography does much more than just encrypt data. It’s also used for authentication, digital signatures, secure key exchange, verifying data integrity, and more, all of which are functions essential for secure communication and online trust.
What is the difference between symmetric and asymmetric encryption?
Symmetric encryption uses the same key to encrypt and decrypt data. It’s fast and efficient, but it requires both parties to securely share the key in advance.
Asymmetric encryption uses a public key to encrypt and a private key to decrypt. The private key never has to be shared. This makes it more secure for communication over open networks, but it’s slower and more resource-intensive.
Are there any vulnerabilities in cryptographic systems?
Yes, cryptographic systems can be vulnerable if there are errors in the setup of the system. Poorly implemented encryption or misconfigured security settings can leave systems exposed. Also, emerging technologies like quantum computing could render some current cryptographic methods obsolete in the future.
Can cryptography be broken?
In theory, yes. But in practice, strong modern cryptography is extremely difficult to break using current technology. That said, future developments, like quantum computers, may demand new cryptographic solutions.