Cryptography is the science of securing information. From ancient ciphers to the algorithms protecting every online transaction today, it is the mathematical bedrock on which digital certificates, PKI, and all modern security are built.
At its core, cryptography is the practice of converting readable information (called plaintext) into an unreadable format (called ciphertext) so that only authorized parties can access it. The word itself comes from the Greek kryptós (hidden) and graphein (to write).
Cryptography is not new. Over two thousand years ago, Julius Caesar used a simple letter-substitution cipher to send military orders: each letter in his message was shifted by three positions in the alphabet. If intercepted, the message looked like gibberish. This technique, now called the Caesar cipher, is one of the earliest documented encryption methods.
Fast-forward to the twentieth century. During World War II, the German Enigma machine used electromechanical rotors to produce ciphertext that was considered unbreakable, until Alan Turing and his team at Bletchley Park found a way to crack it. That breakthrough shortened the war and demonstrated a truth that still holds today: cryptographic strength is always relative to the computational power available to an attacker.
Modern cryptography relies on mathematical problems that are easy to compute in one direction but practically impossible to reverse. When you visit a website over HTTPS, send an encrypted email, or sign a software update, cryptographic algorithms are working behind the scenes, authenticating identities, protecting data in transit, and ensuring nothing has been tampered with. Understanding how they work is the first step to understanding digital certificates, key pairs, and the entire public key infrastructure.
Modern encryption falls into two broad categories, each with distinct strengths and trade-offs. Most real-world systems, including TLS, use both together.
Symmetric encryption uses a single shared key for both encryption and decryption. Think of it as a lockbox with one key: both the sender and the receiver need a copy of the same key to lock and unlock the data.
The main advantage is speed. Symmetric algorithms like AES can process large volumes of data extremely quickly, which is why they are used to encrypt the bulk of traffic in a TLS session. The challenge is key distribution: how do you securely share the key with the other party in the first place? If the key is intercepted during transmission, all encrypted data is compromised.
Common algorithms: AES-128, AES-256, ChaCha20
Asymmetric encryption, also called public-key cryptography, uses a pair of mathematically related keys: a public key that anyone can know, and a private key that must remain secret. Data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa.
This solves the key distribution problem. You can freely share your public key (post it on a website, include it in a certificate) and anyone can use it to send you encrypted messages. Only you, holding the private key, can read them. The trade-off is performance: asymmetric operations are orders of magnitude slower than symmetric ones.
Common algorithms: RSA, Elliptic Curve Cryptography (ECC), Diffie-Hellman
In practice, the two approaches complement each other. During a TLS handshake, asymmetric cryptography is used to authenticate the server and securely exchange a temporary symmetric key. That symmetric key then encrypts the actual data flowing between client and server, combining the trust properties of asymmetric encryption with the speed of symmetric encryption.
Encryption protects confidentiality, keeping data secret. But cryptography also solves two other critical problems: integrity (has the data been altered?) and authenticity (who sent it?). That's where hash functions and digital signatures come in.
A hash function takes an input of any size and produces a fixed-length output, the hash or digest. Even a one-bit change in the input produces a completely different hash. This property makes hashes ideal for verifying data integrity.
Cryptographic hashes are one-way: you can easily compute the hash from the input, but it is computationally infeasible to reconstruct the original input from the hash. This is what makes them useful for password storage and data verification.
A digital signature is created by hashing a message and then encrypting the hash with the signer's private key. Anyone with the signer's public key can verify the signature, confirming both the identity of the signer and the integrity of the message.
Because only the holder of the private key can produce a valid signature, digital signatures provide non-repudiation: the signer cannot later deny having signed the document. This property is legally significant in many jurisdictions.
Digital signatures are at the heart of how digital certificates work. When a Certificate Authority issues a certificate, it signs the certificate data with its own private key. Any system that trusts the CA can verify that signature and, by extension, trust the certificate's contents.
Public Key Infrastructure is, at its foundation, an organized application of cryptography. Every component of PKI depends on the cryptographic primitives described above:
When a CA issues a certificate, it uses its private key to produce a digital signature over the certificate data. This signature binds the subject's identity to their public key in a tamper-evident way.
Browsers and operating systems verify certificates by checking the CA's digital signature using the CA's public key. If the signature is valid and the CA is trusted, the certificate, and the identity it represents, is accepted.
TLS uses the public key in a server's certificate to establish an encrypted session. Asymmetric cryptography negotiates a shared secret; symmetric cryptography encrypts the data stream. Without cryptography, there is no TLS.
The entire chain of trust, from root CA to intermediate CA to end-entity certificate, is held together by nested digital signatures. Each link in the chain is a cryptographic assertion of trust.
This is why cryptographic choices matter so much in a PKI context. The algorithm used to sign a certificate, the key length chosen for a key pair, and the hash function embedded in a digital signature all directly determine how long that certificate remains secure. As computational power grows, and especially as quantum computing advances, organizations need the ability to migrate to stronger algorithms without disrupting operations.
You don't need to understand the underlying mathematics to work with PKI, but familiarity with the most common algorithms helps you make informed decisions about key lengths, certificate policies, and future-readiness.
The most widely deployed asymmetric algorithm. RSA's security rests on the difficulty of factoring very large numbers. Key sizes of 2048 bits are the current minimum; 4096 bits provide a greater margin. RSA is used for digital signatures and key exchange in certificates and TLS.
ECC achieves the same level of security as RSA with much shorter key lengths. A 256-bit ECC key provides roughly equivalent security to a 3072-bit RSA key. This means smaller certificates, faster handshakes, and less computational overhead, making ECC increasingly popular for TLS and IoT device certificates.
The global standard for symmetric encryption, adopted by NIST in 2001. AES supports key sizes of 128, 192, and 256 bits. It is the algorithm that encrypts the bulk of data in a TLS session after the initial handshake. AES-256 is widely considered secure against foreseeable advances, including quantum computing.
Part of the SHA-2 family, SHA-256 produces a 256-bit hash and is the standard hash function used in digital certificates today. It replaced the older SHA-1 algorithm, which was found to be vulnerable to collision attacks. When you see "SHA256withRSA" or "SHA256withECDSA" in a certificate's signature algorithm field, SHA-256 is the hash function being used.
The choice of algorithm is not permanent. As threats evolve, particularly the looming threat of quantum computers capable of breaking RSA and ECC, organizations need crypto-agility: the ability to transition to new algorithms (such as post-quantum lattice-based schemes) across their entire certificate estate without causing outages. This is one of the most pressing challenges in PKI today, and it is covered in depth in the chapter on crypto-agility and post-quantum cryptography.
Full algorithm visibility: Evertrust CLM discovers every certificate across your infrastructure and inventories the algorithms and key lengths in use, so you know exactly where RSA-2048, ECC P-256, or legacy algorithms are deployed.
Policy enforcement: Define organizational rules on minimum key lengths, approved algorithms, and hash functions. Evertrust flags non-compliant certificates automatically, preventing weak cryptography from reaching production.
Crypto-agility ready: When the time comes to migrate from RSA to ECC, or from classical to post-quantum algorithms, Evertrust PKI lets you re-issue certificates at scale with new algorithms, across all your CAs and environments.
Compliance reporting: Generate audit-ready reports showing which cryptographic standards are in use across your certificate estate, essential for meeting regulatory requirements like eIDAS, NIS2, and DORA.
