
Encryption vs. cryptography: What's the difference (and why does it matter?)
Encryption keeps data safe from prying eyes. But what about cryptography? Is this just another name for the same concept?
Not quite. While these terms are often used interchangeably, they're not identical. Here's a look at what each term means in practice, how they're used in cybersecurity and why the difference matters.
What is encryption?
Encryption converts readable information into unreadable information using a key. Readable information is also known as plaintext, while unreadable information is called ciphertext. Once data is encrypted, it is effectively "locked" — only someone with the right key can open the lock and decrypt the data.
Here's an example.
Bob wants to send Susan an email update about the sensitive project they're working on. His message is simple: "Stage 1 is complete." If he sends this message without encryption, it's possible for attackers to digitally eavesdrop on the conversation and read his message.
Encryption changes Bob's message into what seems like gibberish. Using an encryption key, the message now says: "2gnew Ln aog noaglss." It's worth noting that the ciphertext does not need to be the same length as the original. Susan receives the message and, using her decryption key, converts it back into plaintext.
There are two common approaches to encryption: symmetrical and asymmetrical.
In symmetrical encryption, the key to encode and decode messages is the same. This means it must always be kept private. Symmetrical encryption is simple and fast, but it carries risk if keys are accidentally leaked or stolen.
In asymmetrical encryption, two different keys are used. A public key is used to encrypt data. This key can be freely shared since its only purpose is to convert plaintext into ciphertext. Private keys are used to decrypt data and must be kept secret.
One of the most common symmetric frameworks is the Advanced Encryption Standard (AES), which uses three different key lengths: 128, 192 and 256 bits. The more bits, the more difficult the key is to crack. In theory, a 256-bit key would take millions of years for a computer to crack.
What is cryptography?
Cryptography is the field of study that deals with secure communication. It covers three broad areas: confidentiality, integrity and authentication.
Confidentiality: This aspect of cryptography focuses on obfuscating the contents of a message. Encryption falls under this heading.
Integrity: Data integrity ensures that original messages remain unchanged. This is accomplished by protecting the message itself from tampering or modification. In practice, it could take the form of protected business networks or virtual private networks (VPNs) that prevent digital eavesdropping.
Authentication: Authentication is about identity. Is the sender of the message who they say they are? Is the person trying to access the message the intended recipient? On the sender side, advanced email protection tools use AI algorithms to detect and eliminate potential threats. On the receiver side, solutions such as multifactor authentication (MFA) can help verify user identities.
How do they impact cybersecurity?
Without effective encryption, companies can lose financial, intellectual and personal data.
Consider the recent leak of more than 184 million user login credentials. Stored in a publicly available database, the credentials cover everything from Google and Apple logins to those for government services and video game platforms.
The common thread? No encryption. Once inside the database — which itself was not password-protected — there was nothing to stop cybercriminals from taking what they wanted and using it to compromise accounts. Thankfully, the data leak was found by security researchers before malicious actors could access it, and the database is now offline.
Even if the database had been encrypted, however, this wouldn't guarantee security. As technologies evolve, attackers become more adept at finding and exploiting flaws in encryption processes. For example, older methods such as the Data Encryption Standard use smaller key lengths that make them vulnerable to attackers.
Cryptography research helps discover and test new encryption methods. For example, NIST recently released its first set of quantum-resistant encryption algorithms. This comes in response to the rapid evolution of quantum computers, which may be able to reduce the time required to break current standards such as AES-256.
Why does the difference matter?
Given the overlap between encryption and cryptography, it's no surprise that the terms are often conflated. In general, this has minimal impact on the outcome of cybersecurity. As long as data is protected, the terminology is less important.
Where the difference matters is in the development of new solutions and security techniques. While encryption is a key component of effective defense, it is only one part of a larger whole. Alone, it keeps attackers from accessing sensitive data, but it doesn't address issues with integrity or authenticity.
For companies, encryption acts as the first line of defense: Even if data is stolen, it remains unusable. Integrity and authentication, meanwhile, help create a holistic approach to cybersecurity that reduces total risk.
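To make the point about encryption alone concrete, here is an added example (not part of the original article) in which Bob's message is altered in transit without any key, and an integrity tag (encrypt-then-MAC) is what catches the change. The keystream cipher is a standard-library stand-in for a mode such as AES-CTR, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for AES-CTR): XOR with an HMAC-SHA256 keystream."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_unchecked(enc_key: bytes, sealed: bytes) -> bytes:
    """Confidentiality only: decrypts whatever arrives and ignores the tag."""
    return keystream_xor(enc_key, sealed[:16], sealed[16:-32])

def open_checked(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time before decrypting."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return keystream_xor(enc_key, nonce, ct)

def tamper(sealed: bytes, offset: int, old: int, new: int) -> bytes:
    """Change one plaintext byte by editing the ciphertext; no key is involved."""
    buf = bytearray(sealed)
    buf[16 + offset] ^= old ^ new
    return bytes(buf)

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # constructed sample keys
    message = b"Stage 1 is complete."                  # Bob's message from the article
    sealed = seal(enc_key, mac_key, message)
    forged = tamper(sealed, 6, ord("1"), ord("2"))     # byte 6 is the "1"
    unchecked = open_unchecked(enc_key, forged)        # decrypts to altered text
    try:
        open_checked(enc_key, mac_key, forged)
        rejected = False
    except ValueError:
        rejected = True
    return unchecked, rejected, open_checked(enc_key, mac_key, sealed)
```

In production the same property comes from an authenticated mode such as AES-GCM, which combines the encryption and the integrity tag in one operation.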
