Cryptography: The Key to Digital Security, How It Works, and Why It Matters

People hear about cryptography in so many ways without actually understanding what it does. Cryptocurrencies, hacking, quantum computers breaking encryption, end to end encrypted messaging. But what is all of the fuss about, how does cryptography actually work, and how does it protect you? Keith Martin, a professor of information security at Royal Holloway in London, wrote Cryptography: The Key to Digital Security, How It Works, and Why It Matters to answer those questions for non-technical readers, and he does a great job of it.

The thing that makes the book work is that Martin does not try to explain cryptography from the lens of a computer scientist. Instead, he leans on analogies that anyone can follow.

He starts with an analogy for symmetric and asymmetric encryption built around the idea of sending physical mail securely. Symmetric encryption is like if you and the person you are writing to both have copies of the same key to a safe, and you mail the safe back and forth with your messages inside. Both parties can lock and unlock it because they share the key. The problem is, how do you get that shared key to the other person in the first place without anyone intercepting it? That is where asymmetric encryption comes in. Asymmetric encryption is like if you mail someone an open safe that locks shut once they close it, and only you have the combination to open it again. They can put a message inside, slam it shut, and send it back, and only you can ever open it. You never had to share the combination. The trick is that asymmetric encryption is slow and computationally expensive, so in practice it is used to safely send a one-time symmetric key, and then the rest of the conversation uses symmetric encryption to actually move data.

The other important aspect of secure data transmission is making sure the message has not been tampered with along the way. The metaphor Martin uses for this concept is a tamper-evident seal on a package, like the foil seal on a bottle of medicine. The seal does not encrypt anything. It just lets the recipient see at a glance whether the package was opened in transit. Hash functions are the digital version of that seal. A hash function takes any input and produces a short fixed length fingerprint of it. If even a single bit of the input changes, the fingerprint (hash output) changes completely. The sender uses the message to compute a fingerprint (hash) of it and sends that fingerprint along with the message itself. The receiver computes their own fingerprint (hash) and checks whether they are the same. If they match, the message is intact. If they do not, the seal is broken and you know something has been altered. The way modern systems make this attacker-proof is a protocol called HMAC, which mixes a shared secret into the fingerprint so a forger cannot just compute a new fingerprint to cover their tracks. The standard hash algorithm in widespread use today is SHA-256.

The big practical takeaway from the book is something I think everyone should hear. Do not create your own cryptography. Use the well-studied, battle-tested algorithms that the world’s best cryptographers have spent decades trying and failing to break. For symmetric encryption that is AES. For asymmetric encryption that is RSA or ECC. For hashing and integrity that is SHA-256 with HMAC. These are not perfect, but they are as close as we have, and any homegrown algorithm you come up with is overwhelmingly likely to be much worse. The history of broken encryption schemes is littered with smart people who thought they could do better.

The book is very well written and surprisingly easy to follow even if you do not have a technical background. One of the most important things Martin gets across is that almost every real world security failure has nothing to do with the algorithms themselves. AES has never been meaningfully broken. RSA with appropriate key sizes is solid (although RSA may soon be cracked by quantum via Shor’s algorithm). The vulnerabilities come from somewhere else entirely. You reuse passwords across sites. You connect to a sketchy public wifi. You click a phishing link that captures your credentials. You leave your phone unlocked. The crypto is doing its job. The humans are the weak link.

If you have ever wondered what is actually happening when you see the little lock icon in your browser, or how your messages stay private even though they travel across networks owned by total strangers, whether quantum computers are going to break all of this someday, or what WhatsApp means when it says end-to-end encryption, this is the book for you. You will come out of it with a working mental model of how digital security actually works and a much better sense of what to worry about and what not to.