Cloud Security

Fundamental Cloud Security Concepts Part 3 – Encryption and Cryptography

One of the important tools at our disposal for ensuring that confidentiality of data can be maintained is Encryption. This post discusses encryption and related topics such as Hashing and Tokenization.

Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. Cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Encryption includes the source message (also known as clear-text), the encryption algorithm (see examples below) and an encryption key which when applied to the source message, generate the ciphertext.

There are many different encryption algorithms which generally fall into two main categories – Symmetric and Asymmetric.

Symmetric Encryption

When using symmetric encryption, both the sender and receiver use the same encryption key for both encryption (from clear-text to ciphertext) and decryption process (from ciphertext to the original clear-text).

Advantages of using symmetric encryption:

  • Offers confidentiality
  • Offers integrity of data
  • Speed of encrypt/decrypt process
  • Less computer resources required for encrypt/decrypt process

Disadvantages of using symmetric encryption:

  • Symmetric encryption cannot be used for non-repudiation purpose
  • Need to secure the channel for exchanging the encryption key between the sender and the receiver
  • Need to manage a lot of encryption keys (new key for each communication channel between a sender and a receiver)

Common use case for symmetric encryption:

  • A teacher and a student exchange emails regarding sensitive research data (with healthcare information). The entire communication between them is encrypted using SSL/TLS protocol

The following are examples of common symmetric algorithms:

  • AES (Advanced Encryption Standard)

  • 3DES (Triple DES)

Asymmetric encryption

With asymmetric encryption (also known as public key encryption – PKI), public keys are used to encrypt messages and private keys to decrypt messages.

Advantages of using asymmetric encryption:

  • Offers message authentication using digital signatures
  • Allows non-repudiation
  • Detect tampering using digital signatures

Disadvantages of using asymmetric encryption:

  • Slow process for encryption/decryption
  • Its public keys are not authenticated
  • Losing the private key will prevent the message from being decrypted

Common use case for asymmetric encryption:

  • A student submits homework through a university-secured web site. The student is using the teacher’s public key in order to encrypt the document. The teacher uses his or her private key in order to decrypt the homework and validate that the document submitted by the student was not changed/altered

The following are examples of common asymmetric algorithms:

  • RSA (Rivest, Shamir, Adleman)

  • ECC (Elliptic-curve cryptography)

Cryptographic Hash Function

This is a one-way mathematical function which takes a string of any size and produces a bit string of a fixed size. Cryptographic hash functions are commonly used to store passwords in an irreversible form and identify files using checksum.

Common use case of hash:

  • A genomic database stores genome sequence as hash table, for easier searching after a specific genome sequence

The following are examples of common hash functions: SHA-2 (Secure Hash Algorithm 2)

  • SHA-3 (Secure Hash Algorithm 3)


Tokenization is an alternative to encryption for protecting the confidentiality of data. Tokenization substitutes sensitive information with non-sensitive information. Tokenization is commonly used to store credit card information in a database or storing PII (such as social security numbers)

Common use case for tokenization:

  • A student logs on to the university website and uses his credit card number to pay for his studies in the coming semester. His credit card numbers are stored in the university database using tokenized form in-order to avoid breach of sensitive data. The tokenized numbers are then compared against the credit card company to make sure the credit details are valid in order to complete the payment process.


About the author

Eyal Estrin, cloud architect.


Skip to content