Cryptography
Cryptography is the science of encrypting and securing information using symmetric and asymmetric methods as well as hash functions, in order to ensure the confidentiality, integrity and authenticity of data.
Cryptography comprises the mathematical methods used to transform information so that only authorised parties can read it or verify its authenticity. It serves the classic protection goals of information security: confidentiality (secrecy), integrity (freedom from tampering), authenticity (proof of origin) and non-repudiation. Three fundamental building blocks are distinguished: symmetric encryption, asymmetric encryption and cryptographic hash functions.
In symmetric encryption, sender and recipient use the same secret key to encrypt and decrypt; established methods such as AES (Advanced Encryption Standard) are highly performant and well suited to large volumes of data, but require a secure channel for exchanging the key. Asymmetric methods (public-key cryptography) such as RSA or elliptic curves (ECC) use a key pair consisting of a public and a private key; they solve the key-exchange problem and enable digital signatures, but are more computationally intensive. In practice both are combined (hybrid encryption), for example in TLS, where a symmetric session key is negotiated asymmetrically.
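The hybrid pattern just described, as an added example that is not part of the original entry: two parties agree a shared secret with X25519 (the asymmetric step), turn it into an AES-256 key, and then protect a record with AES-GCM (the symmetric step). It uses only Go's standard library; the context label, the associated-data string and the SHA-256-as-KDF shortcut are constructed for illustration, where TLS 1.3 would use HKDF over the handshake transcript and would authenticate the public keys with certificates.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SessionKey is the asymmetric step: X25519 ECDH with the peer's public key,
// then SHA-256 over a context label and the shared secret as a simple KDF.
func SessionKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("hybrid-example-v1 session key")) // constructed context label
	h.Write(shared)
	return h.Sum(nil), nil // 32 bytes, which selects AES-256 below
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the symmetric step: AES-256-GCM with a fresh random 96-bit nonce.
// Output layout is nonce || ciphertext || 16-byte authentication tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; it fails if ciphertext, tag or associated data changed.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Exchange runs the whole hybrid flow: client and server generate ephemeral key
// pairs, swap public values, derive the same session key and protect one record.
// It returns the recovered plaintext and whether a corrupted copy was rejected.
func Exchange(msg string) (string, bool, error) {
	curve := ecdh.X25519()
	client, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return "", false, err
	}
	server, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return "", false, err
	}
	clientKey, err := SessionKey(client, server.PublicKey().Bytes())
	if err != nil {
		return "", false, err
	}
	serverKey, err := SessionKey(server, client.PublicKey().Bytes())
	if err != nil {
		return "", false, err
	}
	aad := []byte("record-header") // constructed associated data
	sealed, err := Seal(clientKey, []byte(msg), aad)
	if err != nil {
		return "", false, err
	}
	plain, err := Open(serverKey, sealed, aad)
	if err != nil {
		return "", false, err
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt the last tag byte
	_, tamperErr := Open(serverKey, tampered, aad)
	return string(plain), tamperErr != nil, nil
}
```

The asymmetric work happens once per session in `SessionKey`; every record afterwards costs only a symmetric AES-GCM operation, which is why the combination is used for bulk traffic. The tamper test at the end shows the integrity property of an authenticated cipher: a single flipped byte makes `Open` return an error instead of garbled plaintext.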
Cryptographic hash functions such as SHA-256 map input of any length to a fixed-length digest that cannot practically be inverted, thereby protecting the integrity of data, serving as the basis for digital signatures and enabling the secure storage of passwords (with a salt and dedicated methods such as bcrypt or Argon2). For regulated organisations, cryptography is a central technical and organisational safeguard: it is explicitly required as a risk-treatment measure under the NIS2 Directive and the German IT Security Act, and is at the same time a recognised technical and organisational measure for protecting personal data under the GDPR. What matters is the use of current algorithms and key lengths regarded as secure, in line with the technical guidelines of the German Federal Office for Information Security (BSI).
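The two hash-function uses named above, an integrity checksum and salted password storage, as an added example that is not part of the original entry. It uses Go's standard library only; because bcrypt and Argon2 are not in the standard library, the slow, salted derivation is a hand-written PBKDF2-HMAC-SHA256 standing in for them, and the 16-byte salt size and 100,000 iterations are constructed choices for the example rather than a recommendation from the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
)

// Checksum returns the hex SHA-256 digest of data: a fixed 32-byte, one-way
// fingerprint that changes completely if any bit of the input changes.
func Checksum(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// pbkdf2SHA256 is a hand-written PBKDF2-HMAC-SHA256 (RFC 8018 section 5.2),
// used here as a stdlib-only stand-in for bcrypt or Argon2: a per-entry salt
// plus a deliberately slow, iterated derivation.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	out := make([]byte, 0, keyLen+hashLen)
	ctr := make([]byte, 4)
	for block := uint32(1); len(out) < keyLen; block++ {
		// U1 = PRF(salt || INT(block)); T = U1 xor U2 xor ... xor Uc
		binary.BigEndian.PutUint32(ctr, block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// StoredPassword is what the database holds instead of the password itself.
// The parameters are stored with the hash so they can be raised later.
type StoredPassword struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

const defaultIterations = 100_000 // constructed choice for this example

// HashPassword draws a random 16-byte salt and derives a 32-byte verifier.
func HashPassword(password string) (StoredPassword, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	return StoredPassword{
		Salt:       salt,
		Iterations: defaultIterations,
		Hash:       pbkdf2SHA256([]byte(password), salt, defaultIterations, 32),
	}, nil
}

// VerifyPassword repeats the derivation with the stored salt and parameters and
// compares in constant time, so the comparison itself leaks nothing.
func VerifyPassword(password string, stored StoredPassword) bool {
	candidate := pbkdf2SHA256([]byte(password), stored.Salt, stored.Iterations, len(stored.Hash))
	return subtle.ConstantTimeCompare(candidate, stored.Hash) == 1
}
```

The salt is what makes two users with the same password produce different stored hashes, and the iteration count is what makes each guess expensive; a plain `Checksum` of a password would give neither property, which is why the entry names bcrypt and Argon2 rather than bare SHA-256 for this purpose.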
Legal Basis
Art. 21(2)(h) NIS2 Directive (EU) 2022/2555 (cryptography and encryption); Art. 32(1)(a) GDPR (encryption of personal data); ISO/IEC 27001 Annex A 8.24 (use of cryptography); BSI TR-02102 (cryptographic mechanisms)
Practical Example
The information security officer of a mid-sized mechanical engineering firm defines in the cryptography policy which methods are approved within the company: laptop hard drives are fully encrypted with AES-256, email traffic with business partners is signed and encrypted via S/MIME certificates, and the customer portal uses TLS 1.3 exclusively. During the annual review she checks against BSI TR-02102 whether the algorithms and key lengths in use are still considered secure, has outdated TLS versions disabled, and documents key management as evidence for the upcoming ISO 27001 audit.