5.3 Protecting Stored Data with Cryptography

Unit 5 — Securing Applications and Data | Topic 5.3

Protecting Stored Data with Cryptography

Encryption fundamentals, symmetric vs. asymmetric, block vs. stream ciphers, AES, and OpenSSL commands.

Lesson 3 of 6~40 minLO 5.3.A – 5.3.BSkills: Mitigate Risk
★ AP Exam Focus — Topic 5.3

• Know the four vocabulary terms: plaintext (input), ciphertext (output), key (parameter), keyspace (2n for an n-bit key)

• Distinguish symmetric (one shared key) from asymmetric (public/private key pair) — this distinction appears in 5.3 AND 5.4

• Distinguish block cipher (fixed-size chunks; AES) from stream cipher (continuous, one element at a time)

• Know AES: symmetric block cipher, ALWAYS 128-bit blocks, key lengths 128/192/256 — longer key = more security but slower

• Interpret OpenSSL AES commands: -e=encrypt, -d=decrypt, -in=input file, -out=output file, -k=passphrase

• Brute-force average = 2n-1 guesses for an n-bit key (half the keyspace on average)

• Key-length comparisons are ONLY valid within the same algorithm (AES-128 vs AES-256: valid; AES-128 vs RSA-2048: invalid)

College Board Essential Knowledge Coverage

Topic 5.3 — What Is Testable

CED Ref Essential Knowledge Covered In
5.3.A.1 Cryptography hides information. Encryption converts plaintext to ciphertext; decryption reverses it. Section 2 — Core Vocabulary
5.3.A.2 An encryption algorithm combines plaintext with a key to produce ciphertext; the key is required to decrypt. Section 2 — Core Vocabulary
5.3.A.3 Keyspace = total possible keys; an n-bit key has keyspace 2n; larger keyspace = harder brute force. Section 2 — Keyspace
5.3.A.4 Symmetric: same key for encrypt and decrypt. Asymmetric: two different keys (public + private). Section 2 — Symmetric vs Asymmetric
5.3.A.5 Block cipher: fixed-size chunks (AES uses 128-bit blocks). Stream cipher: continuous, one element at a time. Section 3 — Block vs Stream
5.3.B.1 AES is the most common symmetric algorithm; used for Wi-Fi, HTTPS, file encryption, hardware encryption. Section 3 — AES
5.3.B.2 AES: symmetric key block cipher; always 128-bit blocks; key lengths 128, 192, or 256 bits; longer = more secure but slower. Section 3 — AES Properties
5.3.B.3 Symmetric encryption/decryption: command-line (OpenSSL), specialized software (AES Crypt), or web tools. Section 3 — Tools
5.3.B.4 OpenSSL AES encrypt: openssl enc -aes-128-cbc -e -in test -k password -out test.enc; decrypt: replace -e with -d, swap -in/-out files. Section 3 — OpenSSL Commands
♡ Bellringer — 3 Questions, 5 Minutes

Answer independently. No notes.

  1. An encryption algorithm uses a 3-bit key. List all possible keys. How many guesses does an adversary need on average to find the correct key by brute force?
  2. A company encrypts backup files using AES and the same key used to restore them. A friend sends a message encrypted using two different keys — one to encrypt and a different one to decrypt. Which is symmetric and which is asymmetric? What is the key-sharing problem with symmetric encryption?
  3. An administrator runs: openssl enc -aes-128-cbc -e -in payroll.csv -k secretkey -out payroll.enc. Write the command that decrypts payroll.enc back to a file named payroll_restored.csv.

Q1: 3-bit key: 000,001,010,011,100,101,110,111 = 8 possible keys (23=8). On average the adversary finds the key after 23/2 = 22 = 4 guesses (halfway through the keyspace).

Q2: The company backup is symmetric (same key). The friend's message is asymmetric (different keys). Key-sharing problem: both parties must have the same key before communicating; transmitting the key over an insecure channel risks interception.

Q3: openssl enc -aes-128-cbc -d -in payroll.enc -k secretkey -out payroll_restored.csv. Change -e to -d, swap -in and -out file names.

1 5.3.1 — Learning Objectives

  • Define plaintext, ciphertext, key, and keyspace; calculate keyspace size (2n) and average brute-force guesses (2n-1) for an n-bit key (5.3.A)
  • Distinguish symmetric from asymmetric encryption and block ciphers from stream ciphers (5.3.A)
  • Describe AES properties: symmetric, block cipher, 128-bit block size, key lengths 128/192/256, trade-off between key length and performance (5.3.B)
  • Interpret and write OpenSSL AES encrypt/decrypt commands (5.3.B.4)
Key Terms
Plaintext
The original, readable data before encryption is applied.
Ciphertext
The encrypted, unreadable output produced by the encryption algorithm.
Key
The secret parameter that controls how the algorithm encrypts and decrypts data.
Keyspace
The total set of possible keys. An n-bit key has a keyspace of 2n.
Symmetric encryption
Uses the same key for both encryption and decryption.
Asymmetric encryption
Uses a key pair: one key to encrypt, the other (its inverse) to decrypt.
Block cipher
Encrypts data in fixed-size chunks. AES uses 128-bit blocks.
Stream cipher
Encrypts data continuously, one element at a time.
AES
Advanced Encryption Standard. Symmetric block cipher; 128-bit blocks; key lengths 128/192/256 bits.

2 5.3.2 — Core Cryptography Vocabulary (5.3.A)

The purpose of cryptography is to hide information. An encryption algorithm defines a process for combining the information to be encrypted (plaintext) with a key to produce an unreadable output (ciphertext). Decryption reverses this: given the ciphertext and the correct key, the algorithm recovers the original plaintext.

Four Core Terms
  • Plaintext: The original readable data. Input to the encryption algorithm.
  • Ciphertext: The unreadable encrypted output. Cannot be read without the correct key.
  • Key: The secret parameter that controls the encryption. Without it, decryption is not feasible.
  • Keyspace: The total number of possible keys. An n-bit key has a keyspace of 2n. Larger keyspace = adversary must try more keys to find the correct one by brute force.

Brute-force average: On average, an adversary finds the correct key after testing 2n−1 keys (halfway through the keyspace). A 128-bit key requires an average of 2127 ≈ 1.7 × 1038 guesses — infeasible with any foreseeable technology.

Two Classification Axes

Axis Type 1 Type 2
Number of keys Symmetric — one shared key for both encrypt and decrypt. Fast. Key-sharing problem. Asymmetric — public key + private key. No pre-shared secret needed. Slower.
Processing method Block cipher — data divided into fixed-size chunks; each block encrypted independently Stream cipher — data processed continuously, one element at a time
AP Exam Tip: Key-Length Comparison Rule

Key-length comparisons are ONLY valid within the same algorithm. AES-128 vs AES-256: valid comparison. AES-128 vs RSA-2048: invalid comparison — they are fundamentally different algorithms with different mathematical structures. The CED states this explicitly in 5.4.B.5.

3 5.3.3 — AES and Symmetric Encryption (5.3.B)

The Advanced Encryption Standard (AES) is the dominant symmetric encryption algorithm. It is used everywhere: WPA2/WPA3 Wi-Fi, HTTPS web browsing, BitLocker and FileVault disk encryption, and hardware-level encryption on modern processors.

Property AES Value
Encryption type Symmetric (one key for both encrypt and decrypt)
Cipher type Block cipher
Block size 128 bits (16 bytes) — ALWAYS fixed, regardless of key length
Key lengths 128, 192, or 256 bits (your choice)
Trade-off Longer key = larger keyspace = more secure; also requires more processing time
AES Block Size vs Key Length — Common Confusion

The block size is ALWAYS 128 bits. This does not change when you use AES-128, AES-192, or AES-256. Only the key length changes. Students frequently confuse block size with key length — they are different properties.

AES-128 keyspace: 2128
AES-256 keyspace: 2256 = (2128)2 — the 256-bit keyspace is 2128 times larger than the 128-bit keyspace, not just twice as large.

4 5.3.4 — OpenSSL Commands (5.3.B.4)

OpenSSL is a command-line cryptography toolkit. For the AP exam, know what each flag means and be able to distinguish encryption from decryption commands.

OpenSSL AES Commands (5.3.B.4 — CED Exact)
# ENCRYPT a file named "test" using AES-128-CBC
openssl enc -aes-128-cbc -e -in test -k password -out test.enc

# DECRYPT the encrypted file back to plaintext
openssl enc -aes-128-cbc -d -in test.enc -k password -out text

Flag meanings:

  • enc — use the OpenSSL encryption command
  • -aes-128-cbc — algorithm: AES with 128-bit key in CBC mode
  • -e — ENCRYPT (produce ciphertext)
  • -d — DECRYPT (recover plaintext)
  • -in [file] — input file (plaintext when encrypting; ciphertext when decrypting)
  • -k [passphrase] — passphrase (OpenSSL derives the actual key from this)
  • -out [file] — output file (ciphertext when encrypting; plaintext when decrypting)
AP Free-Response Connection

The AP FRQ may provide an OpenSSL command and ask: (1) Is this encrypting or decrypting? (Look at -e vs -d.) (2) What is the input file? (-in) (3) What file is produced? (-out) (4) What algorithm is used? (the flag after enc) Master these four questions and no OpenSSL item will slow you down.

Check for Understanding — Topic 5.3

1. An encryption algorithm uses a 4-bit key. What is the keyspace size, and on average how many guesses will an adversary need to find the correct key by brute force?

2. A developer says: "We use the same key to lock and unlock our backup files." A security researcher says: "I send messages using the recipient's public key, which only their private key can unlock." Which classification correctly identifies both systems?

3. An analyst examines this command: openssl enc -aes-128-cbc -d -in backup.enc -k restore99 -out backup_plain.txt. What does this command do?

4. Which of the following is a TRUE statement about AES?

5. A company's cryptography policy requires symmetric encryption with a minimum 128-bit key for all data at rest. A developer encrypts files using AES-256. Is this compliant, and why?

6. An adversary intercepts an AES-256 encrypted database backup. They have access to a supercomputer capable of testing 1015 keys per second. The keyspace of AES-256 is approximately 1.16 × 1077. On average, how many seconds would an exhaustive search take?

7. A security team debates key length. Engineer A: "AES-128 is fast and AES-128's keyspace (2128) is already beyond any realistic brute force attack." Engineer B: "AES-256 provides stronger security because its keyspace (2256) is exponentially larger." Which engineers' claims are accurate?

8. What is the fundamental limitation of symmetric encryption that motivates the use of asymmetric encryption?

9. A developer comments: "I can compare AES-256 to RSA-2048 and say AES-256 is more secure because 256 > 2048 is false, so RSA is stronger since 2048 > 256." Which statement BEST evaluates this reasoning?

10. Which of the following OpenSSL commands correctly encrypts a file named grades.csv using AES-128-CBC with the passphrase teacher2026 and saves the output to grades.enc?

Score:

⚠ Common AP Exam Mistakes — Topic 5.3

Common Mistake Why It's Wrong Correct Thinking
Saying AES block size varies with key length AES always uses 128-bit blocks. The key length varies (128/192/256); the block size does not. Many students think AES-256 uses 256-bit blocks. AES block = 128 bits always. Key length is separate from block size. Only the key length changes between AES-128/192/256.
Treating doubling key length as doubling security Going from 128 to 256 bits does not double the keyspace; it squares it. 2256 = (2128)2. The improvement is exponential, not linear. Security improvement from longer keys is exponential. Doubling key length squares the keyspace. This is a massive, not modest, improvement.
Cross-algorithm key comparisons Students compare AES-128 to RSA-2048 and conclude RSA is stronger because 2048 > 128. This is explicitly wrong — key lengths can only be compared within the same algorithm. Key-length comparison rule: same algorithm only. AES-128 vs AES-256: valid. AES-128 vs RSA-2048: invalid. The CED states this explicitly.
Confusing -e and -d in OpenSSL The -e flag encrypts (plaintext in, ciphertext out). The -d flag decrypts (ciphertext in, plaintext out). Students frequently reverse them. Remember: -e = encrypt. -d = decrypt. The input and output files also swap: when decrypting, the ciphertext file is -in and the plaintext file is -out.
Saying plaintext = simple or unimportant text Plaintext in cryptography just means unencrypted data — it is the input to the encryption algorithm. A TOP SECRET document is plaintext until encrypted. The "plain" refers to the absence of encryption, not the content's sensitivity. Plaintext = pre-encryption input, regardless of sensitivity. Ciphertext = post-encryption output. These are state descriptors, not content descriptors.

8 5.3.7 — Key Terms & FAQ

Frequently Asked Questions

Q: Can I encrypt data while it is in use?
A: No. A CPU must have plaintext to process data. Encryption must be reversed (decrypted) before data can be computed with. This is why data in use is protected by access controls, not encryption.

Q: If AES-128 is already computationally infeasible to brute-force, why use AES-256?
A: Two reasons: (1) Computational power increases over time. Key-length recommendations are periodically increased as hardware improves. AES-256 provides a much larger safety margin for data that must remain secret for decades. (2) Some algorithms may have mathematical weaknesses discovered in the future. Larger keys provide defense in depth.

Q: What is CBC mode in -aes-128-cbc?
A: CBC (Cipher Block Chaining) mode chains each ciphertext block to the previous one, so identical plaintext blocks produce different ciphertext. This prevents an adversary from detecting patterns in the encrypted data. The AP CED does not require you to know the details of CBC — just recognize it as a common AES operating mode.

Q: Is the passphrase in -k password the actual encryption key?
A: No. OpenSSL derives the actual 128-bit key from the passphrase using a key derivation function. The passphrase is a human-readable input; the algorithm converts it to the fixed-length key the cipher requires. The security of the encryption depends on the passphrase being kept secret.

📋 Exit Ticket — Topic 5.3 | 5 Questions | Ready for Canvas / Google Classroom

Students submit before leaving.

  1. Define all four core cryptography terms: plaintext, ciphertext, key, and keyspace. For a 128-bit key, state the keyspace size and the average number of brute-force guesses required to find the correct key. (AP Skill: Define Concepts)
  2. An administrator runs: openssl enc -aes-128-cbc -e -in records.db -k vault2026 -out records.enc. Identify: (a) operation performed, (b) input file, (c) output file, (d) passphrase, (e) algorithm. (AP Skill: Interpret Commands)
  3. A company needs to encrypt laptop hard drives. Their policy allows symmetric algorithms with minimum 128-bit keys. Two options: AES-128 or AES-256. Compare their keyspaces and state which complies with the policy, then explain the trade-off between the two. (AP Skill: Evaluate Controls)
  4. Explain why AES is classified as a block cipher rather than a stream cipher, and state the specific block size AES always uses. (AP Skill: Classify Algorithms)
  5. A developer says: "Using AES-256 is 128 bits more secure than AES-128 since 256−128=128." Identify the error in this reasoning and provide the correct comparison. (AP Skill: Analyze Statements)

Q1: Plaintext = original readable data (input). Ciphertext = encrypted unreadable output. Key = secret parameter controlling the algorithm. Keyspace = total possible keys; 2128 ≈ 3.4 × 1038. Average brute-force guesses = 2127 ≈ 1.7 × 1038 (half the keyspace).

Q2: (a) Encrypting (flag -e). (b) Input: records.db (plaintext). (c) Output: records.enc (ciphertext). (d) Passphrase: vault2026. (e) Algorithm: AES-128-CBC.

Q3: AES-128 keyspace: 2128. AES-256 keyspace: 2256 = (2128)2. Both comply with the policy (both symmetric; both ≥128-bit keys). Trade-off: AES-256 is exponentially more secure but slower to encrypt/decrypt. AES-128 is faster and sufficient for most current use cases.

Q4: AES processes data in fixed 128-bit chunks (blocks) — block cipher. A stream cipher would process data continuously one element at a time. AES block size = 128 bits always, regardless of key length.

Q5: The error: security improvement is not linear (not simply 256-128=128 more secure). The correct comparison: AES-256 keyspace (2256) is 2128 times LARGER than AES-128 keyspace (2128), an exponential increase. Doubling key length squares the keyspace.

Struggling with AP Cybersecurity cryptography and AES?

Tanner Crow is an AP CS teacher with 11+ years of experience and a 5.0 Wyzant rating. Book a session.

Book a Session →

Tanner Crow

AP Computer Science Teacher — Blue Valley North High School, Overland Park KS

11+ years teaching AP CS courses. 5.0 Wyzant rating, 2,067+ tutoring hours.

11+ Years Teaching2,067+ Tutoring Hours499+ Five-Star Reviews

Continue Learning

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]