Core Concepts

Encryption & Decryption

| Chinese | English | IPA | Example |
|---|---|---|---|
| 加密 | encryption | /ɪnˈkrɪpʃən/ | “We use AES-256 for encryption.” |
| 解密 | decryption | /diːˈkrɪpʃən/ | “Decryption requires the private key.” |
| 对称加密 | symmetric encryption | /sɪˈmetrɪk/ | “AES is symmetric encryption.” |
| 非对称加密 | asymmetric encryption | /ˌeɪsɪˈmetrɪk/ | “RSA is asymmetric encryption.” |
| 密钥 | key | /kiː/ | “Generate a 256-bit key.” |
| 密钥对 | key pair | /kiː peər/ | “The key pair consists of public and private keys.” |

Key Management

| Chinese | English | IPA | Example |
|---|---|---|---|
| 密钥管理服务 | Key Management Service (KMS) | /kiː ˈmænɪdʒmənt/ | “Store keys in KMS, not in code.” |
| 信封加密 | envelope encryption | /ˈenvələʊp/ | “Envelope encryption protects data keys.” |
| 密钥轮换 | key rotation | /kiː rəʊˈteɪʃn/ | “Enable automatic key rotation.” |
| 主密钥 | master key / Customer Master Key (CMK) | /ˈmɑːstər kiː/ | “The CMK never leaves the HSM.” |
| 数据密钥 | data key / Data Encryption Key (DEK) | /ˈdeɪtə kiː/ | “Use the DEK to encrypt the data.” |

Authentication & Authorization

| Chinese | English | IPA | Example |
|---|---|---|---|
| 认证 | authentication | /ɔːˌθentɪˈkeɪʃn/ | “MFA provides stronger authentication.” |
| 授权 | authorization | /ˌɔːθəraɪˈzeɪʃn/ | “Authorization determines what you can access.” |
| 身份提供商 | Identity Provider (IdP) | /aɪˈdentəti prəˈvaɪdər/ | “Configure the IdP for SSO.” |
| 多因素认证 | Multi-Factor Authentication (MFA) | /ˈmʌlti ˈfæktər/ | “Enable MFA for all users.” |
| 零信任 | Zero Trust | /ˈzɪərəʊ trʌst/ | “Zero Trust assumes no implicit trust.” |

Security Protocols

| Chinese | English | IPA | Example |
|---|---|---|---|
| 传输层安全 | Transport Layer Security (TLS) | /trænˈspɔːrt ˈleɪər/ | “TLS 1.3 is the latest version.” |
| 虚拟专用网络 | Virtual Private Network (VPN) | /ˈvɜːrtʃuəl ˈpraɪvət/ | “Connect to the corporate network via VPN.” |
| 访问控制列表 | Access Control List (ACL) | /ˈækses kənˈtroʊl lɪst/ | “Configure the ACL to restrict access.” |

Post-Quantum Cryptography

| Chinese | English | IPA | Example |
|---|---|---|---|
| 后量子密码 | Post-Quantum Cryptography (PQC) | /pəʊst ˈkwɑːntəm/ | “PQC algorithms resist quantum attacks.” |
| 基于格的密码 | lattice-based cryptography | /ˈlætɪs beɪst/ | “ML-KEM is lattice-based.” |
| 密钥封装机制 | Key Encapsulation Mechanism (KEM) | /kiː ɪnˌkæpsjʊˈleɪʃn/ | “Use KEM for key exchange.” |

Stress Patterns

  • encryption: en-CRYP-tion
  • authentication: au-then-ti-CA-tion
  • authorization: au-thor-i-ZA-tion
  • cryptography: cryp-TOG-ra-phy

Practice Scenarios

Scenario 1: KMS Architecture Discussion

Context: Explaining envelope encryption to a customer

“In our architecture, we use envelope encryption for data protection. The Customer Master Key (CMK) stays in the KMS and never leaves the Hardware Security Module (HSM). We generate a Data Encryption Key (DEK) for each encryption operation, use it to encrypt the data, and then encrypt the DEK with the CMK.”

Scenario 2: Security Audit

Context: Discussing security findings with a team

“The audit revealed several issues. First, key rotation is disabled, which violates compliance requirements. Second, MFA is not enforced for privileged accounts. Third, we found hardcoded credentials in the source code. We need to migrate these secrets to KMS or Secrets Manager.”

Scenario 3: Post-Quantum Migration

Context: Planning PQC migration strategy

“We’re evaluating Post-Quantum Cryptography (PQC) algorithms for our systems. ML-KEM (formerly Kyber) is a strong candidate for key encapsulation. However, we need to test interoperability with existing systems and plan a hybrid approach during the transition period.”

Memory Tricks

  • encryption → “en-CRYP-tion” → “cry” is in the middle (protecting data)
  • authentication → “au-then-ti-CA-tion” → proving who you are (“then” you can enter)
  • authorization → “au-thor-i-ZA-tion” → giving authority (“author” gives permission)
  • envelope encryption → like putting a letter in an envelope (DEK in CMK envelope)

Common Mistakes

| ❌ Wrong | ✅ Correct | Note |
|---|---|---|
| encrypt the key | encrypt the data with the key | Keys encrypt data, not other keys |
| the key of 256 bits | a 256-bit key | Adjective form: “256-bit” not “256 bits” |
| use the key to decrypt | use the key for decryption | Both correct, but “for decryption” is more formal |