How To Become a Cryptanalyst
Cryptology is the study and art of writing and solving codes. In today's digital world, cryptology is an essential component of cyber security—encrypting sensitive information can help protect it against various cyber attacks. However, those same methods can be used by cyber criminals to commit cyber crime, which is where cryptanalysts come in.
Cryptanalysts decipher or "break" codes to unearth the information they are meant to obscure. Because of this, cryptanalysts are often employed by law enforcement, the military and other government entities to break codes that were made by cyber criminals, meaning their role in the cyber security ecosystem is essential for keeping precious data safe.
What is a cryptanalyst?
Cryptology is the study of codes, while cryptography is the art of writing and solving them. This means these two terms are nearly identical and may be used interchangeably in some contexts.
The people who encode information through encryption, ciphers algorithms and more are called cryptographers. In other words, they create the codes. Those that decipher or break the codes are called cryptanalysts. Many cyber security professionals that are well versed in cryptology do both, while others may choose to specialize in one or the other.
"Cryptanalysis is the discipline more commonly known as codebreaking. Foreign countries and terrorists use cryptography to encrypt their communications and to control access to their computer networks," said a spokesperson for the National Security Agency (NSA). "Cryptanalysts at NSA find ways to get around those protections so that the United States has the information it needs for national security."
What does a cryptanalyst do?
A cryptanalyst's job may vary a bit depending on who they work for and the cryptologic goals of their employer. It's quite common for cryptanalyst positions to include cryptography as part of their job duties (making codes) instead of just working on cryptanalysis (breaking codes) since they are in many ways two sides of the same coin.
With that in mind, a cryptanalyst's job duties typically include the following:
Receive and analyze intelligence information
Research and test cryptologic methods and applications
Evaluate weaknesses in cryptologic security systems and design modifications
Develop and implement cryptographic algorithms to protect secure information
Remain up-to-date on trends in cryptography through continuing education
"Codebreaking is almost never straightforward, and cryptanalysts have to think creatively and consider a wide range of approaches," the NSA spokesperson said. Those approaches include:
- "Finding mathematical weaknesses in an encryption algorithm."
- "Discovering that a programmer who wrote encryption-code made a mistake."
- "Collaborating with partners throughout the United States Government, and more."
"This work generally appeals to people who love to solve puzzles; in this case, the answers to the puzzles are vital to national security," the spokesperson said.
Ethical considerations in cryptanalysis and cryptography
Breaking a code meant to protect certain information, just as one might pick a lock on a safe, raises certain ethical questions about the balance between privacy and protection. Encryption can be used for good to protect personal information, but the inverse is also true: it can be used by criminals and perhaps hinder law enforcement efforts. Some people, therefore, see this sacrifice of overall security to be too great, while others may argue that it's worth it to uphold our individual right to privacy.
Encryption can be used for good to protect personal information, but the inverse is also true: it can be used by criminals and perhaps hinder law enforcement efforts.
The moral and ethical implications in the field of cryptography don't end there, however. Phil Rogaway, an esteemed cryptographer and professor at the University of California, Davis, discussed this topic in great detail as the 2015 International Association for Cryptologic Research (IACR) Distinguished Lecturer.
In the abstract of his paper which the lecture was based on, he wrote, "Cryptography rearranges power: it configures who can do what, from what. This makes cryptography an inherently political tool, and it confers on the field an intrinsically moral dimension… I call for a community-wide effort to develop more effective means to resist mass surveillance. I plead for a reinvention of our disciplinary culture to attend not only to puzzles and math, but, also, to the societal implications of our work."
How to become a cryptanalyst
There's no singular path that leads to a career as a cryptanalyst. To become a cryptanalyst, you'll need a combination of relevant cyber security education and training which can be supplemented with various credentials and certifications.
You'd be hard-pressed to find someone who learned cryptanalysis on their own, which is why education is so vital to building a foundation for a cryptanalysis career. Most cryptanalysts need at least a bachelor's degree in mathematics, computer science, or a closely related field such as cyber security, information technology or computer engineering. Some schools offer cryptography as a specialization or concentration within another major, such as a mathematics degree with a cryptography focus, but it is not an undergraduate major on its own.
"A degree in mathematics, engineering, computer science, data science, statistics or a related field is required for most cryptanalysis positions. Related fields may be considered relevant if the programs contain specific coursework," the NSA spokesperson said.
A job in cryptanalysis isn't usually an entry-level position, so you may need an advanced degree to land a cryptanalyst job or progress in the field. A cyber security related graduate degree has the added bonus of allowing students to specialize more, and it's at this level that you can find graduate cryptography programs such as a master's degree in cryptography. A master's degree in computer science or any of the subjects mentioned above can also benefit cryptanalysts.
If you wish to take your education to the very top—and if you want to truly be a master in your field—a doctoral degree in cryptography or computer science may be a good choice. This education level may even be necessary to access some of the most advanced positions, especially within government entities such as the NSA.
On-the-job training and the experience you accrue in various roles over time may be the most important aspect of becoming a cryptanalyst, but there are a few other ways to get trained outside of a traditional degree program:
- Government training programs:
- There are several government-sponsored training programs to prepare you for a career in cryptanalysis or cryptology in general, such as the ones offered by the National Security Agency (NSA). These programs are several years long and directly prepare you for full-time positions within the agency.
- Online cryptography courses:
- Online learning providers such as Coursera, edX and more offer courses in cryptography and cryptanalysis. These can give you a foundational understanding of cryptography and may award you a certificate of completion, but these are not usually considered sufficient substitutes for a traditional education. Rather, these may be best for those who wish to complement their degree with additional skills.
- Cryptography conferences and workshops:
- Organizations like the International Association for Cryptologic Research (IACR) put on several conferences per year. Attending events like these are a great way to network with professionals, gain exposure to the field and learn about other continuing education offerings they may have, such as workshops and other courses.
"The Cryptanalysis Development Program (CADP) is looking to hire people with degrees in STEM, for example math, computer science, statistics, physics, engineering or a related degree who have an aptitude for and an interest in solving challenging problems. It is a great program for those who love puzzles and love to learn!" the NSA spokesperson said. "In the CADP, employees will learn cryptanalysis on-the-job, working mission problems in a series of cryptanalysis offices, supported by technical mentors. They will also learn cryptanalysis through more formal two- to three-week in-house courses, which teach the tools and tradecraft of cryptanalysis. Throughout the program, employees are encouraged to build their professional networks within CADP and in their mission offices."
Bootcamps for aspiring cryptanalysts
Cyber security bootcamps are becoming an increasingly popular way for people to learn the knowledge and skills necessary to gain entry-level access to the field of cyber security. Most bootcamps are offered by academic providers (colleges and universities) or independent providers (skills academies and training companies). They typically take anywhere from three to nine months to complete, though some are shorter or longer.
Cryptography and cryptanalysis themselves are not really offered as the sole subject of a bootcamp, but most beginner-friendly cyber security bootcamps include coursework in both. This can still be an excellent way to break into the field.
Benefits of attending a bootcamp
Bootcamps provide a different learning experience compared to traditional degree programs. These differences come with their own unique benefits worth considering for anyone interested in a cyber security career:
- Shorter times to complete means they typically cost less and can get you into the workforce sooner
- Full-time and part-time options allow the flexibility to work with your schedule
- Fully online, hybrid or in-person learning formats mean there's a program to meet any learning style
- With a curriculum concentrated solely on cyber security, you'll gain exactly the knowledge and skills you need to succeed
Popular cryptanalysis bootcamps to consider
Here is a sample of some popular bootcamps you may consider to help prepare you for a cryptanalysis career:
Provider: Evolve Academy
Bootcamp name: Cybersecurity Bootcamp
Time to complete: 20 weeks
Cryptanalysis content: Includes coursework on cryptography, such as the core concepts of encryption, how to implement and manage encryption policies and how to use hacking tools to crack passwords
Provider: Flatiron School
Bootcamp name: Cybersecurity Engineering
Time to complete: 15 weeks (full-time) or 40 weeks (part-time)
Cryptanalysis content: Includes a nine-week course on applied cryptography which provides hands-on experience on configuring a web server with SSL/TLS, and interfacing with Certificate Authorities, issuing certificates, configuring SSH securely, and sending/receiving encrypted and signed email
Bootcamp name: Cybersecurity Career Track
Time to complete: Six months
Cryptanalysis content: Encryption and hashing concepts are covered in their Security Operations (SecOps) unit
Skills for cryptanalysts
Cryptanalysis requires a fair amount of technical, "hard" knowledge, but as with practically any job, technical skills may only get you so far. If you want to work in cryptanalysis, consider these skills which you may need to master to be successful:
|Hard skills||Soft skills|
|Understanding of multiple programming languages (Java, Python, etc.)||Ability to work under pressure|
|Advanced comprehension of mathematics||Critical thinking and analysis|
|Competency in known cryptanalysis techniques||Fine attention to detail|
|Comprehensive understanding of computer science and cyber security||Ability to communicate effectively and collaborate with others|
The spokesperson for the NSA also listed the following as important skills for cryptanalysts:
- "An aptitude for and an interest in solving challenging problems."
- "An interest in using programming and other computational tools to solve real-world problems – there is not a requirement for any particular programming background, but applicants need to be comfortable with the idea of learning and using computational tools."
- "A willingness to grow and apply technical communication skills, documenting and presenting progress and results."
- "The ability and willingness to work as part of a team to tackle challenging problems."
Career paths and job outlook
Cryptanalysts, like many other cyber security roles, typically have the option to work in one of two settings: in the public sector for government agencies or in the private sector for private companies and businesses.
Public sector government agencies include local law enforcement and state or federal agencies such as the NSA. In these roles, a cryptanalyst is usually focused on protecting the digital integrity of highly sensitive government information, from military intelligence to personally identifiable information (PII). Most cryptanalysis jobs are found in the public sector.
"The NSA's current cryptanalysis population works in a number of different organizations and across the extended enterprise (including Texas, Georgia, Hawaii and Colorado). The majority of the Agency's cryptanalysts are in The Cryptanalysis and Signals Analysis organization, which is responsible for delivering cryptanalytic and signals analytic results that yield the highest impact and security outcomes for NSA and the Nation," the NSA spokesperson said.
Cryptanalysts may work for private companies, however, or contract their services to a combination of the two. When working for a private company, a cryptanalyst is focused on decrypting and addressing cyber security attacks or threats to that particular company. Since their job scope is focused solely on that company, it's more likely that their job duties include cryptography and other cyber security tasks as well.
Cryptanalyst salary and job outlook
While the U.S. Bureau of Labor Statistics (BLS) does not track data for cryptanalysts specifically, it does report salary and job growth projection data for information security analysts. This position can encompass many different cyber security-related roles, including cryptographers and cryptanalysis. Read our guide to cyber security salaries to get an idea of the various industry roles and their associated wages.
According to the 2022 Occupational Employment and Wage Statistics from the BLS, the median annual salary for information security analysts is $112,000, with the top 10% earning upwards of $174,540. The bottom 10% earn $66,010, which is still higher than the annual mean wage across all occupations. The metropolitan areas of Washington D.C., San Jose, San Francisco and New York have some of the highest wages and employment numbers of this profession.
The BLS estimates that the employment of information security analysts will grow a staggering 31.5% through 2032
The BLS estimates that the employment of information security analysts will grow a staggering 31.5% through 2032, much faster than the average across all occupations. Unsurprisingly, they attribute this demand to the need for cyber security professionals to address increasing cyber security attacks and the need to secure new technologies from external threats.
Median Salary: $112,000
Projected job growth: 31.5%
10th Percentile: $66,010
25th Percentile: $85,270
75th Percentile: $141,130
90th Percentile: $174,540
Projected job growth: 31.5%
|State||Median Salary||Bottom 10%||Top 10%|
|District of Columbia||$123,140||$84,300||$177,240|
Source: U.S. Bureau of Labor Statistics (BLS) 2022 median salary; projected job growth through 2032. Actual salaries vary depending on location, level of education, years of experience, work environment, and other factors. Salaries may differ even more for those who are self-employed or work part time.
Cryptanalysis techniques and tools
Cryptanalysts utilize numerous techniques to break codes and decrypt information. In other words, the goal is to unearth the plaintext that is being hidden or coded. The plaintext can be words written in English or another language or in a programming language such as Java. Here are a few examples of some of those techniques:
- Statistical frequency analysis:
- Pioneered by Al Kindi in the ninth century, this basic form of cryptanalysis looks at ciphertext by analyzing the statistical frequency of certain letters in a language. By understanding which letters are statistically likely to be used in a message, the cryptanalyst may be able to crack the cipher alphabet.
- In this type of cryptanalysis, the cryptanalyst is already aware of some of the plaintext-ciphertext pairs. Analyzing these pairs can help the cryptanalyst deduce the encryption key to "unlock" the rest of the plaintext.
- In this scenario, the cryptanalyst only has access to some of the encrypted messages. In other words, they have the ciphertext but they don't know any of the corresponding plaintext or the encryption key used to obscure the plaintext. The cryptanalyst must rely on other known information, such as the language the plaintext is written or statistical frequency analysis, to break the code and reveal the plaintext.
- Cryptanalysts in this scenario have access to the encryption device or whatever the means of creating the ciphertext may be. They can input plaintext, analyze what ciphertext it spits out, and work backward to determine the encryption key.
- Brute force attack:
- This method is simple trial and error. The cryptanalyst guesses possible passwords and solutions to try to discover the plaintext.
Newer cryptanalysis trends
As encryption methods evolve, so do the means of decrypting information. Quantum cryptanalysis, for example, is an emerging field. PQSecure Technologies, a security solutions company that specializes in quantum-safe cryptographic solutions, defines quantum cryptanalysis as "the study and evaluation of cryptographic algorithms in the presence of a quantum-enabled adversary." Although quantum cryptanalysis (and quantum computing in general) is still in its relative infancy, quantum cryptanalysis could change the field dramatically if quantum computing continues to advance.
Blockchain encryption methods are also relatively new. Blockchains—chains of chronological groups of information known as blocks—are used for data storage, particularly for transactional data such as cryptocurrency. Encrypting blockchain data provides additional security measures and will be necessary as blockchain continues to evolve, especially with the rise of new virtual currencies.
Certifications are an essential component of IT, cyber security and related fields. Certifications validate an individual's skills and competencies, which is why so many IT and cyber security roles prefer or require candidates to possess certain certifications. They may also lead to better jobs and higher salaries. Here are a few information security certifications that any cryptanalyst may consider pursuing:
- Certified Encryption Specialist (CES) from EC-Council
- Certified Information Systems Security Professional (CISSP) from (IC2)2
- Security+ from CompTIA
- Certified Ethical Hacker (CEH) from EC-Council
In addition to certifications themselves, there are a few organizations and associations that emerging or current cryptanalysts should be aware of. Organizations may offer relevant certifications, member benefits, continuing education programs and more. Joining a professional association, if they offer membership, is also a great way to stay up to date on industry developments and trends. Check out the following organizations to see how they may be able to help your cryptanalyst career:
International Association for Cryptologic Research (IACR): This is the leading professional association in the field whose goal is to further cryptologic research. Members can join to access exclusive benefits which include access to all their publications, including the Journal of Cryptology. The IACR also hosts several international cryptologic conferences each year.
National Security Agency's Central Security Service (CSS): Their website states that the "Central Security Service (CSS) provides timely and accurate cryptologic support, knowledge, and assistance to the military cryptologic community." The CSS offers several entry-level cryptanalysis development programs which, upon completion, may lead to a full-time paid position in the NSA.
American Cryptogram Association (ACA): This nonprofit organization is dedicated to promoting the art and hobby of cryptanalysis. Members have access to their bi-monthly publication "The Cryptogram," in addition to several other benefits.
Are you ready for a career in cryptanalysis?
Cryptanalysis and cryptography are just two branches of the ever-expanding field of cyber security. As technology itself continues to evolve, as do the ways cyber criminals can commit crime, the need for competent cyber security professionals like cryptanalysts has seldom been greater.
A bachelor's degree in cyber security or mathematics is a good place to start, and there are other training programs out there to supplement a formal education, such as bootcamps, certifications or development programs from the NSA. If you aren't sure where to start, consider using our search feature to find relevant training programs for a cyber security career to last a lifetime.
Updated: October 25, 2023
Explore Cyber Security Careers
- Becoming a Cryptographer
- Cyber Security Salary
- How to Become a Cryptanalyst
- How to Become a Cyber Security Analyst
- How to Become a Database Analyst
- How to Become a Forensics Expert
- How to Become a Network Security Analyst
- How to Become a Security Auditor
- How to Become a Security Consultant
- How to Become a Security Engineer
- How to Become a Security Software Developer
- How to Become a Security Specialist
- SOC Analyst Career Guide