After the client has authenticated itself, it may select an encryption algorithm with which the rest of the exchanged messages will be encrypted. The client selects the algorithm using the following message:
ENCRYPT_BY algorithm initialization_data
algorithm is a standardized identifier representing a particular encryption algorithm. initialization_data is a hex string containing whatever initialization data is required for the requested algorithm.
If the server accepts the selected algorithm, it will send an ENCRYPT_ACCEPTED message, which may be followed (on the same line) by additional data necessary to establish the encryption, depending on the selected encryption method. Otherwise, it will send an ENCRYPT_REJECTED message and the client must try again or give up.
From that point on, all characters in both streams will be encrypted. Note that because a single message is considered to be a line of text followed by CRLF, encryption begins immediately after the CRLF.
Encryption algorithms will be invented and standardized by third-party developers. For now, all clients and servers must support the PLAIN encryption method, which is the "null-cipher." Although PLAIN "encryption" doesn't offer any security, this mode is available as the least common denominator of compatibility between all clients and servers. Additionally, this mode is useful for manual operation and debugging of the server through a telnet connection.
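The client side of the negotiation described above, as an added example that is not part of the original specification: it builds the ENCRYPT_BY line and splits the server's reply at the CRLF, so that bytes arriving in the same read after ENCRYPT_ACCEPTED are treated as ciphertext. XOR-DEMO, the ALGORITHMS registry and the function names are hypothetical. The example assumes that initialization_data is omitted when empty and that the server-to-client stream switches at the CRLF ending the ENCRYPT_ACCEPTED line.

```python
CRLF = b"\r\n"

def plain(init: bytes):
    """PLAIN, the null cipher: bytes pass through unchanged."""
    return lambda data: data

def xor_demo(init: bytes):
    """Hypothetical toy algorithm (not from the spec, not secure)."""
    if len(init) != 1:
        raise ValueError("XOR-DEMO needs exactly one key byte")
    return lambda data: bytes(b ^ init[0] for b in data)

ALGORITHMS = {"PLAIN": plain, "XOR-DEMO": xor_demo}  # constructed registry

def build_encrypt_by(algorithm: str, init: bytes = b"") -> bytes:
    """Serialize ENCRYPT_BY; initialization_data is sent as a hex string."""
    if algorithm not in ALGORITHMS or " " in algorithm:
        raise ValueError("unsupported algorithm: %r" % algorithm)
    # Assumption: the hex field is left out when there is no init data.
    fields = ["ENCRYPT_BY", algorithm] + ([init.hex()] if init else [])
    return " ".join(fields).encode("ascii") + CRLF

def handle_reply(buffer: bytes, algorithm: str, init: bytes = b""):
    """Split the server's reply from whatever followed it in the same read.

    Returns (status, extra, pending): extra is the optional same-line data
    after ENCRYPT_ACCEPTED; pending is the data after the CRLF, decrypted
    if the algorithm was accepted and left untouched otherwise.
    """
    line, sep, rest = buffer.partition(CRLF)
    if not sep:
        return "incomplete", b"", buffer   # no full line yet, keep reading
    verb, _, extra = line.partition(b" ")
    if verb == b"ENCRYPT_ACCEPTED":
        decrypt = ALGORITHMS[algorithm](init)
        # Ciphertext starts with the first byte after the CRLF.
        return "accepted", extra, decrypt(rest)
    if verb == b"ENCRYPT_REJECTED":
        return "rejected", b"", rest       # still cleartext: retry or give up
    return "unexpected", b"", buffer       # not a negotiation reply
```

A reader that hands the whole receive buffer to a line parser before switching modes would misread the first encrypted bytes as cleartext, which is why the split happens at the first CRLF.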