The exact method of communication varies depending on the device.
Photon and P1s (Wi-Fi) devices use CoAP, AES encrypted, over TCP. The connection is made outbound from the device to the Particle cloud and is kept open. This allows requests to be sent to the Photon even if it’s behind a firewall. It is also safer because no ports are open on the Photon so there’s less attack surface.
Electrons (cellular) use CoAP over DTLS, over UDP. Even though it’s UDP and the cellular network uses NAT, it’s still possible to send requests to the device because there’s a temporary UDP back-channel set up when the Electron sends a packet. This allows requests to be made to the device as well as from the device.
In both cases, the connection is mutually authenticated using RSA public/private key pairs.
The CoAP protocol allows a single TCP or UDP connection to handle things like publish, subscribe, variables, functions, and over-the-air code flashing.