Fundamentals of Cryptography and Security

StudyAI Editorial
Reviewed by StudyAI tutors

From the PKI curriculum


TL;DR

Cryptography is about securing communication and data using mathematical techniques, primarily focusing on confidentiality, integrity, and authenticity. It uses algorithms with keys to transform data so only authorized parties can access or verify it. Understanding its core techniques, like encryption and hashing, is crucial for building secure systems.

1. The Mental Model

Imagine you want to send a secret message or prove a document hasn't been tampered with. Cryptography gives you the tools, like special locks and seals, to achieve this, making sure only the right people can read your message or know it's truly yours.

2. The Core Material

Cryptography isn't just about hiding secrets; it's a broad field ensuring several vital aspects of communication and data handling. These are often called the "CIA Triad" – not the government agency, but Confidentiality, Integrity, and Availability, with Authenticity and Non-repudiation also being super important in security.

2.1 Confidentiality: Keeping Secrets Secret

Confidentiality means making sure that only authorized people can read or access information. Think of it like putting a message in a locked box. Only someone with the right key can open it. This is usually achieved through encryption.

  • Symmetric Encryption: This uses a single key for both encrypting (scrambling) and decrypting (unscrambling) data. It's fast, but you need a secure way to share that secret key with the other person. Examples: AES, DES.

    ```mermaid
    graph TD
        A["Sender's Message (Plaintext)"] --> B{"Encryption Algorithm (Scramble)"}
        C["Shared Key (Secret!)"] --> B
        B --> D["Encrypted Message (Ciphertext)"]
        D --> E{"Decryption Algorithm (Unscramble)"}
        C --> E
        E --> F["Receiver's Message (Plaintext)"]
    ```

  • Asymmetric Encryption (Public-Key Cryptography): This uses a pair of keys: a public key for encryption (which anyone can have) and a private key for decryption (which only you have). If I want to send you a secret message, I encrypt it with your public key, and only you can decrypt it with your private key. It's slower than symmetric encryption but solves the key-sharing problem elegantly. Examples: RSA, Elliptic Curve Cryptography (ECC).

2.2 Integrity: Ensuring Data Hasn't Been Tampered With

Integrity means making sure data hasn't been changed, accidentally or maliciously, since it was created or sent. Imagine digitally "signing" a document in a way that if even a single character changes, the signature breaks. This is primarily done using hashing functions.

  • Hashing Functions: These are one-way mathematical functions that take an input (any size of data) and produce a fixed-size string of characters called a hash value or digest. If even a tiny bit of the input changes, the hash output will be completely different. You can't reverse-engineer the original data from the hash. Examples: SHA-256, MD5 (though MD5 is now considered insecure for integrity checks due to collision vulnerabilities).

2.3 Authenticity: Proving Identity

Authenticity means verifying that someone or something is who or what it claims to be. "Is this really from Alice?" or "Is this website genuinely Google?".

  • Digital Signatures: These use asymmetric encryption in reverse for integrity and authenticity. You encrypt a hash of your message with your private key. Anyone can then use your corresponding public key to decrypt the hash, re-compute the message's hash themselves, and compare the two. If they match, it proves:
    1. The message hasn't changed (integrity, because the hash matches).
    2. It truly came from you (authenticity, because only you have your private key).

2.4 Non-repudiation: Can't Deny Sending

Non-repudiation ensures that a sender cannot later deny having sent a message or signed a document. Digital signatures inherently provide this.

3. Worked Example

Let's say Alice wants to send Bob a secret message "Hello Bob!" and also prove it's from her and hasn't been changed.

  1. Generate Keys: Bob generates an asymmetric key pair: Bob's Public Key and Bob's Private Key. Alice also generates her own: Alice's Public Key and Alice's Private Key. They exchange public keys.
  2. Confidentiality (Encryption): Alice encrypts her message "Hello Bob!" using Bob's Public Key. The result is Encrypted Message (Ciphertext). Now only Bob can read it.
  3. Integrity and Authenticity (Digital Signature):
    • Alice computes a hash of her original "Hello Bob!" message, let's say it's H1.
    • She then "signs" this hash by encrypting H1 using Alice's Private Key. This produces Signed Hash (Signature).
  4. Send: Alice sends both the Encrypted Message and the Signed Hash to Bob.
  5. Verification:
    • Bob first decrypts the Encrypted Message using Bob's Private Key, getting back "Hello Bob!". (Confidentiality achieved!)
    • Bob then takes the original message "Hello Bob!" and computes its hash himself, let's say it's H2.
    • Concurrently, Bob decrypts the Signed Hash (the signature) using Alice's Public Key. This reveals the original H1 that Alice generated.
    • Bob compares H1 and H2. If H1 equals H2, then Bob knows:
      • The message hasn't been tampered with (Integrity achieved!).
      • It definitively came from Alice (Authenticity & Non-repudiation achieved!).
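
Added example (not part of the original notes): the five steps above using only Python's standard library, with textbook RSA so that "signing" is literally the private-key operation on the hash that the notes describe. The function names and the small constructed keys built from Mersenne primes are assumptions for illustration; production systems use a vetted library with padded RSA (OAEP for encryption, PSS for signatures) and far larger keys.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):  # textbook RSA: returns (public, private)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (E, n), (d, n)

def digest_int(message, n):
    """SHA-256 of the message as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def encrypt(message, public):
    e, n = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(ciphertext, private):
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(message, private):
    d, n = private
    return pow(digest_int(message, n), d, n)  # H1 processed with the private key

def verify(message, signature, public):
    e, n = public
    h1 = pow(signature, e, n)    # recover H1 with the signer's public key
    h2 = digest_int(message, n)  # recompute H2 from the received message
    return h1 == h2

# Constructed toy keys (Mersenne primes); far too small for real use.
BOB_PUB, BOB_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def alice_sends(message):  # steps 2-4: encrypt for Bob, sign as Alice
    return encrypt(message, BOB_PUB), sign(message, ALICE_PRIV)

def bob_receives(ciphertext, signature):  # step 5: decrypt, then verify
    message = decrypt(ciphertext, BOB_PRIV)
    return message, verify(message, signature, ALICE_PUB)

if __name__ == "__main__":
    ct, sig = alice_sends(b"Hello Bob!")
    print(bob_receives(ct, sig), bob_receives(encrypt(b"Hello Rob!", BOB_PUB), sig))
```

The second call shows why step 3 matters: anyone can encrypt a different message with Bob's public key, but without Alice's private key the old signature no longer verifies.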

4. Key Takeaways

  • Cryptography uses mathematical algorithms to protect information for confidentiality, integrity, and authenticity.
  • Symmetric encryption uses one shared key for both encryption and decryption and is very fast.
  • Asymmetric encryption uses a public key (for encryption or verification) and a private key (for decryption or signing), solving secure key exchange.
  • Hashing functions create a unique, fixed-size "fingerprint" of data, crucial for verifying integrity.
  • Digital signatures combine hashing and asymmetric encryption to provide both integrity and authenticity, preventing denial.
  • The "CIA Triad" (Confidentiality, Integrity, Availability) represents core security goals, with Authenticity and Non-repudiation also vital.

Common Mistakes to Avoid:
  • Don't confuse encryption with hashing; encryption is two-way (scramble/unscramble), hashing is one-way (fingerprint).
  • Never share your private key with anyone; it's the foundation of your digital identity and security.
  • Don't rely on weak or outdated cryptographic algorithms (e.g., MD5 for integrity, DES for encryption).
  • Don't assume that simply encrypting data makes it secure; key management is equally, if not more, important.

5. Now Try It

Spend 15 minutes researching current industry standards for symmetric encryption (e.g., AES-256) and hashing (e.g., SHA-256). For each, write down a one-sentence explanation of why it's considered secure and one real-world application where you might encounter it.

Success looks like: You'll have a clear understanding of the current "best practices" for these fundamental cryptographic primitives and can identify where they're used in everyday digital life.
