Cryptography Essentials – Kernel of Truth

Contents

1 🔐 Symmetric vs Asymmetric Encryption
2 🧠 Summary
3 🔐 Digital Certificates & Public Key Infrastructure (PKI) Explained
4 📄 What Is a Digital Certificate?
- 4.1 🔍 Contains:
- 4.2 🧾 Common Formats:
5 🏛️ What Is PKI (Public Key Infrastructure)?
- 5.1 🔧 Core Components:
6 🔐 How It Works
7 🧠 What Is It Used For?
8 🧭 PKI vs SSL vs TLS
9 🧪 Real-World Examples
10 ✅ Best Practices
11 🔐 Hashing Algorithms and Salt Usage
12 🔐 SSL/TLS Implementation Guide
13 🔐 Modern Cryptography Standards – A 2025 Overview

🔐 Symmetric vs Asymmetric Encryption

Feature	Symmetric Encryption	Asymmetric Encryption
🔑 Key Usage	Same key for encryption and decryption	Public key to encrypt, private key to decrypt
👥 Parties Involved	Requires both parties to share the same key	Uses a key pair: public (shared), private (kept secret)
⚡ Speed	Fast and efficient	Slower due to complex mathematics
🔄 Common Use Cases	Encrypting files, VPNs, full disk encryption	Secure email, SSL/TLS, digital signatures
📦 Examples	AES, DES, Blowfish	RSA, ECC, DSA

🔐 Symmetric Encryption – Quick Overview

How it works:
One secret key is used for both encrypting and decrypting the message.
Challenge:
Securely sharing that key between sender and receiver.
Analogy:
Like a shared safe key—if both people have it, they can lock/unlock the box.

✅ Fast for large volumes of data
❌ Risky if the key is intercepted

🔐 Asymmetric Encryption – Quick Overview

How it works:
Each party has a key pair: a public key (shared with anyone) and a private key (kept secret).
What one key encrypts, the other can decrypt.
Challenge:
Slower performance, but safer for exchanging secrets initially.
Analogy:
Like sending a message in a lockbox with an open padlock—only the owner has the key to open it.

✅ Enables secure key exchange and digital signatures
❌ Slower for bulk data

🔄 Hybrid Approach (TLS Example)

Modern systems (like HTTPS/TLS) use both:

Asymmetric encryption to exchange a symmetric session key securely.
Symmetric encryption for the rest of the session (for speed).

🧠 Summary

Task	Best Method
Encrypt large files	Symmetric (AES)
Exchange keys securely	Asymmetric (RSA, ECC)
Digital signatures	Asymmetric (RSA/DSA)
Secure session (TLS)	Hybrid (Asymmetric + Symmetric)

🔐 Symmetric is fast. Asymmetric is smart. Together—they’re secure.

🔐 Digital Certificates & Public Key Infrastructure (PKI) Explained

In today’s digital world, trust is everything. Whether it’s a secure website, encrypted email, or authenticated software, Digital Certificates and PKI make it possible to verify identities and protect sensitive data online.

📄 What Is a Digital Certificate?

A digital certificate is like an online passport — it binds a public key to the identity of a person, system, or organisation, and confirms that the key belongs to them.

🔍 Contains:

Public Key
Owner’s identity (domain, email, organisation name)
Issuer information (Certificate Authority or CA)
Expiry date
Digital Signature from the CA

🧾 Common Formats:

.crt, .pem, .cer — for websites
.pfx, .p12 — includes private key for client certs
.csr — certificate signing request

🏛️ What Is PKI (Public Key Infrastructure)?

PKI is the system that manages keys and certificates. It defines the roles, policies, hardware, and software used to issue, store, revoke, and manage digital certificates.

🔧 Core Components:

Component	Role
Certificate Authority (CA)	Issues and signs digital certificates
Registration Authority (RA)	Verifies identity before certs are issued
Public & Private Keys	Asymmetric encryption for authentication and encryption
CRL/OCSP	Check if a certificate has been revoked
Certificate Store	Secure local storage for trusted certs

🔐 How It Works

Key Pair Generation
A public/private key pair is created. The private key is kept secret, and the public key is shared.
CSR Submission
A Certificate Signing Request (CSR) is sent to the CA with the public key and identity details.
Verification by CA/RA
The CA checks the requester’s identity (via DNS, business registration, etc.)
Certificate Issuance
The CA signs the public key with its private key and issues a certificate.
Certificate Use
The certificate is installed (e.g. on a web server). Users verify the certificate using the CA’s trusted root.
Revocation (if needed)
The cert can be revoked by the CA and listed in a CRL or through OCSP.

🧠 What Is It Used For?

Use Case	Example
Web Security (HTTPS)	SSL/TLS certificates for sites like `https://yourdomain.com`
Email Encryption/Signing	S/MIME for Outlook or Thunderbird
Code Signing	Certs to sign software or drivers
VPN Access & Authentication	Client certificates for mutual TLS
Secure Messaging	Apps like Signal use PKI in background
Document Signing	Digital signatures in PDFs and contracts

🧭 PKI vs SSL vs TLS

PKI is the infrastructure that manages keys and certs
SSL/TLS is the protocol used to secure communications
SSL is deprecated; TLS 1.2+ is now standard

🧪 Real-World Examples

🔒 A browser warning: “Your connection is not private” = expired or invalid certificate
🧾 A digitally signed contract PDF = embedded certificate signature
💻 SSH key-pair logins (not certificates) still use public-key crypto

✅ Best Practices

🔄 Rotate certificates before expiry
🧪 Validate chain of trust using OpenSSL or certutil
🔐 Store private keys securely (e.g. HSM or encrypted vault)
🚫 Revoke compromised certs immediately
🔍 Monitor for rogue cert issuance (e.g. via CAA or CT logs)

🧠 Digital certificates are the glue of trust in the digital world — from websites to software, they help verify identity and secure data integrity.

🔐 Hashing Algorithms and Salt Usage

🔄 What Is Hashing?

Hashing is a one-way cryptographic function that converts data (like a password or file) into a fixed-length string (the hash). It’s designed so that:

The same input always produces the same output
The output cannot be reversed to recover the original input
Any small change in input yields a drastically different hash (avalanche effect)

📦 Example:

Input: "password123"  
SHA-256: ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f

📚 Common Hashing Algorithms

Algorithm	Output Size	Strength / Use Case
MD5	128-bit	Fast but broken — avoid for security use
SHA-1	160-bit	Also broken — only for legacy support
SHA-256	256-bit	Strong and widely used (TLS, Bitcoin)
SHA-512	512-bit	Higher bit length = more security
bcrypt	Variable	Purpose-built for password hashing
scrypt / Argon2	Variable	Slow and memory-hard — ideal for modern password storage

🧂 What Is a Salt?

A salt is a random value added to the input before hashing. It prevents:

Attackers from using precomputed hashes (rainbow tables)
Identical passwords from producing identical hashes

📌 Why use it?
To make brute-force and lookup attacks impractical, even if two users choose the same password.

📦 Example:

Password:     "password123"  
Salt:         "Z8x@w9!"  
Hashed Output (bcrypt): $2a$12$Z8xw9abcdefgh...

💥 Without Salt — What’s the Risk?

Two users with the same password will have identical hashes
Makes systems vulnerable to rainbow table attacks
Easier for attackers to detect reused or weak passwords

✅ Best Practices

Always use a unique salt per user when storing passwords
Use bcrypt, scrypt, or Argon2 for password hashing (they handle salting internally)
Never use MD5 or SHA-1 for password storage
Do not encrypt passwords—use hash + salt

🧠 Summary

Feature	Hashing	Salting
One-way Function	✅	❌ (not standalone)
Prevents Reversal	✅	❌
Stops Lookup Attacks	❌ (on its own)	✅
Password Storage Use	✅	✅ (combined)

🔐 Hashing ensures integrity. Salting ensures uniqueness.
Together, they keep your users’ secrets safe.

🔐 SSL/TLS Implementation Guide

SSL/TLS (Secure Sockets Layer / Transport Layer Security) encrypts data in transit, ensuring that information exchanged between systems (like a user and a website) cannot be intercepted or modified.

🌐 “If you’re transmitting sensitive data online—encrypt it or risk exposure.”

📘 What Is SSL/TLS?

SSL is the original encryption protocol (now deprecated)
TLS is its modern, secure replacement (current version: TLS 1.3)
Ensures:
- 🔒 Confidentiality (via encryption)
- ✅ Integrity (via message authentication)
- 🧾 Authenticity (via certificates)

🔑 Key Components of SSL/TLS

Component	Purpose
Certificate	Proves server identity (issued by CA)
Private Key	Decrypts traffic / signs content
Public Key	Distributed via cert for clients to use
Handshake	Negotiates secure parameters
Session Key	Symmetric key used for bulk data encryption

🚀 How to Implement SSL/TLS

🧰 1. Get a Certificate

Use a Certificate Authority (CA) like:
- Let’s Encrypt (free)
- DigiCert, Sectigo, GlobalSign (paid)
Or generate self-signed (for internal use/testing)

# Generate private key + CSR (Certificate Signing Request)
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

⚙️ 2. Configure Your Web Server

Nginx Example:

server {
  listen 443 ssl;
  server_name example.com;

  ssl_certificate     /etc/ssl/certs/example.crt;
  ssl_certificate_key /etc/ssl/private/example.key;
  ssl_protocols       TLSv1.2 TLSv1.3;
  ssl_ciphers         HIGH:!aNULL:!MD5;

  location / {
    try_files $uri $uri/ =404;
  }
}

Apache Example:

<VirtualHost *:443>
  ServerName example.com

  SSLEngine on
  SSLCertificateFile    /etc/ssl/certs/example.crt
  SSLCertificateKeyFile /etc/ssl/private/example.key
  SSLProtocol all -SSLv2 -SSLv3

  DocumentRoot /var/www/html
</VirtualHost>

🔁 3. Redirect HTTP to HTTPS

Force encryption with a redirect or HSTS header:

return 301 https://$host$request_uri;

🧪 4. Test Your TLS Configuration

✅ SSL Labs Test
🔧 Use nmap or testssl.sh:

testssl.sh https://example.com

💡 Security Best Practices

Setting	Recommendation
Minimum TLS	Enforce TLS 1.2 or higher
Disable SSLv2/3	Obsolete and insecure
Use HSTS	Enforce HTTPS permanently
ECDHE Key Exchange	Enables forward secrecy
Renew Certs	Automatically with Certbot/cron
Monitor Expiry	Alerts before cert expiration

⚠️ Common SSL/TLS Mistakes

❌ Expired or self-signed certificates on public sites
❌ Using outdated protocols like TLS 1.0/1.1
❌ Missing intermediate certificates (chain incomplete)
❌ Not redirecting from HTTP → HTTPS
❌ Reusing private keys across services

🔒 Summary

SSL/TLS is your frontline defence for secure communication online. It’s mandatory for any site handling sensitive data, including logins, APIs, and admin panels.

✅ Encrypt everything, verify authenticity, stay compliant.

🔐 Modern Cryptography Standards – A 2025 Overview

Cryptography underpins the confidentiality, integrity, and authenticity of digital communication. As threats evolve, so must the standards we use to encrypt and protect our data.

💡 “Obsolete crypto isn’t weak because it’s old. It’s weak because attackers have gotten smarter.”

📚 Categories of Cryptographic Standards

Type	Purpose	Common Algorithms
Symmetric	Fast, secure encryption	AES, ChaCha20
Asymmetric	Key exchange, digital signatures	RSA, ECC, Ed25519
Hash Functions	One-way data integrity	SHA-2, SHA-3, BLAKE3
Key Derivation	Password security, session keys	PBKDF2, bcrypt, Argon2
Post-Quantum	Resistance to quantum attacks	Kyber, Dilithium (NIST finalists)

🔐 Symmetric Encryption

✅ AES (Advanced Encryption Standard)

Key sizes: 128, 192, 256 bits
Block cipher, widely adopted (TLS, full-disk encryption, VPNs)
Often used in GCM or CBC modes

🌀 ChaCha20

Stream cipher alternative to AES, used in mobile and TLS
Resistant to timing attacks and suitable for low-power devices

🔑 Asymmetric Encryption

✅ RSA (2048/3072/4096 bits)

Widely used in TLS, SSH, digital signatures
Slower than symmetric but essential for key exchange

🧬 Elliptic Curve Cryptography (ECC)

More efficient key sizes (e.g., 256-bit ECC = 3072-bit RSA)
Popular curves: secp256r1, Curve25519

⚡ Ed25519

Optimised for fast, secure digital signatures
Increasingly preferred over traditional RSA in SSH, Git, etc.

📎 Hashing Algorithms

✅ SHA-2 (SHA-256, SHA-512)

Standard for digital signatures, HMACs, and integrity checks

🔄 SHA-3

Newer standard by NIST, Keccak-based
Less common but gaining traction

⚡ BLAKE3

Fast, secure, and suitable for large-scale integrity checks

🔐 Key Derivation & Password Hashing

Algorithm	Use Case	Notes
bcrypt	Password hashing	Includes salt + configurable cost
Argon2	Modern memory-hard hashing	Winner of the Password Hashing Competition
PBKDF2	Legacy password hashing	Still used in enterprise, e.g. Wi-Fi WPA2

🛡️ Digital Signatures

Algorithm	Use Case
RSA	Certificates, PGP, code signing
ECDSA	TLS, JWTs, blockchain
EdDSA (Ed25519)	Git commits, SSH, passports

🧠 Post-Quantum Cryptography (PQC)

Quantum computers threaten traditional encryption. NIST is finalising standards expected to replace or augment RSA/ECC.

Algorithm	Type	Status (as of 2025)
Kyber	Key Encapsulation	NIST finalist for standardisation
Dilithium	Digital Signatures	Lightweight, quantum-safe
Falcon	Digital Signatures	For constrained devices

🚨 TLS 1.3 + PQ hybrid key exchange is now appearing in forward-looking systems.

🔒 Modern TLS Standards (2025)

Feature	Recommendation
Protocol	TLS 1.2 (minimum) / TLS 1.3
Ciphersuites	AES-GCM, ChaCha20-Poly1305
Key Exchange	ECDHE, X25519, Kyber hybrid
Auth	ECDSA, RSA, Ed25519

Use tools like SSL Labs to validate secure configurations.

⚠️ Algorithms to Avoid

Algorithm	Reason
MD5	Broken, collision-prone
SHA-1	Deprecated, insecure
RC4	Weak stream cipher
DES/3DES	Obsolete key length
RSA < 2048	Too short to be secure

✅ Summary Cheat Sheet

Task	Recommended Standard
Data Encryption	AES-256 / ChaCha20
Key Exchange	ECDHE / Kyber hybrid
Password Hashing	Argon2 / bcrypt
Digital Signatures	Ed25519 / ECDSA
TLS	TLS 1.3
File Integrity	SHA-256 / BLAKE3

🔐 Modern crypto is about using the right tool for the right task—securely, efficiently, and with future threats in mind.