
Cryptography Basics

The three jobs of crypto — keep secret (encrypt), prove unchanged (hash), prove origin (sign) — and the algorithms behind them.

Symmetric
One shared key (AES, ChaCha20) — fast, bulk data
Asymmetric
Public/private key pair (RSA, ECC, DH) — exchange & signatures
Hashing
One-way digest (SHA-256, SHA-3) — integrity, not reversible

Algorithm        | Class        | Used for
AES              | Symmetric    | Bulk encryption (128 / 256-bit)
RSA              | Asymmetric   | Key exchange & signatures
ECC / ECDSA      | Asymmetric   | Smaller keys — TLS, mobile
Diffie-Hellman   | Key exchange | Derive a shared secret
SHA-256 / SHA-3  | Hash         | Integrity / fingerprints
HMAC             | Hash + key   | Authenticated integrity
bcrypt / Argon2  | KDF          | Salted password storage

// key ideas

  • Confidentiality = encryption · Integrity = hashing · Authenticity = signatures
  • Symmetric is fast but needs a secure key exchange
  • Asymmetric is slow → used to wrap a symmetric session key
  • Salt makes identical passwords hash differently (beats rainbow tables)
  • A digital signature = the message's hash signed with the private key (the classic RSA picture is “hash encrypted with the private key”; ECDSA does not work that way, so think “sign”, not “encrypt”)
  • Never roll your own crypto — use vetted libraries
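
Added example (not part of the original reference page), using only the Python standard library to put three of the ideas above into working code: a plain SHA-256 digest detects modification but anyone can recompute it, an HMAC tag cannot be forged without the key, and a fresh random salt makes identical passwords hash differently. PBKDF2 stands in for bcrypt/Argon2 because it ships with Python; the message and MAC key are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample values (not from the original page); a real MAC key comes
# from a key exchange or a KDF, never a hard-coded literal.
MESSAGE = b"transfer 100 to account 42"
MAC_KEY = b"shared-secret-for-demo-only"


def integrity_digest(data: bytes) -> str:
    """Hashing: one-way fingerprint; any change to data changes it."""
    return hashlib.sha256(data).hexdigest()


def authenticated_tag(key: bytes, data: bytes) -> str:
    """HMAC = hash + key: only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    # constant-time compare: timing must not reveal how much of a tag was right
    return hmac.compare_digest(authenticated_tag(key, data), tag)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow password hash (PBKDF2 stands in for bcrypt/Argon2)."""
    salt = secrets.token_bytes(16) if salt is None else salt  # fresh random salt per user
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def check_password(password: str, salt: bytes, stored: bytes,
                   iterations: int = 100_000) -> bool:
    return hmac.compare_digest(hash_password(password, salt, iterations)[1], stored)


def tamper_demo() -> dict:
    """Integrity is not authenticity: a hash can be recomputed by whoever edits the message."""
    tampered = MESSAGE.replace(b"42", b"99")
    tag = authenticated_tag(MAC_KEY, MESSAGE)  # tag the legitimate sender attached
    return {
        # editing the message and recomputing the plain hash needs no secret,
        # so a receiver that checks only the hash accepts the edit
        "plain_hash_check_passes": integrity_digest(tampered) == hashlib.sha256(tampered).hexdigest(),
        "tag_verifies_original": verify_tag(MAC_KEY, MESSAGE, tag),
        "tag_verifies_tampered": verify_tag(MAC_KEY, tampered, tag),
    }
```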

// PKI chain of trust

Root CA (self-signed) ── signs ▶ Intermediate CA ── signs ▶ Server cert (example.com)

A client trusts the leaf because it chains up to a Root CA already in its trust store.

// PKI components

Root CA            | Self-signed trust anchor (offline, protected)
Intermediate CA    | Issues certs on the root’s behalf
Leaf / server cert | Identity bound to a public key
CSR                | Certificate Signing Request — sent to the CA
CRL / OCSP         | Revocation — static list vs live check

// certificate formats

PEM      | Base64 text (.pem .crt .cer) — most common
DER      | Binary encoding (.der)
PKCS#12  | Cert + private key bundle (.pfx .p12)
PKCS#7   | Cert chain, no key (.p7b)

// key exchange & signatures

  • Diffie-Hellman derives a shared secret over an open channel
  • ECDHE = ephemeral elliptic-curve Diffie-Hellman — a fresh key pair per session gives forward secrecy (PFS)
  • Sign with the private key; verify with the public key
  • TLS uses asymmetric crypto to agree a fast symmetric session key