MODULE 05 — CRYPTOGRAPHY

Cryptography Fundamentals

The science of keeping secrets. From Caesar ciphers to quantum-resistant algorithms, cryptography is the backbone of all digital security — authentication, confidentiality, integrity, and non-repudiation.

What is Cryptography?

Cryptography is the practice of securing communication so that only intended recipients can read it. It provides four core guarantees in security, often called the CIA Triad + Non-Repudiation:

Confidentiality

Only authorized parties can read the data. Achieved through encryption.

Integrity

Data hasn't been tampered with in transit. Achieved through hashing.

Authentication

Verify the identity of the sender. Achieved through digital signatures and certificates.

Non-Repudiation

The sender cannot deny sending the message. Achieved through digital signatures.

Real-world analogy: Encryption is putting a letter in a locked box. Hashing is putting a tamper-evident seal on the envelope. A digital signature is notarizing the letter — proving who wrote it and that it hasn't been changed.

Key Terms

Plaintext — The original, readable message before encryption.
Ciphertext — The scrambled, unreadable output after encryption.
Key — A piece of data used by the algorithm to encrypt/decrypt. Like a password for the cipher.
Algorithm (Cipher) — The mathematical function that transforms plaintext to ciphertext (e.g., AES, RSA).
Hash — A fixed-length fingerprint of data. One-way: you can't reverse it back to the original.
PKI — Public Key Infrastructure. The system of certificates, CAs, and trust that makes HTTPS work.

Symmetric vs Asymmetric Encryption

Symmetric (Same Key)

Plaintext --[KEY]--> Ciphertext --[SAME KEY]--> Plaintext
  • One key for both encryption and decryption
  • Fast — ideal for bulk data encryption
  • Problem: How do you securely share the key?
  • Algorithms: AES-256, ChaCha20, 3DES (legacy), Blowfish
  • Used for: Disk encryption, VPNs, TLS data transfer, Wi-Fi (WPA2)

Asymmetric (Key Pair)

Plaintext --[PUBLIC KEY]--> Ciphertext --[PRIVATE KEY]--> Plaintext
  • Two keys — public (shared) and private (secret)
  • Slow — not used for bulk data, used for key exchange
  • Solves: The key distribution problem
  • Algorithms: RSA-2048, ECC (Elliptic Curve), Diffie-Hellman, DSA
  • Used for: TLS handshake, digital signatures, email (PGP), SSH keys

In practice, both are used together. TLS uses asymmetric crypto to securely exchange a symmetric session key, then uses that fast symmetric key for the actual data transfer. This is called a hybrid cryptosystem.

Hashing

A hash function takes input of any size and produces a fixed-size output (the "digest"). Key properties:

ONE-WAY

Cannot reverse the hash back to the original input

DETERMINISTIC

Same input always produces the same hash

AVALANCHE

Tiny input change = completely different hash

SHA-256("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
SHA-256("Hello") = 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969
^ Just changing 'h' to 'H' completely changes the hash (avalanche effect)

Secure algorithms: SHA-256, SHA-3, BLAKE2, bcrypt (passwords), Argon2 (passwords)
Broken/weak: MD5 (collision attacks), SHA-1 (deprecated), DES (too short key)

Uses: Password storage (with salting), file integrity verification, digital signatures, blockchain, certificate fingerprints.
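
Added example (not code from the original page): salted password storage as mentioned above, which is also the defense against the rainbow tables listed under Common Cryptographic Attacks, plus a bit count for the avalanche effect. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt or Argon2; the iteration count and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed work factor for this example; tune it for your own hardware.
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: equal passwords give equal digests, so one lookup table fits all users."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); a fresh random 16-byte salt is drawn per password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def bits_changed(a: str, b: str) -> int:
    """Number of differing bits between the SHA-256 digests of two inputs."""
    da = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(da ^ db).count("1")


if __name__ == "__main__":
    # Two users with the same (constructed) password get unrelated stored values.
    s1, k1 = hash_password("hunter2")
    s2, k2 = hash_password("hunter2")
    print(k1.hex() != k2.hex(), verify_password("hunter2", s1, k1))
    print("bits changed hello -> Hello:", bits_changed("hello", "Hello"))
```

Store the salt next to the derived key; it is not secret, it only has to be unique per password.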

PKI & The TLS Handshake

The Public Key Infrastructure (PKI) is the trust system that makes HTTPS possible. It relies on Certificate Authorities (CAs) — trusted third parties that vouch for the identity of websites.

== TLS 1.3 Handshake (simplified) ==
1. Client Hello → "I support these cipher suites, here's my random number"
2. Server Hello ← "I chose this cipher suite, here's my certificate + public key"
3. Client verifies → Checks cert chain up to trusted root CA
4. Key Exchange ↔ Both derive a shared session key (ECDHE)
5. Encrypted tunnel established ↔ All further data encrypted with AES-256-GCM

Certificate

Digital document binding a public key to an identity (domain name). Signed by a CA.

Root CA

The top of the trust chain. Pre-installed in browsers/OS. DigiCert, Let's Encrypt, etc.

Chain of Trust

Root CA signs Intermediate CA, which signs website cert. Browser validates the entire chain.

Digital Signatures

A digital signature proves who sent a message and that it wasn't altered. It combines hashing with asymmetric encryption:

== Signing Process ==
1. Sender hashes the message → SHA-256(message) = hash
2. Sender encrypts hash with their private key → digital signature
3. Sender sends: message + signature

== Verification Process ==
4. Receiver hashes the received message → SHA-256(message) = hash'
5. Receiver decrypts signature with sender's public key → hash
6. If hash == hash' → Signature valid! Message is authentic and untampered.
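
The six steps above as an added example (not code from the original page), using textbook RSA with no padding and a constructed toy key built from two Mersenne primes. Production signatures use a vetted library with a padded scheme such as RSA-PSS or ECDSA; the function names here are assumptions.

```python
import hashlib

# Toy key for illustration only (constructed for this example): two Mersenne
# primes give a 1128-bit modulus, large enough to hold a SHA-256 digest.
# Real keys use randomly generated primes.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest_int(message: bytes) -> int:
    """Steps 1 and 4: hash the message and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Steps 1-2: hash the message, then apply the private key to the hash."""
    return pow(digest_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Steps 4-6: recover the signed hash with the public key and compare
    it with a fresh hash of the received message."""
    return pow(signature, E, N) == digest_int(message)


if __name__ == "__main__":
    msg = b"pay alice 10"                       # constructed sample message
    sig = sign(msg)                             # step 3: send msg + sig
    print(verify(msg, sig))                     # untouched message
    print(verify(b"pay alice 1000", sig))       # altered in transit
```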

Cipher Comparison Table

Algorithm | Type | Key Size (bits) | Speed | Status | Use Case
AES-256 | Symmetric | 128/192/256 | Fast | Secure | TLS data, disk encryption, VPN
ChaCha20 | Symmetric | 256 | Very Fast | Secure | Mobile TLS, WireGuard VPN
3DES | Symmetric | 168 (eff. 112) | Slow | Deprecated | Legacy systems only
DES | Symmetric | 56 | Medium | Broken | Never use — crackable in hours
RSA-2048 | Asymmetric | 2048+ | Slow | Secure | Key exchange, signatures, email
ECC (P-256) | Asymmetric | 256 | Moderate | Secure | TLS handshake, mobile crypto
SHA-256 | Hash | N/A | Fast | Secure | Integrity, certs, blockchain
MD5 | Hash | N/A | Fast | Broken | Never use for security
bcrypt | Hash (KDF) | N/A | Slow (on purpose) | Secure | Password hashing

Common Cryptographic Attacks

BRUTE FORCE

Try every possible key until one works. Defeated by long keys (AES-256 = 2^256 combinations) and rate limiting.

RAINBOW TABLE

Pre-computed table of hash → plaintext mappings. Defeated by salting — adding random data before hashing.

MAN-IN-THE-MIDDLE (MitM)

Attacker intercepts key exchange and substitutes their own public key. Defeated by PKI certificate verification.

COLLISION ATTACK

Finding two inputs that produce the same hash. MD5 and SHA-1 are vulnerable. Use SHA-256+ to avoid.

DOWNGRADE ATTACK

Forcing a connection to use an older, weaker protocol (e.g., TLS 1.0). Defeated by enforcing TLS 1.2+ minimum.

BIRTHDAY ATTACK

Exploits the birthday paradox to find hash collisions faster than brute force. Mitigated by using longer hash digests.
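
Added example (not code from the original page): the two TLS defenses named above, certificate verification against MitM and a TLS 1.2+ floor against downgrade, expressed with Python's standard ssl module, next to a misconfigured context and a small audit function. The function names are assumptions.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies chain and hostname and refuses anything below TLS 1.2."""
    # create_default_context() loads the system root CAs and enables
    # CERT_REQUIRED plus hostname checking.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration to look for in code review: verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means both defenses are in place."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified (MitM possible)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("protocol versions below TLS 1.2 allowed (downgrade possible)")
    return findings


if __name__ == "__main__":
    print("hardened:", audit(hardened_client_context()))
    print("weak:    ", audit(weak_client_context()))
```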

Security+ Exam Focus (Domain 1: 12%)

Interactive Crypto Lab

Experiment with encryption and hashing in real-time. Type a message and watch it transform.

Caesar Cipher (Substitution)

The simplest cipher — shift each letter by N positions. Easily broken by frequency analysis, but helps visualize the concept of key-based transformation.

Example output (shift 3): DWWDFN DW GDZQ
XOR Encryption (Binary Level)

XOR is the fundamental building block of modern encryption. Each bit is flipped if the key bit is 1. XOR with the same key twice returns the original — this is how symmetric encryption works at the hardware level.

Live Hash Generator

Type anything below and watch the SHA-256 hash update in real-time. Notice how even a tiny change completely alters the output (avalanche effect).


TLS 1.3 Handshake Simulator

Watch the TLS handshake play out step by step. This happens every time your browser connects to an HTTPS website.


All certification names are referenced for educational purposes only. This project is not affiliated with any certification body.