Cryptography

Cryptography is the mathematical foundation that makes digital security possible. Every time you visit a website over HTTPS, send an encrypted message, or log in with a password, cryptography is working behind the scenes.

Symmetric Encryption

In symmetric encryption, the same key is used for both encrypting and decrypting data.

| Algorithm | Key Size | Status | Use Case |
|---|---|---|---|
| AES-256 | 256 bits | Industry standard | File/disk encryption, VPNs, TLS |
| ChaCha20-Poly1305 | 256 bits | Modern alternative | Mobile/IoT (faster in software) |
| 3DES | 168 bits | Deprecated | Legacy systems only |
| DES | 56 bits | Broken | Never use |

The Key Distribution Problem

Symmetric encryption is fast, but has a fundamental challenge: how do you securely share the key? If you send it over the same channel as the data, an attacker who intercepts the channel gets both. This is why asymmetric encryption was invented.

Asymmetric Encryption (Public Key Cryptography)

Asymmetric encryption uses a mathematically linked pair of keys: a Public Key (shared openly) and a Private Key (kept secret). Data encrypted with the public key can only be decrypted with the private key.

| Algorithm | Based On | Key Size | Status |
|---|---|---|---|
| RSA | Integer factorization | 2048-4096 bits | Widely used, being phased out |
| ECDSA/ECDH | Elliptic Curve math | 256-384 bits | Preferred (same security, smaller keys) |
| Ed25519 | Edwards-curve | 256 bits | Modern, fast; used in SSH, Signal, WireGuard |

The Hybrid Approach

In practice, modern systems use both: asymmetric encryption to securely exchange a symmetric session key, then symmetric encryption (AES/ChaCha20) for the actual data. Best of both worlds.

The TLS 1.3 Handshake

TLS powers HTTPS. The TLS 1.3 handshake completes in a single round trip:

  1. Client Hello: The browser sends its supported cipher suites, TLS version, a random number, and its Diffie-Hellman key share.
  2. Server Hello: The server selects a cipher suite and sends its key share and digital certificate (signed by a Certificate Authority).
  3. Key Derivation: Both sides independently compute the same shared secret via Diffie-Hellman, without transmitting it.
  4. Encrypted Communication: All subsequent data is encrypted with the derived symmetric keys (AES-256-GCM or ChaCha20-Poly1305).

TLS 1.3 removed insecure cipher suites (RSA key exchange, CBC mode, SHA-1) and introduced 0-RTT resumption for repeat connections. If your server still supports TLS 1.0/1.1, it is vulnerable to known attacks.

Diffie-Hellman Key Exchange

Diffie-Hellman allows two parties to establish a shared secret over an insecure channel without transmitting the secret itself.

Simplified analogy: Alice and Bob each pick a private color and agree on a shared base color. Each mixes their private color with the base and sends the result to the other. Each then mixes the received color with their own private color, and both arrive at the same final color. An eavesdropper cannot reverse-engineer the private colors from the intermediate mixtures.

In practice, this uses modular exponentiation (classic DH) or elliptic curve point multiplication (ECDH).
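
The exchange above with classic modular-exponentiation DH, followed by deriving a symmetric session key as in the hybrid approach and the handshake's key-derivation step. This is an added example, not code from the original page; the prime 2^255 - 19, generator 2, the HKDF label and all function names are assumptions chosen for brevity, and the derivation is a simplification rather than the TLS 1.3 key schedule.

```python
import hashlib
import hmac
import secrets

# Assumption: a known prime and generator 2, chosen only to keep the demo short.
# Production systems use RFC 7919 groups or X25519 from a vetted library.
P = 2**255 - 19
G = 2

def dh_keypair():
    """Return (private exponent, public key share)."""
    priv = secrets.randbelow(P - 3) + 2        # uniform in [2, P-2]
    return priv, pow(G, priv, P)               # share = G^priv mod P

def dh_shared(own_priv, peer_share):
    """Combine our private exponent with the peer's share."""
    if not 1 < peer_share < P - 1:             # reject 0, 1, P-1 and out-of-range values
        raise ValueError("invalid peer key share")
    return pow(peer_share, own_priv, P)

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869): extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def session_key(own_priv, peer_share, transcript):
    """Derive a 256-bit symmetric key bound to both exchanged shares."""
    secret = dh_shared(own_priv, peer_share).to_bytes(32, "big")
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(secret, salt, b"example session key")  # label is hypothetical

def handshake():
    """Run both sides; only the two public shares cross the wire."""
    a_priv, a_share = dh_keypair()             # Alice (client)
    b_priv, b_share = dh_keypair()             # Bob (server)
    transcript = a_share.to_bytes(32, "big") + b_share.to_bytes(32, "big")
    return (session_key(a_priv, b_share, transcript),
            session_key(b_priv, a_share, transcript))

if __name__ == "__main__":
    alice_key, bob_key = handshake()
    print("keys match:", alice_key == bob_key, alice_key.hex())
```

The range check in `dh_shared` matters: accepting a share of 0, 1 or P-1 would force the shared secret into a tiny set of predictable values.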

Hashing

A hash function is a one-way function that produces a fixed-size output from any input.

Properties of Secure Hash Functions

  1. Deterministic: Same input → same hash
  2. One-way: Cannot reverse hash to recover input
  3. Avalanche effect: Tiny input change → completely different hash
  4. Collision resistant: Infeasible to find two inputs producing the same hash

Algorithm Comparison

| Algorithm | Output | Status | Use Case |
|---|---|---|---|
| MD5 | 128 bits | Broken | Never use for security |
| SHA-1 | 160 bits | Broken | Never use for security |
| SHA-256 | 256 bits | Secure | File integrity, blockchain, signatures |
| bcrypt | 184 bits | Secure | Password storage |
| Argon2 | Variable | Best for passwords | Winner of Password Hashing Competition (2015) |

Password Hashing

Passwords must be hashed with a slow, salted algorithm:
  • Salt: Random value added before hashing, which ensures identical passwords produce different hashes.
  • Work factor: Deliberately slow (~100ms per hash), making brute-force impractical.
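
```python
import os
from argon2.low_level import Type, hash_secret_raw  # pip install argon2-cffi

password = b"hunter2"
salt = os.urandom(16)  # fresh random salt for every password
# parallelism and hash_len are example values (assumed)
digest = hash_secret_raw(password, salt, time_cost=3, memory_cost=65536, parallelism=4, hash_len=32, type=Type.ID)
stored = salt + digest  # keep the salt next to the hash so it can be recomputed at login
```

If a database stores passwords as unsalted MD5 or SHA-256, the system is critically vulnerable. Attackers can crack most passwords in minutes using rainbow tables or GPU brute force.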

Digital Signatures

Digital signatures combine hashing and asymmetric encryption to provide authentication and integrity.

  1. Sign: The sender hashes the document (SHA-256) and encrypts the hash with their Private Key. The encrypted hash is the digital signature.
  2. Verify: The recipient decrypts the signature with the sender’s Public Key and independently hashes the document. If both hashes match, the document is authentic and unaltered.

Certificate Chains

Digital certificates are signed by Certificate Authorities (CAs). Your browser trusts a website because it traces a chain of trust back to a Root CA pre-installed in the OS/browser.
Root CA (self-signed, in your OS)
  └── Intermediate CA (signed by Root)
       └── Website Certificate (signed by Intermediate)

Post-Quantum Cryptography

Quantum computers will eventually break RSA and Elliptic Curve cryptography using Shor’s algorithm. Data captured today could be decrypted later (“harvest now, decrypt later”).

NIST Post-Quantum Standards (2024)

| Algorithm | Type | Purpose |
|---|---|---|
| ML-KEM (Kyber) | Lattice-based | Key exchange |
| ML-DSA (Dilithium) | Lattice-based | Digital signatures |
| SLH-DSA (SPHINCS+) | Hash-based | Signatures (stateless) |

The quantum threat is not imminent (breaking RSA-2048 requires ~4,000+ stable qubits; current quantum computers have ~1,000), but migration takes years. Organizations with sensitive data should plan now.

Key Takeaways

  1. Symmetric = fast, asymmetric = solves key distribution: Modern systems use both.
  2. TLS 1.3 is the baseline: Disable TLS 1.0/1.1.
  3. Never MD5 or SHA-1 for security: SHA-256 for integrity, Argon2 for passwords.
  4. Salt + slow hashing for passwords: Never store plaintext.
  5. Watch quantum developments: Post-quantum standards exist; plan migration.