Differences

This shows you the differences between two versions of the page.

--- security:cryptography-fundamentals [2026/06/12 10:42] – created phong2018
+++ security:cryptography-fundamentals [2026/06/13 03:22] (current) – phong2018
@@ Line 1: / Line 1: @@
-====== Cryptography Fundamentals ======
+https://drive.google.com/file/d/1TIeK1rpQMfTS7lH_6Rf-Vjq5VeziDcQB/view?usp=sharing
-This document explains cryptography from the most general concepts
+====== Cryptography Full Concepts (Best Practice + System Design View) ======
+This document summarizes cryptography in a practical, backend-engineer-oriented way:
+- NOT by algorithm only
+- BUT by security design + system usage
 -----
-===== Introduction =====
+====== 1. Core Security Goals ======
-When systems communicate over a network, there are three major security concerns:
+Cryptography exists to achieve:
   * Confidentiality
+    - Keep data secret
   * Integrity
-  * Authenticity
+    - Detect data modification
+  * Authentication
+    - Verify who sent data
-These concerns are solved using cryptography.
+  * Non-Repudiation
+    - Sender cannot deny action
 -----
-====== Security Goals ======
+====== 2. Cryptographic Building Blocks ======
-===== Confidentiality =====
+These are the 4 fundamental primitives:
-Confidentiality means:
+  * Encryption (Hide data)
+  * Hashing (Detect changes)
+  * Authentication (Prove origin)
+  * Key Management (Control trust)
-<code>
+Each system is built by combining these.
-Only authorized parties can read the data.
-</code>
-Example:
-<code>
-Alice sends a password to Bob.
-</code>
-Without protection:
-<code>
-Alice ---- Internet ---- Bob
-                ^
-             Attacker
-</code>
-The attacker can read the message.
-Solution:
-<code>
-Encryption
-</code>
 -----
-===== Integrity =====
+====== 3. Encryption (Confidentiality) ======
-Integrity means:
+Goal: Hide data from unauthorized access
-<code>
-Data was not modified during transmission.
-</code>
-Example:
-Original:
-<code>
-Transfer $100
-</code>
-Modified by attacker:
-<code>
-Transfer $10000
-</code>
-Solution:
-<code>
-Digital Signatures
-</code>
 -----
-===== Authenticity =====
+===== 3.1 Symmetric Encryption =====
-Authenticity means:
-<code>
-Verify who actually sent the message.
-</code>
-Example:
-<code>
-Someone claims to be your bank.
-</code>
-How do you know it is really your bank?
+Same key for encrypt/decrypt
-Solution:
+  * AES (standard)
+  * ChaCha20 (modern, fast)
-<code>
+Properties:
-Digital Signatures
+  - Very fast
-Certificates
+  - Used for large data
-</code>
+  - Requires secure key sharing
 -----
-====== What Is Cryptography? ======
+===== 3.2 Asymmetric Encryption =====
-Cryptography is the science of protecting information.
+Public key + Private key
-Main categories:
+  * RSA
+  * ECC (ECIES)
-<code>
+Properties:
-Cryptography
+  - Slow
-│
+  - Used for small data or key exchange
-├── Encryption
-│
-└── Digital Signatures
-</code>
 -----
-====== Encryption ======
+===== 3.3 Best Practice Pattern (IMPORTANT) =====
-Encryption protects:
+Hybrid Encryption:
-<code>
+. Use Asymmetric crypto to exchange key
-Confidentiality
+. Use Symmetric crypto to encrypt data
-</code>
-Goal:
-<code>
-Prevent unauthorized people from reading data.
-</code>
-Process:
-<code>
-Plain Text
-    ↓
-Encrypt
-    ↓
-Cipher Text
-    ↓
-Decrypt
-    ↓
-Plain Text
-</code>
 Example:
+  TLS (HTTPS)
-<code>
-Hello World
-</code>
-may become:
-<code>
-A83D91F22C...
-</code>
-Only someone with the correct key can recover the original message.
 -----
-====== What Is A Key? ======
+====== 4. Hashing (Integrity) ======
-A key is a secret value used by cryptographic algorithms.
+Goal: Detect if data was changed
-Example:
+  * SHA-256
+  * SHA-512
+  * SHA-3
-<code>
+Properties:
-Message:
+  - No key
-Hello
+  - One-way function
+  - Cannot decrypt
-Key:
+Broken algorithms:
-abc123
+  - MD5
-</code>
+  - SHA-1
-Analogy:
-<code>
-House Key
-</code>
-Without key:
-<code>
-Cannot open the door.
-</code>
-With key:
-<code>
-Can open the door.
-</code>
 -----
-====== Types of Cryptography ======
+====== 5. Authentication ======
-There are two major cryptographic models.
+Goal: Verify message origin
-<code>
-Cryptography
-│
-├── Symmetric Cryptography
-│
-└── Asymmetric Cryptography
-</code>
 -----
-====== Symmetric Cryptography ======
+===== 5.1 Symmetric Authentication =====
-===== Definition =====
-Symmetric cryptography uses:
+  * HMAC
+  * CMAC
-<code>
+Properties:
-ONE SECRET KEY
+  - Shared secret key
-</code>
+  - Fast
+  - No non-repudiation
-for both encryption and decryption.
+Used in:
+  - JWT HS256
+  - Internal APIs
+  - Webhooks (shared secret)
 -----
-===== Architecture =====
+===== 5.2 Asymmetric Authentication =====
-<code>
+Digital Signatures:
-           Secret Key
-               |
-       ----------------
-       |              |
-    Encrypt       Decrypt
-</code>
------
+  * RSA-PSS
+  * ECDSA
+  * Ed25519
-===== Workflow =====
+Properties:
+  - Private key signs
+  - Public key verifies
+  - Provides non-repudiation
-Alice and Bob share the same secret key.
+Used in:
+  - JWT RS256 / ES256
-<code>
+  - OAuth2 / OpenID Connect
-Secret Key = abc123
+  - SSO systems
-</code>
-Encryption:
-<code>
-Encrypt("Hello", abc123)
-</code>
-Decryption:
-<code>
-Decrypt(ciphertext, abc123)
-</code>
-Same key is used for both operations.
 -----
-===== Real-Life Example =====
+====== 6. Key Exchange ======
-Think about a locked box.
+Goal: Securely establish shared secret
-<code>
+  * Diffie-Hellman (DH)
-Key
+  * Elliptic Curve Diffie-Hellman (ECDH)
- ↓
-Lock Box
- ↓
-Unlock Box
-</code>
-The same key locks and unlocks the box.
------
-===== Advantages =====
+Flow:
+  - Asymmetric crypto establishes shared key
+  - Then symmetric encryption is used
-  * Fast
+Used in:
-  * Efficient
+  - TLS handshake
-  * Easy to implement
+  - Secure channels
 -----
-===== Disadvantages =====
+====== 7. PKI (Trust System) ======
-The key must be shared securely.
+Public Key Infrastructure:
-Problem:
+  * X.509 Certificates
+  * Certificate Authority (CA)
+  * Certificate Chain
-<code>
+Purpose:
-Alice ---- Secret Key ---- Bob
+  - Prove identity of services
-</code>
+  - Establish trust between systems
-If attacker obtains the key:
+Used in:
+  - HTTPS
-<code>
+  - mTLS
-Attacker can decrypt everything.
+  - SSO systems
-</code>
 -----
-===== Common Algorithms =====
+====== 8. Secure Communication Protocols ======
-  * AES
-  * ChaCha20
-  * DES (legacy)
------
-====== Asymmetric Cryptography ======
-===== Definition =====
-Asymmetric cryptography uses:
-<code>
-TWO KEYS
-</code>
-A key pair:
-<code>
+  * TLS (HTTPS)
-Public Key
+  * SSH
-Private Key
+  * IPsec
-</code>
+  * OpenPGP
-These keys are mathematically related.
+TLS example flow:
+. Key exchange (ECDH)
+. Certificate validation (PKI)
+. Symmetric encryption (AES-GCM)
 -----
-===== Public Key =====
+====== 9. Password Security ======
-Public key can be shared freely.
+IMPORTANT RULE:
+Never encrypt passwords.
-Example locations:
+Use hashing only:
-  * Websites
+  * Argon2 (best)
-  * Certificates
+  * bcrypt (common)
-  * API documentation
+  * PBKDF2 (legacy)
-Anyone may know the public key.
+Enhancements:
+  * Salt
+  * Pepper
 -----
-===== Private Key =====
+====== 10. Key Management ======
-Private key must remain secret.
+Key lifecycle:
-Only the owner should possess it.
+  * Generation
+  * Storage
+  * Rotation
+  * Revocation
+  * Expiration
-If leaked:
+Best practices:
+  - Use KMS (AWS KMS, GCP KMS)
-<code>
+  - Never hardcode secrets
-Security is compromised.
+  - Separate keys per environment
-</code>
 -----
-====== Asymmetric Encryption ======
+====== 11. JWT (JSON Web Token) ======
-===== Purpose =====
+JWT is NOT encryption.
-Provides:
-<code>
-Confidentiality
-</code>
------
-===== Workflow =====
+It is:
+  → Token format + signature mechanism
-<code>
+Structure:
-Public Key  → Encrypt
-Private Key → Decrypt
+  header.payload.signature
-</code>
 -----
-===== Example =====
+===== 11.1 JWT Categories =====
-Alice owns:
+  * HS256 (Symmetric)
+    - Uses HMAC
+    - Shared secret
+    - Single system trust
-<code>
+  * RS256 / ES256 (Asymmetric)
-Public Key
+    - Uses Digital Signature
-Private Key
+    - Private key signs
-</code>
+    - Public key verifies
-Bob wants to send a secret message.
-Bob:
-<code>
-Encrypt(message, Alice Public Key)
-</code>
-Alice:
-<code>
-Decrypt(message, Alice Private Key)
-</code>
 -----
-===== Result =====
+===== 11.2 JWT Usage Model =====
-<code>
+  Authentication layer
-Anyone can encrypt.
-Only owner can decrypt.
+    ├── Symmetric (HMAC)
-</code>
+    │     └── HS256 JWT
+    │
+    └── Asymmetric (Signature)
+          └── RS256 / ES256 JWT
 -----
-====== Digital Signatures ======
+===== 11.3 Best Practice =====
-Digital signatures solve:
+  * Use HS256:
+    - Single backend system
+    - Simple Laravel API
-  * Integrity
+  * Use RS256/ES256:
-  * Authenticity
+    - Microservices
+    - SSO (Keycloak, Auth0, OAuth2)
 -----
-===== Workflow =====
+====== 12. Cryptography by Design Principle ======
-<code>
-Private Key → Sign
-Public Key  → Verify
-</code>
------
-===== Example =====
-Server signs a document.
-<code>
-Document
-   ↓
-Sign with Private Key
-   ↓
-Signed Document
-</code>
-Verification:
-<code>
-Signed Document
-   ↓
-Verify with Public Key
-   ↓
-Valid or Invalid
-</code>
------
-===== Result =====
-<code>
-Only owner can sign.
-Everyone can verify.
-</code>
------
-====== Encryption vs Digital Signature ======
-===== Encryption =====
-Goal:
-<code>
-Hide data
-</code>
-Workflow:
-<code>
-Public Key  → Encrypt
-Private Key → Decrypt
-</code>
-Question answered:
+Modern system design rules:
-<code>
+  * Never design your own cryptography
-Can someone read this?
+  * Always use standard algorithms
-</code>
+  * Prefer AEAD (AES-GCM, ChaCha20-Poly1305)
+  * Separate encryption / authentication / signing
+  * Use symmetric for performance
+  * Use asymmetric for trust boundaries
+  * Use PKI for multi-system identity
+  * Use TLS everywhere
+  * Hash passwords only (never encrypt)
+  * Treat keys as production secrets
 -----
-===== Digital Signature =====
+====== 13. Final Mental Model ======
-Goal:
+Cryptography in real systems:
-<code>
+. Asymmetric crypto
-Verify authenticity
+      → establish trust / exchange key
-</code>
-Workflow:
+. Symmetric crypto
+      → encrypt data efficiently
-<code>
+. Hashing
-Private Key → Sign
+      → detect changes
-Public Key  → Verify
+. Authentication
-</code>
+      → prove identity (HMAC / Signature)
-Question answered:
+. PKI
+      → manage trust between systems
-<code>
+. TLS
-Did this really come from the owner?
+      → combine everything into secure communication
-</code>
 -----
+====== 14. One-Line Summary ======
+  Symmetric  → speed (data encryption)
+  Asymmetric → trust (identity + key exchange)
+  Hashing    → integrity
+  JWT        → authentication format using above primitives