Wiki.Quizz.vn

User Tools

Site Tools

Trace: sso-mobile sso-web cryptography-fundamentals
security:cryptography-fundamentals

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
security:cryptography-fundamentals [2026/06/12 11:04] phong2018security:cryptography-fundamentals [2026/06/13 03:22] (current) phong2018
Line 1: Line 1:
-====== Cryptography Fundamentals ======+https://drive.google.com/file/d/1TIeK1rpQMfTS7lH_6Rf-Vjq5VeziDcQB/view?usp=sharing
  
-This document introduces the fundamental concepts of cryptography.+====== Cryptography Full Concepts (Best Practice + System Design View) ======
  
----+This document summarizes cryptography in a practical, backend-engineer-oriented way: 
 +NOT by algorithm only 
 +- BUT by security design + system usage
  
-===== Why Do We Need Cryptography? =====+-----
  
-When systems communicate over a network, there are three main security goals:+====== 1. Core Security Goals ======
  
-* Confidentiality +Cryptography exists to achieve:
-* Integrity +
-* Authenticity+
  
-Cryptography helps achieve these goals.+  * Confidentiality 
 +    - Keep data secret
  
----+  * Integrity 
 +    Detect data modification
  
-====== Security Goals ======+  * Authentication 
 +    - Verify who sent data
  
-===== Confidentiality =====+  * Non-Repudiation 
 +    - Sender cannot deny action
  
-Only authorized parties can read the data.+-----
  
-Example:+====== 2. Cryptographic Building Blocks ======
  
-<code> +These are the 4 fundamental primitives:
-Alice sends a password to Bob.+
  
-Alice ---- Internet ---- Bob +  * Encryption (Hide data) 
-^ +  * Hashing (Detect changes) 
-Attacker </code>+  * Authentication (Prove origin) 
 +  * Key Management (Control trust)
  
-Without protection, the attacker can read the password.+Each system is built by combining these.
  
-Solution:+-----
  
-<code> +====== 3. Encryption (Confidentiality) ======
-Encryption +
-</code>+
  
----+Goal: Hide data from unauthorized access
  
-===== Integrity =====+-----
  
-Data must not be modified during transmission.+===== 3.1 Symmetric Encryption =====
  
-Example:+Same key for encrypt/decrypt
  
-<code> +  * AES (standard) 
-Original: +  * ChaCha20 (modern, fast)
-Transfer $100+
  
-Modified+Properties
-Transfer $10000 </code>+  - Very fast 
 +  - Used for large data 
 +  - Requires secure key sharing
  
-Solution:+-----
  
-<code> +===== 3.2 Asymmetric Encryption =====
-Digital Signatures +
-</code>+
  
----+Public key + Private key
  
-===== Authenticity =====+  * RSA 
 +  * ECC (ECIES)
  
-Verify who actually sent the data.+Properties: 
 +  - Slow 
 +  - Used for small data or key exchange
  
-Example:+-----
  
-<code> +===== 3.3 Best Practice Pattern (IMPORTANT) =====
-Someone claims to be your bank. +
-</code>+
  
-How do you know it is really your bank?+Hybrid Encryption:
  
-Solution: +  1Use Asymmetric crypto to exchange key 
- +  2Use Symmetric crypto to encrypt data
-<code> +
-Digital Signatures +
-Certificates +
-</code> +
- +
---- +
- +
-====== What Is Cryptography? ====== +
- +
-Cryptography is the practice of protecting information+
- +
-Main categories: +
- +
-<code> +
-Cryptography +
-│ +
-├── Encryption +
-│ +
-└── Digital Signatures +
-</code> +
- +
---- +
- +
-====== What Is A Key? ====== +
- +
-A key is a secret value used by cryptographic algorithms. +
- +
-Think of it like a house key: +
- +
-<code> +
-With key    -> Open the door +
-Without key -> Cannot open the door +
-</code> +
- +
---- +
- +
-====== Encryption ====== +
- +
-Encryption protects: +
- +
-<code> +
-Confidentiality +
-</code> +
- +
-Goal: +
- +
-<code> +
-Prevent unauthorized parties from reading data+
-</code> +
- +
-Process: +
- +
-<code> +
-Plain Text +
-    ↓ +
-Encrypt +
-    ↓ +
-Cipher Text +
-    ↓ +
-Decrypt +
-    ↓ +
-Plain Text +
-</code>+
  
 Example: Example:
 +  TLS (HTTPS)
  
-<code> +-----
-Hello World +
-    ↓ +
-A83D91F22C... +
-</code>+
  
-Only someone with the correct key can recover the original message.+====== 4Hashing (Integrity) ======
  
----+Goal: Detect if data was changed
  
-====== Types of Encryption ======+  * SHA-256 
 +  * SHA-512 
 +  * SHA-3
  
-Encryption can be implemented using:+Properties: 
 +  - No key 
 +  - One-way function 
 +  - Cannot decrypt
  
-* Symmetric Cryptography +Broken algorithms: 
-* Asymmetric Cryptography+  - MD5 
 +  - SHA-1
  
----+-----
  
-===== Symmetric Cryptography =====+====== 5. Authentication ======
  
-Uses:+GoalVerify message origin
  
-<code> +-----
-ONE SECRET KEY +
-</code>+
  
-for both encryption and decryption.+===== 5.1 Symmetric Authentication =====
  
-Workflow:+  * HMAC 
 +  * CMAC
  
-<code> +Properties: 
-Secret Key +  - Shared secret key 
-    ↓ +  - Fast 
-Encrypt +  - No non-repudiation
-    ↓ +
-Cipher Text +
-    ↓ +
-Decrypt +
-    ↓ +
-Plain Text +
-</code>+
  
-Example:+Used in: 
 +  - JWT HS256 
 +  - Internal APIs 
 +  - Webhooks (shared secret)
  
-<code> +-----
-Encrypt("Hello", secret_key)+
  
-Decrypt(ciphertext, secret_key) </code>+===== 5.2 Asymmetric Authentication =====
  
-Advantages:+Digital Signatures:
  
-Fast +  RSA-PSS 
-Efficient +  ECDSA 
-Easy to implement+  Ed25519
  
-Disadvantages:+Properties: 
 +  - Private key signs 
 +  - Public key verifies 
 +  - Provides non-repudiation
  
-* Secret key must be shared securely +Used in: 
-* If the key leaks, all data can be decrypted+  - JWT RS256 / ES256 
 +  - OAuth2 / OpenID Connect 
 +  - SSO systems
  
-Common algorithms:+-----
  
-* AES +====== 6. Key Exchange ======
-* ChaCha20 +
-* DES (legacy)+
  
----+Goal: Securely establish shared secret
  
-===== Asymmetric Cryptography =====+  * Diffie-Hellman (DH) 
 +  * Elliptic Curve Diffie-Hellman (ECDH)
  
-Uses:+Flow: 
 +  - Asymmetric crypto establishes shared key 
 +  - Then symmetric encryption is used
  
-<code> +Used in: 
-TWO KEYS+  - TLS handshake 
 +  - Secure channels
  
-Public Key +-----
-Private Key </code>+
  
-The keys are mathematically related.+====== 7PKI (Trust System) ======
  
-Public Key:+Public Key Infrastructure:
  
-Can be shared publicly +  X.509 Certificates 
- +  * Certificate Authority (CA) 
-Private Key: +  Certificate Chain
- +
-Must remain secret +
- +
---- +
- +
-====== Asymmetric Encryption ======+
  
 Purpose: Purpose:
 +  - Prove identity of services
 +  - Establish trust between systems
  
-<code> +Used in: 
-Confidentiality +  - HTTPS 
-</code>+  - mTLS 
 +  - SSO systems
  
-Workflow: +-----
- +
-<code> +
-Public Key  -> Encrypt +
- +
-Private Key -> Decrypt </code> +
- +
-Example: +
- +
-Alice owns: +
- +
-<code> +
-Public Key +
-Private Key +
-</code> +
- +
-Bob wants to send a secret message: +
- +
-<code> +
-Encrypt(message, Alice Public Key) +
-</code> +
- +
-Alice decrypts: +
- +
-<code> +
-Decrypt(ciphertext, Alice Private Key) +
-</code> +
- +
-Result: +
- +
-<code> +
-Anyone can encrypt. +
- +
-Only Alice can decrypt. </code> +
- +
---- +
- +
-====== Digital Signatures ====== +
- +
-Digital signatures provide: +
- +
-* Integrity +
-* Authenticity +
- +
-Workflow: +
- +
-<code> +
-Private Key -> Sign +
- +
-Public Key  -> Verify </code> +
- +
-Example:+
  
-<code> +====== 8. Secure Communication Protocols ======
-Document +
-    ↓ +
-Sign with Private Key +
-    ↓ +
-Signed Document +
-</code>+
  
-Verification:+  * TLS (HTTPS) 
 +  * SSH 
 +  * IPsec 
 +  * OpenPGP
  
-<code> +TLS example flow: 
-Signed Document +  1. Key exchange (ECDH) 
-    ↓ +  2. Certificate validation (PKI) 
-Verify with Public Key +  3. Symmetric encryption (AES-GCM)
-    ↓ +
-Valid / Invalid +
-</code>+
  
-Result:+-----
  
-<code> +====== 9Password Security ======
-Only the owner can sign.+
  
-Everyone can verify</code>+IMPORTANT RULE: 
 +Never encrypt passwords.
  
----+Use hashing only:
  
-====== Encryption vs Digital Signature ======+  * Argon2 (best) 
 +  * bcrypt (common) 
 +  * PBKDF2 (legacy)
  
-===== Encryption =====+Enhancements: 
 +  * Salt 
 +  * Pepper
  
-Goal:+-----
  
-<code> +====== 10. Key Management ======
-Hide data +
-</code>+
  
-Question answered:+Key lifecycle:
  
-<code> +  * Generation 
-Can someone read this? +  * Storage 
-</code>+  * Rotation 
 +  * Revocation 
 +  * Expiration
  
-Can use:+Best practices: 
 +  - Use KMS (AWS KMS, GCP KMS) 
 +  - Never hardcode secrets 
 +  - Separate keys per environment
  
-<code> +-----
-Symmetric Cryptography +
-Asymmetric Cryptography +
-</code>+
  
-Workflow:+====== 11. JWT (JSON Web Token) ======
  
-<code> +JWT is NOT encryption.
-Public Key  -> Encrypt +
-Private Key -> Decrypt +
-</code>+
  
-or+It is: 
 +  → Token format + signature mechanism
  
-<code> +Structure:
-Secret Key -> Encrypt +
-Secret Key -> Decrypt +
-</code>+
  
----+  header.payload.signature
  
-===== Digital Signature =====+-----
  
-Goal:+===== 11.1 JWT Categories =====
  
-<code> +  * HS256 (Symmetric) 
-Verify authenticity +    - Uses HMAC 
-Detect tampering +    - Shared secret 
-</code>+    - Single system trust
  
-Questions answered:+  * RS256 / ES256 (Asymmetric) 
 +    - Uses Digital Signature 
 +    - Private key signs 
 +    - Public key verifies
  
-<code> +-----
-Who sent this?+
  
-Was this modified? </code>+===== 11.2 JWT Usage Model =====
  
-Uses:+  Authentication layer
  
-<code> +    ├── Symmetric (HMAC) 
-Asymmetric Cryptography +    │     └── HS256 JWT 
-</code>+    │ 
 +    └── Asymmetric (Signature) 
 +          └── RS256 ES256 JWT
  
-Workflow:+-----
  
-<code> +===== 11.3 Best Practice =====
-Private Key -> Sign +
-Public Key  -> Verify +
-</code>+
  
----+  * Use HS256: 
 +    Single backend system 
 +    Simple Laravel API
  
-====== Real-World Examples ======+  * Use RS256/ES256: 
 +    Microservices 
 +    - SSO (Keycloak, Auth0, OAuth2)
  
-^ Technology ^ Encryption ^ Digital Signature ^ +-----
-| HTTPS/TLS | AES, ChaCha20 | RSA, ECDSA, Ed25519 | +
-| SSH | AES, ChaCha20 | RSA, Ed25519 | +
-| JWT HS256 | HMAC (shared secret) | No | +
-| JWT RS256 | No | RSA Signature | +
-| JWT ES256 | No | ECDSA Signature | +
-| PGP/GPG | Yes | Yes |+
  
----+====== 12. Cryptography by Design Principle ======
  
-====== Easy Way To Remember ======+Modern system design rules:
  
-<code> +  * Never design your own cryptography 
-Encryption +  * Always use standard algorithms 
-= +  * Prefer AEAD (AES-GCM, ChaCha20-Poly1305) 
-Hide data +  * Separate encryption / authentication / signing 
-= +  * Use symmetric for performance 
-Confidentiality+  * Use asymmetric for trust boundaries 
 +  * Use PKI for multi-system identity 
 +  * Use TLS everywhere 
 +  * Hash passwords only (never encrypt) 
 +  * Treat keys as production secrets
  
-# Digital Signature+-----
  
-Verify sender +====== 13. Final Mental Model ======
-+
-Detect tampering +
-================+
  
-Authenticity + Integrity+Cryptography in real systems:
  
-# Symmetric+  1. Asymmetric crypto 
 +      → establish trust / exchange key
  
-1 Secret Key+  2. Symmetric crypto 
 +      → encrypt data efficiently
  
-# Asymmetric+  3. Hashing 
 +      → detect changes
  
-Public Key + Private Key+  4. Authentication 
 +      → prove identity (HMAC / Signature)
  
-# Encryption+  5. PKI 
 +      → manage trust between systems
  
-Symmetric OR Asymmetric+  6. TLS 
 +      → combine everything into secure communication
  
-# Digital Signature+-----
  
-Asymmetric </code>+====== 14. One-Line Summary ======
  
 +  Symmetric  → speed (data encryption)
 +  Asymmetric → trust (identity + key exchange)
 +  Hashing    → integrity
 +  JWT        → authentication format using above primitives
security/cryptography-fundamentals.1781262245.txt.gz · Last modified: by phong2018