Wiki.Quizz.vn

User Tools

Site Tools

Trace: sso-mobile sso-web cryptography-fundamentals
security:cryptography-fundamentals

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
security:cryptography-fundamentals [2026/06/12 11:05] phong2018security:cryptography-fundamentals [2026/06/13 03:22] (current) phong2018
Line 1: Line 1:
-====== Cryptography Fundamentals ======+https://drive.google.com/file/d/1TIeK1rpQMfTS7lH_6Rf-Vjq5VeziDcQB/view?usp=sharing
  
-This document introduces the fundamental concepts of cryptography.+====== Cryptography Full Concepts (Best Practice + System Design View) ======
  
----+This document summarizes cryptography in a practical, backend-engineer-oriented way: 
 +NOT by algorithm only 
 +- BUT by security design + system usage
  
-===== Introduction =====+-----
  
-When systems communicate over a network, there are three main security goals:+====== 1. Core Security Goals ======
  
-* Confidentiality +Cryptography exists to achieve:
-* Integrity +
-* Authenticity+
  
-Cryptography helps achieve these goals.+  * Confidentiality 
 +    - Keep data secret
  
----+  * Integrity 
 +    Detect data modification
  
-====== Security Goals ======+  * Authentication 
 +    - Verify who sent data
  
-===== Confidentiality =====+  * Non-Repudiation 
 +    - Sender cannot deny action
  
-Only authorized parties can read the data.+-----
  
-Example:+====== 2. Cryptographic Building Blocks ======
  
-<code> +These are the 4 fundamental primitives:
-Alice sends a password to Bob.+
  
-Alice ---- Internet ---- Bob +  * Encryption (Hide data) 
-^ +  * Hashing (Detect changes) 
-Attacker </code>+  * Authentication (Prove origin) 
 +  * Key Management (Control trust)
  
-Without protection, the attacker can read the password.+Each system is built by combining these.
  
-Solution:+-----
  
-<code> +====== 3. Encryption (Confidentiality) ======
-Encryption +
-</code>+
  
----+Goal: Hide data from unauthorized access
  
-===== Integrity =====+-----
  
-Data must not be modified during transmission.+===== 3.1 Symmetric Encryption =====
  
-Example:+Same key for encrypt/decrypt
  
-<code> +  * AES (standard) 
-Original: +  * ChaCha20 (modern, fast)
-Transfer $100+
  
-Modified+Properties
-Transfer $10000 </code>+  - Very fast 
 +  - Used for large data 
 +  - Requires secure key sharing
  
-Solution:+-----
  
-<code> +===== 3.2 Asymmetric Encryption =====
-Digital Signatures +
-</code>+
  
----+Public key + Private key
  
-===== Authenticity =====+  * RSA 
 +  * ECC (ECIES)
  
-Verify who actually sent the data.+Properties: 
 +  - Slow 
 +  - Used for small data or key exchange
  
-Example:+-----
  
-<code> +===== 3.3 Best Practice Pattern (IMPORTANT) =====
-Someone claims to be your bank. +
-</code>+
  
-How do you know it is really your bank?+Hybrid Encryption:
  
-Solution: +  1Use Asymmetric crypto to exchange key 
- +  2Use Symmetric crypto to encrypt data
-<code> +
-Digital Signatures +
-Certificates +
-</code> +
- +
---- +
- +
-====== What Is Cryptography? ====== +
- +
-Cryptography is the practice of protecting information+
- +
-Main categories: +
- +
-<code> +
-Cryptography +
-│ +
-├── Encryption +
-│ +
-└── Digital Signatures +
-</code> +
- +
---- +
- +
-====== What Is A Key? ====== +
- +
-A key is a value used by cryptographic algorithms. +
- +
-Think of it like a house key: +
- +
-<code> +
-With key    -> Open the door +
-Without key -> Cannot open the door +
-</code> +
- +
---- +
- +
-====== Encryption ====== +
- +
-Encryption protects: +
- +
-<code> +
-Confidentiality +
-</code> +
- +
-Goal: +
- +
-<code> +
-Prevent unauthorized parties from reading data+
-</code> +
- +
-Process: +
- +
-<code> +
-Plain Text +
-    ↓ +
-Encrypt +
-    ↓ +
-Cipher Text +
-    ↓ +
-Decrypt +
-    ↓ +
-Plain Text +
-</code>+
  
 Example: Example:
 +  TLS (HTTPS)
  
-<code> +-----
-Hello World +
-    ↓ +
-A83D91F22C... +
-</code> +
- +
-Only someone with the correct key can recover the original message. +
- +
---+
- +
-====== Types of Cryptography ====== +
- +
-There are two major cryptographic models: +
- +
-<code> +
-Cryptography +
-│ +
-├── Symmetric Cryptography +
-│ +
-└── Asymmetric Cryptography +
-</code> +
- +
---- +
- +
-====== Encryption vs Digital Signature ====== +
- +
-A common misconception is that encryption and digital signatures work the same way. +
- +
-In reality: +
- +
-^ Capability ^ Symmetric ^ Asymmetric ^ +
-| Encryption | Yes | Yes | +
-| Digital Signature | No | Yes | +
- +
-Explanation: +
- +
-* Encryption can use either Symmetric or Asymmetric cryptography. +
-* Digital Signatures require a Public Key and a Private Key, so they use Asymmetric cryptography. +
- +
---- +
- +
-====== Symmetric Cryptography ====== +
- +
-===== Definition ===== +
- +
-Symmetric cryptography uses: +
- +
-<code> +
-ONE SECRET KEY +
-</code> +
- +
-for both encryption and decryption. +
- +
---- +
- +
-===== Workflow ===== +
- +
-<code> +
-Secret Key +
-    ↓ +
-Encrypt +
-    ↓ +
-Cipher Text +
-    ↓ +
-Decrypt +
-    ↓ +
-Plain Text +
-</code> +
- +
-Example: +
- +
-<code> +
-Encrypt("Hello", secret_key) +
- +
-Decrypt(ciphertext, secret_key) </code> +
- +
---- +
- +
-===== Advantages ===== +
- +
-* Fast +
-* Efficient +
-* Easy to implement +
- +
---- +
- +
-===== Disadvantages ===== +
- +
-The secret key must be shared securely. +
- +
-If the key is stolen: +
- +
-<code> +
-Attacker can decrypt everything. +
-</code> +
- +
---- +
- +
-===== Common Algorithms ===== +
- +
-* AES +
-* ChaCha20 +
-* DES (legacy) +
- +
---- +
- +
-====== Asymmetric Cryptography ====== +
- +
-===== Definition ===== +
- +
-Asymmetric cryptography uses: +
- +
-<code> +
-TWO KEYS +
- +
-Public Key +
-Private Key </code> +
- +
-The keys are mathematically related. +
- +
---- +
- +
-===== Public Key ===== +
- +
-Public key can be shared freely. +
- +
-Examples: +
- +
-* Websites +
-* Certificates +
-* API documentation +
- +
-Anyone may know the public key. +
- +
---- +
- +
-===== Private Key ===== +
- +
-Private key must remain secret. +
- +
-Only the owner should possess it. +
- +
-If leaked: +
- +
-<code> +
-Security is compromised. +
-</code> +
- +
---- +
- +
-====== Asymmetric Encryption ====== +
- +
-===== Purpose ===== +
- +
-Provides: +
- +
-<code> +
-Confidentiality +
-</code> +
- +
---- +
- +
-===== Workflow ===== +
- +
-<code> +
-Public Key  -> Encrypt +
- +
-Private Key -> Decrypt </code> +
- +
---- +
- +
-===== Example ===== +
- +
-Alice owns: +
- +
-<code> +
-Public Key +
-Private Key +
-</code> +
- +
-Bob wants to send a secret message. +
- +
-Bob: +
- +
-<code> +
-Encrypt(message, Alice Public Key) +
-</code> +
- +
-Alice: +
- +
-<code> +
-Decrypt(ciphertext, Alice Private Key) +
-</code> +
- +
----+
  
-===== Result =====+====== 4. Hashing (Integrity) ======
  
-<code> +Goal: Detect if data was changed
-Anyone can encrypt.+
  
-Only Alice can decrypt. </code>+  * SHA-256 
 +  * SHA-512 
 +  * SHA-3
  
----+Properties: 
 +  No key 
 +  One-way function 
 +  - Cannot decrypt
  
-====== Digital Signatures ======+Broken algorithms: 
 +  - MD5 
 +  - SHA-1
  
-Digital signatures provide:+-----
  
-* Integrity +====== 5. Authentication ======
-* Authenticity+
  
----+Goal: Verify message origin
  
-===== Purpose =====+-----
  
-Answer two questions:+===== 5.1 Symmetric Authentication =====
  
-<code> +  * HMAC 
-Who sent this?+  * CMAC
  
-Was this modified? </code>+Properties: 
 +  - Shared secret key 
 +  - Fast 
 +  - No non-repudiation
  
----+Used in: 
 +  JWT HS256 
 +  Internal APIs 
 +  Webhooks (shared secret)
  
-===== Workflow =====+-----
  
-<code> +===== 5.2 Asymmetric Authentication =====
-Private Key -> Sign+
  
-Public Key  -> Verify </code>+Digital Signatures:
  
----+  * RSA-PSS 
 +  * ECDSA 
 +  * Ed25519
  
-===== Example =====+Properties: 
 +  - Private key signs 
 +  - Public key verifies 
 +  - Provides non-repudiation
  
-Server signs a document.+Used in: 
 +  - JWT RS256 / ES256 
 +  - OAuth2 / OpenID Connect 
 +  - SSO systems
  
-<code> +-----
-Document +
-    ↓ +
-Sign with Private Key +
-    ↓ +
-Signed Document +
-</code>+
  
-Verification:+====== 6. Key Exchange ======
  
-<code> +Goal: Securely establish shared secret
-Signed Document +
-    ↓ +
-Verify with Public Key +
-    ↓ +
-Valid / Invalid +
-</code>+
  
----+  * Diffie-Hellman (DH) 
 +  * Elliptic Curve Diffie-Hellman (ECDH)
  
-===== Result =====+Flow: 
 +  - Asymmetric crypto establishes shared key 
 +  - Then symmetric encryption is used
  
-<code> +Used in: 
-Only the owner can sign.+  - TLS handshake 
 +  - Secure channels
  
-Everyone can verify. </code>+-----
  
----+====== 7. PKI (Trust System) ======
  
-====== Encryption vs Digital Signature ======+Public Key Infrastructure:
  
-===== Encryption =====+  * X.509 Certificates 
 +  * Certificate Authority (CA) 
 +  * Certificate Chain
  
-Goal:+Purpose: 
 +  - Prove identity of services 
 +  - Establish trust between systems
  
-<code> +Used in: 
-Hide data +  - HTTPS 
-</code>+  - mTLS 
 +  - SSO systems
  
-Question answered:+-----
  
-<code> +====== 8. Secure Communication Protocols ======
-Can someone read this? +
-</code>+
  
-Examples:+  * TLS (HTTPS) 
 +  * SSH 
 +  * IPsec 
 +  * OpenPGP
  
-<code> +TLS example flow: 
-AES +  1. Key exchange (ECDH) 
-ChaCha20 +  2. Certificate validation (PKI) 
-RSA Encryption +  3. Symmetric encryption (AES-GCM)
-</code>+
  
-Workflows:+-----
  
-Symmetric:+====== 9. Password Security ======
  
-<code> +IMPORTANT RULE: 
-Secret Key -> Encrypt +Never encrypt passwords.
-Secret Key -> Decrypt +
-</code>+
  
-Asymmetric:+Use hashing only:
  
-<code> +  * Argon2 (best) 
-Public Key  -> Encrypt +  * bcrypt (common) 
-Private Key -> Decrypt +  * PBKDF2 (legacy)
-</code>+
  
----+Enhancements: 
 +  * Salt 
 +  * Pepper
  
-===== Digital Signature =====+-----
  
-Goal:+====== 10. Key Management ======
  
-<code> +Key lifecycle:
-Verify authenticity +
-Detect tampering +
-</code>+
  
-Questions answered:+  * Generation 
 +  * Storage 
 +  * Rotation 
 +  * Revocation 
 +  * Expiration
  
-<code> +Best practices: 
-Who sent this?+  - Use KMS (AWS KMS, GCP KMS) 
 +  - Never hardcode secrets 
 +  - Separate keys per environment
  
-Was this modified? </code>+-----
  
-Workflow:+====== 11. JWT (JSON Web Token) ======
  
-<code> +JWT is NOT encryption.
-Private Key -> Sign+
  
-Public Key  -> Verify </code>+It is: 
 +  → Token format + signature mechanism
  
-Examples:+Structure:
  
-<code> +  header.payload.signature
-JWT RS256 +
-JWT ES256 +
-SSH Key Authentication +
-TLS Certificates +
-Git Commit Signing +
-Code Signing +
-</code>+
  
----+-----
  
-====== Real-World Examples ======+===== 11.1 JWT Categories =====
  
-^ Technology ^ Encryption ^ Digital Signature ^ +  * HS256 (Symmetric
-| HTTPS/TLS | AES, ChaCha20 | RSA, ECDSA, Ed25519 | +    - Uses HMAC 
-| SSH | AES, ChaCha20 | RSA, Ed25519 | +    - Shared secret 
-| JWT HS256 | HMAC (shared secret| No | +    - Single system trust
-| JWT RS256 | No | RSA Signature | +
-| JWT ES256 | No | ECDSA Signature | +
-| PGP/GPG | Yes | Yes |+
  
----+  * RS256 / ES256 (Asymmetric) 
 +    Uses Digital Signature 
 +    Private key signs 
 +    Public key verifies
  
-====== Important Note About JWT ======+-----
  
-JWT signatures are often confused with digital signatures.+===== 11.2 JWT Usage Model =====
  
-JWT HS256:+  Authentication layer
  
-<code> +    ├── Symmetric (HMAC) 
-Shared Secret -> Sign +    │     └── HS256 JWT 
-Shared Secret -> Verify +    │ 
-</code>+    └── Asymmetric (Signature) 
 +          └── RS256 ES256 JWT
  
-Uses HMAC and a shared secret.+-----
  
-JWT RS256:+===== 11.3 Best Practice =====
  
-<code> +  * Use HS256: 
-Private Key -> Sign +    Single backend system 
-Public Key  -> Verify +    Simple Laravel API
-</code>+
  
-Uses a true digital signature.+  * Use RS256/ES256: 
 +    - Microservices 
 +    - SSO (Keycloak, Auth0, OAuth2)
  
----+-----
  
-====== Quick Summary ======+====== 12. Cryptography by Design Principle ======
  
-^ Capability ^ Symmetric ^ Asymmetric ^ +Modern system design rules:
-| Encryption | Yes | Yes | +
-| Digital Signature | No | Yes |+
  
-<code> +  * Never design your own cryptography 
-Encryption +  * Always use standard algorithms 
-= +  * Prefer AEAD (AES-GCM, ChaCha20-Poly1305) 
-Hide data +  * Separate encryption / authentication / signing 
-= +  * Use symmetric for performance 
-Confidentiality+  * Use asymmetric for trust boundaries 
 +  * Use PKI for multi-system identity 
 +  * Use TLS everywhere 
 +  * Hash passwords only (never encrypt) 
 +  * Treat keys as production secrets
  
-# Digital Signature+-----
  
-Verify sender +====== 13. Final Mental Model ======
-+
-Detect tampering +
-================+
  
-Authenticity + Integrity+Cryptography in real systems:
  
-# Symmetric+  1. Asymmetric crypto 
 +      → establish trust / exchange key
  
-One Secret Key+  2. Symmetric crypto 
 +      → encrypt data efficiently
  
-# Asymmetric+  3. Hashing 
 +      → detect changes
  
-Public Key + Private Key+  4. Authentication 
 +      → prove identity (HMAC / Signature)
  
-# Encryption+  5. PKI 
 +      → manage trust between systems
  
-Symmetric OR Asymmetric+  6. TLS 
 +      → combine everything into secure communication
  
-# Digital Signature+-----
  
-Asymmetric </code>+====== 14. One-Line Summary ======
  
 +  Symmetric  → speed (data encryption)
 +  Asymmetric → trust (identity + key exchange)
 +  Hashing    → integrity
 +  JWT        → authentication format using above primitives
security/cryptography-fundamentals.1781262343.txt.gz · Last modified: by phong2018