Differences

This shows you the differences between two versions of the page.

--- security:cryptography-fundamentals [2026/06/12 13:04] – phong2018
+++ security:cryptography-fundamentals [2026/06/13 03:22] (current) – phong2018
@@ Line 1: / Line 1: @@
-====== Cryptography Fundamentals ======
+https://drive.google.com/file/d/1TIeK1rpQMfTS7lH_6Rf-Vjq5VeziDcQB/view?usp=sharing
-This document introduces the fundamental concepts of cryptography and explains Encryption, HMAC, Digital Signatures, Symmetric Cryptography, Asymmetric Cryptography, and JWT.
+====== Cryptography Full Concepts (Best Practice + System Design View) ======
----
+This document summarizes cryptography in a practical, backend-engineer-oriented way:
+- NOT by algorithm only
+- BUT by security design + system usage
-===== Introduction =====
+-----
-When systems communicate over a network, there are four main security goals:
+====== 1. Core Security Goals ======
-* Confidentiality
+Cryptography exists to achieve:
-* Integrity
-* Authentication
-* Authenticity
-Cryptography helps achieve these goals.
+  * Confidentiality
+    - Keep data secret
----
+  * Integrity
+    - Detect data modification
-====== Security Goals ======
+  * Authentication
+    - Verify who sent data
-===== Confidentiality =====
+  * Non-Repudiation
+    - Sender cannot deny action
-Only authorized parties can read the data.
+-----
-Example:
+====== 2. Cryptographic Building Blocks ======
-<code>
+These are the 4 fundamental primitives:
-Alice sends a password to Bob.
-Alice ---- Internet ---- Bob
+  * Encryption (Hide data)
-^
+  * Hashing (Detect changes)
-|
+  * Authentication (Prove origin)
-Attacker </code>
+  * Key Management (Control trust)
-Without protection, the attacker can read the password.
+Each system is built by combining these.
-Solution:
+-----
-<code>
+====== 3. Encryption (Confidentiality) ======
-Encryption
-</code>
----
+Goal: Hide data from unauthorized access
-===== Integrity =====
+-----
-Data must not be modified during transmission.
+===== 3.1 Symmetric Encryption =====
-Example:
+Same key for encrypt/decrypt
-<code>
+  * AES (standard)
-Original:
+  * ChaCha20 (modern, fast)
-Transfer $100
-Modified:
+Properties:
-Transfer $10000 </code>
+  - Very fast
+  - Used for large data
+  - Requires secure key sharing
-Solution:
+-----
-<code>
+===== 3.2 Asymmetric Encryption =====
-HMAC
-Digital Signatures
-</code>
----
+Public key + Private key
-===== Authentication =====
+  * RSA
+  * ECC (ECIES)
-Verify who actually sent the data.
+Properties:
+  - Slow
+  - Used for small data or key exchange
-Example:
+-----
-<code>
+===== 3.3 Best Practice Pattern (IMPORTANT) =====
-Someone claims to be your bank.
-</code>
-How do you know it is really your bank?
+Hybrid Encryption:
-Solutions:
+. Use Asymmetric crypto to exchange key
+. Use Symmetric crypto to encrypt data
-<code>
-HMAC
-Digital Signatures
-Certificates
-</code>
----
-===== Authenticity =====
-Authenticity means that data genuinely comes from the claimed sender.
-Authenticity is achieved through authentication mechanisms such as:
-* HMAC
-* Digital Signatures
-* Certificates
----
-====== What Is Cryptography? ======
-Cryptography is the practice of protecting information.
-Main categories:
-<code>
-Cryptography
-│
-├── Symmetric Cryptography
-│   │
-│   ├── Encryption
-│   │   └── AES, ChaCha20
-│   │
-│   └── Authentication
-│       └── HMAC
-│
-└── Asymmetric Cryptography
-    │
-    ├── Encryption
-    │   └── RSA Encryption
-    │
-    └── Digital Signatures
-        └── RSA, ECDSA, EdDSA
-</code>
----
-====== What Is A Key? ======
-A key is a value used by cryptographic algorithms.
-Think of it like a house key:
-<code>
-With key    -> Open the door
-Without key -> Cannot open the door </code>
----
-====== Encryption ======
-Encryption protects:
-<code>
-Confidentiality
-</code>
-Goal:
-<code>
-Prevent unauthorized parties from reading data.
-</code>
-Process:
-<code>
-Plain Text
-    ↓
-Encrypt
-    ↓
-Cipher Text
-    ↓
-Decrypt
-    ↓
-Plain Text
-</code>
 Example:
+  TLS (HTTPS)
-<code>
+-----
-Hello World
-    ↓
-A83D91F22C...
-</code>
-Only someone with the correct key can recover the original message.
+====== 4. Hashing (Integrity) ======
----
+Goal: Detect if data was changed
-====== Types of Cryptography ======
+  * SHA-256
+  * SHA-512
+  * SHA-3
-There are two major cryptographic models:
+Properties:
+  - No key
+  - One-way function
+  - Cannot decrypt
-<code>
+Broken algorithms:
-Cryptography
+  - MD5
-│
+  - SHA-1
-├── Symmetric Cryptography
-│
-└── Asymmetric Cryptography
-</code>
----
+-----
-====== Symmetric vs Asymmetric ======
+====== 5. Authentication ======
-^ Capability ^ Symmetric ^ Asymmetric ^
+Goal: Verify message origin
-| Encryption | Yes | Yes |
-| Integrity Check | Yes | Yes |
-| Authentication | Yes | Yes |
-| Digital Signature | No | Yes |
-Explanation:
+-----
-* Encryption can use either Symmetric or Asymmetric cryptography.
+===== 5.1 Symmetric Authentication =====
-* Integrity and Authentication can be achieved by HMAC or Digital Signatures.
-* True Digital Signatures require a Public Key and a Private Key.
----
+  * HMAC
+  * CMAC
-====== Symmetric Cryptography ======
+Properties:
+  - Shared secret key
+  - Fast
+  - No non-repudiation
-===== Definition =====
+Used in:
+  - JWT HS256
+  - Internal APIs
+  - Webhooks (shared secret)
-Symmetric cryptography uses:
+-----
-<code>
+===== 5.2 Asymmetric Authentication =====
-ONE SECRET KEY
-</code>
-for both encryption and decryption.
+Digital Signatures:
----
+  * RSA-PSS
+  * ECDSA
+  * Ed25519
-===== Workflow =====
+Properties:
+  - Private key signs
+  - Public key verifies
+  - Provides non-repudiation
-<code>
+Used in:
-Secret Key
+  - JWT RS256 / ES256
-    ↓
+  - OAuth2 / OpenID Connect
-Encrypt
+  - SSO systems
-    ↓
-Cipher Text
-    ↓
-Decrypt
-    ↓
-Plain Text
-</code>
-Example:
+-----
-<code>
+====== 6. Key Exchange ======
-Encrypt("Hello", secret_key)
-Decrypt(ciphertext, secret_key) </code>
+Goal: Securely establish shared secret
----
+  * Diffie-Hellman (DH)
+  * Elliptic Curve Diffie-Hellman (ECDH)
-===== Advantages =====
+Flow:
+  - Asymmetric crypto establishes shared key
+  - Then symmetric encryption is used
-* Fast
+Used in:
-* Efficient
+  - TLS handshake
-* Easy to implement
+  - Secure channels
----
+-----
-===== Disadvantages =====
+====== 7. PKI (Trust System) ======
-The secret key must be shared securely.
+Public Key Infrastructure:
-If the key is stolen:
+  * X.509 Certificates
+  * Certificate Authority (CA)
+  * Certificate Chain
-<code>
+Purpose:
-Attacker can decrypt everything.
+  - Prove identity of services
-</code>
+  - Establish trust between systems
----
+Used in:
+  - HTTPS
+  - mTLS
+  - SSO systems
-===== Common Algorithms =====
+-----
-* AES
+====== 8. Secure Communication Protocols ======
-* ChaCha20
-* DES (legacy)
----
+  * TLS (HTTPS)
+  * SSH
+  * IPsec
+  * OpenPGP
-====== HMAC ======
+TLS example flow:
+. Key exchange (ECDH)
+. Certificate validation (PKI)
+. Symmetric encryption (AES-GCM)
-===== Definition =====
+-----
-HMAC stands for:
+====== 9. Password Security ======
-<code>
+IMPORTANT RULE:
-Hash-based Message Authentication Code
+Never encrypt passwords.
-</code>
-HMAC provides:
+Use hashing only:
-* Integrity
+  * Argon2 (best)
-* Authentication
+  * bcrypt (common)
+  * PBKDF2 (legacy)
-HMAC uses:
+Enhancements:
+  * Salt
+  * Pepper
-<code>
+-----
-ONE SHARED SECRET KEY
-</code>
----
+====== 10. Key Management ======
-===== Workflow =====
+Key lifecycle:
-<code>
+  * Generation
-Message
+  * Storage
-   +
+  * Rotation
-Secret Key
+  * Revocation
-   ↓
+  * Expiration
-HMAC
-</code>
-Verification:
+Best practices:
+  - Use KMS (AWS KMS, GCP KMS)
+  - Never hardcode secrets
+  - Separate keys per environment
-<code>
+-----
-Message
-   +
-Secret Key
-   ↓
-Recalculate HMAC
-</code>
----
+====== 11. JWT (JSON Web Token) ======
-===== Result =====
+JWT is NOT encryption.
-<code>
+It is:
-Detect tampering
+  → Token format + signature mechanism
-Verify sender knows the secret
-</code>
----
+Structure:
-===== Characteristics =====
+  header.payload.signature
-* Symmetric
+-----
-* Uses one shared secret
-* Not a true Digital Signature
-* Used by JWT HS256
----
+===== 11.1 JWT Categories =====
-====== Asymmetric Cryptography ======
+  * HS256 (Symmetric)
+    - Uses HMAC
+    - Shared secret
+    - Single system trust
-===== Definition =====
+  * RS256 / ES256 (Asymmetric)
+    - Uses Digital Signature
+    - Private key signs
+    - Public key verifies
-Asymmetric cryptography uses:
+-----
-<code>
+===== 11.2 JWT Usage Model =====
-TWO KEYS
-Public Key
+  Authentication layer
-Private Key </code>
-The keys are mathematically related.
+    ├── Symmetric (HMAC)
+    │     └── HS256 JWT
----
+    │
+    └── Asymmetric (Signature)
-===== Public Key =====
+          └── RS256 / ES256 JWT
-Public key can be shared freely.
-Examples:
-* Websites
-* Certificates
-* API documentation
-Anyone may know the public key.
----
-===== Private Key =====
-Private key must remain secret.
-Only the owner should possess it.
-If leaked:
-<code>
-Security is compromised.
-</code>
----
-====== Asymmetric Encryption ======
-===== Purpose =====
-Provides:
-<code>
-Confidentiality
-</code>
----
-===== Workflow =====
-<code>
-Public Key  -> Encrypt
-Private Key -> Decrypt </code>
----
-===== Example =====
-Alice owns:
-<code>
-Public Key
-Private Key
-</code>
-Bob wants to send a secret message.
-Bob:
-<code>
-Encrypt(message, Alice Public Key)
-</code>
-Alice:
-<code>
-Decrypt(ciphertext, Alice Private Key)
-</code>
----
-===== Result =====
-<code>
-Anyone can encrypt.
-Only Alice can decrypt. </code>
----
-====== Digital Signatures ======
-Digital Signatures provide:
-* Integrity
-* Authentication
-* Non-repudiation
----
-===== Purpose =====
-Answer three questions:
-<code>
-Who sent this?
-Was this modified?
-Can the sender deny sending it? </code>
----
-===== Workflow =====
-<code>
-Private Key -> Sign
-Public Key  -> Verify </code>
----
-===== Example =====
-Server signs a document.
-<code>
-Document
-    ↓
-Sign with Private Key
-    ↓
-Signed Document
-</code>
-Verification:
-<code>
-Signed Document
-    ↓
-Verify with Public Key
-    ↓
-Valid / Invalid
-</code>
----
-===== Result =====
-<code>
-Only the owner can sign.
-Everyone can verify. </code>
----
-====== HMAC vs Digital Signature ======
-^ Feature ^ HMAC ^ Digital Signature ^
-| Key Type | Shared Secret | Public/Private Key |
-| Symmetric | Yes | No |
-| Asymmetric | No | Yes |
-| Integrity | Yes | Yes |
-| Authentication | Yes | Yes |
-| Non-repudiation | No | Yes |
-| Speed | Faster | Slower |
----
-====== Encryption vs Digital Signature ======
-===== Encryption =====
-Goal:
-<code>
-Hide data
-</code>
-Question answered:
-<code>
-Can someone read this?
-</code>
-Examples:
-<code>
-AES
-ChaCha20
-RSA Encryption
-</code>
-Workflows:
-Symmetric:
-<code>
-Secret Key -> Encrypt
-Secret Key -> Decrypt
-</code>
-Asymmetric:
-<code>
-Public Key  -> Encrypt
-Private Key -> Decrypt
-</code>
----
-===== Digital Signature =====
-Goal:
-<code>
-Verify authenticity
-Detect tampering
-</code>
-Questions answered:
-<code>
-Who sent this?
-Was this modified? </code>
-Workflow:
-<code>
-Private Key -> Sign
-Public Key  -> Verify </code>
-Examples:
-<code>
-JWT RS256
-JWT ES256
-SSH Key Authentication
-TLS Certificates
-Git Commit Signing
-Code Signing
-</code>
----
-====== JWT ======
-JWT stands for:
-<code>
-JSON Web Token
-</code>
-JWT is a token format:
-<code>
-header.payload.signature
-</code>
-JWT itself is not encryption.
-JWT is usually used for:
-* Authentication
-* Integrity verification
----
-====== JWT HS256 ======
-JWT HS256 uses:
-<code>
-HMAC-SHA256
-</code>
-Workflow:
-<code>
-Payload
-   +
-JWT_SECRET
-   ↓
-HMAC Signature
-</code>
-Verification:
-<code>
-Payload
-   +
-JWT_SECRET
-   ↓
-Verify HMAC
-</code>
-Characteristics:
-* Symmetric
-* Uses one shared secret
-* Integrity
-* Authentication
-* Not a true Digital Signature
-* Default in many Laravel applications
----
-====== JWT RS256 ======
-JWT RS256 uses:
-<code>
-RSA Digital Signature
-</code>
-Workflow:
-<code>
-Private Key
-    ↓
-Sign JWT
-Public Key
-↓
-Verify JWT </code>
-Characteristics:
-* Asymmetric
-* Uses Public/Private Keys
-* Integrity
-* Authentication
-* True Digital Signature
-* Common in OAuth2 and SSO systems
----
-====== Real-World Examples ======
-^ Technology ^ Encryption ^ Authentication / Signature ^
-| HTTPS/TLS | AES, ChaCha20 | RSA, ECDSA, Ed25519 |
-| SSH | AES, ChaCha20 | RSA, Ed25519 |
-| JWT HS256 | No | HMAC |
-| JWT RS256 | No | RSA Signature |
-| JWT ES256 | No | ECDSA Signature |
-| PGP/GPG | Yes | Yes |
----
-====== Quick Summary ======
-^ Capability ^ Symmetric ^ Asymmetric ^
-| Encryption | Yes | Yes |
-| Integrity Check | Yes | Yes |
-| Authentication | Yes | Yes |
-| Digital Signature | No | Yes |
-<code>
-Encryption
-=
-Hide data
-=
-Confidentiality
-# HMAC
-Verify sender knows the secret
-+
-Detect tampering
-================
-Authentication + Integrity
-# Digital Signature
+-----
-Verify sender
+===== 11.3 Best Practice =====
-+
-Detect tampering
-+
-Non-repudiation
-===============
-Authentication + Integrity + Non-repudiation
+  * Use HS256:
+    - Single backend system
+    - Simple Laravel API
-# Symmetric
+  * Use RS256/ES256:
+    - Microservices
+    - SSO (Keycloak, Auth0, OAuth2)
-One Secret Key
+-----
-# Asymmetric
+====== 12. Cryptography by Design Principle ======
-Public Key + Private Key
+Modern system design rules:
-# Encryption
+  * Never design your own cryptography
+  * Always use standard algorithms
+  * Prefer AEAD (AES-GCM, ChaCha20-Poly1305)
+  * Separate encryption / authentication / signing
+  * Use symmetric for performance
+  * Use asymmetric for trust boundaries
+  * Use PKI for multi-system identity
+  * Use TLS everywhere
+  * Hash passwords only (never encrypt)
+  * Treat keys as production secrets
-Symmetric OR Asymmetric
+-----
-# HMAC
+====== 13. Final Mental Model ======
-Symmetric
+Cryptography in real systems:
-# Digital Signature
+. Asymmetric crypto
+      → establish trust / exchange key
-Asymmetric
+. Symmetric crypto
+      → encrypt data efficiently
-# JWT HS256
+. Hashing
+      → detect changes
-# HMAC
+. Authentication
+      → prove identity (HMAC / Signature)
-Symmetric
+. PKI
+      → manage trust between systems
-# JWT RS256
+. TLS
+      → combine everything into secure communication
-# Digital Signature
+-----
-Asymmetric </code>
+====== 14. One-Line Summary ======
+  Symmetric  → speed (data encryption)
+  Asymmetric → trust (identity + key exchange)
+  Hashing    → integrity
+  JWT        → authentication format using above primitives