Differences

This shows you the differences between two versions of the page.

--- security:cryptography-fundamentals [2026/06/12 23:46] – [Quick Summary] phong2018
+++ security:cryptography-fundamentals [2026/06/13 03:22] (current) – phong2018
@@ Line 1: / Line 1: @@
-====== Cryptography Fundamentals ======
+https://drive.google.com/file/d/1TIeK1rpQMfTS7lH_6Rf-Vjq5VeziDcQB/view?usp=sharing
-This document introduces the fundamental concepts of cryptography and explains Encryption, HMAC, Digital Signatures, Symmetric Cryptography, Asymmetric Cryptography, and JWT.
----
-===== Introduction =====
-When systems communicate over a network, there are four main security goals:
-* Confidentiality
-* Integrity
-* Authentication
-* Authenticity
-Cryptography helps achieve these goals.
----
-====== Security Goals ======
-===== Confidentiality =====
-Only authorized parties can read the data.
-Example:
-<code>
-Alice sends a password to Bob.
-Alice ---- Internet ---- Bob
-^
-|
-Attacker </code>
-Without protection, the attacker can read the password.
-Solution:
-<code>
-Encryption
-</code>
----
-===== Integrity =====
-Data must not be modified during transmission.
-Example:
-<code>
-Original:
-Transfer $100
-Modified:
-Transfer $10000 </code>
-Solution:
-<code>
-HMAC
-Digital Signatures
-</code>
----
-===== Authentication =====
-Verify who actually sent the data.
-Example:
-<code>
-Someone claims to be your bank.
-</code>
-How do you know it is really your bank?
-Solutions:
-<code>
-HMAC
-Digital Signatures
-Certificates
-</code>
----
-===== Authenticity =====
-Authenticity means that data genuinely comes from the claimed sender.
-Authenticity is achieved through authentication mechanisms such as:
-* HMAC
-* Digital Signatures
-* Certificates
----
-====== What Is Cryptography? ======
-Cryptography is the practice of protecting information.
-Main categories:
-<code>
-Cryptography
-│
-├── Symmetric Cryptography
-│   │
-│   ├── Encryption
-│   │   └── AES, ChaCha20
-│   │
-│   └── Authentication
-│       └── HMAC
-│
-└── Asymmetric Cryptography
-    │
-    ├── Encryption
-    │   └── RSA Encryption
-    │
-    └── Digital Signatures
-        └── RSA, ECDSA, EdDSA
-</code>
----
-====== What Is A Key? ======
-A key is a value used by cryptographic algorithms.
-Think of it like a house key:
-<code>
-With key    -> Open the door
-Without key -> Cannot open the door </code>
----
-====== Encryption ======
-Encryption protects:
-<code>
-Confidentiality
-</code>
-Goal:
-<code>
-Prevent unauthorized parties from reading data.
-</code>
-Process:
-<code>
-Plain Text
-    ↓
-Encrypt
-    ↓
-Cipher Text
-    ↓
-Decrypt
-    ↓
-Plain Text
-</code>
-Example:
-<code>
-Hello World
-    ↓
-A83D91F22C...
-</code>
-Only someone with the correct key can recover the original message.
----
-====== Types of Cryptography ======
-There are two major cryptographic models:
-<code>
-Cryptography
-│
-├── Symmetric Cryptography
-│
-└── Asymmetric Cryptography
-</code>
----
-====== Symmetric vs Asymmetric ======
-^ Capability ^ Symmetric ^ Asymmetric ^
-| Encryption | Yes | Yes |
-| Integrity Check | Yes | Yes |
-| Authentication | Yes | Yes |
-| Digital Signature | No | Yes |
-Explanation:
-* Encryption can use either Symmetric or Asymmetric cryptography.
-* Integrity and Authentication can be achieved by HMAC or Digital Signatures.
-* True Digital Signatures require a Public Key and a Private Key.
----
-====== Symmetric Cryptography ======
-===== Definition =====
-Symmetric cryptography uses:
-<code>
-ONE SECRET KEY
-</code>
-for both encryption and decryption.
----
-===== Workflow =====
-<code>
-Secret Key
-    ↓
-Encrypt
-    ↓
-Cipher Text
-    ↓
-Decrypt
-    ↓
-Plain Text
-</code>
-Example:
-<code>
-Encrypt("Hello", secret_key)
-Decrypt(ciphertext, secret_key) </code>
----
-===== Advantages =====
-* Fast
-* Efficient
-* Easy to implement
----
-===== Disadvantages =====
-The secret key must be shared securely.
-If the key is stolen:
-<code>
-Attacker can decrypt everything.
-</code>
----
-===== Common Algorithms =====
-* AES
-* ChaCha20
-* DES (legacy)
----
-====== HMAC ======
-===== Definition =====
-HMAC stands for:
-<code>
-Hash-based Message Authentication Code
-</code>
-HMAC provides:
-* Integrity
-* Authentication
-HMAC uses:
-<code>
-ONE SHARED SECRET KEY
-</code>
----
-===== Workflow =====
-<code>
-Message
-   +
-Secret Key
-   ↓
-HMAC
-</code>
-Verification:
-<code>
-Message
-   +
-Secret Key
-   ↓
-Recalculate HMAC
-</code>
----
-===== Result =====
-<code>
-Detect tampering
-Verify sender knows the secret
-</code>
----
-===== Characteristics =====
-* Symmetric
-* Uses one shared secret
-* Not a true Digital Signature
-* Used by JWT HS256
----
-====== Asymmetric Cryptography ======
-===== Definition =====
-Asymmetric cryptography uses:
-<code>
-TWO KEYS
-Public Key
-Private Key </code>
-The keys are mathematically related.
----
-===== Public Key =====
-Public key can be shared freely.
-Examples:
-* Websites
-* Certificates
-* API documentation
-Anyone may know the public key.
----
-===== Private Key =====
-Private key must remain secret.
-Only the owner should possess it.
-If leaked:
-<code>
-Security is compromised.
-</code>
----
-====== Asymmetric Encryption ======
-===== Purpose =====
-Provides:
-<code>
-Confidentiality
-</code>
----
-===== Workflow =====
-<code>
-Public Key  -> Encrypt
-Private Key -> Decrypt </code>
----
-===== Example =====
-Alice owns:
-<code>
-Public Key
-Private Key
-</code>
-Bob wants to send a secret message.
-Bob:
-<code>
-Encrypt(message, Alice Public Key)
-</code>
-Alice:
-<code>
-Decrypt(ciphertext, Alice Private Key)
-</code>
----
-===== Result =====
-<code>
-Anyone can encrypt.
-Only Alice can decrypt. </code>
----
-====== Digital Signatures ======
-Digital Signatures provide:
-* Integrity
-* Authentication
-* Non-repudiation
----
-===== Purpose =====
-Answer three questions:
-<code>
-Who sent this?
-Was this modified?
-Can the sender deny sending it? </code>
----
-===== Workflow =====
-<code>
-Private Key -> Sign
-Public Key  -> Verify </code>
----
-===== Example =====
-Server signs a document.
-<code>
-Document
-    ↓
-Sign with Private Key
-    ↓
-Signed Document
-</code>
-Verification:
-<code>
-Signed Document
-    ↓
-Verify with Public Key
-    ↓
-Valid / Invalid
-</code>
----
-===== Result =====
-<code>
-Only the owner can sign.
-Everyone can verify. </code>
----
-====== HMAC vs Digital Signature ======
-^ Feature ^ HMAC ^ Digital Signature ^
-| Key Type | Shared Secret | Public/Private Key |
-| Symmetric | Yes | No |
-| Asymmetric | No | Yes |
-| Integrity | Yes | Yes |
-| Authentication | Yes | Yes |
-| Non-repudiation | No | Yes |
-| Speed | Faster | Slower |
----
-====== Encryption vs Digital Signature ======
-===== Encryption =====
-Goal:
-<code>
-Hide data
-</code>
-Question answered:
-<code>
-Can someone read this?
-</code>
-Examples:
-<code>
-AES
-ChaCha20
-RSA Encryption
-</code>
-Workflows:
-Symmetric:
-<code>
-Secret Key -> Encrypt
-Secret Key -> Decrypt
-</code>
-Asymmetric:
-<code>
-Public Key  -> Encrypt
-Private Key -> Decrypt
-</code>
----
-===== Digital Signature =====
-Goal:
-<code>
-Verify authenticity
-Detect tampering
-</code>
-Questions answered:
-<code>
-Who sent this?
-Was this modified? </code>
-Workflow:
-<code>
-Private Key -> Sign
-Public Key  -> Verify </code>
-Examples:
-<code>
-JWT RS256
-JWT ES256
-SSH Key Authentication
-TLS Certificates
-Git Commit Signing
-Code Signing
-</code>
----
-====== JWT ======
-JWT stands for:
-<code>
-JSON Web Token
-</code>
-JWT is a token format:
-<code>
-header.payload.signature
-</code>
-JWT itself is not encryption.
-JWT is usually used for:
-* Authentication
-* Integrity verification
----
-====== JWT HS256 ======
-JWT HS256 uses:
-<code>
-HMAC-SHA256
-</code>
-Workflow:
-<code>
-Payload
-   +
-JWT_SECRET
-   ↓
-HMAC Signature
-</code>
-Verification:
-<code>
-Payload
-   +
-JWT_SECRET
-   ↓
-Verify HMAC
-</code>
-Characteristics:
-* Symmetric
-* Uses one shared secret
-* Integrity
-* Authentication
-* Not a true Digital Signature
-* Default in many Laravel applications
----
-====== JWT RS256 ======
-JWT RS256 uses:
-<code>
-RSA Digital Signature
-</code>
-Workflow:
-<code>
-Private Key
-    ↓
-Sign JWT
-Public Key
-↓
-Verify JWT </code>
-Characteristics:
-* Asymmetric
-* Uses Public/Private Keys
-* Integrity
-* Authentication
-* True Digital Signature
-* Common in OAuth2 and SSO systems
----
-====== Real-World Examples ======
-^ Technology ^ Encryption ^ Authentication / Signature ^
-| HTTPS/TLS | AES, ChaCha20 | RSA, ECDSA, Ed25519 |
-| SSH | AES, ChaCha20 | RSA, Ed25519 |
-| JWT HS256 | No | HMAC |
-| JWT RS256 | No | RSA Signature |
-| JWT ES256 | No | ECDSA Signature |
-| PGP/GPG | Yes | Yes |
----
 ====== Cryptography Full Concepts (Best Practice + System Design View) ======