https://drive.google.com/file/d/1TIeK1rpQMfTS7lH_6Rf-Vjq5VeziDcQB/view?usp=sharing

====== Cryptography Full Concepts (Best Practice + System Design View) ======

This document summarizes cryptography in a practical, backend-engineer-oriented way:

  - NOT by algorithm only
  - BUT by security design + system usage

-----

====== 1. Core Security Goals ======

Cryptography exists to achieve:

  * Confidentiality - Keep data secret
  * Integrity - Detect data modification
  * Authentication - Verify who sent data
  * Non-Repudiation - Sender cannot deny action

-----

====== 2. Cryptographic Building Blocks ======

These are the 4 fundamental primitives:

  * Encryption (Hide data)
  * Hashing (Detect changes)
  * Authentication (Prove origin)
  * Key Management (Control trust)

Each system is built by combining these.

-----

====== 3. Encryption (Confidentiality) ======

Goal: Hide data from unauthorized access

-----

===== 3.1 Symmetric Encryption =====

Same key for encrypt/decrypt

  * AES (standard)
  * ChaCha20 (modern, fast)

Properties:

  - Very fast
  - Used for large data
  - Requires secure key sharing

-----

===== 3.2 Asymmetric Encryption =====

Public key + Private key

  * RSA
  * ECC (ECIES)

Properties:

  - Slow
  - Used for small data or key exchange

-----

===== 3.3 Best Practice Pattern (IMPORTANT) =====

Hybrid Encryption:

1. Use Asymmetric crypto to exchange key

2. Use Symmetric crypto to encrypt data

Example: TLS (HTTPS)

-----

====== 4. Hashing (Integrity) ======

Goal: Detect if data was changed

  * SHA-256
  * SHA-512
  * SHA-3

Properties:

  - No key
  - One-way function
  - Cannot decrypt

Broken algorithms:

  - MD5
  - SHA-1

-----

====== 5. Authentication ======

Goal: Verify message origin

-----

===== 5.1 Symmetric Authentication =====

  * HMAC
  * CMAC

Properties:

  - Shared secret key
  - Fast
  - No non-repudiation

Used in:

  - JWT HS256
  - Internal APIs
  - Webhooks (shared secret)

-----

===== 5.2 Asymmetric Authentication =====

Digital Signatures:

  * RSA-PSS
  * ECDSA
  * Ed25519

Properties:

  - Private key signs
  - Public key verifies
  - Provides non-repudiation

Used in:

  - JWT RS256 / ES256
  - OAuth2 / OpenID Connect
  - SSO systems

-----

====== 6. Key Exchange ======

Goal: Securely establish shared secret

  * Diffie-Hellman (DH)
  * Elliptic Curve Diffie-Hellman (ECDH)

Flow:

  - Asymmetric crypto establishes shared key
  - Then symmetric encryption is used

Used in:

  - TLS handshake
  - Secure channels

-----

====== 7. PKI (Trust System) ======

Public Key Infrastructure:

  * X.509 Certificates
  * Certificate Authority (CA)
  * Certificate Chain

Purpose:

  - Prove identity of services
  - Establish trust between systems

Used in:

  - HTTPS
  - mTLS
  - SSO systems

-----

====== 8. Secure Communication Protocols ======

  * TLS (HTTPS)
  * SSH
  * IPsec
  * OpenPGP

TLS example flow:

1. Key exchange (ECDH)

2. Certificate validation (PKI)

3. Symmetric encryption (AES-GCM)

-----

====== 9. Password Security ======

IMPORTANT RULE: Never encrypt passwords.

Use hashing only:

  * Argon2 (best)
  * bcrypt (common)
  * PBKDF2 (legacy)

Enhancements:

  * Salt
  * Pepper

-----

====== 10. Key Management ======

Key lifecycle:

  * Generation
  * Storage
  * Rotation
  * Revocation
  * Expiration

Best practices:

  - Use KMS (AWS KMS, GCP KMS)
  - Never hardcode secrets
  - Separate keys per environment

-----

====== 11. JWT (JSON Web Token) ======

JWT is NOT encryption.

It is:

→ Token format + signature mechanism

Structure:

header.payload.signature

-----

===== 11.1 JWT Categories =====

  * HS256 (Symmetric)
    - Uses HMAC
    - Shared secret
    - Single system trust
  * RS256 / ES256 (Asymmetric)
    - Uses Digital Signature
    - Private key signs
    - Public key verifies

-----

===== 11.2 JWT Usage Model =====

<code>
Authentication layer
├── Symmetric (HMAC)
│   └── HS256 JWT
│
└── Asymmetric (Signature)
    └── RS256 / ES256 JWT
</code>

-----

===== 11.3 Best Practice =====

  * Use HS256:
    - Single backend system
    - Simple Laravel API
  * Use RS256/ES256:
    - Microservices
    - SSO (Keycloak, Auth0, OAuth2)

-----

====== 12. Cryptography by Design Principle ======

Modern system design rules:

  * Never design your own cryptography
  * Always use standard algorithms
  * Prefer AEAD (AES-GCM, ChaCha20-Poly1305)
  * Separate encryption / authentication / signing
  * Use symmetric for performance
  * Use asymmetric for trust boundaries
  * Use PKI for multi-system identity
  * Use TLS everywhere
  * Hash passwords only (never encrypt)
  * Treat keys as production secrets

-----

====== 13. Final Mental Model ======

Cryptography in real systems:

1. Asymmetric crypto → establish trust / exchange key

2. Symmetric crypto → encrypt data efficiently

3. Hashing → detect changes

4. Authentication → prove identity (HMAC / Signature)

5. PKI → manage trust between systems

6. TLS → combine everything into secure communication

-----

====== 14. One-Line Summary ======

  * Symmetric → speed (data encryption)
  * Asymmetric → trust (identity + key exchange)
  * Hashing → integrity
  * JWT → authentication format using above primitives
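
The JWT structure and HS256 model from section 11, as an added example that is not part of the original document: it builds ''header.payload.signature'' with HMAC-SHA256 using only the Python standard library, shows that the payload is readable without the key, and verifies with a pinned algorithm. The function names, claims and secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Return header.payload.signature, signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(tag)}"

def read_payload_without_key(token: str) -> dict:
    """The payload is only encoded, not encrypted: anyone can read it."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims if the signature is valid, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # The header is untrusted input, so the accepted algorithm is pinned here.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; load real keys from a KMS
    token = sign_hs256({"sub": "user-42", "role": "viewer"}, secret)
    print(token)
    print(read_payload_without_key(token))  # no key needed to read claims
    print(verify_hs256(token, secret))      # key needed to trust them
```

RS256 / ES256 verification has the same shape, but checks a digital signature with the public key instead of recomputing an HMAC with the shared secret.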