Cryptography Fundamentals
This document introduces the fundamental concepts of cryptography and explains Encryption, HMAC, Digital Signatures, Symmetric Cryptography, Asymmetric Cryptography, and JWT.
—
Introduction
When systems communicate over a network, there are four main security goals:
* Confidentiality
* Integrity
* Authentication
* Authenticity
Cryptography helps achieve these goals.
—
Security Goals
Confidentiality
Only authorized parties can read the data.
Example:
Alice sends a password to Bob.

    Alice ---- Internet ---- Bob
                  ^
                  |
               Attacker
Without protection, the attacker can read the password.
Solution:
Encryption
—
Integrity
Data must not be modified during transmission.
Example:
Original: Transfer $100
Modified: Transfer $10000
Solution:
* HMAC
* Digital Signatures
—
Authentication
Verify who actually sent the data.
Example:
Someone claims to be your bank.
How do you know it is really your bank?
Solutions:
* HMAC
* Digital Signatures
* Certificates
—
Authenticity
Authenticity means that data genuinely comes from the claimed sender.
Authenticity is achieved through authentication mechanisms such as:
* HMAC
* Digital Signatures
* Certificates
—
What Is Cryptography?
Cryptography is the practice of protecting information.
Main categories:
    Cryptography
    │
    ├── Symmetric Cryptography
    │   │
    │   ├── Encryption
    │   │   └── AES, ChaCha20
    │   │
    │   └── Authentication
    │       └── HMAC
    │
    └── Asymmetric Cryptography
        │
        ├── Encryption
        │   └── RSA Encryption
        │
        └── Digital Signatures
            └── RSA, ECDSA, EdDSA
—
What Is A Key?
A key is a value used by cryptographic algorithms.
Think of it like a house key:
With key    -> Open the door
Without key -> Cannot open the door
—
Encryption
Encryption protects:
Confidentiality
Goal:
Prevent unauthorized parties from reading data.
Process:
Plain Text
↓
Encrypt
↓
Cipher Text
↓
Decrypt
↓
Plain Text
Example:
Hello World
↓
A83D91F22C...
Only someone with the correct key can recover the original message.
—
Types of Cryptography
There are two major cryptographic models:
    Cryptography
    │
    ├── Symmetric Cryptography
    │
    └── Asymmetric Cryptography
—
Symmetric vs Asymmetric
| Capability | Symmetric | Asymmetric |
|---|---|---|
| Encryption | Yes | Yes |
| Integrity Check | Yes | Yes |
| Authentication | Yes | Yes |
| Digital Signature | No | Yes |
Explanation:
* Encryption can use either Symmetric or Asymmetric cryptography.
* Integrity and Authentication can be achieved by HMAC or Digital Signatures.
* True Digital Signatures require a Public Key and a Private Key.
—
Symmetric Cryptography
Definition
Symmetric cryptography uses:
ONE SECRET KEY
for both encryption and decryption.
—
Workflow
Secret Key
↓
Encrypt
↓
Cipher Text
↓
Decrypt
↓
Plain Text
Example:
Encrypt("Hello", secret_key)
Decrypt(ciphertext, secret_key)
—
Advantages
* Fast
* Efficient
* Easy to implement
—
Disadvantages
The secret key must be shared securely.
If the key is stolen:
The attacker can decrypt everything.
—
Common Algorithms
* AES
* ChaCha20
* DES (legacy)
—
HMAC
Definition
HMAC stands for:
Hash-based Message Authentication Code
HMAC provides:
* Integrity
* Authentication
HMAC uses:
ONE SHARED SECRET KEY
—
Workflow
Message + Secret Key
↓
HMAC
Verification:
Message + Secret Key
↓
Recalculate HMAC
—
Result
Detect tampering
Verify sender knows the secret
—
Characteristics
* Symmetric
* Uses one shared secret
* Not a true Digital Signature
* Used by JWT HS256
—
Asymmetric Cryptography
Definition
Asymmetric cryptography uses:
TWO KEYS
* Public Key
* Private Key
The keys are mathematically related.
—
Public Key
The public key can be shared freely.
Examples:
* Websites
* Certificates
* API documentation
Anyone may know the public key.
—
Private Key
The private key must remain secret.
Only the owner should possess it.
If leaked:
Security is compromised.
—
Asymmetric Encryption
Purpose
Provides:
Confidentiality
—
Workflow
Public Key  -> Encrypt
Private Key -> Decrypt
—
Example
Alice owns:
* Public Key
* Private Key
Bob wants to send a secret message.
Bob:
Encrypt(message, Alice Public Key)
Alice:
Decrypt(ciphertext, Alice Private Key)
—
Result
Anyone can encrypt.
Only Alice can decrypt.
—
Digital Signatures
Digital Signatures provide:
* Integrity
* Authentication
* Non-repudiation
—
Purpose
Answer three questions:
Who sent this?
Was this modified?
Can the sender deny sending it?
—
Workflow
Private Key -> Sign
Public Key  -> Verify
—
Example
Server signs a document.
Document
↓
Sign with Private Key
↓
Signed Document
Verification:
Signed Document
↓
Verify with Public Key
↓
Valid / Invalid
—
Result
Only the owner can sign.
Everyone can verify.
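The sign-with-private-key / verify-with-public-key workflow above, as an added example that is not part of the original page. It uses textbook RSA over two small primes chosen here so the numbers stay readable; real signatures use large keys and a padding scheme, so this only illustrates the roles of the two keys and why a modified document fails verification.

```python
import hashlib

# Toy key pair built from two small primes (constructed for illustration only).
P, Q = 1000003, 1000033
N = P * Q                    # modulus, part of both keys
PHI = (P - 1) * (Q - 1)
E = 65537                    # public exponent
D = pow(E, -1, PHI)          # private exponent: modular inverse of E

PUBLIC_KEY = (N, E)          # may be shared with everyone
PRIVATE_KEY = (N, D)         # must stay with the owner


def digest(message: bytes, n: int) -> int:
    """Hash the document and reduce it into the key's range (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sign with the private key: signature = hash^d mod n. Only the holder of d can do this."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verify with the public key: signature^e mod n must equal the document's hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    doc = b"Transfer $100"
    sig = sign(doc, PRIVATE_KEY)
    print("original verifies:", verify(doc, sig, PUBLIC_KEY))
    print("modified verifies:", verify(b"Transfer $10000", sig, PUBLIC_KEY))
```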
—
HMAC vs Digital Signature
| Feature | HMAC | Digital Signature |
|---|---|---|
| Key Type | Shared Secret | Public/Private Key |
| Symmetric | Yes | No |
| Asymmetric | No | Yes |
| Integrity | Yes | Yes |
| Authentication | Yes | Yes |
| Non-repudiation | No | Yes |
| Speed | Faster | Slower |
—
Encryption vs Digital Signature
Encryption
Goal:
Hide data
Question answered:
Can someone read this?
Examples:
* AES
* ChaCha20
* RSA Encryption
Workflows:
Symmetric:
Secret Key -> Encrypt
Secret Key -> Decrypt
Asymmetric:
Public Key  -> Encrypt
Private Key -> Decrypt
—
Digital Signature
Goal:
Verify authenticity
Detect tampering
Questions answered:
Who sent this?
Was this modified?
Workflow:
Private Key -> Sign
Public Key  -> Verify
Examples:
* JWT RS256
* JWT ES256
* SSH Key Authentication
* TLS Certificates
* Git Commit Signing
* Code Signing
—
JWT
JWT stands for:
JSON Web Token
JWT is a token format:
header.payload.signature
JWT itself is not encryption: the header and payload are only encoded, not hidden.
JWT is usually used for:
* Authentication
* Integrity verification
—
JWT HS256
JWT HS256 uses:
HMAC-SHA256
Workflow:
Payload + JWT_SECRET
↓
HMAC Signature
Verification:
Payload + JWT_SECRET
↓
Verify HMAC
Characteristics:
* Symmetric
* Uses one shared secret
* Integrity
* Authentication
* Not a true Digital Signature
* Default in many Laravel applications
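The HMAC workflow and the JWT HS256 workflow above, as one added example that is not code from the original page: it builds a `header.payload.signature` token with HMAC-SHA256 over the first two parts, then recalculates the HMAC with the same shared secret to verify it, so a payload changed in transit (or a token made with a different secret) is rejected. The secret and claims are constructed sample values; `JWT_SECRET` is the page's own name for the shared secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret for illustration; a real JWT_SECRET is long and random.
JWT_SECRET = b"example-shared-secret-for-illustration"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as the JWT format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature; the signature is HMAC-SHA256 over header.payload."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(tag)}"


def verify_hs256(token: str, secret: bytes):
    """Recalculate the HMAC with the shared secret and compare in constant time.
    Returns the payload dict, or None if the token is malformed or the tag does not match."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # only accept the algorithm this verifier expects
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(body_b64))
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return None


def replace_payload(token: str, new_payload: dict) -> str:
    """Swap in a different payload but keep the old signature, to show the integrity check fire."""
    header_b64, _, sig_b64 = token.split(".")
    body = b64url(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{body}.{sig_b64}"
```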
—
JWT RS256
JWT RS256 uses:
RSA Digital Signature
Workflow:
Private Key
↓
Sign JWT
Public Key
↓
Verify JWT
Characteristics:
* Asymmetric
* Uses Public/Private Keys
* Integrity
* Authentication
* True Digital Signature
* Common in OAuth2 and SSO systems
—
Real-World Examples
| Technology | Encryption | Authentication / Signature |
|---|---|---|
| HTTPS/TLS | AES, ChaCha20 | RSA, ECDSA, Ed25519 |
| SSH | AES, ChaCha20 | RSA, Ed25519 |
| JWT HS256 | No | HMAC |
| JWT RS256 | No | RSA Signature |
| JWT ES256 | No | ECDSA Signature |
| PGP/GPG | Yes | Yes |
—
Quick Summary
| Capability | Symmetric | Asymmetric |
|---|---|---|
| Encryption | Yes | Yes |
| Integrity Check | Yes | Yes |
| Authentication | Yes | Yes |
| Digital Signature | No | Yes |
Encryption = Hide data = Confidentiality

# HMAC
Verify sender knows the secret + Detect tampering
= Authentication + Integrity

# Digital Signature
Verify sender + Detect tampering + Non-repudiation
= Authentication + Integrity + Non-repudiation

# Symmetric
One Secret Key

# Asymmetric
Public Key + Private Key

# Encryption
Symmetric OR Asymmetric

# HMAC
Symmetric

# Digital Signature
Asymmetric

# JWT HS256
HMAC (Symmetric)

# JWT RS256
Digital Signature (Asymmetric)
