This document introduces the fundamental concepts of cryptography and explains Encryption, HMAC, Digital Signatures, Symmetric Cryptography, Asymmetric Cryptography, and JWT.

—

When systems communicate over a network, there are four main security goals:

* Confidentiality * Integrity * Authentication * Authenticity

Cryptography helps achieve these goals.

—

Only authorized parties can read the data.

Example:

Alice sends a password to Bob.

Alice ---- Internet ---- Bob
^
|
Attacker 

Without protection, the attacker can read the password.

Solution:

Encryption

—

Data must not be modified during transmission.

Example:

Original:
Transfer $100

Modified:
Transfer $10000 

Solution:

HMAC
Digital Signatures

—

Verify who actually sent the data.

Example:

Someone claims to be your bank.

How do you know it is really your bank?

Solutions:

HMAC
Digital Signatures
Certificates

—

Authenticity means that data genuinely comes from the claimed sender.

Authenticity is achieved through authentication mechanisms such as:

* HMAC * Digital Signatures * Certificates

—

Cryptography is the practice of protecting information.

Main categories:

Cryptography
│
├── Symmetric Cryptography
│   │
│   ├── Encryption
│   │   └── AES, ChaCha20
│   │
│   └── Authentication
│       └── HMAC
│
└── Asymmetric Cryptography
    │
    ├── Encryption
    │   └── RSA Encryption
    │
    └── Digital Signatures
        └── RSA, ECDSA, EdDSA

—

A key is a value used by cryptographic algorithms.

Think of it like a house key:

With key    -> Open the door

Without key -> Cannot open the door 

—

Encryption protects:

Confidentiality

Goal:

Prevent unauthorized parties from reading data.

Process:

Plain Text
    ↓
Encrypt
    ↓
Cipher Text
    ↓
Decrypt
    ↓
Plain Text

Example:

Hello World
    ↓
A83D91F22C...

Only someone with the correct key can recover the original message.

—

There are two major cryptographic models:

Cryptography
│
├── Symmetric Cryptography
│
└── Asymmetric Cryptography

—

Explanation:

* Encryption can use either Symmetric or Asymmetric cryptography. * Integrity and Authentication can be achieved by HMAC or Digital Signatures. * True Digital Signatures require a Public Key and a Private Key.

—

Symmetric cryptography uses:

ONE SECRET KEY

for both encryption and decryption.

—

Secret Key
    ↓
Encrypt
    ↓
Cipher Text
    ↓
Decrypt
    ↓
Plain Text

Example:

Encrypt("Hello", secret_key)

Decrypt(ciphertext, secret_key) 

—

* Fast * Efficient * Easy to implement

—

The secret key must be shared securely.

If the key is stolen:

Attacker can decrypt everything.

—

* AES * ChaCha20 * DES (legacy)

—

HMAC stands for:

Hash-based Message Authentication Code

HMAC provides:

* Integrity * Authentication

HMAC uses:

ONE SHARED SECRET KEY

—

Message
   +
Secret Key
   ↓
HMAC

Verification:

Message
   +
Secret Key
   ↓
Recalculate HMAC

—

Detect tampering
Verify sender knows the secret

—

* Symmetric * Uses one shared secret * Not a true Digital Signature * Used by JWT HS256

—

Asymmetric cryptography uses:

TWO KEYS

Public Key
Private Key 

The keys are mathematically related.

—

Public key can be shared freely.

Examples:

* Websites * Certificates * API documentation

Anyone may know the public key.

—

Private key must remain secret.

Only the owner should possess it.

If leaked:

Security is compromised.

—

Provides:

Confidentiality

—

Public Key  -> Encrypt

Private Key -> Decrypt 

—

Alice owns:

Public Key
Private Key

Bob wants to send a secret message.

Bob:

Encrypt(message, Alice Public Key)

Alice:

Decrypt(ciphertext, Alice Private Key)

—

Anyone can encrypt.

Only Alice can decrypt. 

—

Digital Signatures provide:

* Integrity * Authentication * Non-repudiation

—

Answer three questions:

Who sent this?

Was this modified?

Can the sender deny sending it? 

—

Private Key -> Sign

Public Key  -> Verify 

—

Server signs a document.

Document
    ↓
Sign with Private Key
    ↓
Signed Document

Verification:

Signed Document
    ↓
Verify with Public Key
    ↓
Valid / Invalid

—

Only the owner can sign.

Everyone can verify. 

—

—

Goal:

Hide data

Question answered:

Can someone read this?

Examples:

AES
ChaCha20
RSA Encryption

Workflows:

Symmetric:

Secret Key -> Encrypt
Secret Key -> Decrypt

Asymmetric:

Public Key  -> Encrypt
Private Key -> Decrypt

—

Goal:

Verify authenticity
Detect tampering

Questions answered:

Who sent this?

Was this modified? 

Workflow:

Private Key -> Sign

Public Key  -> Verify 

Examples:

JWT RS256
JWT ES256
SSH Key Authentication
TLS Certificates
Git Commit Signing
Code Signing

—

JWT stands for:

JSON Web Token

JWT is a token format:

header.payload.signature

JWT itself is not encryption.

JWT is usually used for:

* Authentication * Integrity verification

—

JWT HS256 uses:

HMAC-SHA256

Workflow:

Payload
   +
JWT_SECRET
   ↓
HMAC Signature

Verification:

Payload
   +
JWT_SECRET
   ↓
Verify HMAC

Characteristics:

* Symmetric * Uses one shared secret * Integrity * Authentication * Not a true Digital Signature * Default in many Laravel applications

—

JWT RS256 uses:

RSA Digital Signature

Workflow:

Private Key
    ↓
Sign JWT

Public Key
↓
Verify JWT 

Characteristics:

* Asymmetric * Uses Public/Private Keys * Integrity * Authentication * True Digital Signature * Common in OAuth2 and SSO systems

—

—

This document summarizes cryptography in a practical, backend-engineer-oriented way: - NOT by algorithm only - BUT by security design + system usage

Cryptography exists to achieve:

• Confidentiality
  1. Keep data secret

• Integrity
  1. Detect data modification

• Authentication
  1. Verify who sent data

• Non-Repudiation
  1. Sender cannot deny action

These are the 4 fundamental primitives:

• Encryption (Hide data)
• Hashing (Detect changes)
• Authentication (Prove origin)
• Key Management (Control trust)

Each system is built by combining these.

Goal: Hide data from unauthorized access

Same key for encrypt/decrypt

• AES (standard)
• ChaCha20 (modern, fast)

Properties:

1. Very fast
2. Used for large data
3. Requires secure key sharing

Public key + Private key

• RSA
• ECC (ECIES)

Properties:

1. Slow
2. Used for small data or key exchange

Hybrid Encryption:

1. Use Asymmetric crypto to exchange key
2. Use Symmetric crypto to encrypt data

Example:

TLS (HTTPS)

Goal: Detect if data was changed

• SHA-256
• SHA-512
• SHA-3

Properties:

1. No key
2. One-way function
3. Cannot decrypt

Broken algorithms:

1. MD5
2. SHA-1

Goal: Verify message origin

• HMAC
• CMAC

Properties:

1. Shared secret key
2. Fast
3. No non-repudiation

Used in:

1. JWT HS256
2. Internal APIs
3. Webhooks (shared secret)

Digital Signatures:

• RSA-PSS
• ECDSA
• Ed25519

Properties:

1. Private key signs
2. Public key verifies
3. Provides non-repudiation

Used in:

1. JWT RS256 / ES256
2. OAuth2 / OpenID Connect
3. SSO systems

Goal: Securely establish shared secret

• Diffie-Hellman (DH)
• Elliptic Curve Diffie-Hellman (ECDH)

Flow:

1. Asymmetric crypto establishes shared key
2. Then symmetric encryption is used

Used in:

1. TLS handshake
2. Secure channels

Public Key Infrastructure:

• X.509 Certificates
• Certificate Authority (CA)
• Certificate Chain

Purpose:

1. Prove identity of services
2. Establish trust between systems

Used in:

1. HTTPS
2. mTLS
3. SSO systems

• TLS (HTTPS)
• SSH
• IPsec
• OpenPGP

TLS example flow:

1. Key exchange (ECDH)
2. Certificate validation (PKI)
3. Symmetric encryption (AES-GCM)

IMPORTANT RULE: Never encrypt passwords.

Use hashing only:

• Argon2 (best)
• bcrypt (common)
• PBKDF2 (legacy)

Enhancements:

• Salt
• Pepper

Key lifecycle:

• Generation
• Storage
• Rotation
• Revocation
• Expiration

Best practices:

1. Use KMS (AWS KMS, GCP KMS)
2. Never hardcode secrets
3. Separate keys per environment

JWT is NOT encryption.

It is:

→ Token format + signature mechanism

Structure:

header.payload.signature

• HS256 (Symmetric)
  1. Uses HMAC
  2. Shared secret
  3. Single system trust

• RS256 / ES256 (Asymmetric)
  1. Uses Digital Signature
  2. Private key signs
  3. Public key verifies

Authentication layer

  ├── Symmetric (HMAC)
  │     └── HS256 JWT
  │
  └── Asymmetric (Signature)
        └── RS256 / ES256 JWT

• Use HS256:
  1. Single backend system
  2. Simple Laravel API

• Use RS256/ES256:
  1. Microservices
  2. SSO (Keycloak, Auth0, OAuth2)

Modern system design rules:

• Never design your own cryptography
• Always use standard algorithms
• Prefer AEAD (AES-GCM, ChaCha20-Poly1305)
• Separate encryption / authentication / signing
• Use symmetric for performance
• Use asymmetric for trust boundaries
• Use PKI for multi-system identity
• Use TLS everywhere
• Hash passwords only (never encrypt)
• Treat keys as production secrets

Cryptography in real systems:

1. Asymmetric crypto
    → establish trust / exchange key

2. Symmetric crypto
    → encrypt data efficiently

3. Hashing
    → detect changes

4. Authentication
    → prove identity (HMAC / Signature)

5. PKI
    → manage trust between systems

6. TLS
    → combine everything into secure communication

Symmetric  → speed (data encryption)
Asymmetric → trust (identity + key exchange)
Hashing    → integrity
JWT        → authentication format using above primitives