This document summarizes cryptography in a practical, backend-engineer-oriented way: - NOT by algorithm only - BUT by security design + system usage

Cryptography exists to achieve:

• Confidentiality
  1. Keep data secret

• Integrity
  1. Detect data modification

• Authentication
  1. Verify who sent data

• Non-Repudiation
  1. Sender cannot deny action

These are the 4 fundamental primitives:

• Encryption (Hide data)
• Hashing (Detect changes)
• Authentication (Prove origin)
• Key Management (Control trust)

Each system is built by combining these.

Goal: Hide data from unauthorized access

Same key for encrypt/decrypt

• AES (standard)
• ChaCha20 (modern, fast)

Properties:

1. Very fast
2. Used for large data
3. Requires secure key sharing

Public key + Private key

• RSA
• ECC (ECIES)

Properties:

1. Slow
2. Used for small data or key exchange

Hybrid Encryption:

1. Use Asymmetric crypto to exchange key
2. Use Symmetric crypto to encrypt data

Example:

TLS (HTTPS)

Goal: Detect if data was changed

• SHA-256
• SHA-512
• SHA-3

Properties:

1. No key
2. One-way function
3. Cannot decrypt

Broken algorithms:

1. MD5
2. SHA-1

Goal: Verify message origin

• HMAC
• CMAC

Properties:

1. Shared secret key
2. Fast
3. No non-repudiation

Used in:

1. JWT HS256
2. Internal APIs
3. Webhooks (shared secret)

Digital Signatures:

• RSA-PSS
• ECDSA
• Ed25519

Properties:

1. Private key signs
2. Public key verifies
3. Provides non-repudiation

Used in:

1. JWT RS256 / ES256
2. OAuth2 / OpenID Connect
3. SSO systems

Goal: Securely establish shared secret

• Diffie-Hellman (DH)
• Elliptic Curve Diffie-Hellman (ECDH)

Flow:

1. Asymmetric crypto establishes shared key
2. Then symmetric encryption is used

Used in:

1. TLS handshake
2. Secure channels

Public Key Infrastructure:

• X.509 Certificates
• Certificate Authority (CA)
• Certificate Chain

Purpose:

1. Prove identity of services
2. Establish trust between systems

Used in:

1. HTTPS
2. mTLS
3. SSO systems

• TLS (HTTPS)
• SSH
• IPsec
• OpenPGP

TLS example flow:

1. Key exchange (ECDH)
2. Certificate validation (PKI)
3. Symmetric encryption (AES-GCM)

IMPORTANT RULE: Never encrypt passwords.

Use hashing only:

• Argon2 (best)
• bcrypt (common)
• PBKDF2 (legacy)

Enhancements:

• Salt
• Pepper

Key lifecycle:

• Generation
• Storage
• Rotation
• Revocation
• Expiration

Best practices:

1. Use KMS (AWS KMS, GCP KMS)
2. Never hardcode secrets
3. Separate keys per environment

JWT is NOT encryption.

It is:

→ Token format + signature mechanism

Structure:

header.payload.signature

• HS256 (Symmetric)
  1. Uses HMAC
  2. Shared secret
  3. Single system trust

• RS256 / ES256 (Asymmetric)
  1. Uses Digital Signature
  2. Private key signs
  3. Public key verifies

Authentication layer

  ├── Symmetric (HMAC)
  │     └── HS256 JWT
  │
  └── Asymmetric (Signature)
        └── RS256 / ES256 JWT

• Use HS256:
  1. Single backend system
  2. Simple Laravel API

• Use RS256/ES256:
  1. Microservices
  2. SSO (Keycloak, Auth0, OAuth2)

Modern system design rules:

• Never design your own cryptography
• Always use standard algorithms
• Prefer AEAD (AES-GCM, ChaCha20-Poly1305)
• Separate encryption / authentication / signing
• Use symmetric for performance
• Use asymmetric for trust boundaries
• Use PKI for multi-system identity
• Use TLS everywhere
• Hash passwords only (never encrypt)
• Treat keys as production secrets

Cryptography in real systems:

1. Asymmetric crypto
    → establish trust / exchange key

2. Symmetric crypto
    → encrypt data efficiently

3. Hashing
    → detect changes

4. Authentication
    → prove identity (HMAC / Signature)

5. PKI
    → manage trust between systems

6. TLS
    → combine everything into secure communication

Symmetric  → speed (data encryption)
Asymmetric → trust (identity + key exchange)
Hashing    → integrity
JWT        → authentication format using above primitives