Introduction: What is Cryptography and Why It Matters
Cryptography is the science of securing information by transforming it into formats that are unreadable to unauthorized parties. It enables confidentiality, integrity, authentication, and non-repudiation in our digital communications and data storage. In today’s interconnected world, cryptography forms the backbone of digital security, protecting everything from personal messages to financial transactions, national security communications, and critical infrastructure.
Core Cryptographic Principles
Fundamental Security Properties
Property | Definition | Cryptographic Implementation |
---|---|---|
Confidentiality | Keeping information secret from unauthorized parties | Encryption algorithms |
Integrity | Ensuring information hasn’t been altered | Hash functions, MACs, digital signatures |
Authentication | Verifying the identity of parties | Digital signatures, MACs, authentication protocols |
Non-repudiation | Preventing denial of sending/creating data | Digital signatures with PKI |
Availability | Ensuring information is accessible when needed | Often addressed via system design rather than cryptography |
Key Cryptographic Concepts
- Plaintext: The original, readable message
- Ciphertext: The encrypted, unreadable message
- Encryption: Process of converting plaintext to ciphertext
- Decryption: Process of converting ciphertext back to plaintext
- Key: A piece of information that determines the output of cryptographic algorithms
- Entropy: Measure of randomness or unpredictability in a system
- Cryptanalysis: The study of breaking cryptographic systems
Cryptographic Algorithms and Methods
Symmetric Key Cryptography
Uses the same key for both encryption and decryption
Algorithm | Key Length | Block Size | Description | Security Status |
---|---|---|---|---|
AES (Advanced Encryption Standard) | 128, 192, or 256 bits | 128 bits | Current standard for symmetric encryption | Secure with proper implementation |
ChaCha20 | 256 bits | Stream cipher | Modern, high-speed stream cipher | Secure, good for mobile/low-power |
3DES (Triple DES) | 168 bits effective | 64 bits | Triple application of DES algorithm | Being phased out, vulnerable to the Sweet32 attack |
Blowfish | 32-448 bits | 64 bits | Designed as DES replacement | Secure but outdated |
Twofish | Up to 256 bits | 128 bits | AES finalist | Secure but less widely used |
Modes of Operation for Block Ciphers:
- ECB (Electronic Codebook): Simple but insecure for most applications
- CBC (Cipher Block Chaining): Each block XORed with previous ciphertext
- CTR (Counter): Converts block cipher to stream cipher
- GCM (Galois/Counter Mode): Provides both confidentiality and authentication
- XTS: Specialized for disk encryption
Asymmetric (Public Key) Cryptography
Uses separate keys for encryption and decryption
Algorithm | Key Length Recommendation | Primary Use Cases | Security Basis |
---|---|---|---|
RSA | 2048+ bits | Encryption, digital signatures | Integer factorization problem |
ECC (Elliptic Curve Cryptography) | 256+ bits | Digital signatures, key exchange | Elliptic curve discrete logarithm problem |
DSA (Digital Signature Algorithm) | 2048+ bits | Digital signatures only | Discrete logarithm problem |
Diffie-Hellman | 2048+ bits | Key exchange | Discrete logarithm problem |
ECDH (Elliptic Curve Diffie-Hellman) | 256+ bits | Key exchange | Elliptic curve discrete logarithm problem |
Ed25519 | 256 bits | Digital signatures | Edwards curve, variant of ECC |
X25519 | 256 bits | Key exchange | Montgomery curve, variant of ECC |
Hash Functions
One-way functions that map data of arbitrary size to fixed-size values
Algorithm | Output Size | Description | Security Status |
---|---|---|---|
SHA-256 | 256 bits | Part of SHA-2 family | Currently secure |
SHA-3 | Variable (224-512 bits) | Newest SHA standard, based on Keccak | Currently secure |
BLAKE2 | Variable (8-512 bits) | High-speed secure hash | Currently secure |
MD5 | 128 bits | Older algorithm | Broken, collision attacks demonstrated |
SHA-1 | 160 bits | Older SHA algorithm | Broken, collision attacks demonstrated |
Message Authentication Codes (MACs)
Provide both authentication and integrity
- HMAC: Hash-based MAC, combines a cryptographic hash with a secret key
- CMAC: Cipher-based MAC, based on block cipher
- Poly1305: High-speed MAC often used with ChaCha20
Key Derivation Functions (KDFs)
Derive cryptographic keys from master keys or passwords
Algorithm | Description | Primary Use Cases |
---|---|---|
PBKDF2 | Password-Based KDF | Deriving keys from passwords, legacy systems |
Bcrypt | Blowfish-based password hashing | Password storage |
Scrypt | Memory-hard KDF | Password storage, resistant to hardware attacks |
Argon2 | Memory-hard KDF | Password storage, winner of PHC competition |
HKDF | HMAC-based KDF | Deriving keys from high-entropy inputs |
Step-by-Step Cryptographic Processes
Secure Communication Setup (TLS Handshake)
- Client Hello: Client sends supported cipher suites and random number
- Server Hello: Server selects cipher suite and sends certificate and random number
- Key Exchange: Using asymmetric cryptography (e.g., RSA or ECDHE)
- Verification: Client verifies server’s certificate against trusted CAs
- Session Key Derivation: Both parties derive the same symmetric session key
- Secure Communication: Data encrypted with symmetric algorithm using session key
Digital Signature Process
- Hash Calculation: Create hash of the message to be signed
- Signature Creation: Encrypt hash with signer’s private key
- Signature Attachment: Attach signature to message
- Verification: Recipient decrypts signature with signer’s public key and compares to independently calculated hash
Public Key Infrastructure (PKI) Process
- Key Pair Generation: Entity creates public and private key pair
- Certificate Signing Request: Entity submits public key and identity information to CA
- Verification: CA verifies entity’s identity
- Certificate Issuance: CA issues signed certificate binding identity to public key
- Certificate Distribution: Entity distributes certificate with public key
- Certificate Verification: Relying parties verify certificate against trusted CAs
Cryptographic Protocols and Applications
Secure Communication Protocols
Protocol | Primary Use | Key Cryptographic Elements |
---|---|---|
TLS/SSL | Secure web browsing (HTTPS) | Certificates, key exchange, symmetric encryption |
SSH | Secure remote access | Key pairs, key exchange, symmetric encryption |
Signal Protocol | Secure messaging | Double Ratchet, X3DH key agreement, forward secrecy |
IPsec | Network layer security | Key exchange, encryption, authentication |
WireGuard | Modern VPN protocol | Elliptic curve cryptography, minimal handshaking |
Authentication Methods
- Password-based: Combined with KDFs for secure storage
- Certificate-based: Using PKI and digital signatures
- Multi-factor: Combining multiple authentication methods
- Zero-knowledge proofs: Proving knowledge without revealing it
Blockchain and Cryptocurrency
- Digital signatures: Authenticate transactions
- Hash functions: Create transaction links and proof-of-work
- Merkle trees: Efficiently verify transaction inclusion
- Zero-knowledge proofs: Enable privacy features in some cryptocurrencies
Comparison of Cryptographic Approaches
Symmetric vs. Asymmetric Encryption
Aspect | Symmetric Encryption | Asymmetric Encryption |
---|---|---|
Key Usage | Same key for encryption and decryption | Different keys for encryption and decryption |
Speed | Fast, efficient for large data | Slower, computationally intensive |
Key Distribution | Requires secure channel for key sharing | Public keys can be shared openly |
Key Size | Typically smaller (128-256 bits) | Larger (2048+ bits for RSA, 256+ for ECC) |
Scalability | n(n-1)/2 keys for n parties | 2n keys for n parties |
Common Use | Bulk data encryption | Key exchange, digital signatures |
Examples | AES, ChaCha20 | RSA, ECC |
Hash Function Comparison
Aspect | Cryptographic Hash Functions | Password Hashing Functions |
---|---|---|
Purpose | Data integrity, general-purpose hashing | Securely storing passwords |
Speed | Fast computation | Intentionally slow (time-intensive) |
Memory Usage | Minimal | Often memory-intensive |
Salt Usage | Not typically salted | Always use unique salts |
Output Size | Fixed by algorithm | Often configurable |
Examples | SHA-256, BLAKE2 | Bcrypt, Argon2 |
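The difference in the table above, as an added example that is not part of the original cheatsheet: a fast unsalted SHA-256 digest beside scrypt-based password storage with a unique salt per record and a constant-time comparison on verification. The cost parameters, the `salt$hash` record format and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters (assumed for this example; tune to your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024  # headroom for the ~16 MiB these settings need


def fast_unsalted_hash(password: str) -> str:
    """General-purpose hash: fast and deterministic, so equal passwords
    always produce equal digests and guesses are cheap to test."""
    return hashlib.sha256(password.encode()).hexdigest()


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                          r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=32)


def hash_password(password: str) -> str:
    """Return 'salt_hex$hash_hex' using a fresh salt from the OS CSPRNG."""
    salt = secrets.token_bytes(16)
    return f"{salt.hex()}${_scrypt(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    # compare_digest does not exit early on the first differing byte
    return hmac.compare_digest(_scrypt(password, salt), expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print(fast_unsalted_hash(pw) == fast_unsalted_hash(pw))  # same digest
    a, b = hash_password(pw), hash_password(pw)
    print(a != b, verify_password(pw, a), verify_password("guess", a))
```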
Common Cryptographic Challenges and Solutions
Challenge: Secure Key Management
Solutions:
- Use hardware security modules (HSMs) for critical keys
- Implement principle of least privilege for key access
- Establish key rotation policies
- Use key derivation functions rather than storing multiple keys
- Separate storage of key components (key splitting)
Challenge: Random Number Generation
Solutions:
- Use cryptographically secure random number generators (CSPRNGs)
- Combine multiple entropy sources
- Use hardware random number generators when available
- Regularly test randomness quality
- Avoid using standard random functions from programming languages
Challenge: Side-Channel Attacks
Solutions:
- Implement constant-time operations for cryptographic functions
- Add random delays or noise to operations
- Use hardware with side-channel protections
- Avoid branching based on secret data
- Monitor for unusual access patterns or timing anomalies
Challenge: Implementation Vulnerabilities
Solutions:
- Use vetted cryptographic libraries instead of custom implementations
- Keep cryptographic software updated
- Conduct regular security audits and penetration testing
- Implement defense in depth
- Follow coding standards specific to cryptographic implementations
Best Practices and Practical Tips
General Cryptographic Best Practices
- Don’t roll your own crypto: Use established, peer-reviewed algorithms and libraries
- Keep it simple: Complexity increases the risk of implementation errors
- Defense in depth: Never rely on a single cryptographic control
- Future-proof: Design systems to allow algorithm and key size updates
- Assume compromise: Design with the assumption that some parts will be compromised
- Kerckhoffs’s principle: Security should depend on the key, not the secrecy of the algorithm
Algorithm Selection Guidelines
- Choose algorithms based on:
  - Security requirements and threat model
  - Performance constraints
  - Regulatory requirements
  - Industry standards
  - Implementation availability
  - Future-proofing (quantum resistance if needed)
Implementation Checklist
- [ ] Use up-to-date, well-maintained cryptographic libraries
- [ ] Implement proper key management procedures
- [ ] Use appropriate key sizes for the protection period needed
- [ ] Add entropy collection for random number generation
- [ ] Implement secure error handling that doesn’t leak information
- [ ] Validate all cryptographic inputs
- [ ] Consider side-channel attack mitigations
- [ ] Implement logging and monitoring for cryptographic operations
Emerging Trends in Cryptography
Post-Quantum Cryptography
- Lattice-based: CRYSTALS-Kyber, NTRU
- Hash-based: SPHINCS+
- Code-based: Classic McEliece
- Multivariate: Rainbow (broken), GeMSS
- Isogeny-based: SIKE (broken)
Homomorphic Encryption
- Allows computation on encrypted data without decrypting it
- Types: Fully, Somewhat, and Partially Homomorphic Encryption
- Applications: privacy-preserving computation, secure cloud computing
Secure Multi-party Computation (MPC)
- Enables multiple parties to jointly compute a function over inputs while keeping those inputs private
- Applications: privacy-preserving analytics, threshold cryptography
Zero-Knowledge Proofs
- Proves knowledge of a value without revealing the value itself
- Types: Interactive, Non-interactive (zk-SNARKs, zk-STARKs)
- Applications: privacy-focused cryptocurrencies, authentication, anonymous credentials
Resources for Further Learning
Books
- “Cryptography Engineering” by Ferguson, Schneier, and Kohno
- “Real-World Cryptography” by David Wong
- “Serious Cryptography” by Jean-Philippe Aumasson
- “The Code Book” by Simon Singh (historical perspective)
- “Applied Cryptography” by Bruce Schneier (classic reference)
Online Courses
- Cryptography I & II by Dan Boneh (Stanford) on Coursera
- Introduction to Cryptography by Christof Paar on YouTube
- Practical Cryptography for Developers (free online book)
Standards and Guidelines
- NIST Cryptographic Standards and Guidelines
- IETF RFCs for cryptographic protocols
- BSI Cryptographic Mechanisms Recommendations
- ENISA Algorithms, Key Sizes and Parameters Report
Tools and Libraries
- OpenSSL: Comprehensive crypto library and toolkit
- Libsodium: Easy-to-use, high-level cryptographic library
- Bouncy Castle: Java and C# implementations
- Crypto++: C++ class library of cryptographic schemes
- PyCA/cryptography: Python cryptography library
- CrypTool: Educational tool for cryptography and cryptanalysis
Websites and Communities
- Cryptography Stack Exchange
- /r/cryptography subreddit
- The International Association for Cryptologic Research (IACR)
- Bruce Schneier’s blog “Schneier on Security”
Disclaimer
This cheatsheet provides general information about cryptography concepts and techniques. When implementing cryptographic systems, always consult current standards, guidelines, and expert advice. Cryptography is a rapidly evolving field, and what is secure today may not be secure tomorrow. Always follow the latest security best practices and keep cryptographic systems updated.
Last Updated: May 2025