Cryptography Basics: Encryption, Hashing, and Digital Signatures
Cryptography is the foundation of modern information security. It protects data in transit, authenticates users and systems, verifies integrity, and enables secure digital transactions. From TLS handshakes to blockchain signatures, cryptographic primitives underpin virtually every secure system. This guide covers the essential concepts every developer and security practitioner must understand: symmetric and asymmetric encryption, cryptographic hash functions, digital signatures, and key management best practices rooted in NIST SP 800-175B and current standards.
Symmetric Encryption
Symmetric encryption uses a single shared key for both encryption and decryption. It is fast and efficient but requires secure key distribution between parties.
AES — The Standard
The Advanced Encryption Standard (AES), established by NIST in 2001 (FIPS 197), remains the gold standard for symmetric encryption. AES operates on 128-bit blocks with key sizes of 128, 192, or 256 bits. AES-256 provides 256-bit security, though quantum attacks (via Grover’s algorithm) reduce this to 128-bit effective security — still considered safe against known quantum threats. AES supports multiple modes of operation:
- GCM (Galois/Counter Mode): Authenticated encryption providing both confidentiality and integrity. GCM is the preferred mode for TLS 1.3 and most modern protocols. It uses a nonce (12 bytes recommended) and produces an authentication tag.
- CBC (Cipher Block Chaining): Each ciphertext block depends on all previous blocks. CBC requires padding and is vulnerable to padding oracle attacks if improperly implemented. The POODLE attack (2014) exploited CBC weaknesses in SSL 3.0.
- CTR (Counter): Turns AES into a stream cipher by encrypting incrementing counter values. CTR enables parallel encryption but provides no integrity protection — it must be combined with a MAC.
ChaCha20 — Modern Alternative
ChaCha20, designed by Daniel J. Bernstein, is a stream cipher that has gained adoption as an AES alternative, particularly on mobile devices where AES hardware acceleration may not be available. ChaCha20-Poly1305 is the recommended AEAD construction, used in TLS 1.3 (RFC 8439), WireGuard, and SSH. Google’s measurements show ChaCha20 outperforming AES-128-GCM on ARM-based mobile processors by up to 3x.
Key Derivation
Passwords should never be used directly as encryption keys. Key derivation functions (KDFs) transform passwords into cryptographic keys: PBKDF2 (NIST SP 800-132), bcrypt, scrypt, and Argon2 (winner of the 2015 Password Hashing Competition). Argon2id is the recommended choice, providing resistance against GPU cracking, side-channel attacks, and trade-off attacks.
Asymmetric Encryption
Asymmetric (public key) cryptography uses mathematically related key pairs: a public key for encryption and a private key for decryption. It solves the key distribution problem but is computationally expensive.
RSA
RSA, named for Rivest-Shamir-Adleman (1977), derives security from the difficulty of factoring large semiprime numbers. NIST SP 800-56B requires RSA key sizes of at least 2048 bits; 3072 bits provides 128-bit security equivalence. RSA-2048 is widely deployed but increasingly under pressure: the 2023 factoring of RSA-240 (795 bits) demonstrates continued progress in factoring algorithms.
RSA is primarily used for key exchange and digital signatures. However, its performance disadvantage compared to elliptic curve alternatives has led to declining adoption in new protocols. TLS 1.3 deprioritizes RSA key exchange, favoring ECDHE.
Elliptic Curve Cryptography
ECC provides equivalent security to RSA with significantly smaller keys: a 256-bit ECC key offers security comparable to 3072-bit RSA. NIST curves (P-256, P-384, P-521) are widely standardized but have faced scrutiny over potential NSA influence in their generation parameters. Curve25519 (X25519 for key exchange, Ed25519 for signatures) was designed with transparent generation and resistance to side-channel attacks, and is now the recommended default. Over 95% of HTTPS connections supporting TLS 1.3 use X25519 key exchange according to the 2025 SSL Pulse survey.
Elliptic Curve Diffie-Hellman
ECDHE enables perfect forward secrecy (PFS) — even if a server’s long-term private key is compromised, past session keys remain secure. In TLS 1.3, the handshake uses ephemeral ECDHE keys generated per session, with signatures for authentication and the derived shared secret for symmetric encryption.
Cryptographic Hash Functions
Hash functions map arbitrary-length input to a fixed-size output (digest) with three critical properties: preimage resistance (given h, infeasible to find m where h = hash(m)), second-preimage resistance, and collision resistance.
SHA-2 and SHA-3
SHA-256 and SHA-512 (FIPS 180-4) are the workhorses of modern hashing. Bitcoin uses double-SHA-256; TLS certificates use SHA-256 for signature verification. SHA-3 (FIPS 202), based on the Keccak sponge construction, was released in 2015 as a backup for SHA-2. While structurally different from SHA-2, no practical break of SHA-256 has been demonstrated as of 2025.
MD5 and SHA-1 — Deprecated
MD5 (1991) and SHA-1 (1995) are both broken for collision resistance. The 2017 SHAttered attack demonstrated a practical SHA-1 collision. Microsoft’s SHA-1 deprecation in Windows updates and the CA/Browser Forum’s 2017 ban on SHA-1 certificates mean every modern TLS certificate must now use SHA-256 or better.
Password Hashing
Passwords require slow, salted hash functions to resist brute force. SHA-256 alone is too fast (billions of attempts per second with GPUs). Argon2id, scrypt, and bcrypt add computational work factors and per-password salts stored alongside the hash. NIST SP 800-63B recommends memory-hard functions for password storage.
Digital Signatures
Digital signatures provide authentication, non-repudiation, and integrity. The signer uses their private key; anyone with the corresponding public key can verify.
ECDSA and EdDSA
ECDSA (FIPS 186-5) is widely deployed but requires secure random nonces — repeated or predictable nonces leak the private key. The 2020 PlayStation 3 private key compromise used a static random value in Sony’s ECDSA implementation. EdDSA (Ed25519, Ed448) eliminates this class of bugs entirely by deriving nonces deterministically from the message and private key. Ed25519 is the recommended signature algorithm for new protocols.
Certificate Authorities and PKI
X.509 public key infrastructure (PKI) binds identities to public keys through certificate authorities (CAs). The WebPKI ecosystem includes hundreds of CAs, but trust is fragile: CA compromises (DigiNotar 2011, Comodo 2011) demonstrated the systemic risk. Certificate Transparency (RFC 9162) provides public auditing of certificate issuance, detecting mis-issued certificates.
Key Management
Cryptographic security depends entirely on key secrecy. NIST SP 800-57 provides a comprehensive framework for key management lifecycle: generation, distribution, storage, rotation, and destruction.
Hardware Security Modules (HSMs)
HSMs provide tamper-resistant key storage. Cloud KMS services (AWS KMS, Azure Key Vault, GCP Cloud KMS) use FIPS 140-2/3 validated HSMs. For self-managed environments, YubiHSM and Nitrokey provide affordable HSM options. Key rotation intervals should follow NIST guidance: 1-2 years for asymmetric signing keys, 2-3 years for asymmetric encryption keys.
Quantum Threats
Shor’s algorithm, running on a sufficiently large quantum computer, breaks RSA and ECC entirely. NIST’s Post-Quantum Cryptography Standardization process selected CRYSTALS-Kyber (key establishment) and CRYSTALS-Dilithium (signatures) as primary standards in 2024, with FALCON and SPHINCS+ as backups. Organizations should maintain cryptographic agility — the ability to replace algorithms as standards evolve — through modular cryptographic libraries (BoringSSL, OpenSSL 3.x, liboqs).
Post-Quantum Cryptography
Quantum computing threatens the cryptographic primitives that secure the internet. Shor’s algorithm efficiently factors large integers and computes discrete logarithms, breaking RSA, DSA, ECDSA, and ECDH entirely. Grover’s algorithm reduces the security of symmetric ciphers (AES, ChaCha20) by half - AES-256 provides 128-bit post-quantum security, which remains adequate.
NIST Post-Quantum Standardization
NIST’s multi-year Post-Quantum Cryptography (PQC) standardization project concluded in 2024 with four selected algorithms. For key encapsulation: CRYSTALS-Kyber (FIPS 203) provides IND-CCA2 secure key establishment with small key sizes and fast performance. For digital signatures: CRYSTALS-Dilithium (FIPS 204) is the primary choice; FALCON (FIPS 205) provides smaller signatures at higher computational cost; SPHINCS+ (FIPS 205) uses stateless hash-based signatures as a conservative backup.
Hybrid Deployment
PQC algorithms have undergone less cryptanalytic scrutiny than RSA and ECC. The recommended deployment strategy is hybrid mode: combine traditional (X25519 or RSA-3072) with PQC (Kyber-768) in the same key exchange. TLS 1.3 supports hybrid key exchange via composite keys - Google Chrome’s 2024 experiment with X25519+Kyber768 for 100% of TLS connections demonstrated negligible latency impact (under 1ms median). Organizations should begin PQC readiness assessments now: inventory cryptographic assets, identify systems with long-lived keys or certificates, and ensure cryptographic agility in software libraries.
FAQ
What is the difference between symmetric and asymmetric encryption? Symmetric uses one shared key for both encryption and decryption (fast, but key distribution is hard). Asymmetric uses a public-private key pair (slower, but no shared secret needed).
Why is SHA-1 deprecated? Researchers demonstrated a practical collision attack in 2017 (SHAttered). All major browsers and CAs stopped accepting SHA-1 certificates by 2017.
What is perfect forward secrecy? A property of key exchange protocols (like ECDHE) where session keys cannot be recovered even if the long-term private key is compromised. TLS 1.3 mandates PFS.
How does TLS 1.3 improve on TLS 1.2? Reduced handshake to 1-RTT (or 0-RTT for resumed sessions), removed insecure cipher suites, mandated PFS, and simplified the protocol by removing RSA key exchange.
Can quantum computers break AES-256? Grover’s algorithm reduces AES-256’s effective security to 128 bits against quantum attacks — still considered secure. RSA and ECC are broken entirely by Shor’s algorithm.
For a broader introduction to security principles, read our Security Guide. See OAuth 2.0 and JWT Guide for practical authentication implementation. Learn about Threat Modeling to identify cryptographic design flaws early.