Describe the concept and possible use cases for the following crypto primitives:
• Message digest
A cryptographic hash function that converts data into a fixed-size string (e.g., SHA-256). Use cases:
Verify file integrity (e.g., checksums for downloads).
Securely store passwords by hashing them instead of storing plaintext.
• Key derivation functions
Generate cryptographic keys from passwords or other data using pseudorandom functions. These functions combine the input with a random salt and re-hash the data and the salt over many iterations, which makes it computationally expensive to crack the original data. Use cases:
PBKDF2: Create strong encryption keys for an encryption algorithm.
Scrypt: Securely store passwords with high computational/memory requirements.
• Message authentication codes
Combines a hash function with a secret key to ensure message integrity and authenticity. Because the secret key is known only to the client and the server, a man in the middle cannot alter or forge a message without the change being detected. Use cases:
Verify API request authenticity (e.g., HMAC in JSON Web Tokens).
• Symmetric encryption
Uses a single secret key for both encryption and decryption, turning plaintext into ciphertext and back into plaintext. A common algorithm is AES.
Use cases:
Encrypt files/data at rest (e.g., disk encryption).
• Asymmetric encryption
Uses a public-private key pair (e.g., RSA). The sender encrypts the data with the public key before sending. The public key is not a secret. Decryption is only possible for someone who has the private key, which is a secret. Use cases:
Secure email communication (encrypt with recipient’s public key).
TLS handshakes for HTTPS.
• Digital signatures
The hash value of a plaintext message is encrypted with a private key to generate the digital signature. The plaintext of the message along with the digital signature is sent to a receiver. The receiver creates the hash value from the plaintext message and compares it to the decrypted digital signature (using the public key) to prove integrity and authenticity. Use cases:
Sign software updates to verify the publisher.
Explain the benefits of using salt in the context of storing passwords.
Salts are random data added to passwords before hashing. Benefits include:
Prevents rainbow table attacks: Unique salts ensure identical passwords produce different hashes.
Mitigates brute-force attacks: Attackers must crack each salted hash individually.
Identical passwords will still have different hashes because the salt is different. So even if the hacker knows the salt, he/she would still have to hash each of the possible passwords together with the salt to get to the hash.
Describe the differences between block- and stream ciphers.
Block Ciphers (e.g., AES):
Encrypt fixed-size blocks (e.g., 128 bits).
Require padding for incomplete blocks.
Stream Ciphers (e.g., ChaCha20):
Encrypt data bytewise or even bit-by-bit continuously.
No padding needed.
Describe the concept of block cipher padding.
Padding fills incomplete blocks to match the cipher’s block size (e.g., PKCS#7 appends bytes whose value equals the number of missing bytes). Example: A 10-byte block needing 6 more bytes adds the byte 06 six times.
Describe the differences between ECB, CBC and CTR block cipher mode.
ECB:
Encrypts each block independently.
Risk: Reveals patterns (e.g., identical plaintext blocks → identical ciphertext).
CBC:
XORs each plaintext block with the previous ciphertext block before encrypting it to produce the next ciphertext block.
Uses an Initialization Vector (IV) as the first block for randomness.
Secure: Hides patterns in plaintext.
CTR:
Uses the block cipher (e.g., AES) in streaming mode, so no padding is needed.
Stream ciphers always produce ciphertext with the same length as the input.
Describe the internal structure of a digital certificate.
A digital certificate is a document used to prove the ownership of a public key. It includes:
Owner’s identification (e.g., domain name).
Public key of the owner.
Certificate Authority (CA) name (e.g., Let’s Encrypt).
CA’s digital signature to validate authenticity.
Expiration date (e.g., valid until 2025).
Example: HTTPS certificates validate website ownership and enable secure connections.