AiTechWorlds
Hashing (SHA-256, Argon2), symmetric (AES-GCM), asymmetric (RSA, Ed25519), TLS versions, and key management.
| Concept | Reversible? | Key Required? | Use Case |
|---|---|---|---|
| Hashing | No (one-way) | No | Password storage, file integrity, checksums |
| Symmetric Encryption | Yes | Same key to encrypt/decrypt | Data at rest, session data |
| Asymmetric Encryption | Yes | Public key encrypts, private key decrypts | TLS, digital signatures, key exchange |
| Encoding | Yes (not security) | No | Data format (Base64, URL encoding) |
A hash function maps arbitrary input to a fixed-size digest. Properties:
| Algorithm | Output Size | Speed | Security | Use |
|---|---|---|---|---|
| MD5 | 128-bit | Very fast | BROKEN | Never for security |
| SHA-1 | 160-bit | Fast | BROKEN | Never for security |
| SHA-256 | 256-bit | Fast | Strong | File integrity, HMACs |
| SHA-3 | 256/512-bit | Moderate | Very strong | Modern applications |
| SHA-512 | 512-bit | Fast | Very strong | Larger collision resistance |
| BLAKE3 | 256-bit | Fastest | Strong | High-performance hashing |
```python
import hashlib
import hmac

# File integrity check: stream the file in chunks so large files need not fit in memory
def file_hash(path: str) -> str:
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(8192), b''):
            h.update(chunk)
    return h.hexdigest()

# HMAC (keyed hash, prevents length extension attacks)
key = "shared-secret"              # example values; load the real key from a secrets manager
message = "payload to authenticate"
mac = hmac.new(key.encode(), message.encode(), hashlib.sha256)
print(mac.hexdigest())
```
Passwords need slow hash functions with salt, not fast general-purpose hashes.
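A standard-library illustration of the salted, slow password hash (the PBKDF2-SHA256 row of the table that follows), added here and not part of the original page; `hash_password`, `verify_password` and `needs_rehash` are names chosen for this example, and `ITERATIONS` is an example work factor:

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # current work factor (example value); raise it as hardware gets faster

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, salt and digest."""
    salt = os.urandom(16)  # fresh random salt per password: equal passwords get different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "$pbkdf2-sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def _parse(record: str) -> tuple[int, bytes, bytes]:
    _, alg, iters, salt_b64, digest_b64 = record.split("$")
    if alg != "pbkdf2-sha256":
        raise ValueError("unsupported password record")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor, then compare in constant time."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(record: str) -> bool:
    """True when the record was made with a weaker work factor than today's setting.
    Call it after a successful login, when the plaintext is in hand, to upgrade the record."""
    iterations, _, _ = _parse(record)
    return iterations < ITERATIONS
```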
| Algorithm | Adaptive? | Memory-Hard? | Recommended |
|---|---|---|---|
| Argon2id | Yes | Yes | Best choice |
| bcrypt | Yes | No | Widely supported |
| scrypt | Yes | Yes | Good alternative |
| PBKDF2-SHA256 | Yes | No | FIPS-compliant environments |
| SHA-256 (plain) | No | No | NEVER for passwords |
```python
# Argon2id (recommended)
from argon2 import PasswordHasher, Type
from argon2.exceptions import VerifyMismatchError

ph = PasswordHasher(time_cost=3, memory_cost=65536, parallelism=4, hash_len=32, type=Type.ID)
hashed = ph.hash("my_secure_password")
# $argon2id$v=19$m=65536,t=3,p=4$...
valid = ph.verify(hashed, "my_secure_password")  # True; raises VerifyMismatchError on a wrong password

# bcrypt
import bcrypt
password = "my_secure_password"
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
bcrypt.checkpw(password.encode(), hashed)  # True/False
```
Same key is used to encrypt and decrypt.
| Algorithm | Key Size | Mode | Security | Status |
|---|---|---|---|---|
| AES-256 | 256-bit | GCM or CBC+HMAC | Very strong | Industry standard |
| AES-128 | 128-bit | GCM | Strong | Sufficient for most |
| ChaCha20-Poly1305 | 256-bit | AEAD | Very strong | Mobile/IoT (no AES hardware) |
| 3DES | 112-bit | n/a | Weak | Legacy only |
| DES | 56-bit | n/a | BROKEN | Never use |
```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Generate key (store securely!)
key = AESGCM.generate_key(bit_length=256)
aesgcm = AESGCM(key)

# Encrypt
plaintext = "sensitive data"
nonce = os.urandom(12)  # 96-bit nonce, must be unique per message under the same key
ciphertext = aesgcm.encrypt(nonce, plaintext.encode(), None)

# Decrypt
plaintext = aesgcm.decrypt(nonce, ciphertext, None).decode()
# Raises cryptography.exceptions.InvalidTag if the data was tampered with
```
GCM provides both confidentiality AND integrity (authenticated encryption with associated data, AEAD). Never use CBC without a separate HMAC.
Uses a key pair: public key (share freely) and private key (keep secret).
| Algorithm | Key Size | Use Case | Notes |
|---|---|---|---|
| RSA-OAEP | 2048–4096-bit | Encrypt small data, key exchange | Legacy TLS, email encryption |
| ECDH | 256-bit (P-256) | Key exchange | Modern TLS, forward secrecy |
| ECDSA | 256-bit | Digital signatures | Used in TLS, code signing |
| Ed25519 | 256-bit | Digital signatures | Fastest, SSH, modern apps |
| X25519 | 256-bit | Key exchange (DH variant) | Signal protocol, TLS 1.3 |
```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

# Generate key pair
private_key = Ed25519PrivateKey.generate()
public_key = private_key.public_key()

# Sign
message = "message to sign"
signature = private_key.sign(message.encode())

# Verify
try:
    public_key.verify(signature, message.encode())
    print("Valid signature")
except InvalidSignature:
    print("Invalid signature")
```
TLS encrypts data in transit using a hybrid approach:
1. Asymmetric crypto to exchange a session key (TLS handshake)
2. Symmetric crypto (AES-GCM) to encrypt the actual data
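The two-step hybrid above, as an added example that is not from the original page: an ephemeral X25519 exchange plus HKDF stands in for step 1 and AES-GCM for step 2. It is a simplified sketch using the `cryptography` library, not the real TLS 1.3 key schedule, and the function names (`handshake`, `derive_session_key`, and so on) are this example's own.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

def key_share(priv: X25519PrivateKey) -> bytes:
    """The 32-byte public value each side carries in its Hello message."""
    return priv.public_key().public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)

def derive_session_key(own_priv: X25519PrivateKey, peer_share: bytes, transcript: bytes) -> bytes:
    """Step 1: ECDH yields a shared secret; HKDF turns it into a key bound to the handshake transcript."""
    shared = own_priv.exchange(X25519PublicKey.from_public_bytes(peer_share))
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"demo application key " + transcript).derive(shared)

def handshake() -> tuple[bytes, bytes, bytes]:
    """Returns (client_key, server_key, transcript). Ephemeral key pairs give forward secrecy:
    nothing long-term is used, so a later key compromise does not expose this session."""
    client_priv, server_priv = X25519PrivateKey.generate(), X25519PrivateKey.generate()
    client_share, server_share = key_share(client_priv), key_share(server_priv)
    transcript = client_share + server_share  # what ClientHello and ServerHello carried
    # Each side derives the same key from its own private key and the peer's public share;
    # the session key itself is never transmitted.
    return (derive_session_key(client_priv, server_share, transcript),
            derive_session_key(server_priv, client_share, transcript), transcript)

def send_application_data(key: bytes, data: bytes) -> bytes:
    """Step 2: AES-GCM under the session key (real TLS derives the nonce from a record
    sequence number; a random nonce keeps this demo short)."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, data, None)

def receive_application_data(key: bytes, record: bytes) -> bytes:
    return AESGCM(key).decrypt(record[:12], record[12:], None)
```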
TLS 1.3 Handshake (simplified):
Client → Server: ClientHello (supported cipher suites, key share)
Server → Client: ServerHello + Certificate + (CertificateVerify)
Both: derive session keys from the key exchange
→ Encrypted application data
TLS Versions:
Key management lifecycle:
Generation → Storage → Distribution → Rotation → Revocation → Destruction
- Store keys in dedicated secrets managers (AWS KMS, HashiCorp Vault, Azure Key Vault)
- Rotate keys regularly (annually for AES, per-session for TLS)
- Never hardcode keys in source code
- Separate encryption keys from encrypted data
- Use envelope encryption: data encrypted with a DEK, DEK encrypted with a KEK
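Envelope encryption from the last point, as an added example that is not part of the original page: `KeyService` is a stand-in for a KMS (an assumed name, as are `Envelope`, `encrypt_record`, `decrypt_record` and `rotate_kek`), KEKs never leave it, each record gets its own DEK, and rotating the KEK re-wraps the DEK without touching the bulk ciphertext.

```python
import os
from dataclasses import dataclass
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12

def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)  # fresh 96-bit nonce for every encryption
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)

def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)

@dataclass
class Envelope:
    record_id: str       # bound into the data's AEAD tag, so ciphertexts cannot be swapped between records
    kek_id: str          # which KEK wrapped the DEK (a KMS key name in a real deployment)
    wrapped_dek: bytes   # DEK encrypted under the KEK
    ciphertext: bytes    # data encrypted under the DEK

class KeyService:
    """Stand-in for a KMS: KEKs never leave this object, callers only get wrap/unwrap."""
    def __init__(self) -> None:
        self._keks: dict[str, bytes] = {}
    def create_kek(self, kek_id: str) -> None:
        self._keks[kek_id] = AESGCM.generate_key(bit_length=256)
    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        return _seal(self._keks[kek_id], dek, kek_id.encode())
    def unwrap(self, kek_id: str, wrapped: bytes) -> bytes:
        return _open(self._keks[kek_id], wrapped, kek_id.encode())

def encrypt_record(kms: KeyService, kek_id: str, record_id: str, data: bytes) -> Envelope:
    dek = AESGCM.generate_key(bit_length=256)  # one DEK per record; the KEK never touches bulk data
    return Envelope(record_id, kek_id, kms.wrap(kek_id, dek), _seal(dek, data, record_id.encode()))

def decrypt_record(kms: KeyService, env: Envelope) -> bytes:
    dek = kms.unwrap(env.kek_id, env.wrapped_dek)
    return _open(dek, env.ciphertext, env.record_id.encode())

def rotate_kek(kms: KeyService, env: Envelope, new_kek_id: str) -> Envelope:
    """Rotation re-wraps only the 32-byte DEK; the bulk ciphertext is left untouched."""
    dek = kms.unwrap(env.kek_id, env.wrapped_dek)
    return Envelope(env.record_id, new_kek_id, kms.wrap(new_kek_id, dek), env.ciphertext)
```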