Encryption: Symmetric, Asymmetric, TLS, and Hashing
Encryption fundamentals are tested on every security certification. Here are the concepts you must know.
Symmetric vs asymmetric encryption
Symmetric uses one key for both encrypt and decrypt. Asymmetric uses a public/private key pair.
```
# Symmetric encryption (AES, ChaCha20):
# Same key to encrypt and decrypt
# Fast — suitable for bulk data encryption
# Key distribution problem: how do you securely share the key?

# AES-256 example concept:
key = generate_random_256_bit_key()
ciphertext = AES.encrypt(plaintext, key)
plaintext = AES.decrypt(ciphertext, key)

# Asymmetric encryption (RSA, ECC):
# Public key: encrypt data, verify signatures
# Private key: decrypt data, create signatures
# Slow — used for key exchange, not bulk data

# RSA example:
public_key, private_key = generate_rsa_keypair(2048)
ciphertext = RSA.encrypt(plaintext, public_key)
plaintext = RSA.decrypt(ciphertext, private_key)

# Real systems use both:
# Asymmetric to exchange a symmetric key securely (TLS handshake)
# Symmetric for the actual data (fast)
```
TLS/SSL handshake
TLS secures data in transit. The handshake establishes a secure channel before data is sent.
```
# TLS handshake (simplified; the key-exchange step below is the classic
# TLS 1.2 RSA form — see the TLS 1.3 note at the end):
# 1. Client Hello
#    - TLS version, cipher suites, random value, SNI (server name)
# 2. Server Hello
#    - Chosen cipher suite, random value
# 3. Server Certificate
#    - Contains server's public key, signed by CA
# 4. Client verifies certificate:
#    - Is the CA trusted? (checked against browser's trust store)
#    - Is the certificate for this domain?
#    - Is it expired?
# 5. Key exchange
#    - Client generates pre-master secret
#    - Encrypts it with server's public key
#    - Both sides derive session keys
# 6. Application data exchanged with symmetric encryption (AES-256-GCM)

# TLS 1.3 note: RSA key exchange was removed. Client and server each send an
# ephemeral (EC)DH share in their Hello messages and derive the session keys
# from the shared secret, so the keys themselves are never sent and the server's
# private key cannot decrypt recorded traffic later (forward secrecy).

# Certificates:
# DV (Domain Validated): domain ownership verified
# OV (Organisation Validated): organisation identity verified
# EV (Extended Validation): strict identity verification (browsers no longer
#     show the old green address bar for EV)
```
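As an added example (not code from the original page), the Python below simulates the TLS 1.3 form of step 5: each side contributes an ephemeral Diffie-Hellman share in its Hello message, and both then derive identical handshake traffic keys with the RFC 8446 key schedule (HKDF-Extract, HKDF-Expand-Label, Derive-Secret) using only the standard library. The DH group is a constructed toy (a 127-bit prime; real TLS uses named groups such as x25519 or ffdhe2048) and the transcript is a placeholder for the real serialised Hello messages; the HKDF label format and the key-schedule steps follow the RFC.

```python
import hashlib
import hmac
import os
import struct

# Toy finite-field Diffie-Hellman group, constructed for illustration only.
# Real TLS negotiates a named group (x25519, secp256r1, ffdhe2048, ...).
P = (1 << 127) - 1   # Mersenne prime 2^127 - 1
G = 2

HASH = hashlib.sha256
HASHLEN = 32         # Hash.length for SHA-256 cipher suites


def dh_keypair():
    """Ephemeral DH share: private exponent x, public share g^x mod p."""
    x = int.from_bytes(os.urandom(16), "big") % (P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """(EC)DHE input keying material for the key schedule."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def hkdf_extract(salt, ikm):
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret, label, context, length):
    """RFC 8446 7.1 HKDF-Expand-Label with the HkdfLabel structure:
    uint16 length, opaque label<7..255> = "tls13 " + Label, opaque context<0..255>."""
    full_label = b"tls13 " + label
    info = (struct.pack(">H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def derive_secret(secret, label, transcript):
    """Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Hash(Messages))."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASHLEN)


def handshake_traffic_keys(shared_secret, transcript, psk=None):
    """TLS 1.3 key schedule from the (EC)DHE secret down to the handshake traffic keys."""
    early_secret = hkdf_extract(b"\x00" * HASHLEN, psk or b"\x00" * HASHLEN)
    handshake_secret = hkdf_extract(derive_secret(early_secret, b"derived", b""), shared_secret)
    keys = {}
    for side, label in (("client", b"c hs traffic"), ("server", b"s hs traffic")):
        traffic_secret = derive_secret(handshake_secret, label, transcript)
        keys[side] = (
            hkdf_expand_label(traffic_secret, b"key", b"", 16),  # AES-128-GCM key
            hkdf_expand_label(traffic_secret, b"iv", b"", 12),   # GCM nonce base
        )
    return keys


def simulate_handshake():
    """Both peers run the schedule on their own copy of the shared secret; the keys match."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    # Placeholder transcript: the real one is the serialised ClientHello..ServerHello bytes.
    transcript = b"ClientHello:" + c_pub.to_bytes(16, "big") + b"ServerHello:" + s_pub.to_bytes(16, "big")
    client_keys = handshake_traffic_keys(dh_shared(c_priv, s_pub), transcript)
    server_keys = handshake_traffic_keys(dh_shared(s_priv, c_pub), transcript)
    return client_keys, server_keys


if __name__ == "__main__":
    client_keys, server_keys = simulate_handshake()
    print("keys agree:", client_keys == server_keys)
```

The point to take from it is that nothing key-like crosses the wire: the only values an observer sees are the two public shares and the transcript, and the traffic keys come out of HKDF on each side independently. The client and server directions get distinct keys from the same secret because the label differs.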
Digital signatures
Digital signatures prove authenticity and integrity — the message came from who it claims and wasn't modified.
```
# Signing (sender uses PRIVATE key):
message = "Transfer $1000 to account 12345"
hash = SHA256(message)
signature = RSA_encrypt(hash, private_key)   # textbook view: "encrypt" the hash with the private key

# Verifying (recipient uses PUBLIC key):
received_hash = RSA_decrypt(signature, public_key)
expected_hash = SHA256(message)   # recomputed over the message as received
valid = received_hash == expected_hash

# Note: real libraries expose sign()/verify() rather than raw encrypt/decrypt and
# apply a padding scheme (PKCS#1 v1.5 or PSS); raw RSA is the classroom model only.

# This proves:
# 1. Authenticity: only the private key holder could sign
# 2. Integrity: any modification changes the hash

# Used in:
# - Code signing (software packages)
# - JWT signatures
# - TLS certificates
# - Email (S/MIME)
```
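As an added example serving both the symmetric/asymmetric section above and this one (constructed for this page, not code from the original), the Python below builds a textbook RSA key pair and uses it in the two roles the page describes: the public key wraps a random symmetric key that a stream cipher then uses for the bulk data (hybrid encryption), and the private key signs a SHA-256 digest that the public key verifies. Everything in it is a labelled toy: fixed Mersenne primes instead of random ones, no padding, and a SHA-256 counter-mode keystream standing in for AES-GCM; it shows the key roles, not a production construction.

```python
import hashlib
import secrets

# Toy RSA parameters, constructed for illustration: fixed Mersenne primes and no
# padding (textbook RSA). Real code uses a library with RSA-OAEP for encryption
# and RSA-PSS for signatures, and generates random primes.
P = (1 << 127) - 1
Q = (1 << 521) - 1
E = 65537


def rsa_keypair():
    """Return (public_key, private_key) as (n, exponent) tuples."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (modular inverse, Python 3.8+)
    return (n, E), (n, d)


def rsa_apply(key, data: bytes) -> bytes:
    """Raw RSA: treat data as an integer, exponentiate mod n, encode at modulus width."""
    n, exp = key
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("textbook RSA only handles messages smaller than the modulus")
    return pow(m, exp, n).to_bytes((n.bit_length() + 7) // 8, "big")


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher: SHA-256 keystream in counter mode, XORed with the data.
    Illustration only: it has no authentication tag, unlike AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


def hybrid_encrypt(public_key, plaintext: bytes):
    """Asymmetric wraps a fresh 256-bit session key; symmetric encrypts the bulk data."""
    session_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    wrapped_key = rsa_apply(public_key, session_key)       # only the key holder can unwrap
    return wrapped_key, nonce, stream_xor(session_key, nonce, plaintext)


def hybrid_decrypt(private_key, wrapped_key, nonce, ciphertext):
    """Unwrap the session key with the private key, then decrypt the bulk data."""
    session_key = rsa_apply(private_key, wrapped_key)[-32:]   # drop the fixed-width leading zeros
    return stream_xor(session_key, nonce, ciphertext)


def sign(private_key, message: bytes) -> bytes:
    """Textbook signature: private-key operation on the SHA-256 digest of the message."""
    return rsa_apply(private_key, hashlib.sha256(message).digest())


def verify(public_key, message: bytes, signature: bytes) -> bool:
    """Recover the digest with the public key and compare it to a freshly computed one."""
    recovered = rsa_apply(public_key, signature)[-32:]
    expected = hashlib.sha256(message).digest()
    return secrets.compare_digest(recovered, expected)


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    wrapped, nonce, ct = hybrid_encrypt(pub, b"bulk data that is far too big for RSA alone")
    print(hybrid_decrypt(priv, wrapped, nonce, ct))
    msg = b"Transfer $1000 to account 12345"
    sig = sign(priv, msg)
    print("valid:", verify(pub, msg, sig), "tampered:", verify(pub, msg.replace(b"1000", b"9000"), sig))
```

Two things are worth noticing when running it: the RSA operation is only ever applied to something the size of a hash or a key, never to the message itself, which is exactly the TLS split the exam question asks about; and changing a single character of the signed message makes verification fail because the recomputed digest no longer matches the one recovered from the signature.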
Hashing
Hashing is a one-way function that produces a fixed-size output. It's used for integrity checking, not encryption.
```python
# Properties of a good hash function:
# - Deterministic: same input always gives same output
# - One-way: can't derive input from output
# - Avalanche effect: small input change = completely different output
# - Collision resistant: infeasible to find two different inputs with the same output

# Common hash algorithms:
# MD5: 128-bit, BROKEN (collisions found) — don't use
# SHA-1: 160-bit, BROKEN (collisions demonstrated) — don't use
# SHA-256: 256-bit, secure — use for general integrity
# SHA-3: 224- to 512-bit output, secure, different (sponge) design
# bcrypt/scrypt/Argon2: password hashing (intentionally slow)

# Use cases:
import hashlib

file_bytes = b"example file contents"   # stands in for the bytes read from a file
file_hash = hashlib.sha256(file_bytes).hexdigest()   # file integrity

content = b"hello\n"
# git hashes an object header plus the content, not the bare content
git_blob_id = hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()   # git objects

# NEVER for passwords — use bcrypt instead
```
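Added example (not part of the original page): measuring the avalanche effect, checking a download against a published digest with a constant-time comparison, and storing a password the right way, as a salted, deliberately slow PBKDF2 hash from the standard library, in place of a bare sha256 call. All inputs are constructed for the example; the one real value is the FIPS 180 SHA-256 test vector for "abc".

```python
import hashlib
import hmac
import os

# Published digest of the string "abc" from the FIPS 180 test vectors.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# OWASP's current recommendation for PBKDF2-HMAC-SHA256; bcrypt/scrypt/Argon2 are
# preferred when a library for them is available.
PBKDF2_ITERATIONS = 600_000


def bit_difference(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data: bytes) -> int:
    """Flip one input bit and count how many of SHA-256's 256 output bits change.
    A good hash flips about half (~128) regardless of how small the input change is."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return bit_difference(hashlib.sha256(data).digest(), hashlib.sha256(flipped).digest())


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Compare a computed SHA-256 against a published digest in constant time."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex)


def hash_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow password hash. The stored string records everything needed to verify."""
    salt = salt or os.urandom(16)           # unique per user, so equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("bits changed by a 1-bit input flip:", avalanche(b"The quick brown fox"))
    print("download matches published digest:", verify_integrity(b"abc", SHA256_ABC))
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("Tr0ub4dor&3", stored))
```

The contrast with the bare `hashlib.sha256(password)` pattern is what matters for the exam: a plain hash is fast and unsalted, so two users with the same password get the same hash and an attacker can test billions of guesses per second, whereas the salted PBKDF2 output is unique per user and costs hundreds of thousands of hash operations per guess.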
Exam tip
The most common encryption exam question: "Why does TLS use asymmetric to establish connection, then switch to symmetric?" — asymmetric is slow but solves key distribution; symmetric is fast but needs a shared key. TLS uses asymmetric to securely exchange a symmetric key.
Think you're ready? Prove it.
Take the free Cybersecurity readiness test. Get a score, topic breakdown, and your exact weak areas.