Public Key Cryptography
- Shared symmetric keys
- A common secret value used by two parties for symmetric encryption.
- One-way function
- A function that is easy to compute but hard to reverse.
- Trapdoor function
- A one-way function that is easy to invert only with special secret knowledge.
- Public-key algorithm
- A cryptographic algorithm that uses paired public and private keys.
- Asymmetric cryptography
- Another term for public key cryptography.
- Public key
- The openly shared key used for encryption or signature verification.
- Private key
- The secret key used for decryption or signing.
- Factoring
- The problem of finding the prime factors of a composite number; basis of RSA.
- Discrete logarithms
- The problem of finding the exponent in modular arithmetic; basis of Diffie–Hellman and ECC.
- RSA
- A public key system based on factoring, used for encryption and digital signatures. Larger key sizes are needed as computing power grows.
- ECC
- Elliptic-curve cryptography, based on discrete logarithms over elliptic curves.
Diffie–Hellman and Hybrid Systems
- Diffie–Hellman Key Exchange
- A protocol that allows two parties to establish a shared secret over an insecure channel.
- Hybrid cryptosystem
- Combines public key methods for key exchange with symmetric ciphers for encrypting data.
- Forward secrecy
- Ensures past session keys remain secure even if long-term keys are later compromised. Usually provided by ephemeral Diffie–Hellman key exchange, where the D-H public/private keys are generated fresh for each session and discarded afterward.
- Long-term key
- A cryptographic key pair intended for extended use (months or years), typically bound to an identity and used for tasks like authentication or signing.
- Ephemeral key
- A short-lived asymmetric key generated for a single protocol run (e.g., in Diffie–Hellman). It is discarded afterward to provide forward secrecy.
- Session key
- A temporary symmetric key derived during a protocol run, used to encrypt and authenticate traffic in one communication session.
Hash Functions and Integrity
- Cryptographic hash function
- Maps input data to a fixed-length digest in a way that is hard to reverse.
- Message digest
- The fixed-size output of a hash function; sometimes we just call it a hash.
- Preimage resistance
- Hard to find an input that hashes to a given output.
- Second preimage resistance
- Hard to find a different input that produces the same hash as a specific given input.
- Collision resistance
- Hard to find two different inputs that produce the same hash.
- Avalanche effect
- A small change in input causes a large, unpredictable change in the hash output.
- Uniformity
- Property that hash outputs are evenly distributed across the entire output space.
- Pigeonhole principle
- Explains why collisions must exist since many inputs map to fewer outputs.
- Birthday paradox
- Shows collisions are easier to find than expected; probability rises quickly with more inputs.
- SHA-1, SHA-2 (SHA-256, SHA-512), SHA-3
- Major standardized cryptographic hash functions.
Integrity: MACs and Digital Signatures
- Message authentication code (MAC)
- A keyed hash value used to ensure message integrity.
- HMAC
- A MAC constructed from a hash function and a secret key.
- CBC-MAC / CMAC
- MACs built from block cipher modes.
- Digital signature
- A value computed with a private key that proves the origin and integrity of data.
- Signing
- Creating a digital signature with a private key.
- Verification (Validation)
- Checking a digital signature using the corresponding public key.
- Non-repudiation
- Assurance that a signer cannot later deny creating a valid digital signature.
Authentication and Trust
- Digital certificates (X.509)
- Certificates that bind a public key to an identity such as a domain name.
- Certification Authority (CA)
- A trusted entity that issues and signs digital certificates.
- Trust store
- A system-maintained collection of trusted root certificates.
- Certificate chain
- A sequence of certificates from the server’s certificate up to a trusted root CA, used to validate authenticity.
Quantum and Post-Quantum
- Quantum computing threat
- The possibility that future quantum computers could break today’s public key systems.
- Shor’s algorithm
- A quantum algorithm that efficiently solves factoring and discrete logarithm problems.
- Grover’s algorithm
- A quantum algorithm that speeds up brute-force search, reducing effective key sizes.
- Post-quantum cryptography (PQC)
- New classical cryptosystems designed to resist both classical and quantum attacks.
TLS and Secure Communication
- TLS (Transport Layer Security)
- A protocol that provides secure communication over the internet using authentication, encryption, and integrity checks.
- TLS Handshake
- The process by which client and server agree on protocol versions, negotiate cryptographic algorithms, authenticate the server (and optionally client), and establish shared session keys.
- Handshake transcript
- The record of all handshake messages exchanged; used in signature and MAC calculations to prevent tampering.
- ServerHello / ClientHello
- Initial handshake messages where both sides advertise supported versions, cipher suites, and options.
- Cipher suite
- A named set of algorithms specifying key exchange, encryption, and authentication methods used in a TLS session.
- HKDF (HMAC-based Key Derivation Function)
- A standardized function that uses HMAC to derive multiple cryptographic keys from a shared secret, widely used in TLS to expand ephemeral secrets into session keys.
- AEAD (Authenticated Encryption with Associated Data)
- An encryption mode (e.g., AES-GCM, ChaCha20-Poly1305) that ensures both confidentiality and integrity while also authenticating associated unencrypted data like headers.
- Authentication tag
- A short value (MAC) included with each encrypted TLS record to confirm data integrity and authenticity.