Encryption and Hashing Basics
Encryption and hashing are the foundation of modern digital security. They protect data in transit and at rest, verify integrity, and enable secure communication over insecure networks. This guide covers the core concepts, algorithms, and real-world applications you need to understand.
1. Symmetric Encryption
Symmetric encryption uses a single shared key for both encryption and decryption. Both parties must possess the same secret key, which creates the fundamental challenge: how do you securely share the key in the first place?
How it works:
Plaintext + Key → [Encrypt] → Ciphertext
Ciphertext + Key → [Decrypt] → Plaintext
Advantages:
- Very fast — suitable for encrypting large amounts of data.
- Smaller key sizes compared to asymmetric encryption.
- Well-suited for bulk data encryption (files, databases, network traffic).
Disadvantages:
- Key distribution problem — both parties need the same key.
- Does not scale well — n parties need n(n-1)/2 keys.
- No built-in authentication or non-repudiation.
Common algorithms: AES, ChaCha20, 3DES (legacy), Blowfish (legacy).
2. Asymmetric Encryption
Asymmetric encryption uses a pair of keys: a public key for encryption and a private key for decryption. The public key can be freely distributed; only the private key must be kept secret.
How it works:
Plaintext + Public Key → [Encrypt] → Ciphertext
Ciphertext + Private Key → [Decrypt] → Plaintext
Advantages:
- Solves the key distribution problem — public keys can be shared openly.
- Enables digital signatures and non-repudiation.
- Scales well — each party only needs one key pair.
Disadvantages:
- Much slower than symmetric encryption (100–1000x).
- Requires larger key sizes for equivalent security.
- Vulnerable to quantum computing attacks (for RSA and ECC).
In practice, asymmetric encryption is used to exchange symmetric keys, which then handle bulk data encryption. This hybrid approach is how TLS/SSL works.
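As an added example (not code from the original guide) of the hybrid approach just described, the Go program below uses an ephemeral X25519 agreement only to establish the symmetric key and lets AES-256-GCM do the bulk encryption. It assumes Go 1.20 or later for crypto/ecdh and, as a labelled simplification, uses SHA-256 in place of a proper key-derivation function such as HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveAEAD: X25519 agreement, then the shared secret becomes an AES-256-GCM
// key. Assumed simplification: SHA-256 stands in for a real KDF such as HKDF.
func deriveAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(shared) // 32 bytes -> AES-256 key
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// HybridEncrypt: the asymmetric step (ephemeral X25519) only agrees the symmetric
// key; AES-256-GCM encrypts the bulk data. Output: ephPub(32) | nonce(12) | ct+tag.
func HybridEncrypt(recipientPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	gcm, err := deriveAEAD(eph, recipientPub)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	out := append(eph.PublicKey().Bytes(), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// HybridDecrypt: only the recipient's private key recomputes the shared secret,
// and GCM's authentication tag rejects any tampered ciphertext.
func HybridDecrypt(recipientPriv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) < 44 { return nil, errors.New("message too short") }
	ephPub, err := ecdh.X25519().NewPublicKey(msg[:32])
	if err != nil { return nil, err }
	gcm, err := deriveAEAD(recipientPriv, ephPub)
	if err != nil { return nil, err }
	return gcm.Open(nil, msg[32:44], msg[44:], nil)
}
```

Because the nonce and the sender's ephemeral key travel with the message, every encryption produces a different ciphertext even for identical plaintext.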
3. Common Encryption Algorithms
AES (Advanced Encryption Standard)
- Type: Symmetric block cipher
- Key sizes: 128, 192, or 256 bits
- Block size: 128 bits
- Modes: CBC, GCM, CTR, ECB (avoid ECB)
- Used in: TLS, Wi-Fi (WPA2/WPA3), disk encryption (BitLocker, FileVault)
RSA (Rivest-Shamir-Adleman)
- Type: Asymmetric
- Key sizes: 2048, 3072, or 4096 bits
- Based on: Integer factorization problem
- Used in: TLS key exchange, digital signatures, email encryption (PGP)
- Minimum recommended: 2048 bits (3072+ for long-term security)
ChaCha20-Poly1305
- Type: Symmetric stream cipher with authenticated encryption
- Key size: 256 bits
- Designed by: Daniel J. Bernstein
- Used in: TLS 1.3, WireGuard VPN, Google QUIC
- Advantage: Faster than AES on devices without hardware AES acceleration
ECC (Elliptic Curve Cryptography)
- Type: Asymmetric
- Key sizes: 256, 384, or 521 bits
- Advantage: Same security as RSA with much smaller keys
- Curve P-256 provides equivalent security to RSA-3072
- Used in: TLS 1.3, Bitcoin, modern PKI
4. Hashing Functions
A hash function takes an input of any size and produces a fixed-size output (the hash or digest). Hashes are one-way — you cannot reverse the process to recover the original input.
Properties of a good hash function:
- Deterministic: Same input always produces the same output.
- Fast to compute: Efficient for any input size.
- Avalanche effect: A tiny change in input drastically changes the output.
- Collision resistant: It is computationally infeasible to find two inputs with the same hash.
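The Go program below, added here rather than taken from the guide, measures two of these properties on SHA-256 with a constructed input: it counts how many digest bits flip after a one-bit change (the avalanche effect) and shows the file-integrity check as a verifier would write it, with a constant-time comparison so the check itself is not a timing side channel.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Digest returns the SHA-256 hash of data: always 32 bytes, whatever the input size,
// and the same bytes every time for the same input (deterministic).
func Digest(data []byte) [32]byte { return sha256.Sum256(data) }

// BitDifference counts how many of the 256 digest bits differ between the hashes
// of a and b. Avalanche effect: about 128 even when a and b differ in one bit.
func BitDifference(a, b []byte) int {
	ha, hb := sha256.Sum256(a), sha256.Sum256(b)
	n := 0
	for i := range ha {
		n += bits.OnesCount8(ha[i] ^ hb[i])
	}
	return n
}

// VerifyIntegrity is the tamper-detection use case: recompute the digest of the
// received data and compare it with the expected one in constant time, so the
// comparison leaks no timing information about where a mismatch occurs.
func VerifyIntegrity(data []byte, expected [32]byte) bool {
	actual := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(actual[:], expected[:]) == 1
}

func main() {
	original := []byte("constructed sample: transfer 100 EUR to account 42")
	flipped := append([]byte(nil), original...)
	flipped[len(flipped)-1] ^= 0x01 // flip a single bit in the last byte ('2' -> '3')
	d := Digest(original)
	fmt.Println("digest:", hex.EncodeToString(d[:]))
	fmt.Printf("bits changed by a 1-bit edit: %d of 256\n", BitDifference(original, flipped))
	fmt.Println("original verifies:", VerifyIntegrity(original, d))
	fmt.Println("tampered verifies:", VerifyIntegrity(flipped, d))
}
```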
MD5 (Message Digest 5)
- Output: 128 bits
- Status: Broken — collisions can be generated in seconds
- Use: File checksums only (not for security)
SHA-1 (Secure Hash Algorithm 1)
- Output: 160 bits
- Status: Deprecated — collision demonstrated in 2017 (SHAttered)
- Use: Legacy systems only; migrate to SHA-256
SHA-256
- Output: 256 bits
- Status: Secure
- Used in: TLS, Bitcoin, digital signatures, certificate fingerprints
bcrypt / scrypt / Argon2
- Purpose: Password hashing (deliberately slow, with salting)
- bcrypt: Adaptive cost factor, 60-character output
- Argon2: Winner of Password Hashing Competition (2015), memory-hard
- Use: Always use one of these for password storage, never raw SHA-256
5. Digital Signatures
A digital signature combines hashing and asymmetric encryption to provide authentication, integrity, and non-repudiation.
Signing process:
1. Hash the message: digest = SHA-256(message)
2. Encrypt the hash with private key: signature = RSA_Encrypt(digest, privateKey)
3. Send: message + signature
Verification process:
1. Decrypt the signature with public key: digest1 = RSA_Decrypt(signature, publicKey)
2. Hash the received message: digest2 = SHA-256(message)
3. Compare: digest1 == digest2 → valid
Common algorithms: RSA-SHA256, ECDSA (P-256), EdDSA (Ed25519). Ed25519 is increasingly preferred for its speed, small signatures, and resistance to side-channel attacks.
Used in: TLS certificates, code signing, email (S/MIME), document signing, SSH, Git commit signing.
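An added example (not from the original guide) that carries the signing and verification steps above through in Go's standard library: RSA-SHA256 follows the hash-then-sign steps literally, and the same constructed message is also signed with Ed25519 for comparison. The key sizes, function names and sample message are assumptions.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignRSA follows the signing steps above: digest = SHA-256(message), then the
// digest is signed with the private key (RSASSA-PKCS1-v1_5 padding, "RSA-SHA256").
func SignRSA(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyRSA re-hashes the received message (digest2); the library recovers the
// signed digest (digest1) with the public key and checks that the two match.
func VerifyRSA(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// Demo generates fresh keys, signs a constructed message with RSA-SHA256 and
// Ed25519, and reports whether each verifies for the original and a tampered copy.
func Demo() (rsaOK, rsaTampered, edOK, edTampered bool, err error) {
	msg := []byte("constructed sample: release 1.2.3 approved for deployment")
	tampered := append([]byte("R"), msg[1:]...) // one byte changed
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	sig, err := SignRSA(rsaKey, msg)
	if err != nil { return }
	rsaOK = VerifyRSA(&rsaKey.PublicKey, msg, sig)
	rsaTampered = VerifyRSA(&rsaKey.PublicKey, tampered, sig)
	// Ed25519 hashes internally (SHA-512), so it takes the whole message rather
	// than a caller-supplied digest; keys are 32 bytes and signatures 64 bytes.
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return }
	edSig := ed25519.Sign(edPriv, msg)
	edOK = ed25519.Verify(edPub, msg, edSig)
	edTampered = ed25519.Verify(edPub, tampered, edSig)
	return
}

func main() {
	fmt.Println(Demo()) // expected: true false true false <nil>
}
```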
6. TLS/SSL
TLS (Transport Layer Security) is the protocol that secures HTTPS, email (STARTTLS), and many other network protocols. SSL (Secure Sockets Layer) is the deprecated predecessor — always use TLS 1.2 or 1.3.
TLS 1.3 handshake (simplified):
Client                                   Server
|--- ClientHello (supported ciphers) -->|
|<-- ServerHello + Certificate + Done --|
|--- Key Exchange (ECDHE) + Finished -->|
|<------------- Finished ---------------|
|<========== Encrypted Data ===========|
Key improvements in TLS 1.3:
- 1-RTT handshake (vs 2-RTT in TLS 1.2)
- 0-RTT resumption for returning clients
- Removed weak ciphers (RSA key exchange, CBC modes, SHA-1)
- Forward secrecy by default (ephemeral key exchange only)
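As an added example (not part of the original guide), the Go snippet below turns the "removed weak ciphers" list into a check a defender can run over a configuration: AuditSuite flags RSA key exchange, CBC mode and SHA-1 suites by name, HardenedConfig shows the corrected setting with a TLS 1.2 floor and only ECDHE+AEAD suites, and WeakSuites reports findings for any tls.Config. The function names and the classification rules are assumptions of this example, not a Go API.

```go
package main

import (
	"crypto/tls"
	"strings"
)

// AuditSuite classifies a cipher suite ID against the TLS 1.3 bar described above:
// forward-secret key exchange and an AEAD cipher, with no RSA key exchange, CBC or SHA-1.
func AuditSuite(id uint16) string {
	name := tls.CipherSuiteName(id) // "0x%04X" for IDs Go does not know
	switch {
	case strings.HasPrefix(name, "TLS_AES_") || strings.HasPrefix(name, "TLS_CHACHA20_"):
		return "ok: TLS 1.3 AEAD suite"
	case strings.HasPrefix(name, "TLS_RSA_"):
		return "weak: RSA key exchange (no forward secrecy)"
	case strings.Contains(name, "_CBC_"):
		return "weak: CBC mode"
	case strings.HasSuffix(name, "_SHA"):
		return "weak: SHA-1 MAC"
	case strings.HasPrefix(name, "TLS_ECDHE_") && (strings.Contains(name, "_GCM_") || strings.Contains(name, "_CHACHA20_")):
		return "ok: ECDHE + AEAD"
	}
	return "review: " + name
}

// HardenedConfig: the corrected setting. TLS 1.2 floor (so TLS 1.3 is negotiated
// whenever both sides support it), only ECDHE+AEAD suites for TLS 1.2, and
// X25519/P-256 for the ephemeral key exchange. Go's TLS 1.3 suites are fixed and all AEAD.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// WeakSuites lists audit findings for the TLS 1.2 suites a config allows.
func WeakSuites(cfg *tls.Config) (findings []string) {
	for _, id := range cfg.CipherSuites {
		if v := AuditSuite(id); strings.HasPrefix(v, "weak") {
			findings = append(findings, tls.CipherSuiteName(id)+" -> "+v)
		}
	}
	return findings
}
```

A legacy config such as `&tls.Config{MinVersion: tls.VersionTLS10, CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}}` produces one finding from WeakSuites, while HardenedConfig produces none.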
7. Real-World Use Cases
| Use Case | Algorithm Type | Specific Algorithm | Why |
|---|---|---|---|
| Website HTTPS | Symmetric + Asymmetric | AES-256-GCM + ECDHE | Fast bulk encryption + secure key exchange |
| Password storage | Hashing | Argon2id or bcrypt | Slow, salted, memory-hard |
| Email encryption | Asymmetric | RSA-3072 or ECC | Sender needs only the recipient's public key |
| File integrity | Hashing | SHA-256 | Fast verification, tamper detection |
| Code signing | Digital signature | ECDSA or Ed25519 | Authenticity + integrity |
| Disk encryption | Symmetric | AES-256-XTS | Fast random access, strong security |
| VPN tunnels | Symmetric + DH | ChaCha20 + X25519 | Fast on mobile, perfect forward secrecy |
| Blockchain | Hashing + Signature | SHA-256 + ECDSA | Immutable ledger, transaction signing |
8. Algorithm Comparison Table
| Algorithm | Type | Key/Output Size | Speed | Security Level | Status |
|---|---|---|---|---|---|
| AES-256 | Symmetric | 256-bit key | Very fast | 128-bit | Secure |
| ChaCha20 | Symmetric | 256-bit key | Very fast | 128-bit | Secure |
| 3DES | Symmetric | 168-bit key | Slow | 112-bit | Deprecated |
| RSA-3072 | Asymmetric | 3072-bit key | Slow | 128-bit | Secure |
| ECC P-256 | Asymmetric | 256-bit key | Moderate | 128-bit | Secure |
| Ed25519 | Signature | 256-bit key | Fast | 128-bit | Secure |
| MD5 | Hash | 128-bit output | Very fast | Broken | Do not use |
| SHA-1 | Hash | 160-bit output | Fast | Broken | Deprecated |
| SHA-256 | Hash | 256-bit output | Fast | 128-bit | Secure |
| Argon2id | Password hash | Configurable | Slow (by design) | Configurable | Recommended |