Encryption and Hashing Basics

Encryption and hashing are the foundation of modern digital security. They protect data in transit and at rest, verify integrity, and enable secure communication over insecure networks. This guide covers the core concepts, algorithms, and real-world applications you need to understand.

1. Symmetric Encryption

Symmetric encryption uses a single shared key for both encryption and decryption. Both parties must possess the same secret key, which creates the fundamental challenge: how do you securely share the key in the first place?

How it works:

Plaintext + Key → [Encrypt] → Ciphertext
Ciphertext + Key → [Decrypt] → Plaintext

Advantages:

  • Very fast — suitable for encrypting large amounts of data.
  • Smaller key sizes compared to asymmetric encryption.
  • Well-suited for bulk data encryption (files, databases, network traffic).

Disadvantages:

  • Key distribution problem — both parties need the same key.
  • Does not scale well — n parties need n(n-1)/2 keys.
  • No non-repudiation: a MAC or AEAD tag proves a message came from someone holding the key, but because both parties hold the same key, neither can prove to a third party which of them sent it.

Common algorithms: AES, ChaCha20, 3DES (legacy), Blowfish (legacy).

2. Asymmetric Encryption

Asymmetric encryption uses a pair of keys: a public key for encryption and a private key for decryption. The public key can be freely distributed; only the private key must be kept secret.

How it works:

Plaintext + Public Key → [Encrypt] → Ciphertext
Ciphertext + Private Key → [Decrypt] → Plaintext

Advantages:

  • Solves the key distribution problem — public keys can be shared openly.
  • Enables digital signatures and non-repudiation.
  • Scales well — each party only needs one key pair.

Disadvantages:

  • Much slower than symmetric encryption (roughly 100–1000x per byte), so it is never used for bulk data.
  • Requires larger key sizes for equivalent security (RSA-3072 for 128-bit security, versus a 256-bit symmetric key).
  • RSA and ECC are broken by a large quantum computer running Shor's algorithm; symmetric ciphers and hashes only lose about half their security bits to Grover's algorithm, which is why AES-256 and SHA-256 remain acceptable.

In practice, asymmetric cryptography is used only to establish a symmetric session key (by a key agreement such as ECDHE, or, in older protocols, by RSA-encrypting a random key) and to authenticate the peer with a signature; the symmetric cipher then handles bulk data encryption. This hybrid design is how TLS works.

3. Common Encryption Algorithms

AES (Advanced Encryption Standard)

  • Type: Symmetric block cipher
  • Key sizes: 128, 192, or 256 bits
  • Block size: 128 bits
  • Modes: GCM (authenticated encryption; the default choice), CTR and CBC (confidentiality only; need a separate MAC, and CBC needs careful padding handling), ECB (never use: identical plaintext blocks produce identical ciphertext blocks, so patterns in the data survive encryption)
  • Used in: TLS, Wi-Fi (WPA2/WPA3), disk encryption (BitLocker, FileVault)
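The warning against ECB above is easiest to see by encrypting the same block more than once. The following is an added example, not code from this guide. Python's standard library has no AES, so a small 4-round Feistel network built from HMAC-SHA256 stands in as an assumed, illustrative 128-bit block cipher (it is not a real cipher and must not be deployed); ECB and CTR are then implemented generically over that block function, which is how the modes relate to AES in practice. It shows that ECB leaks which plaintext blocks repeat, that CTR hides the repetition, and that reusing a CTR nonce leaks the XOR of two plaintexts.

```python
import hashlib
import hmac

BLOCK = 16      # 128-bit blocks, the same size AES uses
ROUNDS = 4


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher: HMAC-SHA256 truncated to 8 bytes.
    # Assumed for illustration only; real systems use AES or ChaCha20.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with a 4-round Feistel network (a bijection)."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, xor_bytes(left, _round_function(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Invert block_encrypt by running the rounds backwards."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor_bytes(right, _round_function(key, rnd, left)), left
    return left + right


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("ECB needs input padded to a multiple of the block size")
    return (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block is encrypted independently, so equal plaintext blocks
    # always give equal ciphertext blocks. That is the leak.
    return b"".join(block_encrypt(key, b) for b in _blocks(plaintext))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in _blocks(ciphertext))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: encrypt (nonce || counter) to get a keystream and XOR it in.
    Encryption and decryption are the same call. The 8-byte nonce must never
    be reused under the same key. No padding is needed: the last keystream
    block is truncated by zip() to the length of the final partial block."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    out = bytearray()
    for counter, i in enumerate(range(0, len(data), BLOCK)):
        keystream = block_encrypt(key, nonce + counter.to_bytes(8, "big"))
        out += xor_bytes(data[i:i + BLOCK], keystream)
    return bytes(out)


def distinct_blocks(ciphertext: bytes) -> int:
    """Number of different 16-byte blocks in a ciphertext."""
    return len({ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)})


# Constructed sample input: one 16-byte block repeated four times.
KEY = b"\x01" * 32
NONCE = b"\x00" * 8
REPEATED = b"ATTACK AT DAWN!!" * 4

if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, REPEATED)
    ctr = ctr_crypt(KEY, NONCE, REPEATED)
    print("ECB distinct blocks:", distinct_blocks(ecb))   # 1: the repetition is visible
    print("CTR distinct blocks:", distinct_blocks(ctr))   # 4: the repetition is hidden
    # Nonce reuse: XOR of the two ciphertexts equals XOR of the two plaintexts.
    other = b"RETREAT AT NOON!" * 4
    leaked = xor_bytes(ctr, ctr_crypt(KEY, NONCE, other))
    print("nonce reuse leaks pt1 XOR pt2:", leaked == xor_bytes(REPEATED, other))
```

CTR here provides confidentiality only: a bit flipped in the ciphertext flips the same bit in the plaintext, which is why GCM adds an authentication tag on top of CTR, and why the nonce must be unique per message under a given key.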

RSA (Rivest-Shamir-Adleman)

  • Type: Asymmetric
  • Key sizes: 2048, 3072, or 4096 bits
  • Based on: Integer factorization problem
  • Used in: certificate and document signatures, TLS 1.2 key exchange (removed in TLS 1.3, which still accepts RSA signatures on certificates), email encryption (PGP)
  • Minimum recommended: 2048 bits (3072+ for long-term security)

ChaCha20-Poly1305

  • Type: Symmetric stream cipher with authenticated encryption
  • Key size: 256 bits
  • Designed by: Daniel J. Bernstein
  • Used in: TLS 1.3, WireGuard VPN, Google QUIC
  • Advantage: Faster than AES on devices without hardware AES acceleration

ECC (Elliptic Curve Cryptography)

  • Type: Asymmetric
  • Key sizes: 256, 384, or 521 bits
  • Advantage: Same security as RSA with much smaller keys
  • Curve P-256 provides equivalent security to RSA-3072
  • Used in: TLS 1.3, Bitcoin, modern PKI

4. Hashing Functions

A hash function takes an input of any size and produces a fixed-size output (the hash or digest). Hashes are one-way — you cannot reverse the process to recover the original input.

Properties of a good hash function:

  • Deterministic: Same input always produces the same output.
  • Fast to compute: Efficient for any input size (password hashes, below, are the deliberate exception).
  • Avalanche effect: A tiny change in input flips about half of the output bits.
  • Preimage resistant: Given a hash, it is infeasible to find any input that produces it (this is the one-way property).
  • Second-preimage resistant: Given an input, it is infeasible to find a different input with the same hash.
  • Collision resistant: It is infeasible to find any two inputs with the same hash. This is the property MD5 and SHA-1 have lost.
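The properties above can be measured rather than taken on faith. The following added example (not code from this guide) checks SHA-256 from Python's standard library against the standard's "abc" test vector, shows that the output length is fixed, measures the avalanche effect by flipping single input bits, and finishes with the streaming, constant-time integrity check a practitioner actually uses for downloaded files. The 1 MB input and the "file" contents are constructed for the demo.

```python
import hashlib
import hmac
import io


def sha256_hex(data: bytes) -> str:
    """Fixed 64-hex-character (256-bit) digest, whatever the input length."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_distance(data: bytes, bit_index: int) -> int:
    """Flip one input bit and count how many of the 256 output bits change.
    A good hash changes about half of them (128) no matter which bit."""
    flipped = bytearray(data)
    flipped[bit_index // 8] ^= 1 << (bit_index % 8)
    return bit_difference(hashlib.sha256(data).digest(),
                          hashlib.sha256(bytes(flipped)).digest())


def mean_avalanche(data: bytes) -> float:
    """Average avalanche distance over every bit position of the input."""
    total_bits = len(data) * 8
    return sum(avalanche_distance(data, i) for i in range(total_bits)) / total_bits


def sha256_stream(stream, chunk_size: int = 1 << 16) -> str:
    """Hash a file-like object in chunks: constant memory even for huge files."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_integrity(stream, expected_hex: str) -> bool:
    """Recompute the digest and compare it with the published one in constant time.
    A bare digest only detects tampering if it reached you over a trusted channel
    or is itself signed; whoever can replace the file can replace an unprotected
    checksum next to it."""
    return hmac.compare_digest(sha256_stream(stream), expected_hex.lower())


def verify_bytes(data: bytes, expected_hex: str) -> bool:
    """Same check for in-memory data (the constructed 'file' in this demo)."""
    return verify_integrity(io.BytesIO(data), expected_hex)


# Known SHA-256 test vector (FIPS 180-2 example) for the input "abc".
ABC_DIGEST = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    print("sha256('abc') matches the standard's vector:", sha256_hex(b"abc") == ABC_DIGEST)
    print("digest length for a 1 MB input:", len(sha256_hex(b"x" * 1_000_000)), "hex chars")
    print("bits changed by flipping input bit 0:", avalanche_distance(b"abc", 0), "of 256")
    print("mean over all 24 input bits of 'abc': %.1f" % mean_avalanche(b"abc"))
    print("constructed file verifies:", verify_bytes(b"abc", ABC_DIGEST))
```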

MD5 (Message Digest 5)

  • Output: 128 bits
  • Status: Broken — collisions can be generated in seconds
  • Use: Detecting accidental corruption only; never for signatures, certificates, or any input an attacker can influence

SHA-1 (Secure Hash Algorithm 1)

  • Output: 160 bits
  • Status: Deprecated — collision demonstrated in 2017 (SHAttered)
  • Use: Legacy systems only; migrate to SHA-256

SHA-256

  • Output: 256 bits
  • Status: Secure
  • Used in: TLS, Bitcoin, digital signatures, certificate fingerprints

bcrypt / scrypt / Argon2

  • Purpose: Password hashing (deliberately slow, with salting)
  • bcrypt: Adaptive cost factor, 60-character output; silently truncates passwords at 72 bytes, so reject or pre-hash longer inputs
  • scrypt: Memory-hard, with tunable CPU and memory cost
  • Argon2: Winner of the Password Hashing Competition (2015), memory-hard; use the Argon2id variant
  • Use: Always one of these, with a random per-password salt, for password storage (PBKDF2 with a high iteration count is the fallback where nothing else is available); never raw SHA-256, which a GPU can evaluate billions of times per second

5. Digital Signatures

A digital signature combines hashing with an asymmetric private-key operation to provide authentication, integrity, and non-repudiation: only the holder of the private key could have produced it, and anyone with the public key can check it.

Signing process:

1. Hash the message: digest = SHA-256(message)
2. Sign the digest with the private key: signature = Sign(privateKey, digest). For RSA this is a modular exponentiation with the private exponent over a padded digest (RSA-PSS today, PKCS#1 v1.5 in older systems). This step is often described as "encrypting the hash with the private key", but that is only literally true of unpadded textbook RSA; ECDSA and Ed25519 are not encryption operations at all.
3. Send: message + signature

Verification process:

1. Hash the received message: digest = SHA-256(message)
2. Run the public-key operation: Verify(publicKey, digest, signature). For RSA this recovers the padded digest with the public exponent and compares it; for ECDSA and EdDSA it checks an equation on the curve.
3. Result: valid only if the digest matches; any change to the message or to the signature makes verification fail.

Common algorithms: RSA with SHA-256 (RSA-PSS preferred over PKCS#1 v1.5), ECDSA (P-256), EdDSA (Ed25519). Ed25519 is increasingly preferred: it is fast, produces 64-byte signatures, is designed for constant-time implementation, and is deterministic, so there is no per-signature random nonce to get wrong (an ECDSA nonce that is reused or biased leaks the private key). Note that Ed25519 hashes the message internally, so there is no separate SHA-256 step.

Used in: TLS certificates, code signing, email (S/MIME), document signing, SSH, Git commit signing.

6. TLS/SSL

TLS (Transport Layer Security) is the protocol that secures HTTPS, email (STARTTLS), and many other network protocols. SSL (Secure Sockets Layer) is the deprecated predecessor, and TLS 1.0 and 1.1 are deprecated as well (RFC 8996). Always use TLS 1.2 or 1.3.

TLS 1.3 handshake (simplified; braces mark messages already encrypted with handshake keys):

Client                                        Server
  |--- ClientHello (ciphers, ECDHE key_share) -->|
  |<-- ServerHello (ECDHE key_share) ------------|
  |<-- {EncryptedExtensions, Certificate,        |
  |     CertificateVerify, Finished} ------------|
  |--- {Finished} ------------------------------>|
  |<========== Encrypted application data ======>|

Both sides send their ephemeral key share in the first flight, so the shared secret exists after one round trip; the server's CertificateVerify signature over the transcript is what authenticates it.

Key improvements in TLS 1.3:

  • 1-RTT handshake (vs 2-RTT in TLS 1.2): the client's key share travels in the ClientHello
  • 0-RTT resumption for returning clients (early data is replayable, so use it only for idempotent requests)
  • Removed weak options: RSA and static DH key exchange, CBC-mode and other non-AEAD cipher suites, RC4, 3DES, MD5 and SHA-1 signatures, compression, and renegotiation
  • Forward secrecy by default (ephemeral (EC)DHE key exchange only)
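Enforcing "TLS 1.2 or 1.3 only" on the client side, as an added example that is not from this guide. It uses Python's standard ssl module; the policy values are the author's assumptions for a hardened client, and the live connection helper needs network access, so only the context summary is exercised offline.

```python
import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3/TLS 1.0/1.1 and always verifies the server."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, hostname check, system CA store
    # Newer Python versions already default to 1.2, but pin it explicitly so the
    # policy does not depend on the interpreter or OpenSSL build in use.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain-data summary of the policy, handy for asserting it in a test suite."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "tls13_available": ssl.HAS_TLSv1_3,
    }


def negotiated_parameters(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Connect and report the (protocol version, cipher suite) the server agreed to.
    Needs network access; a server stuck on TLS 1.0/1.1 fails the handshake here."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print(describe_context(hardened_client_context()))
```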

7. Real-World Use Cases

Use Case          | Algorithm Type          | Specific Algorithm           | Why
------------------+-------------------------+------------------------------+-----------------------------------------------------------
Website HTTPS     | Symmetric + Asymmetric  | AES-256-GCM + ECDHE          | Fast bulk encryption + forward-secret key exchange; certificate signed with RSA or ECDSA
Password storage  | Hashing                 | Argon2id or bcrypt           | Slow, salted, memory-hard
Email encryption  | Asymmetric (hybrid)     | RSA-3072 or ECC              | Sender needs only the recipient's public key; the body is encrypted with a per-message symmetric key
File integrity    | Hashing                 | SHA-256                      | Fast verification; detects tampering only if the digest is published out of band or signed
Code signing      | Digital signature       | ECDSA or Ed25519             | Authenticity + integrity
Disk encryption   | Symmetric               | AES-256-XTS                  | Fast random access, strong security
VPN tunnels       | Symmetric + DH          | ChaCha20-Poly1305 + X25519   | Fast on mobile, perfect forward secrecy
Blockchain        | Hashing + Signature     | SHA-256 + ECDSA              | Immutable ledger, transaction signing

8. Algorithm Comparison Table

Algorithm  | Type          | Key/Output Size  | Speed            | Security Level                        | Status
-----------+---------------+------------------+------------------+---------------------------------------+---------------
AES-256    | Symmetric     | 256-bit key      | Very fast        | 256-bit (128-bit against Grover)      | Secure
ChaCha20   | Symmetric     | 256-bit key      | Very fast        | 256-bit (128-bit against Grover)      | Secure
3DES       | Symmetric     | 168-bit key      | Slow             | 112-bit; 64-bit block (Sweet32)       | Deprecated
RSA-3072   | Asymmetric    | 3072-bit key     | Slow             | 128-bit                               | Secure
ECC P-256  | Asymmetric    | 256-bit key      | Moderate         | 128-bit                               | Secure
Ed25519    | Signature     | 256-bit key      | Fast             | 128-bit                               | Secure
MD5        | Hash          | 128-bit output   | Very fast        | Collisions trivial                    | Do not use
SHA-1      | Hash          | 160-bit output   | Fast             | Collisions practical (2017)           | Deprecated
SHA-256    | Hash          | 256-bit output   | Fast             | 128-bit collision, 256-bit preimage   | Secure
Argon2id   | Password hash | Configurable     | Slow (by design) | Configurable                          | Recommended

Security level is the classical work factor in bits; the quantum figures for the symmetric ciphers assume Grover's algorithm, and RSA/ECC have no quantum-resistant entry because Shor's algorithm breaks them outright.