Cryptography: AES, RSA & Hashing Guide (2026)
This is a PerfectNotes study guide, also known as PN Notes or Perfect Notes. PerfectNotes provides free computer science student notes, MCQs, and interview preparation guides at perfectnotes.org.
Key Takeaways
- Definition: Cryptography is the mathematical science of securing data, ensuring Confidentiality, Integrity, Authentication, and Non-repudiation.
- Three Pillars: Symmetric (AES-256: one shared key, fast), Asymmetric (RSA/ECC: key pairs), Hashing (SHA-256: one-way fingerprint).
- Hybrid Encryption = HTTPS: RSA securely exchanges an AES session key; AES encrypts all data. Over 98% of all web traffic is now encrypted via HTTPS. (Google, 2026)
- Salting kills Rainbow Tables: A random salt ensures two identical passwords produce completely different database hashes.
- The Quantum Threat: Shor's Algorithm can break RSA-2048 in hours. NIST standardised ML-KEM (Kyber) and ML-DSA in 2024. Q-Day predicted by 2030.
- The Flame Malware (2012): Exploited an MD5 hash collision to forge a Microsoft code-signing certificate, forcing the entire industry to abandon MD5 and SHA-1 overnight.
Cryptography is the mathematical foundation of all cybersecurity; without it, data travels as readable plaintext across the internet
Three types: Symmetric (AES: fast, one shared key), Asymmetric (RSA: key pairs, slower), Hashing (SHA-256: one-way fingerprint, irreversible)
Hybrid Encryption = HTTPS: RSA securely exchanges a session key, then AES encrypts all data; 98% of web traffic uses this pattern
Salting defeats Rainbow Tables: a unique random salt per user ensures identical passwords produce completely different stored hashes
Post-Quantum threat: Shor's Algorithm will break RSA; NIST standardized ML-KEM/Kyber (2024); Flame malware (2012) proved weak hashing is catastrophic
Introduction to Cryptography
In the digital age, cryptography is the mathematical foundation of all cybersecurity. Without it, your credit card numbers, private messages, and banking credentials would travel across the internet as plain, readable text, interceptable by anyone with a Wi-Fi adapter and free software tools like Wireshark. Every time you see the padlock icon in your browser, cryptography is silently protecting you.
Derived from the Greek words kryptos (hidden) and graphein (to write), cryptography is the art and science of secret writing. It transforms readable data into unreadable scrambled output, called ciphertext, so that only authorized parties possessing the correct digital "key" can restore and read it. A field historically reserved for wartime military communication (the Enigma machine, the Caesar Cipher), it is now embedded in every smartphone, banking transaction, and cloud backup on earth.
How Cryptography Works
At its core, encryption follows a strict, mathematical lifecycle to secure data in transit or at rest. The same mathematical process runs inside every HTTPS connection, every WhatsApp message, and every encrypted hard drive:
- Step 1 (The Plaintext): You start with readable data. For example, an email reading "Transfer $10,000 to Account 8472."
- Step 2 (The Cipher & The Key): The plaintext is fed into a cryptographic algorithm (the Cipher, e.g., AES) along with a randomized, secret string of bits (the Key, e.g., a 256-bit random sequence).
- Step 3 (Encryption): The algorithm mathematically scrambles the plaintext using the key's variables: Ciphertext = E_key(Plaintext). Even one bit change in the key produces completely different ciphertext (the Avalanche Effect).
- Step 4 (The Ciphertext): The output is a highly scrambled, unreadable block of data (e.g., "x8F9z!q2KmR#"). This ciphertext travels safely across the public internet; even if intercepted, it is mathematically useless without the key.
- Step 5 (Decryption): The authorized receiver uses the correct corresponding key to mathematically reverse the transformation, restoring the ciphertext to the original plaintext: Plaintext = D_key(Ciphertext).
Types of Cryptography
Modern cryptography is divided into three major technical pillars, each solving a completely different security problem. A real-world secure system, like HTTPS, uses all three simultaneously. Understanding the role of each is essential for the CISSP, CEH, and CompTIA Security+ certifications.
1. Symmetric Key Cryptography (The Fast Lock)
Symmetric cryptography uses a single shared secret key for both encryption and decryption. Alice and Bob must both possess the identical key. Alice encrypts the file; Bob uses the same key to decrypt it.
- The Standard: AES (Advanced Encryption Standard). AES-256 is the global benchmark used by the U.S. military, banks, and cloud providers to encrypt hard drives, VPN tunnels, and databases.
- Speed: Extremely fast. Modern CPUs include dedicated AES hardware instructions (AES-NI) enabling encryption at 10+ Gbps, far faster than any network connection.
- The Catch (Key Distribution Problem): You must find a secure way to give the key to the receiver before you can communicate. If the key is intercepted during transmission, all security is compromised.
2. Asymmetric Key Cryptography (The Dual Lock)
Also called Public-Key Cryptography, asymmetric encryption uses a mathematically linked key pair: a Public Key (freely shared with the world) and a Private Key (kept secretly by the owner, never shared with anyone).
- The Lock Analogy: The Public Key locks the data. Only the Private Key unlocks it. If Alice wants to send Bob a secret, she encrypts it with Bob's Public Key. Now only Bob's Private Key, which only Bob possesses, can decrypt it.
- The Standards: RSA (Rivest-Shamir-Adleman) based on prime factoring difficulty, and ECC (Elliptic Curve Cryptography) which achieves the same security with much shorter keys (256-bit ECC ≈ 3072-bit RSA).
- Solves Key Distribution: Because the Public Key is openly published, anyone can initiate a secure channel without pre-sharing a secret, the fundamental breakthrough that enabled the modern internet.
3. Hash Functions (The Digital Fingerprint)
Hashing is fundamentally different from encryption. It is a one-way mathematical function: it does not hide data; it creates a unique fixed-size fingerprint (hash) of the data to prove Integrity. You cannot reverse a hash to recover the original input.
- The Standard: SHA-256 (Secure Hash Algorithm 256-bit), which produces a 64-character hexadecimal digest. Used in HTTPS certificate signing, software download verification, and Bitcoin blockchain linking.
- The Avalanche Effect: Change a single character in a 1 GB file, and the SHA-256 hash changes completely: a completely different 64-character output with no resemblance to the original hash.
- Collision Resistance: A good hash function makes it computationally infeasible to engineer two different inputs that produce the same hash output. (MD5 and SHA-1 failed this test; they were broken.)
Symmetric vs. Asymmetric Encryption: Key Differences
Choosing between symmetric and asymmetric encryption is not a matter of preference; each has a specific role in a secure system, and they are almost always used together.
| Feature | Symmetric (e.g., AES-256) | Asymmetric (e.g., RSA-4096) |
|---|---|---|
| Keys Used | One shared secret key | Two linked keys (Public + Private pair) |
| Speed | Very fast, hardware-accelerated (AES-NI) | Slow, complex prime factoring math |
| Key Distribution | Difficult: key must be shared secretly in advance | Easy: Public Key is openly published |
| Primary Usage | Bulk data encryption: hard drives, VPN tunnels, databases | Key exchange, HTTPS handshakes, digital signatures |
| Key Size | Short: 128 / 192 / 256 bits | Long: 2048 / 4096 bits (RSA); 256 / 384 bits (ECC) |
| Quantum Vulnerability | Partially: key size must double (AES-256 stays safe) | Critically vulnerable: Shor's Algorithm breaks RSA/ECC |
Advanced Engineering Concepts
Enterprise cryptography requires combining the basic pillars into real-world secure channels, while simultaneously addressing the next generation of threats from quantum computing.
Hybrid Encryption (How HTTPS Actually Works)
Because RSA is too slow for streaming large files, and AES cannot safely exchange keys over the public internet, engineers combine them using Hybrid Encryption, the mechanism that powers every single HTTPS connection on earth:
Phase 1: TLS Handshake (Asymmetric RSA/ECDH), ~milliseconds
Your browser and the server use slow Asymmetric cryptography (RSA or ECDH) to securely negotiate and exchange a temporary Session Key. This key is generated fresh for every connection and discarded after the session ends.
Phase 2: Data Transfer (Symmetric AES-256), gigabits per second
Once both sides possess the symmetric Session Key, all actual data is encrypted at lightning speed using AES-256-GCM, thousands of times faster than RSA could manage.
Perfect Forward Secrecy (PFS): TLS 1.3 requirement
TLS 1.3 uses ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) for key exchange, generating a unique, temporary session key for every connection. Even if an attacker steals the server's private key in the future, they cannot retroactively decrypt old sessions.
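The two phases and the ephemeral key exchange described above, as an added example in Node.js (not code from this guide, and not a TLS implementation). It assumes X25519 for the ECDH step and HKDF-SHA256 to turn the shared secret into the AES-256-GCM session key; the function names and the HKDF label are hypothetical, and peer authentication via certificates is left out.

```javascript
const crypto = require('node:crypto');

// Each side makes a fresh (ephemeral) X25519 key pair for every session.
function newEphemeralKeyPair() {
  return crypto.generateKeyPairSync('x25519');
}

// Phase 1: ECDH shared secret, stretched by HKDF into a 256-bit session key.
// The info label is an assumption made for this example.
function deriveSessionKey(myPrivateKey, peerPublicKey) {
  const shared = crypto.diffieHellman({ privateKey: myPrivateKey, publicKey: peerPublicKey });
  const label = Buffer.from('example session key');
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), label, 32));
}

// Phase 2: bulk data under AES-256-GCM with a random 96-bit nonce per message.
function encrypt(sessionKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Decryption throws if the ciphertext or tag was modified in transit.
function decrypt(sessionKey, { iv, ciphertext, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

function sessionDemo() {
  const browser = newEphemeralKeyPair();
  const server = newEphemeralKeyPair();
  // Only public keys cross the wire; both sides derive the same session key.
  const browserKey = deriveSessionKey(browser.privateKey, server.publicKey);
  const serverKey = deriveSessionKey(server.privateKey, browser.publicKey);

  const message = encrypt(browserKey, 'Transfer $10,000 to Account 8472.');
  const received = decrypt(serverKey, message);

  // Flip one ciphertext bit: GCM authentication must reject it.
  const tampered = { ...message, ciphertext: Buffer.from(message.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;
  let tamperRejected = false;
  try { decrypt(serverKey, tampered); } catch { tamperRejected = true; }

  // A later session uses new ephemeral pairs, so its key is unrelated.
  const nextKey = deriveSessionKey(newEphemeralKeyPair().privateKey, newEphemeralKeyPair().publicKey);
  return {
    keysMatch: browserKey.equals(serverKey),
    received,
    tamperRejected,
    freshKeyDiffers: !nextKey.equals(browserKey),
  };
}

console.log(sessionDemo());
```

Because the private halves are discarded when the session ends, nothing stored on the server afterwards can rebuild `browserKey`, which is the forward-secrecy property.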
Cryptographic Salting & Secure Password Hashing
Storing passwords as plain text is a catastrophic failure. Even storing unsalted SHA-256 hashes is insecure: hackers use Rainbow Tables (massive pre-computed databases of millions of common password hashes) to instantly crack unsalted hashes. This is why modern authentication systems require salting and advanced key derivation functions.
To defeat this, engineers use Salting combined with purpose-built password hashing algorithms:
Secure Password Storage Formula:
// Step 1: Generate a unique 128-bit random salt per user
Salt = CSPRNG(128 bits)
// Step 2: Hash the password together with the salt (NOT just the password)
Hash = Argon2id( Password, Salt, memory=64MB, iterations=3 )
// Step 3: Store BOTH in the database
Database: { salt: "a3f8...", hash: "9b2c..." }
// Result: Two users with "password123" get completely different database hashes
// Rainbow Tables are useless: every hash is unique
Industry standard (2026): Argon2id (NIST recommended, winner of the Password Hashing Competition) or bcrypt (battle-tested, hardware-attack resistant). Never use raw SHA-256 or MD5 for password storage; they are designed for speed, not security.
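The storage formula above as runnable Node.js, added here as an example and not taken from this guide. scrypt from Node's built-in crypto module stands in for Argon2id (both are salted, memory-hard password hashes); the cost parameters, function names, and the three-entry lookup table are assumptions constructed for the demonstration.

```javascript
const crypto = require('node:crypto');

// scrypt cost parameters (assumed for this example): about 16 MiB per hash.
const KDF = { N: 16384, r: 8, p: 1 };

// Steps 1-3 of the formula: per-user random salt, slow hash, store both.
function hashPassword(password) {
  const salt = crypto.randomBytes(16); // 128-bit salt from the OS CSPRNG
  const hash = crypto.scryptSync(password, salt, 32, KDF);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Login check: recompute with the stored salt, compare in constant time.
function verifyPassword(password, record) {
  const expected = Buffer.from(record.hash, 'hex');
  const salt = Buffer.from(record.salt, 'hex');
  const actual = crypto.scryptSync(password, salt, expected.length, KDF);
  return crypto.timingSafeEqual(actual, expected);
}

// The insecure baseline the page warns about: fast, unsalted SHA-256.
function unsaltedSha256(password) {
  return crypto.createHash('sha256').update(password, 'utf8').digest('hex');
}

// A precomputed table maps hash -> password. Constructed sample input.
function buildLookupTable(candidates) {
  return new Map(candidates.map((p) => [unsaltedSha256(p), p]));
}

function passwordDemo() {
  const table = buildLookupTable(['123456', 'password123', 'qwerty']);
  const alice = hashPassword('password123');
  const bob = hashPassword('password123'); // same password, different user
  return {
    // An unsalted hash is found by a single table lookup.
    unsaltedRecovered: table.get(unsaltedSha256('password123')),
    // The salted record is not in any precomputed table.
    saltedRecovered: table.get(alice.hash),
    // Identical passwords no longer share a stored hash.
    sameHashForSamePassword: alice.hash === bob.hash,
    loginOk: verifyPassword('password123', alice),
    loginWrong: verifyPassword('password124', alice),
  };
}

console.log(passwordDemo());
```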
Post-Quantum Cryptography (PQC)
Modern Asymmetric cryptography (RSA, ECC) relies on the mathematical difficulty of factoring the products of massive prime numbers, a problem that takes classical computers billions of years. A sufficiently powerful quantum computer running Shor's Algorithm can factor these numbers in hours, breaking all RSA and ECC encryption.
In August 2024, NIST officially standardized three post-quantum algorithms: ML-KEM (FIPS 203, formerly Kyber, for key encapsulation), ML-DSA (FIPS 204, formerly Dilithium, for digital signatures), and SLH-DSA (FIPS 205, formerly SPHINCS+, for hash-based signatures). These are based on lattice mathematics and hash-based problems that quantum computers cannot efficiently solve.
Real-World Case Study: The Flame Malware MD5 Collision (2012)
The 2012 Flame cyber-espionage malware is the definitive case study in why cryptographic hashing standards must be continuously audited and upgraded: a single weak algorithm cost the entire industry its trust in software update integrity.
| Aspect | Details |
|---|---|
| The Incident | In 2012, the Flame espionage malware (a 20MB modular toolkit targeting Middle Eastern energy infrastructure) was discovered by Kaspersky Lab. It had been operating covertly for at least 2 years across Iran, Lebanon, Syria, Sudan, and Saudi Arabia, silently exfiltrating documents, screenshots, and audio recordings from government and oil industry systems. |
| Attack Vector | Microsoft continued using the deprecated MD5 hashing algorithm to sign Windows Update certificates (broken since 2004). Attackers executed a Chosen-Prefix MD5 Collision Attack, forging malware code that produced the exact same MD5 hash as a legitimate Microsoft certificate, making the malware appear as a trusted, signed Windows Update to every Windows machine worldwide. |
| The Impact | Because the hashes matched perfectly, every Windows machine treated the malware as a trusted, signed Microsoft Windows Update, bypassing antivirus software, enterprise firewalls, and all integrity checks. The malware spread via Windows Update infrastructure and local network Bluetooth/Wi-Fi scanning, successfully compromising air-gapped networks in 5 nations. |
| Financial Cost | Microsoft issued an emergency out-of-band patch within 4 days, the fastest in company history. Iran's oil ministry estimated data theft losses in the hundreds of millions of dollars. The industry-wide emergency migration from MD5/SHA-1 to SHA-256 cost enterprises globally an estimated $1+ billion in certificate re-issuance and PKI infrastructure upgrades. |
| Key Lesson | Flame forced the entire global tech industry to immediately deprecate MD5 and SHA-1 in certificate signing, migrating to the collision-resistant SHA-256. The lesson is absolute: when a hash algorithm shows theoretical weaknesses, even years before a production exploit, deprecate it immediately. Waiting costs nations and enterprises billions. |
Key Cryptography Statistics & Industry Data (2026)
These statistics reveal the scale of cryptography's role in modern digital infrastructure and the urgency of the quantum transition.
- HTTPS Adoption: Over 98% of all web page loads are now encrypted via HTTPS. (Source: Google Transparency Report, 2026)
- Q-Day Timeline: The majority of cryptographic experts predict "Q-Day" (quantum computers breaking RSA-2048) by 2030. (Source: NIST PQC Project Assessment, 2025)
- Password Cracking Speed: A modern GPU cluster can calculate over 100 billion MD5 hashes per second, making any unsalted MD5 password database trivially crackable in minutes. (Source: Hashcat benchmarks, 2026)
- PQC Market Size: The Post-Quantum Cryptography market is projected to grow from $285 million in 2023 to $6.98 billion by 2030. (Source: MarketsandMarkets, 2025)
- TLS 1.3 Adoption: 78% of HTTPS connections now use TLS 1.3 with mandatory Perfect Forward Secrecy, up from 43% in 2021. (Source: SSL Pulse, 2026)
Where Cryptography Is Applied
HTTPS & TLS (Web Security)
Every secure web connection uses hybrid encryption: Asymmetric RSA/ECDH to exchange an AES Session Key during the TLS handshake, then symmetric AES-256-GCM to encrypt all transmitted data.
Digital Signatures (Code & Document Signing)
Software publishers sign executables with their Private Key. Your OS verifies the signature using the publisher's Public Key, rejecting any software whose code was modified after signing (prevents Flame-style attacks).
Password Storage (Argon2id / bcrypt)
User passwords are never stored in plaintext or as reversible encrypted data. Databases store one-way hashes generated by Argon2id or bcrypt with a unique random salt per user.
Blockchain & Cryptocurrency
Bitcoin uses SHA-256 to cryptographically link transaction blocks together, while Elliptic Curve Digital Signatures (ECDSA) authorize every transaction, making the public ledger tamper-proof without a central authority.
Full Disk Encryption (BitLocker / FileVault)
Symmetric AES-256-XTS encrypts every byte on a hard drive. If the device is physically stolen, the data is mathematically inaccessible without the decryption key stored in the TPM chip.
End-to-End Encrypted Messaging (Signal / WhatsApp)
Uses the Signal Protocol (combining the Double Ratchet Algorithm and Curve25519 Diffie-Hellman) to generate unique encryption keys for every single message, so even a compromised server cannot decrypt past conversations.
Advantages of Cryptography
- Provides mathematical confidentiality: AES-256 would take billions of years to brute-force with current supercomputers, making interception practically useless
- Trust verification at scale: digital signatures allow anyone to mathematically verify software authenticity without trusting a central authority
- Tamper detection: SHA-256 hash verification instantly detects any modification to downloaded files, software updates, or transmitted messages
- Non-repudiation: digital signatures provide court-admissible proof that a specific private key holder signed a specific document at a specific time
- Enables the modern internet: without public-key cryptography, e-commerce, online banking, and private communication at global scale would be mathematically impossible
- Regulatory compliance: AES-256 and TLS 1.3 are required by PCI DSS (card data), HIPAA (health data), and GDPR (personal data protection) frameworks
Limitations & Challenges of Cryptography
- Key management complexity: generating, storing, rotating, and revoking cryptographic keys at enterprise scale (thousands of systems) is a massive operational challenge
- Lost keys mean lost data: if the decryption key to an AES-256 encrypted drive is lost with no backup, the data is gone forever; there is no mathematical backdoor
- Performance overhead: heavy SSL offloading and key negotiation during TLS handshakes consume CPU resources; high-traffic servers require dedicated crypto hardware accelerators
- Quantum vulnerability: RSA and ECC will be broken by quantum computers, requiring expensive, urgent migration of all legacy systems to post-quantum algorithms before Q-Day
Quick Reference Cheat Sheet
Bookmark this table: every cryptographic algorithm you need to know for 2026, rated for security status.
| Algorithm | Type | Primary Purpose | 2026 Security Status |
|---|---|---|---|
| AES-256 | Symmetric | Bulk data encryption: hard drives, VPN tunnels, databases | 🟢 Highly Secure (quantum-safe with 256-bit keys) |
| RSA-4096 | Asymmetric | Key exchange, digital signatures, HTTPS handshakes | 🟡 Secure now, transitioning to PQC by 2030 |
| SHA-256 | Hash Function | Data integrity verification, blockchain, code signing | 🟢 Highly Secure (industry standard) |
| Argon2id / bcrypt | Key Derivation | Secure password hashing with salting and memory hardness | 🟢 Highly Secure (NIST recommended for passwords) |
| ECC / ECDH | Asymmetric | Compact key exchange, TLS 1.3, mobile devices | 🟡 Secure now; quantum-vulnerable, transitioning |
| ML-KEM (Kyber) | Post-Quantum | Quantum-resistant key encapsulation (NIST FIPS 203) | 🟢 New Standard (replaces RSA key exchange) |
| MD5 / DES / SHA-1 | Legacy | Old systems only; should never be deployed in new code | 🔴 Cryptographically Broken / Obsolete |
Frequently Asked Questions (FAQ)
Q. What is the difference between Encryption and Hashing?
Q. Which is better: AES or RSA?
Q. What is "Salt" in cryptography?
Q. Is cryptography 100% secure?
Q. What are Digital Signatures?
Q. What is End-to-End Encryption (E2EE)?
Q. What happens when Quantum Computers break RSA?