Cryptography Basics — Encryption, Hashing, and PKI for Beginners

What Is Cryptography and Why Does It Matter?

NIST SP 800-175B (Guideline for Using Cryptographic Standards) defines cryptography as the discipline that embodies the principles, means, and methods for transforming data to hide its semantic content, prevent unauthorised use, or prevent undetected modification. FIPS 140-3 establishes the security requirements for cryptographic modules used to protect sensitive information across government and industry systems.

Cryptography basics are the foundation of how we keep data private, verify identity, and prove that information has not been tampered with. Every time you see a padlock icon in your browser, send a message on Signal, or log into your bank, cryptography is working behind the scenes.

If you are switching into cybersecurity from a non-IT background, cryptography can sound intimidating — words like “asymmetric key exchange” and “SHA-256 hash digest” feel like they belong in a university maths course. But the core ideas are surprisingly intuitive once you see them through the right lens.

I remember the moment cryptography clicked for me. I was studying for Security+ and kept getting confused by symmetric versus asymmetric encryption. Then I thought about it like house keys: symmetric encryption is like giving your friend a copy of your house key — you both have the same key. Asymmetric encryption is like a locked mailbox — anyone can drop a letter in through the slot (public key), but only you have the key to open the box and read it (private key). That analogy stuck, and suddenly the whole topic became manageable.

Certification objective: CompTIA Security+ SY0-701 covers cryptographic concepts including symmetric/asymmetric encryption, hashing, digital signatures, PKI, and certificate management across multiple exam domains.

What Do Real-World Cryptographic Failures Look Like?

The OWASP Top 10 (2021) ranks Cryptographic Failures (A02) as the second most critical web application security risk, covering scenarios where sensitive data is exposed due to weak or missing encryption, improper key management, or the use of deprecated algorithms.

Cryptography is not abstract theory. It solves specific security problems that affect every organisation and individual.

Problem	What goes wrong without cryptography	Cryptographic solution
Eavesdropping	Attackers read your data in transit (passwords, emails, financial data)	Encryption scrambles data so only authorised parties can read it
Data tampering	Someone modifies a file, message, or transaction without detection	Hashing creates a unique fingerprint that changes if the data changes
Identity fraud	You cannot verify who sent a message or signed a document	Digital signatures prove authorship and detect tampering
Man-in-the-middle attacks	An attacker intercepts communication between two parties	TLS/SSL certificates verify server identity before exchanging data
Password storage	If a database is breached, all passwords are exposed in plain text	Hashing with salt stores passwords so even the database owner cannot read them
Regulatory compliance	Failing to encrypt sensitive data violates privacy laws	Encryption at rest and in transit meets requirements like the Australian Privacy Act

Every security professional needs to understand these problems and solutions at a conceptual level, even if you never write cryptographic code yourself.

What Are the Key Concepts Behind Cryptography?

NIST SP 800-175B organises cryptographic services into three core functions: confidentiality (encryption), integrity (hashing), and authentication (digital signatures) — directly mapping to the CIA triad that underpins all information security.

Think of cryptography as three tools in a toolbox, each designed for a different job.

Tool 1: Encryption — Turns readable data (plaintext) into unreadable data (ciphertext). Only someone with the correct key can reverse it. This protects confidentiality.

Tool 2: Hashing — Creates a fixed-length “fingerprint” of any data. You cannot reverse a hash back to the original data. This protects integrity.

Tool 3: Digital signatures — Combines hashing and asymmetric encryption to prove who created or approved something. This provides authentication and non-repudiation (the sender cannot deny they sent it).

These three tools map directly to the CIA triad:

Encryption protects Confidentiality
Hashing protects Integrity
Digital signatures provide Authentication (which supports both Confidentiality and Integrity)

Symmetric Encryption — One Key for Both Sides

Symmetric encryption uses the same key to encrypt and decrypt data. It is fast and efficient, which makes it the workhorse of data encryption.

Common symmetric algorithms:

Algorithm	Key size	Status	Use case
AES (Advanced Encryption Standard)	128, 192, or 256 bits	Current standard — use this	File encryption, disk encryption, VPNs, TLS data transfer
3DES (Triple DES)	168 bits effective	Legacy — being phased out	Older systems, payment card processing
DES (Data Encryption Standard)	56 bits	Broken — do not use	Historical reference only
ChaCha20	256 bits	Current — modern alternative	Mobile devices, TLS where AES hardware acceleration is unavailable

The key distribution problem: If both sides need the same key, how do you securely share that key in the first place? Sending the key over the internet defeats the purpose. This is the fundamental limitation of symmetric encryption, and it is exactly what asymmetric encryption solves.

Asymmetric Encryption — Two Keys, Two Roles

Asymmetric encryption uses a key pair: a public key that anyone can have, and a private key that only the owner keeps secret.

Encrypt with the public key and only the private key can decrypt it (confidentiality)
Sign with the private key and anyone with the public key can verify it (authentication)

Common asymmetric algorithms:

Algorithm	Key size (typical)	Use case
RSA	2048-4096 bits	Key exchange, digital signatures, TLS certificates
ECC (Elliptic Curve Cryptography)	256-384 bits	Same uses as RSA but with smaller, faster keys
Diffie-Hellman	2048+ bits	Key exchange — securely agree on a symmetric key

Asymmetric encryption is much slower than symmetric encryption. In practice, systems use asymmetric encryption to securely exchange a symmetric key, then use that symmetric key for the actual data transfer. This is how TLS works.

Hashing — One-Way Fingerprints

A hash function takes any input and produces a fixed-length output (the hash or digest). Hashing is a one-way function — you cannot reverse a hash to get the original data back.

Key properties of a good hash function:

Deterministic — the same input always produces the same hash
Fast to compute — generating a hash is quick
Avalanche effect — a tiny change in input completely changes the output
Collision resistant — it should be practically impossible for two different inputs to produce the same hash
Pre-image resistant — given a hash, you cannot find the original input

Common hash algorithms:

Algorithm	Output size	Status
SHA-256	256 bits (64 hex characters)	Current standard — use this
SHA-3	Variable (224-512 bits)	Current — newer alternative
SHA-1	160 bits	Broken — do not use for security
MD5	128 bits	Broken — do not use for security

Why MD5 and SHA-1 are broken: Researchers demonstrated practical collision attacks against both. This means an attacker can create two different files with the same hash, undermining integrity verification. Use SHA-256 or SHA-3 for any security-related hashing.

Digital Signatures

A digital signature combines hashing and asymmetric encryption:

The sender hashes the message to create a digest
The sender encrypts the digest with their private key — this is the signature
The recipient decrypts the signature with the sender’s public key to recover the hash
The recipient independently hashes the received message
If both hashes match, the message is authentic and unmodified

Digital signatures provide authentication (proves who sent it), integrity (proves it was not changed), and non-repudiation (the sender cannot deny sending it).

Step-by-Step: How TLS Protects Your Web Browsing

When you visit a website with HTTPS, a protocol called TLS (Transport Layer Security) handles the cryptography. Here is a simplified version of what happens:

Step 1 — Client Hello: Your browser contacts the web server and says “I want a secure connection” along with a list of supported cryptographic algorithms.

Step 2 — Server Hello: The server responds with its chosen algorithm and its digital certificate (which contains the server’s public key).

Step 3 — Certificate verification: Your browser checks the certificate against trusted Certificate Authorities (CAs) to verify the server is who it claims to be.

Step 4 — Key exchange: Using the server’s public key (asymmetric encryption), your browser and the server securely agree on a shared session key (symmetric).

Step 5 — Encrypted communication: All subsequent data is encrypted with the shared session key (symmetric encryption) — fast and efficient.

Step 6 — Session ends: When you close the connection, the session key is discarded. A new session gets a new key.

This is why TLS uses both asymmetric and symmetric encryption. Asymmetric handles the secure key exchange. Symmetric handles the fast data transfer.

How Does Cryptography Fit Into a Security Architecture?

RFC 8446 (TLS 1.3) defines the current standard for securing communications over the internet, while NIST SP 800-57 provides comprehensive guidance on cryptographic key management — the most critical operational aspect of any cryptographic architecture.

PKI: The Trust Infrastructure

Public Key Infrastructure (PKI) is the system that makes asymmetric encryption work at internet scale. Without PKI, you would have no way to verify that a website’s public key actually belongs to that website.

PKI components:

Certificate Authority (CA) — a trusted organisation that issues and signs digital certificates (examples: Let’s Encrypt, DigiCert, GlobalSign)
Digital certificate — a file containing a public key, the owner’s identity, and the CA’s digital signature
Certificate chain — a hierarchy from Root CA to Intermediate CA to End-Entity certificate
Certificate Revocation List (CRL) / OCSP — mechanisms to check if a certificate has been revoked

📊 Visual Explanation

How TLS/HTTPS Works (Simplified)

Asymmetric encryption secures the key exchange, symmetric encryption handles the data

Client HelloBrowser initiates

Browser contacts server

Sends supported algorithms

Server CertificateIdentity proof

Server sends certificate

Contains public key + CA signature

VerificationTrust check

Browser checks CA chain

Validates certificate is legitimate

Key ExchangeAsymmetric

Agree on session key

Using server's public key

Encrypted DataSymmetric

Fast symmetric encryption

Session key encrypts all data

Idle

Symmetric vs Asymmetric: When to Use Each

Symmetric vs Asymmetric Encryption

Symmetric Encryption

One shared key — Same key encrypts and decrypts
Very fast — Suitable for large data volumes
Key distribution problem — How do you share the key securely?
Examples: AES, ChaCha20 — Used for bulk data encryption
Use case: data at rest — Disk encryption, file encryption, VPN tunnels

Asymmetric Encryption

Key pair (public + private) — Public encrypts, private decrypts
Much slower — Not practical for large data
Solves key distribution — Public key can be shared openly
Examples: RSA, ECC — Used for key exchange and signatures
Use case: identity and trust — TLS handshakes, digital signatures, certificates

Verdict: In practice, systems use both: asymmetric encryption to securely exchange a symmetric key, then symmetric encryption for the actual data transfer. This is called hybrid encryption.

Use case

TLS/HTTPS, VPNs, SSH, and most modern secure communication protocols use this hybrid approach.

Common Cryptographic Protocols

Protocol	What it protects	Cryptography used
HTTPS/TLS	Web browsing	Hybrid: RSA or ECC key exchange + AES data encryption
SSH	Remote server access	Asymmetric key exchange + symmetric session encryption
IPSec VPN	Network-to-network or remote access tunnels	IKE key exchange + AES/ESP data encryption
S/MIME	Email encryption and signing	RSA certificates + AES encryption
PGP/GPG	File and email encryption	Asymmetric key exchange + symmetric data encryption
BitLocker/LUKS	Full disk encryption	AES (symmetric) with key derived from password or TPM

What Does Cryptography Look Like in Practice?

These commands use OpenSSL, which is pre-installed on most Linux distributions and macOS. Try them in your home lab.

Example 1: Generate a Hash

# Create a SHA-256 hash of a file
echo "Hello, cybersecurity!" > testfile.txt
sha256sum testfile.txt

# Output: a fixed-length hash like
# 7d4e3eec80026719639ed4dba68916eb94c7a49a053e05c8f9578fe4e5a3b7ed  testfile.txt

# Now change one character and hash again
echo "Hello, Cybersecurity!" > testfile.txt
sha256sum testfile.txt

# The hash is completely different — that is the avalanche effect

Example 2: Symmetric Encryption with OpenSSL

# Encrypt a file with AES-256-CBC
openssl enc -aes-256-cbc -salt -in secret.txt -out secret.enc -pbkdf2

# You will be prompted for a password (this derives the encryption key)

# Decrypt the file
openssl enc -aes-256-cbc -d -in secret.enc -out decrypted.txt -pbkdf2

# The decrypted file should match the original
diff secret.txt decrypted.txt

Example 3: Generate an RSA Key Pair

# Generate a 2048-bit RSA private key
openssl genrsa -out private_key.pem 2048

# Extract the public key from the private key
openssl rsa -in private_key.pem -pubout -out public_key.pem

# View the public key
cat public_key.pem

# Check a website's TLS certificate
openssl s_client -connect example.com:443 -brief
# This shows the certificate chain and negotiated cipher suite

Example 4: Verify a File’s Integrity with Hashing

# Download a file and its checksum (common for Linux ISOs)
# Then verify the download was not corrupted or tampered with
sha256sum downloaded_file.iso

# Compare the output hash against the published hash on the official website
# If they match, the file is intact

Cryptographic Attacks and Weaknesses

Understanding how cryptography can be attacked helps you make better security decisions.

Attack	How it works	Countermeasure
Brute force	Try every possible key until one works	Use long keys (AES-256, RSA-2048+)
Dictionary attack	Try common passwords to derive encryption keys	Use strong, random passwords and key derivation functions (PBKDF2, Argon2)
Rainbow table	Pre-computed hash lookup table for cracking password hashes	Salt hashes (add random data before hashing)
Birthday attack	Exploits the probability of hash collisions	Use hash algorithms with large output sizes (SHA-256+)
Side-channel attack	Analyse timing, power consumption, or electromagnetic emissions	Constant-time implementations, hardware security modules
Downgrade attack	Force a connection to use a weaker cipher	Disable legacy protocols (SSLv3, TLS 1.0/1.1), enforce minimum cipher strength
Quantum computing (future)	Shor’s algorithm could break RSA and ECC	Post-quantum cryptography standards (NIST is standardising these now)

Password storage best practice: Never store passwords in plain text. Use a slow, salted hashing algorithm designed for passwords — bcrypt, scrypt, or Argon2 — not SHA-256 or MD5. General-purpose hash functions are too fast, making brute-force attacks practical.

What Are the Limitations of Cryptography?

The OWASP Cryptographic Storage Cheat Sheet warns that the most common cause of cryptographic failure is not a broken algorithm but poor key management, weak passwords, and implementation mistakes — a finding echoed by NIST SP 800-57 and industry breach analyses.

Cryptography is powerful but not magic. It fails when implemented or managed incorrectly.

Strength	Common failure mode	Better approach
AES-256 is practically unbreakable	The key is stored in plain text next to the encrypted data	Use proper key management (HSMs, key vaults)
TLS encrypts web traffic	The server uses an expired or self-signed certificate and users click through warnings	Automate certificate renewal (Let’s Encrypt), enforce HSTS
Hashing protects password integrity	Passwords are hashed without salt, enabling rainbow table attacks	Always salt and use bcrypt/Argon2
Digital signatures prove authenticity	The private key is compromised	Protect private keys, use hardware tokens, implement revocation
Encryption at rest protects stored data	The disk is encrypted but the laptop is left unlocked and logged in	Combine encryption with strong access controls and screen lock policies

The weakest link is almost never the algorithm. Modern cryptographic algorithms like AES-256 and SHA-256 are mathematically sound. Failures come from poor key management, weak passwords, implementation bugs, or human error.

What Interview Questions Should You Expect About Cryptography?

CompTIA Security+ SY0-701 tests cryptographic concepts across multiple exam domains, and interviewers consistently rank encryption, hashing, and PKI understanding as essential knowledge for any entry-level cybersecurity role.

Interviewers test cryptography knowledge to see if you understand the concepts well enough to make practical decisions.

Question	What they are testing	Strong answer approach
What is the difference between symmetric and asymmetric encryption?	Foundational understanding	Explain the key difference (one key vs two), speed trade-off, and that TLS uses both
What is hashing and how is it different from encryption?	Whether you understand one-way vs reversible	Hashing is one-way and protects integrity. Encryption is reversible and protects confidentiality
How does HTTPS work?	Practical understanding of TLS	Walk through the handshake: certificate verification, key exchange, symmetric data encryption
Why should you never store passwords in plain text?	Security awareness	Explain hashing with salt, and why bcrypt or Argon2 is better than SHA-256 for passwords
What happens if a private key is compromised?	Risk understanding	The attacker can decrypt data, forge signatures, and impersonate the key owner. Immediate revocation is needed

How Is Cryptography Used in Real Security Operations?

The ASD Information Security Manual (ISM) mandates specific cryptographic controls for Australian Government systems, including approved algorithms, minimum key lengths, and key management practices aligned with NIST SP 800-57 guidelines.

Cryptography requirements appear throughout Australian security guidance and regulations.

ASD Essential Eight: The Essential Eight includes “configure Microsoft Office macro settings” and “application hardening” — both of which intersect with cryptographic verification of code signatures. The broader ASD ISM (Information Security Manual) provides detailed cryptographic requirements for Australian Government systems, including approved algorithms and key management practices.

Australian Privacy Act 1988: While the Act does not mandate specific encryption algorithms, the Office of the Australian Information Commissioner (OAIC) has stated that encryption is a reasonable step organisations should take to protect personal information. Following the Optus and Medibank breaches, there is increasing regulatory expectation around encryption at rest and in transit.

IRAP assessments: Information Security Registered Assessors evaluate cryptographic controls as part of their assessments. Understanding PKI, TLS configuration, and key management is essential for anyone working in or supporting Australian Government security.

Practical advice for Australian job seekers: If you are interviewing for security roles in Australia, be prepared to discuss encryption requirements in the context of the Privacy Act, the ASD ISM, and the Essential Eight. Employers value candidates who can connect cryptographic concepts to Australian regulatory requirements.

Summary and Key Takeaways

Cryptography is the mathematical backbone of digital security — and you do not need a maths degree to understand how it works.

Symmetric encryption (AES) is fast and uses one shared key — ideal for encrypting data at rest and in transit.
Asymmetric encryption (RSA, ECC) uses a key pair and solves the key distribution problem — used for key exchange and digital signatures.
Hashing (SHA-256) creates one-way fingerprints for integrity verification and password storage.
Digital signatures combine hashing and asymmetric encryption to prove authenticity and detect tampering.
PKI is the trust infrastructure that makes certificates, HTTPS, and digital signatures work at scale.
TLS/HTTPS uses both asymmetric (key exchange) and symmetric (data transfer) encryption — this hybrid approach is the foundation of secure web communication.
The algorithm is rarely the weak point. Most cryptographic failures come from poor key management, weak passwords, or implementation mistakes.

Security Concepts for the CIA triad and defense in depth that cryptography supports
Networking Basics for understanding the protocols that use cryptography
Threat Landscape for the attacks that cryptography helps defend against
CompTIA Security+ for how cryptography appears on the certification exam

Frequently Asked Questions

What is the difference between encryption and hashing?

Encryption is reversible — you can decrypt ciphertext back to plaintext with the correct key. Hashing is a one-way function — you cannot reverse a hash to recover the original data. Encryption protects confidentiality while hashing protects integrity.

What is AES and why is it important?

AES (Advanced Encryption Standard) is the current standard symmetric encryption algorithm. It supports 128, 192, and 256-bit key sizes and is used in disk encryption, VPNs, TLS, and virtually every modern system that needs to encrypt data. AES-256 is considered practically unbreakable with current computing power.

Why do we need both symmetric and asymmetric encryption?

Symmetric encryption is fast but has a key distribution problem — how do you securely share the key? Asymmetric encryption solves the key distribution problem but is too slow for large data. In practice, systems use asymmetric encryption to securely exchange a symmetric key, then use the symmetric key for fast data transfer. This is called hybrid encryption.

What is PKI?

Public Key Infrastructure is the system of Certificate Authorities, digital certificates, and trust chains that makes asymmetric encryption work at internet scale. When your browser verifies a website's identity via HTTPS, it is using PKI to check that the site's certificate was issued by a trusted Certificate Authority.

Why are MD5 and SHA-1 considered broken?

Researchers have demonstrated practical collision attacks against both MD5 and SHA-1, meaning an attacker can create two different inputs that produce the same hash output. This undermines integrity verification. Use SHA-256 or SHA-3 for any security-related hashing.

How should passwords be stored?

Passwords should be hashed with a slow, salted algorithm designed specifically for password storage, such as bcrypt, scrypt, or Argon2. Never store passwords in plain text or use fast hash functions like SHA-256 or MD5 for passwords, as they can be brute-forced quickly.

What is a digital signature?

A digital signature is created by hashing a message and encrypting the hash with the sender's private key. The recipient can verify the signature using the sender's public key. Digital signatures provide authentication (who sent it), integrity (it was not changed), and non-repudiation (the sender cannot deny sending it).

What is the TLS handshake?

The TLS handshake is the process by which a browser and web server establish a secure connection. The server presents its certificate, the browser verifies it against trusted Certificate Authorities, they securely agree on a shared session key using asymmetric encryption, and then use that symmetric key to encrypt all subsequent data.

Will quantum computers break all encryption?

Quantum computers could break asymmetric algorithms like RSA and ECC using Shor's algorithm, but symmetric algorithms like AES would only need larger key sizes (AES-256 remains secure). NIST is currently standardising post-quantum cryptographic algorithms to replace vulnerable asymmetric methods before large-scale quantum computers exist.

Do I need to know cryptography for Security+?

Yes. CompTIA Security+ SY0-701 covers cryptographic concepts including symmetric and asymmetric encryption, hashing, digital signatures, PKI, and certificate management. You need to understand how these work conceptually and when to apply each one, but you do not need to implement cryptographic algorithms from scratch.

More resources

NIST Cryptographic Standards

Official NIST publications on AES, SHA, digital signatures, and key management best practices.

Visit OpenSSL Documentation

Official documentation for the OpenSSL toolkit used in the practical examples on this page.

Visit Let's Encrypt

Free, automated Certificate Authority that issues TLS certificates — a practical example of PKI in action.

Visit

Technical concepts verified in March 2026 against NIST cryptographic standards (FIPS 197 for AES, FIPS 180-4 for SHA), OpenSSL documentation, and the OWASP Cryptographic Storage Cheat Sheet. Algorithm status and best practices should be verified against current sources as cryptographic recommendations evolve.