Chapter 5: Cryptography Fundamentals
Cryptography Fundamentals. This is the “secret sauce” chapter—cryptography is what actually makes confidentiality, integrity, and secure communication possible in the digital world. We’re going deep today, like we’re sitting in your favorite Airoli spot with a whiteboard, drawing keys, locks, and examples from everyday Indian life (UPI, WhatsApp, banking apps, Aadhaar-linked stuff, and the new DPDP Act rules kicking in hard by 2026).
In January 2026, cryptography is evolving fast because of quantum threats on the horizon—old asymmetric stuff like RSA/ECC is vulnerable to future quantum computers (“harvest now, decrypt later”), so everyone’s pushing post-quantum cryptography (PQC) like ML-KEM (Kyber) and ML-DSA (Dilithium) for key exchange/signatures. But symmetric (AES) and hashes (SHA-256/3) are still rock-solid (just use bigger keys/sizes). India’s DPDP Act (rules enforced Nov 2025 onward) mandates strong encryption (end-to-end, masking, etc.) for personal data—non-compliance means big fines, so companies are scrambling.
Let’s break it down section by section.
1. Symmetric vs Asymmetric Encryption
Two main families—think of them as different types of locks.
-
Symmetric Encryption (Secret Key / Single Key) Same key encrypts and decrypts—like a shared house key. Fast, efficient for big data. Pros: Super fast (hardware-accelerated on phones/laptops), great for bulk data (files, video calls, UPI transactions). Cons: Key sharing problem—how do you safely give the key to the other person without someone stealing it?
Real example (2026 India): WhatsApp end-to-end encryption uses AES-256 (symmetric) for your messages once the session key is set up. Your chat with family in Maharashtra is encrypted with one shared key—fast and strong. If the key leaks (e.g., via malware), everything’s exposed—so key management is critical.
-
Asymmetric Encryption (Public Key / Two Keys) Two keys: Public key (shared openly, encrypts) + Private key (secret, decrypts). Like a mailbox—anyone can drop letters in (public key encrypts), only you open with private key. Pros: Solves key sharing—no need to secretly exchange keys. Enables digital signatures, secure key exchange. Cons: Much slower (100–1000x), higher CPU use—so used only for small data (keys, signatures), not bulk.
Real example: When you visit paytm.com or your bank app, your browser uses asymmetric (RSA or ECC) to securely exchange a symmetric session key (via TLS handshake). Then switches to fast symmetric AES for the actual transaction.
Quick comparison (2026 view):
| Feature | Symmetric (e.g., AES) | Asymmetric (e.g., RSA/ECC) |
|---|---|---|
| Keys | 1 shared secret | Public + Private pair |
| Speed | Very fast | Slow |
| Use case | Bulk data (files, streams, storage) | Key exchange, signatures, small data |
| Quantum safety | Strong (AES-256 still good) | Vulnerable (RSA/ECC broken by Shor’s algo) → moving to PQC like ML-KEM |
| India example | Encrypting UPI payload end-to-end | Signing digital certificates for HTTPS |
In 2026: Symmetric AES-256 is king for data protection (DPDP requires it). Asymmetric shifting to hybrids (classic + PQC) to fight “harvest now, decrypt later.”
2. Common Algorithms (AES, RSA, ECC, Hashing – SHA-256/3)
- AES (Advanced Encryption Standard) — Symmetric block cipher (128-bit blocks). Keys: AES-128, AES-192, AES-256 (longer = stronger). 2026 status: AES-256 recommended everywhere (quantum-resilient with Grover’s algo only halving effective strength → still 128-bit security). Used in TLS, disk encryption (BitLocker/VeraCrypt), WhatsApp, UPI. Example: Your phone’s storage encrypted with AES-256—thief can’t read files without passphrase.
- RSA (Rivest-Shamir-Adleman) — Asymmetric, based on factoring big primes. Keys: 2048-bit common, 3072+ for future-proof. 2026 reality: Still used but phasing out—vulnerable to quantum. Many orgs hybrid (RSA + ML-KEM). Example: Old bank certs used RSA for signing.
- ECC (Elliptic Curve Cryptography) — Asymmetric, smaller keys, faster than RSA (256-bit ECC ≈ 3072-bit RSA security). Curves: P-256, Ed25519 (fast/safe). 2026: Preferred over RSA for performance, but quantum-vulnerable → hybrids with PQC. Example: Modern TLS handshakes use ECDHE for key exchange (Ephemeral = forward secrecy).
- Hashing (SHA-256 / SHA-3) — One-way function (input → fixed output, can’t reverse). For integrity, passwords (slow hashes like Argon2), digital signatures. SHA-256 (from SHA-2 family): 256-bit output, widely used (Bitcoin, TLS certs). SHA-3: Newer (sponge construction), resistant to length-extension attacks. 2026: SHA-256 still dominant, SHA-3 growing (quantum-resilient with bigger output if needed). Example: Git commit hashes use SHA-256—change one char, hash changes completely.
3. Digital Signatures, Certificates, and PKI
- Digital Signatures — Prove “I created/sent this, unchanged.” Asymmetric: Sign with private key → verify with public key. Process: Hash document → encrypt hash with private → signature. Receiver hashes + decrypts signature with public → match? Authentic & intact. Algorithms: RSA-PSS, ECDSA, EdDSA (2026: moving to ML-DSA PQC). Example: Signing a PDF invoice in India—receiver verifies signer is you.
- Certificates — Digital ID card (binds public key to identity). X.509 format. Contains: Subject (you/domain), Public key, Issuer (CA), Validity, Signature.
- PKI (Public Key Infrastructure) — Ecosystem: CAs (issue certs), Root CAs (trusted anchors), CRL/OCSP (revocation). Example (India 2026): Your bank’s HTTPS cert issued by DigiCert/Let’s Encrypt (trusted roots in browsers). Browser checks chain to root → trusts site.
2026 issues: Short validity (≤398 days), no more dual server+client auth in public CAs (Chrome rule by June 2026—use private CAs for client auth).
4. TLS/SSL, HTTPS, and Certificate Issues
- TLS (Transport Layer Security) — Successor to SSL. Encrypts web traffic (HTTPS = HTTP over TLS). Current: TLS 1.3 (2018+) mandatory—faster, removes weak ciphers, forward secrecy default. TLS 1.2 deprecated in many places; 1.0/1.1 dead. Handshake: ClientHello → ServerHello + cert → key exchange (ECDHE/ML-KEM hybrid soon) → symmetric session (AES-GCM).
- HTTPS — Padlock icon. Protects against eavesdropping. 2026 status: Almost everywhere (India UPI/banking mandatory). Quantum hybrids emerging.
- Certificate Issues (common 2026):
- Expired/Invalid certs → browser warnings.
- Weak ciphers (old TLS).
- Self-signed → untrusted.
- CA compromise → fake certs.
- Long validity (>398 days) rejected. Example: Fake bank site with stolen/expired cert → phishing (DPDP pushes strong certs + encryption).
5. Cryptographic Attacks (Man-in-the-Middle, Birthday Attack)
- Man-in-the-Middle (MITM) — Attacker sits between you & server, relays/modifies traffic. How: ARP spoofing (local), rogue Wi-Fi, fake cert (if no HSTS/Pinning). 2026 example: Evil twin Wi-Fi in Airoli café → intercepts UPI login (unless HTTPS + cert pinning). Mitigate: HSTS, certificate pinning, VPN.
- Birthday Attack — Exploits birthday paradox on hashes (find collisions faster than brute force). For n-bit hash, ~2^(n/2) trials for 50% collision chance (not 2^n). Example: Attacker generates many document variants → finds two with same SHA-1 hash → swaps innocent for malicious (real SHA-1 collisions found 2017). 2026: SHA-1 broken—use SHA-256/3 (collision resistance still strong).
Bonus 2026 note: Quantum threats → Shor breaks RSA/ECC, Grover weakens symmetric (use AES-256). India DPDP enforces encryption—use it wisely!
That’s Chapter 5—cryptography is math magic protecting everything!
