crypto — ximg.app

Cryptographic Hash Functions

MD5

128-bitBROKEN

1992. Collision attacks found in 2004. Never use for security — only checksums where collision resistance is irrelevant.

SHA-1

160-bitBROKEN

1995. SHAttered collision (Google, 2017). Deprecated by NIST. Still seen in legacy TLS and git (being migrated to SHA-256).

SHA-256

256-bitSECURE

SHA-2 family. Standard for TLS certificates, HMAC-SHA256, JWT HS256/RS256. 128-bit collision resistance.

SHA-512

512-bitSECURE

SHA-2 family. Faster than SHA-256 on 64-bit CPUs. Used in HMAC-SHA512, JWT HS512. 256-bit collision resistance.

SHA-3/256

256-bitSECURE

Keccak sponge construction (2015). Structurally different from SHA-2 — immune to length-extension attacks. NIST standard.

BLAKE3

256-bitSECURE

2020. Fastest cryptographic hash — parallel, SIMD-optimized. Used in Bao, Cargo, IPFS. Replaces BLAKE2 in new designs.

Rule of thumb: Use SHA-256 for general-purpose integrity checks. Use SHA-3 when you need resistance to length-extension attacks without HMAC. Use BLAKE3 when speed is critical.

Password Hashing (KDFs)

Argon2id

RECOMMENDED

Winner of Password Hashing Competition (2015). Memory-hard + time-hard. Resists GPU and ASIC attacks. Use for new systems.

bcrypt

SAFE72-byte limit

1999. Adaptive cost via work factor. Widely supported. Truncates input at 72 bytes — use prehash for long passwords.

scrypt

SAFE

2009. Memory-hard. Used in Litecoin, OpenSSL. Complex parameter tuning makes it harder to configure correctly than Argon2id.

PBKDF2

LEGACYFIPS 140

PKCS#5. Iterated HMAC. FIPS-approved — required in some government contexts. GPU-parallelizable; prefer Argon2id otherwise.

HMAC — Keyed Hashing

HMAC-SHA256(key, message)

Produces a 256-bit MAC — authenticates both origin and integrity. Used in JWT, AWS Signature v4, OAuth 1.0

HMAC = H( (K ⊕ opad) ‖ H( (K ⊕ ipad) ‖ M ) )

RFC 2104 construction. Immune to length-extension attacks that affect raw SHA-2

HKDF-Extract + HKDF-Expand

RFC 5869. Derives multiple keys from a shared secret — used in TLS 1.3 and Signal protocol

AES — Advanced Encryption Standard

AES-128

128-bit key · 10 rounds · 128-bit block
Fastest. Still 2¹²⁸ brute-force resistance. Fine for most use cases.

AES-192

192-bit key · 12 rounds · 128-bit block
Rarely used. No meaningful practical advantage over AES-128.

AES-256

256-bit key · 14 rounds · 128-bit block
Preferred for high-security / long-term data. NIST-approved for TOP SECRET.

Block Cipher Modes

Mode

Auth

Notes

ECB

✗

Never use — identical plaintext blocks produce identical ciphertext (the "ECB penguin" problem)

CBC

✗

Requires IV; no authentication — vulnerable to padding oracle (POODLE, BEAST) without separate MAC. Legacy TLS.

CTR

✗

Stream cipher from block cipher. No authentication — must pair with HMAC. Nonce must never repeat.

GCM

✓ AEAD

AES-256-GCM: the standard choice. Authenticated encryption — combines CTR + GHASH MAC. Used in TLS 1.3.

CCM

✓ AEAD

AEAD. Slower than GCM; used in embedded / constrained environments (Zigbee, 802.11i).

SIV

✓ AEAD

Nonce-misuse resistant — safe even if nonce repeats (at cost of losing confidentiality, not integrity).

ChaCha20-Poly1305

ChaCha20

256-bit stream cipher by Bernstein (2008). No hardware requirement — competitive with AES-NI in software. Used in TLS 1.3, WireGuard, SSH.

Poly1305

One-time MAC. Paired with ChaCha20 to form an AEAD cipher (RFC 8439). Preferred over AES-GCM on hardware without AES-NI.

DES / 3DES

DES (56-bit) broken by brute force 1998. 3DES deprecated by NIST 2023. Still in legacy banking (ANSI X9). Never use in new systems.

Best practice: Use AES-256-GCM or ChaCha20-Poly1305 for authenticated encryption. Never encrypt without authentication — unauthenticated ciphertext is malleable.

RSA

RSA-2048

Minimum acceptable. ~112-bit security. NIST recommends through 2030. Avoid for new long-term keys.

RSA-3072

~128-bit security. NIST approved through 2040. Larger signatures/certs than RSA-2048.

RSA-4096

~140-bit security. Common for PGP keys and root CAs. Significantly slower than ECC for equivalent security.

PKCS#1 v1.5

Legacy RSA padding. Vulnerable to Bleichenbacher's attack (1998) in encryption mode. Still used in TLS for signature compatibility — avoid for encryption.

OAEP

RSA-OAEP (PKCS#1 v2): secure probabilistic padding for encryption. Requires randomness. Use instead of PKCS#1 v1.5 for new RSA encryption.

PSS

RSA-PSS: provably secure probabilistic signature scheme. Recommended over PKCS#1 v1.5 for signatures. Used in TLS 1.3.

Elliptic Curve Cryptography (ECC)

P-256 (secp256r1)

128-bitNIST

NIST-standardized ECDSA/ECDH curve. Widely supported — TLS, FIDO2, Android. Fast with hardware acceleration.

P-384 (secp384r1)

192-bitNIST

NSA Suite B. Required for Top Secret. Larger certs, slower operations than P-256. Use when compliance demands it.

Curve25519

128-bitRECOMMENDED

Bernstein, 2005. Fast, simple, no patent concerns. X25519 (ECDH) and Ed25519 (signatures). Used in Signal, WireGuard, SSH, TLS 1.3.

Ed25519

128-bitRECOMMENDED

EdDSA on Curve25519. Deterministic signatures — no RNG required at signing time. 64-byte signatures. Default for modern SSH keys.

secp256k1

128-bitCRYPTO

Bitcoin and Ethereum's curve. ECDSA signing. Koblitz curve — not recommended for general use outside blockchain.

DSA

LEGACY

NIST 1991. Requires a random k per signature — reused k leaked Sony PS3 private key. Deprecated by NIST in 2023. Use EdDSA.

Key size comparison: ECC provides equivalent security to RSA with far smaller keys — Ed25519 (256-bit ECC key) matches RSA-3072 security at a fraction of the size and computation cost.

Diffie-Hellman (DH)

Alice

Public params: prime p, generator g

─────────────────────────────

Alice sends: A = g^a mod p →

─────────────────────────────

Bob sends: B = g^b mod p ←

─────────────────────────────

Shared secret: S = B^a mod p = A^b mod p = g^ab mod p

Bob

Eavesdropper sees p, g, A, B — computing a from A is the Discrete Logarithm Problem. Safe at 2048+ bit primes (DH-2048) or with ECDH.

ECDH — Elliptic Curve DH

X25519

ECDH on Curve25519. TLS 1.3 default key exchange. Fast constant-time implementation. 32-byte public keys. Resists timing attacks.

ECDHE

Ephemeral ECDH — a fresh key pair per session. Provides forward secrecy: past sessions stay safe even if long-term key is later compromised.

Static DH

Long-term DH keys — no forward secrecy. If private key is compromised, all past recorded sessions can be decrypted. Avoid in new protocols.

Key Derivation Functions (KDF)

HKDF-Extract(salt, IKM) → PRK

Extracts a pseudorandom key from input keying material (e.g. DH shared secret). RFC 5869.

HKDF-Expand(PRK, info, len) → OKM

Expands PRK into output keying material of arbitrary length — used in TLS 1.3 to derive traffic keys from handshake secret.

PBKDF2(password, salt, iters, len)

Derives a key from a password with iterated HMAC. FIPS 140 compliant. GPU-parallelizable — use Argon2id when possible.

scrypt(N, r, p)

Memory-hard KDF. N = CPU/memory cost, r = block size, p = parallelization. Used to derive WireGuard pre-shared keys.

Post-Quantum Key Exchange

ML-KEM (Kyber)

NIST PQC

NIST FIPS 203 (2024). Module-Lattice KEM. First post-quantum KEM standard. Being added to TLS and SSH implementations.

ML-DSA (Dilithium)

NIST PQC

NIST FIPS 204 (2024). Module-Lattice digital signature. Post-quantum replacement for ECDSA/RSA signatures.

SLH-DSA (SPHINCS+)

NIST PQC

NIST FIPS 205 (2024). Hash-based signatures — minimal security assumptions. Larger signatures than lattice schemes.

TLS 1.3 Handshake

Client

──── ClientHello (supported ciphers, key_share, random) ─────────────────────────────────────────▶
◀─── ServerHello (chosen cipher, key_share) + Certificate + CertificateVerify + Finished ──────
──── Finished ───────────────────────────────────────────────────────────────────────────────▶
══ Application Data (encrypted) ══════════════════════════════════════════════════════════════

Server

1-RTT handshake (vs 2-RTT in TLS 1.2). 0-RTT resumption available. Mandatory ECDHE/DHE — static RSA key exchange removed.

TLS 1.3 Cipher Suites

TLS_AES_256_GCM_SHA384

AES-256-GCM AEAD + HKDF-SHA384. Preferred for high-security deployments.

TLS_AES_128_GCM_SHA256

AES-128-GCM AEAD + HKDF-SHA256. Standard choice for most web traffic.

TLS_CHACHA20_POLY1305_SHA256

ChaCha20-Poly1305 + HKDF-SHA256. Preferred on devices without AES hardware acceleration.

SSH Protocol

Key exchange

curve25519-sha256 (Diffie-Hellman over Curve25519) — default in OpenSSH 6.5+

Host key algorithms

ssh-ed25519 (preferred), ecdsa-sha2-nistp256, rsa-sha2-512, rsa-sha2-256

Symmetric encryption

chacha20-poly1305@openssh.com (default), aes256-gcm@openssh.com, aes128-ctr+HMAC

Authentication

Public key (Ed25519 / RSA / ECDSA), password, GSSAPI, certificates

PGP / OpenPGP

Web of Trust

PGP uses a decentralized trust model. Keys are signed by other users. Strong keys have signatures from many trusted parties. No central CA.

Signing

Hash the message → sign hash with your RSA/DSA/Ed25519 private key. Recipient verifies with your public key from a keyserver.

Encryption

Hybrid: generate random session key → encrypt message with AES-256 → encrypt session key with recipient's public key. Both bundled in output.

JWT — JSON Web Token

Header.Payload.Signature

Three base64url-encoded parts separated by dots. Header declares algorithm, payload carries claims, signature verifies both.

HS256

HMAC-SHA256 — symmetric, shared secret. Both issuer and verifier must hold the same key. Good for internal services.

RS256 / ES256

RSA-SHA256 / ECDSA-SHA256 — asymmetric. Public key can verify without knowing the private key. Good for distributed systems.

alg: "none"

Never accept — disables signature verification entirely. Classic CVE. Always validate alg header server-side.

openssl — Key Generation

openssl genrsa -out key.pem 4096

Generate a 4096-bit RSA private key

openssl genpkey -algorithm ed25519 -out key.pem

Generate an Ed25519 private key

openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out key.pem

Generate a P-256 elliptic curve private key

openssl pkey -in key.pem -pubout -out pub.pem

Extract public key from a private key file

openssl — Certificates

openssl req -new -key key.pem -out csr.pem

Generate a Certificate Signing Request (CSR) from a private key

openssl req -x509 -newkey ed25519 -keyout key.pem -out cert.pem -days 365 -nodes

Self-signed Ed25519 certificate in one command (no passphrase)

openssl x509 -in cert.pem -text -noout

Display certificate details — subject, issuer, validity, SAN, public key

openssl verify -CAfile ca.pem cert.pem

Verify certificate chain against a CA bundle

openssl — Encryption & Hashing

openssl enc -aes-256-gcm -pbkdf2 -in plain.txt -out enc.bin

Encrypt a file with AES-256-GCM using a passphrase-derived key

openssl enc -d -aes-256-gcm -pbkdf2 -in enc.bin -out plain.txt

Decrypt the file

openssl dgst -sha256 file.txt

Compute SHA-256 digest of a file

openssl dgst -sha256 -hmac "secretkey" file.txt

Compute HMAC-SHA256 of a file

openssl s_client -connect host:443 -tls1_3

Inspect TLS handshake and certificate chain for a remote host

openssl s_client -connect host:443 -showcerts 2>/dev/null | openssl x509 -noout -dates

Check certificate expiry for a remote host

ssh-keygen

ssh-keygen -t ed25519 -C "comment"

Generate an Ed25519 key pair (recommended default)

ssh-keygen -t rsa -b 4096

Generate a 4096-bit RSA key pair (for legacy compatibility)

ssh-keygen -lf ~/.ssh/id_ed25519.pub

Show key fingerprint (SHA-256)

ssh-keygen -p -f ~/.ssh/id_ed25519

Change or add a passphrase to an existing key

gpg

gpg --full-generate-key

Generate a new GPG key pair (interactive)

gpg --list-secret-keys --keyid-format LONG

List all secret keys with long key IDs

gpg --encrypt --recipient user@example.com file.txt

Encrypt a file to a recipient's public key

gpg --decrypt file.txt.gpg

Decrypt a GPG-encrypted file

gpg --sign --armor file.txt

Create an ASCII-armored detached signature

gpg --verify file.txt.asc file.txt

Verify a signature against a file

gpg --export --armor keyid

Export a public key in ASCII-armored format

Primitives & Building Blocks

Entropy

Unpredictability in key generation. Measured in bits. A 256-bit random key has 256 bits of entropy. Use OS CSPRNG (/dev/urandom, CryptGenRandom) — never seed from time or PID.

IV / Nonce

Initialization Vector: random value used to ensure ciphertext is unique per encryption. Must never repeat with the same key. In AES-GCM use 96-bit random nonces.

Salt

Random value mixed with a password before hashing. Prevents rainbow table attacks — identical passwords produce different hashes. Store alongside the hash.

AEAD

Authenticated Encryption with Associated Data. Combines confidentiality (cipher) + integrity (MAC) in one operation. Examples: AES-GCM, ChaCha20-Poly1305. The correct default.

MAC

Message Authentication Code — a keyed checksum proving the message was sent by someone with the key and wasn't tampered with. HMAC-SHA256 is the standard construction.

Padding

Block ciphers require input length to be a multiple of block size. PKCS#7 is common for CBC mode. Incorrect padding validation leads to padding oracle attacks.

Forward Secrecy

AKA Perfect Forward Secrecy (PFS). Ephemeral key exchange ensures past session keys can't be derived if a long-term key is compromised. Mandatory in TLS 1.3.

Key Wrapping

Encrypting one key with another key (the KEK — Key Encryption Key). Used in HSMs and key management. AES-KW (RFC 3394) is the standard algorithm.

Timing Attacks

Side-channel attacks that infer secrets from how long operations take. Constant-time comparison (vs. early-exit) is critical for MAC verification and password checking.

PKI — Public Key Infrastructure

X.509 Certificate

Structure: Subject DN, Subject Public Key, Issuer DN, Validity period, Serial number, Extensions (SAN, KeyUsage, BasicConstraints), CA Signature.

Certificate Chain

Root CA → Intermediate CA(s) → End-entity cert. Browsers trust ~150 root CAs. Intermediate CAs are cross-signed to allow root rotation.

CRL / OCSP

Certificate Revocation List (CRL): full list of revoked certs. OCSP: real-time per-cert check. OCSP Stapling: server caches OCSP response — reduces latency.

CT Logs

Certificate Transparency: append-only logs of all issued certs. Browsers require SCTs (Signed Certificate Timestamps) for trust. Detects mis-issuance.

Historical Milestones

1976

Diffie-Hellman Key Exchange

Whitfield Diffie & Martin Hellman publish "New Directions in Cryptography" — public-key crypto invented.

1977

RSA Published

Rivest, Shamir, Adleman publish the RSA algorithm. First practical public-key encryption system.

1991

PGP Released

Phil Zimmermann releases Pretty Good Privacy — first widely-available strong encryption for the public.

1994

SSL 2.0 / RSA Algorithm Released

Netscape introduces SSL for HTTPS. RSA patent expires in 2000, opening public-key crypto for everyone.

2001

AES Standardized

NIST selects Rijndael (Daemen & Rijmen) as AES — FIPS 197. Replaces DES/3DES as the global symmetric cipher standard.

2005

Curve25519

Daniel J. Bernstein publishes Curve25519 — fast, safe, patent-free elliptic curve that becomes the modern default.

2013

Snowden & PRISM

NSA mass surveillance revealed. Industry accelerates TLS deployment, kills RC4, SHA-1 deprecation begins. Signal protocol designed.

2018

TLS 1.3

RFC 8446. Removes static RSA, RC4, DES, SHA-1. Mandates ECDHE/DHE. 1-RTT handshake. All cipher suites are AEAD.

2024

NIST Post-Quantum Standards

FIPS 203/204/205 published — ML-KEM (Kyber), ML-DSA (Dilithium), SLH-DSA (SPHINCS+). Post-quantum migration begins.

cryptography