Lesson Notes
Encryption Essentials
Module 5: Defensive Strategies. Symmetric (AES-256, CBC/GCM, OpenSSL enc). Asymmetric (RSA, genrsa). Hashing (SHA-256, salting). HTTPS/TLS, PGP. Hands-on: VeraCrypt USB, crack weak keys ethically.
Module 5: Encryption Essentials — Comprehensive Theory Guide
Encryption is the backbone of confidentiality: it transforms readable data (plaintext) into ciphertext that only someone with the correct key can reverse. This lesson covers the three pillars of applied cryptography: symmetric encryption (one key for encrypt and decrypt, e.g. AES), asymmetric encryption (public/private key pairs, e.g. RSA), and cryptographic hashing (one-way fingerprinting, e.g. SHA-256). You will see how these appear in real systems—HTTPS/TLS, PGP, password storage—and practice with OpenSSL (file encryption, key generation) and VeraCrypt (encrypted volumes) in your lab. Strong keys and correct use of algorithms are essential; weak keys or outdated algorithms can be broken and undermine security.
Symmetric Encryption: One Key, Encrypt and Decrypt
Symmetric encryption uses a single shared secret key for both encryption and decryption. The same key must be known to both sender and receiver and must be kept secret. AES (Advanced Encryption Standard) is the standard block cipher: 128-bit blocks, key sizes 128, 192, or 256 bits. AES-256 is widely used for high security. The cipher mode defines how blocks are processed and whether integrity is also provided. CBC (Cipher Block Chaining) encrypts blocks in sequence, each depending on the previous; it requires an IV (initialization vector) that must be unique and preferably random for each encryption. GCM (Galois/Counter Mode) is an AEAD mode: it provides both encryption and authentication (so the recipient can detect tampering). Prefer GCM when available. With OpenSSL: openssl enc -aes-256-cbc -in secret.txt -out secret.enc (and -d to decrypt). The key is derived from the passphrase you enter; use a strong passphrase and protect the encrypted file and key material.
Asymmetric Encryption: Public and Private Keys
Asymmetric encryption uses a key pair: a public key (can be shared) and a private key (kept secret). Data encrypted with the public key can only be decrypted with the private key; this enables confidentiality without a shared secret (anyone can encrypt to you using your public key). RSA is the common algorithm; key sizes are typically 2048 or 4096 bits. Use openssl genrsa to generate a key pair; you can encrypt a short message with the public key and decrypt with the private key. Asymmetric crypto is relatively slow, so it is used for key exchange (e.g. in TLS: agree a symmetric session key using RSA or ECDHE) and for digital signatures (sign with private key, verify with public key). TLS uses asymmetric crypto to establish and authenticate the session, then symmetric encryption for the bulk application data.
Hashing: One-Way Fingerprints and Password Storage
A cryptographic hash function (e.g. SHA-256) takes arbitrary input and produces a fixed-size output (e.g. 256 bits). It is one-way: given the hash, you cannot feasibly recover the input; and it is collision-resistant: you cannot feasibly find two inputs with the same hash. Uses: integrity (hash of a file or message), and password storage. For passwords: never store plaintext. Store only a hash of the password. To resist rainbow tables (precomputed hashes for common passwords), use a salt: a random value unique per password, stored with the hash, and combined with the password before hashing. To resist brute force, use a slow function: bcrypt, scrypt, or Argon2 are designed to be computationally expensive. SHA-256 alone is fast—attackers can try billions of guesses per second; use a proper password hashing scheme. In a lab you can test weak keys or short hashes to see how quickly they fall, reinforcing why key strength and salting matter.
Real-World Use: TLS, PGP, and VeraCrypt
TLS (HTTPS): the client and server use asymmetric crypto (e.g. ECDHE) to agree a symmetric session key; then all application data is encrypted with that key (e.g. AES-GCM). PGP/GPG: asymmetric keys for email or file encryption and signing. VeraCrypt: creates encrypted volumes (file container or partition); you use a passphrase (and optionally a keyfile) to derive the volume key; without it, the data is unreadable. Practice with OpenSSL for symmetric and asymmetric operations and with VeraCrypt for disk encryption in your lab. Next: advanced crypto—full-disk encryption (LUKS, BitLocker), PKI, and HTTPS on Apache.
Key Takeaway for Lesson 19
Symmetric encryption (AES) uses one key for encrypt/decrypt; asymmetric (RSA) uses key pairs for confidentiality and signatures. Hashing (SHA-256) is one-way; for passwords use salt and slow functions (bcrypt, Argon2). Use strong keys and modern algorithms; practice with OpenSSL and VeraCrypt. Next: disk encryption and PKI (LUKS, BitLocker, HTTPS on Apache).