Siksha Sarovar

Siksha Sarovar (sikshasarovar.com) is a free educational web application that helps students in India learn programming and prepare for academic and competitive exams. The platform offers structured coding courses (C, C++, Python, Java, HTML, CSS, PHP, Power BI, AI, Machine Learning, Data Science), complete university curriculum notes for BCA/MCA students with previous year question papers, Class 10 and Class 12 CBSE/HBSE school notes, and dedicated preparation material for SSC, UPSC, Banking, Railway and other government exams. Browsing the site is completely free and requires no account. Users may optionally sign in with Google solely to save their learning progress, quiz scores and personal preferences across devices.

Privacy Policy | Terms of Service | Contact Siksha Sarovar | About Siksha Sarovar

v4.0.9 · PWA
Siksha Sarovar logo
Siksha Sarovar
Your Learning Universe

Siksha Sarovar is a free e-learning platform for coding courses, BCA university notes and competitive exam preparation. Optional Google sign-in saves your learning progress across devices.

Initializing knowledge base…
Compiling modules 0%

Unit III Overview: Introduction to Cryptography

Lesson 9 of 15 in the free Cyber Security notes on Siksha Sarovar, written by Rohit Jangra.

Unit III Overview: Introduction to Cryptography

Cryptography is the science of securing information through mathematical transformations. It is the most fundamental technical tool in cyber security, providing the basis for secure communication, data protection, authentication, and digital trust. The word derives from Greek: kryptos (hidden) + graphia (writing).

Unit III covers cryptographic foundations (this lesson), symmetric cryptography (DES, AES), asymmetric cryptography (RSA, digital signatures), and their application to securing web and email systems.

---

Core Cryptographic Concepts

TermDefinitionExampleKey FactNotation
PlaintextOriginal readable message"Transfer $1000 to account 12345"Input to encryptionP or M
CiphertextEncrypted, unreadable output"X7kP2qR#9mL..."Transmitted over insecure channelC
EncryptionProcess of converting plaintext to ciphertextAES encryption of a fileRequires algorithm + keyE(K, P) = C
DecryptionProcess of converting ciphertext to plaintextAES decryption of a fileReverse of encryptionD(K, C) = P
KeySecret value used in encryption/decryption256-bit random stringSecurity depends entirely on key secrecyK
Algorithm/CipherMathematical function for encryptionAES, RSA, ChaCha20Should be public (Kerckhoffs's principle)
CryptanalysisScience of breaking cryptographic systemsDifferential cryptanalysisStudies algorithm weaknesses

---

Types of Cryptography

Cryptography is broadly classified into three types based on key usage:

TypeKeys UsedSpeedUse CaseKey ChallengeExamples
SymmetricSame key for encrypt + decryptVery FastBulk data encryptionSecure key distributionAES, DES, 3DES, RC4
AsymmetricDifferent keys (public + private)SlowKey exchange, digital signaturesKey pair generationRSA, ECC, DSA
Hash FunctionsNo key (one-way function)Extremely FastIntegrity verification, password storageCollision resistanceSHA-256, SHA-3, MD5 (broken)

Hybrid Cryptography combines symmetric and asymmetric:

  1. Alice and Bob use asymmetric (RSA) to securely exchange a symmetric session key
  2. They then use symmetric (AES) to encrypt bulk data with that session key
  3. This is how HTTPS/TLS works in practice

---

User Authentication Methods

Authentication verifies that a user is who they claim to be. There are four authentication factors:

FactorCategoryExamplesStrengthVulnerabilities
Password / PINSomething you knowText password, security questionLow–MediumPhishing, cracking, reuse
Hardware Token / Smart CardSomething you haveRSA SecurID, YubiKey, CAC cardHighTheft, loss
BiometricsSomething you areFingerprint, facial recognition, irisHighSpoofing (fake fingerprint), cannot be changed if compromised
Location / BehaviorSomewhere you are / Something you doGPS location, typing cadence, keystroke dynamicsMediumVPN bypasses location

Multi-Factor Authentication (MFA) combines two or more factors. The strongest form is FIDO2/WebAuthn with hardware security keys (YubiKey) — completely phishing-resistant.

---

Password Authentication in Depth

Password storage is critical — never store plaintext passwords:

Storage MethodHow It WorksCracking ResistanceModern UseStatus
PlaintextPassword stored as-isNoneNever useInsecure (forbidden)
MD5 hashMD5(password) storedVery Low — GPU can test 10 billion/secLegacy systemsBroken (avoid)
SHA-1 hashSHA1(password) storedLow — GPU test 4 billion/secDeprecated systemsBroken (avoid)
Salted SHA-256SHA256(salt + password)Medium — defeats rainbow tablesSome systemsAcceptable (not recommended)
bcryptAdaptive cost function, built-in saltHigh — designed to be slowMost web appsRecommended
Argon2idMemory-hard, adaptive costVery High — winner of Password Hashing CompetitionModern systemsGold standard

---

Message Authentication

Message Authentication ensures:

  1. The message has not been altered in transit (integrity)
  2. The message came from the claimed sender (authenticity)

Tools for message authentication:

  • MAC (Message Authentication Code): A cryptographic checksum using a shared secret key. Both parties share a secret key; only they can generate and verify the MAC. Algorithm: HMAC-SHA256.
  • Digital Signature: Uses asymmetric cryptography. Sender signs with private key; anyone can verify with public key. Provides authentication + non-repudiation.
  • Hash Functions: MD5, SHA-256 — verify integrity (content has not changed) but not authenticity (anyone can compute a hash).
Exam Tip: Know the three services provided by cryptographic systems: Confidentiality (encryption hides content), Integrity (hashing detects tampering), Authentication/Non-repudiation (digital signatures prove origin). Also know: symmetric = fast + same key; asymmetric = slow + different keys; hash = one-way, no key.

---

Study Deep: Cryptographic Foundations

  1. Kerckhoffs's Principle — security through obscurity fails: Auguste Kerckhoffs stated in 1883 that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge. This means: publish your algorithm, keep only the key secret. This enables public scrutiny and builds trust. Security through obscurity (hiding the algorithm itself) has repeatedly failed historically.
  1. The key length determines security: For symmetric encryption, key length determines brute-force resistance. 56-bit DES can be broken in hours. 128-bit AES would take longer than the age of the universe with current technology. For asymmetric (RSA), 2048-bit is the current minimum; 4096-bit is recommended for long-term security. Key length must increase over time as computing power grows.
  1. Quantum computing threatens current cryptography: Current RSA and ECC asymmetric algorithms can theoretically be broken by quantum computers running Shor's algorithm. NIST completed post-quantum cryptography standardization in 2024, selecting CRYSTALS-Kyber (key encapsulation) and CRYSTALS-Dilithium (digital signatures) as the new standards.
  1. Hash collisions break trust: A hash collision is when two different inputs produce the same hash output. MD5 collision attacks were demonstrated in 2004 (Wang and Yu). SHA-1 was publicly broken in 2017 (Google's SHAttered attack). This is why moving to SHA-256 (SHA-2 family) or SHA-3 is critical for integrity checking.
  1. One-Time Pad is theoretically unbreakable: The only cryptographic system proven mathematically unbreakable is the One-Time Pad (OTP) — where a truly random key as long as the message is used once and destroyed. It is used for diplomatic hotlines between nations. Practical limitations: key distribution is impossibly difficult at scale. The "red telephone" between US and USSR used OTP-based encryption.