Cryptography
Symmetric and asymmetric encryption, hashing algorithms, key derivation functions, PKI, certificate chains, and TLS 1.3.
Symmetric Encryption
Same key encrypts and decrypts. Fast. Used for bulk data.
Algorithms
AES-256-GCM:
Block cipher, 256-bit key
GCM mode: authenticated encryption (confidentiality + integrity)
Industry standard for data at rest and in transit
Hardware acceleration via AES-NI instruction set
ChaCha20-Poly1305:
Stream cipher + MAC
Constant-time on all hardware (no timing side channels)
Preferred where AES-NI unavailable (mobile, embedded)
Used in WireGuard, TLS 1.3
AES-CBC:
Block cipher mode, requires IV + separate MAC
Vulnerable to padding oracle attacks unless the MAC is verified before any decryption (encrypt-then-MAC)
Legacy — prefer GCM for new deployments
Authenticated Encryption (AEAD)
Encryption + integrity in one operation
Prevents ciphertext tampering (no silent bit flips)
AES-GCM: most widely deployed AEAD
ChaCha20-Poly1305: alternative AEAD
Both provide:
Confidentiality: content hidden
Integrity: tampering detected
Authentication: message came from a holder of the key
Asymmetric Encryption
Key pair: public encrypts (or verifies), private decrypts (or signs).
Algorithms
RSA:
2048-bit minimum, 4096 for long-term
Key generation is slow
Encryption: c = m^e mod n
Decryption: m = c^d mod n
Security: factoring large numbers is hard
Ed25519:
Elliptic curve signature scheme
256-bit key, fast, small signatures
Recommended for SSH keys and code signing
Deterministic — no RNG needed for signing
ECDSA (P-256):
NIST elliptic curve signatures
Widely supported in TLS
REQUIRES good RNG for signing (bad RNG → key leak)
X25519:
Elliptic curve Diffie-Hellman key exchange
Used in TLS 1.3, WireGuard, age
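The determinism contrast between Ed25519 and ECDSA above, plus the RSA formulas, as an added Go example (stdlib only; not code from the original page). Signing the same message twice shows Ed25519 producing identical signatures while ECDSA produces two different but equally valid ones. The RSA helper evaluates c = m^e mod n and m = c^d mod n on the textbook toy parameters p = 61, q = 53 (n = 3233, e = 17, d = 2753) with no padding, purely to make the formulas concrete; the message "release v1.2.3" is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Ed25519Twice signs msg twice under one fresh key and returns both signatures
// and whether both verify. Ed25519 derives its nonce from the private key and
// the message, so the two signatures are byte-for-byte identical.
func Ed25519Twice(msg []byte) (sig1, sig2 []byte, ok bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, false, err
	}
	sig1, sig2 = ed25519.Sign(priv, msg), ed25519.Sign(priv, msg)
	ok = ed25519.Verify(pub, msg, sig1) && ed25519.Verify(pub, msg, sig2)
	return sig1, sig2, ok, nil
}

// ECDSATwice does the same with ECDSA over P-256. Each signature consumes a
// fresh random nonce k, so the two encodings differ although both verify.
// Nonce reuse or bias exposes the private key, hence the page's RNG warning.
func ECDSATwice(msg []byte) (sig1, sig2 []byte, ok bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, false, err
	}
	digest := sha256.Sum256(msg) // ECDSA signs a hash, not the raw message
	if sig1, err = ecdsa.SignASN1(rand.Reader, priv, digest[:]); err != nil {
		return nil, nil, false, err
	}
	if sig2, err = ecdsa.SignASN1(rand.Reader, priv, digest[:]); err != nil {
		return nil, nil, false, err
	}
	ok = ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig1) &&
		ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig2)
	return sig1, sig2, ok, nil
}

// TextbookRSA evaluates the page's formulas c = m^e mod n and m = c^d mod n.
// No padding and a toy modulus: it is a calculator for the math, not a cipher.
func TextbookRSA(m, e, d, n int64) (c, recovered int64) {
	N := big.NewInt(n)
	C := new(big.Int).Exp(big.NewInt(m), big.NewInt(e), N)
	M := new(big.Int).Exp(C, big.NewInt(d), N)
	return C.Int64(), M.Int64()
}

func main() {
	msg := []byte("release v1.2.3") // constructed sample message
	s1, s2, ok, _ := Ed25519Twice(msg)
	fmt.Println("Ed25519 deterministic:", bytes.Equal(s1, s2), "verified:", ok)
	e1, e2, ok, _ := ECDSATwice(msg)
	fmt.Println("ECDSA deterministic:", bytes.Equal(e1, e2), "verified:", ok)
	// Toy parameters: p=61, q=53, n=3233, e=17, d=2753 (17*2753 = 1 mod 3120)
	c, m := TextbookRSA(65, 17, 2753, 3233)
	fmt.Println("c =", c, "recovered m =", m)
}
```

Real RSA use goes through a padding scheme (OAEP for encryption, PSS for signatures) and a 2048-bit or larger modulus; the toy function exists only to show the exponentiation the two formulas describe.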
Diffie-Hellman key exchange
Two parties derive shared secret over insecure channel:
1. Alice and Bob agree on public parameters (g, p)
2. Alice picks secret a, sends g^a mod p
3. Bob picks secret b, sends g^b mod p
4. Alice computes (g^b)^a mod p = g^(ab) mod p
5. Bob computes (g^a)^b mod p = g^(ab) mod p
6. Shared secret: g^(ab) mod p
Eavesdropper sees g^a and g^b but cannot compute g^(ab) (discrete logarithm problem)
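The six steps above, and the X25519 variant listed under asymmetric algorithms, as an added Go example (stdlib only; not code from the original page). `FiniteFieldDH` performs the g^a / g^b exchange with `math/big` so each step is visible; `X25519Exchange` does the same on Curve25519 with `crypto/ecdh`, which is what TLS 1.3 and WireGuard actually use. The group in `ToyParams` (p = 2^127 - 1, base 3) is a deliberately small illustration-only choice, not a real deployment parameter.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"fmt"
	"math/big"
)

// DHParty holds one side's secret exponent and the public value it sends.
type DHParty struct {
	secret *big.Int // a (or b): never leaves this party
	public *big.Int // g^secret mod p: sent in the clear
}

// newDHParty runs step 2 (or 3): pick a random secret in [2, p-2] and publish
// g^secret mod p.
func newDHParty(g, p *big.Int) (*DHParty, error) {
	upper := new(big.Int).Sub(p, big.NewInt(3))
	s, err := rand.Int(rand.Reader, upper)
	if err != nil {
		return nil, err
	}
	s.Add(s, big.NewInt(2))
	return &DHParty{secret: s, public: new(big.Int).Exp(g, s, p)}, nil
}

// sharedWith runs step 4 (or 5): raise the peer's public value to our secret.
func (d *DHParty) sharedWith(peerPublic, p *big.Int) *big.Int {
	return new(big.Int).Exp(peerPublic, d.secret, p)
}

// FiniteFieldDH walks the six steps with agreed public (g, p) and returns both
// sides' results so the caller can confirm they are the same g^(ab) mod p.
func FiniteFieldDH(g, p *big.Int) (aliceShared, bobShared *big.Int, err error) {
	alice, err := newDHParty(g, p)
	if err != nil {
		return nil, nil, err
	}
	bob, err := newDHParty(g, p)
	if err != nil {
		return nil, nil, err
	}
	// Only alice.public and bob.public cross the wire; an eavesdropper would
	// need the discrete log of one of them to reach the shared value.
	return alice.sharedWith(bob.public, p), bob.sharedWith(alice.public, p), nil
}

// X25519Exchange is the same protocol on Curve25519. Each ECDH() call is
// step 4/5; both 32-byte results must match.
func X25519Exchange() (aliceShared, bobShared []byte, err error) {
	curve := ecdh.X25519()
	alicePriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	bobPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	aliceShared, err = alicePriv.ECDH(bobPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	bobShared, err = bobPriv.ECDH(alicePriv.PublicKey())
	return aliceShared, bobShared, err
}

// ToyParams is an illustration-only group: p = 2^127 - 1 (a Mersenne prime)
// with base 3. Real deployments use a 2048-bit+ RFC 3526 group or X25519.
func ToyParams() (g, p *big.Int) {
	p = new(big.Int).Lsh(big.NewInt(1), 127)
	p.Sub(p, big.NewInt(1))
	return big.NewInt(3), p
}

func main() {
	g, p := ToyParams()
	a, b, err := FiniteFieldDH(g, p)
	fmt.Println("finite-field DH agree:", err == nil && a.Cmp(b) == 0)
	x, y, err := X25519Exchange()
	fmt.Println("X25519 agree:", err == nil && string(x) == string(y))
}
```

In either form the raw shared value is not used as a key directly; it is fed to a KDF such as HKDF (covered under key derivation functions) to produce the actual session keys.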
Hashing
One-way function: fixed-size output from arbitrary input. No key.
Hash algorithms
SHA-256: 256-bit, ubiquitous (TLS, git, Bitcoin)
SHA-3: 256/512-bit, different design (backup if SHA-2 breaks)
BLAKE3: very fast (4× SHA-256), tree-based parallelism
MD5/SHA-1: BROKEN for collision resistance — never for security
HMAC: keyed hash (HMAC-SHA256)
Proves integrity AND authenticity
Used in JWT, API signatures, message authentication
Key derivation functions (KDF)
Derive strong key from password. Slow by design.
Argon2id: current recommendation, memory-hard
Resists GPU/ASIC attacks
bcrypt: still acceptable, widely deployed
scrypt: memory-hard, but Argon2id preferred
PBKDF2: minimum 600K iterations (OWASP 2024)
Less memory-hard than Argon2
HKDF: for high-entropy input (not passwords)
Extract-then-expand, used in TLS 1.3
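The hashing, HMAC and HKDF points above as one added Go example (stdlib only; not code from the original page). It hashes with SHA-256, signs and verifies an HMAC-SHA256 tag using a constant-time comparison, and implements HKDF's extract-then-expand exactly as RFC 5869 defines it; the HKDF inputs in `main` are RFC 5869 test case 1, so the output can be checked against the published vector. The HMAC key and request line are constructed sample values. Password hashing (Argon2id, bcrypt) is not shown here because it lives outside the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SHA256Hex hashes data with SHA-256 and returns lowercase hex.
func SHA256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// HMACSign produces an HMAC-SHA256 tag over msg under key.
func HMACSign(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// HMACVerify recomputes the tag and compares in constant time. A plain
// bytes.Equal would reveal, through timing, how many leading bytes matched.
func HMACVerify(key, msg, tag []byte) bool {
	return hmac.Equal(HMACSign(key, msg), tag)
}

// HKDFExtract is RFC 5869 step 1: PRK = HMAC(salt, IKM). It concentrates the
// entropy of a high-entropy input such as a DH shared secret.
func HKDFExtract(salt, ikm []byte) []byte {
	if salt == nil {
		salt = make([]byte, sha256.Size) // RFC 5869: absent salt = HashLen zero bytes
	}
	return HMACSign(salt, ikm)
}

// HKDFExpand is step 2: OKM = T(1) || T(2) || ... with
// T(i) = HMAC(PRK, T(i-1) || info || i), truncated to length bytes.
func HKDFExpand(prk, info []byte, length int) ([]byte, error) {
	if length > 255*sha256.Size {
		return nil, errors.New("hkdf: requested length too long")
	}
	var okm, prev []byte
	for i := byte(1); len(okm) < length; i++ {
		mac := hmac.New(sha256.New, prk)
		mac.Write(prev)
		mac.Write(info)
		mac.Write([]byte{i})
		prev = mac.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length], nil
}

func main() {
	fmt.Println("SHA-256(\"abc\") =", SHA256Hex([]byte("abc")))
	key := []byte("constructed-demo-key")
	tag := HMACSign(key, []byte("GET /api/v1/orders"))
	fmt.Println("HMAC verifies:", HMACVerify(key, []byte("GET /api/v1/orders"), tag))
	fmt.Println("modified msg:", HMACVerify(key, []byte("GET /api/v1/admin"), tag))
	// RFC 5869 test case 1 inputs
	ikm := make([]byte, 22)
	for i := range ikm {
		ikm[i] = 0x0b
	}
	salt, _ := hex.DecodeString("000102030405060708090a0b0c")
	info, _ := hex.DecodeString("f0f1f2f3f4f5f6f7f8f9")
	okm, _ := HKDFExpand(HKDFExtract(salt, ikm), info, 42)
	fmt.Println("OKM =", hex.EncodeToString(okm))
}
```

The `info` argument is what lets one shared secret yield independent keys for different purposes (client write key, server write key, and so on), which is how TLS 1.3 uses the expand step.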
PKI and Certificates
Certificate chain
Root CA (self-signed, trusted by OS/browser)
↓ signs
Intermediate CA
↓ signs
Leaf Certificate (your server/client)
X.509 certificate contains:
Subject: who the cert is for (CN, SANs)
Issuer: who signed it (CA)
Public key: the key being certified
Validity: not before / not after dates
Signature: CA's signature over the above
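The root → intermediate → leaf chain and the X.509 fields listed above, as an added Go example (stdlib `crypto/x509` only; not code from the original page). It mints all three certificates with ECDSA P-256 keys and then verifies the leaf the way a TLS client would: trusting only the root, using the supplied intermediate, and matching the hostname against the SANs. The CA names and the hostname `app.example.test` are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the three certificates of a minimal PKI hierarchy.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue signs template with the parent's key (self-signs when parent == nil)
// and parses the resulting DER back into a Certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates root -> intermediate -> leaf. Subject, validity and public
// key come from each template; Issuer and Signature come from the parent.
func BuildChain(leafDNS string) (*Chain, error) {
	now := time.Now()
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	caTemplate := func(serial int64, cn string, years int) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.AddDate(years, 0, 0),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root, err := issue(caTemplate(1, "Example Root CA", 10), nil, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	inter, err := issue(caTemplate(2, "Example Intermediate CA", 5), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leafTemplate := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafDNS},
		DNSNames:     []string{leafDNS}, // SANs: what clients actually match against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTemplate, inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyLeaf does what a TLS client does: trust only the given roots, use the
// intermediates the server supplied, and require the name to match a SAN.
func VerifyLeaf(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, dnsName string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: dnsName}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	ch, err := BuildChain("app.example.test") // constructed hostname
	if err != nil {
		panic(err)
	}
	inter, roots := []*x509.Certificate{ch.Intermediate}, []*x509.Certificate{ch.Root}
	fmt.Println("valid chain:", VerifyLeaf(ch.Leaf, inter, roots, "app.example.test"))
	fmt.Println("missing intermediate:", VerifyLeaf(ch.Leaf, nil, roots, "app.example.test"))
	fmt.Println("wrong name:", VerifyLeaf(ch.Leaf, inter, roots, "other.example.test"))
}
```

The two failing calls are the cases operators hit most often: a server that forgets to send its intermediate, and a certificate whose SANs do not cover the name the client connected to.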
TLS 1.3
1-RTT handshake (improved from 1.2's 2-RTT)
Mandatory PFS (perfect forward secrecy)
Removed weak algorithms: RC4, CBC-mode suites, static RSA key exchange
Only AEAD cipher suites allowed
Cipher suites:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
Envelope encryption
Data encrypted with DEK (data encryption key)
DEK encrypted with KEK (key encryption key)
Benefits:
Rotate KEK without re-encrypting all data
Only small DEK needs re-encryption
Used by AWS KMS, Vault Transit, Azure Key Vault
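Envelope encryption built on the AEAD described earlier in the page, as one added Go example covering both sections (stdlib only; not code from the original page, nor from any of the named KMS products). `Seal` and `Open` are AES-256-GCM with the nonce prefixed to the output; `Encrypt` generates a per-object DEK and wraps it under the KEK with the KEK version as associated data; `RotateKEK` re-wraps only the 32-byte DEK and leaves the bulk ciphertext untouched. Keys, version labels and the plaintext are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// newGCM wraps a 32-byte key as an AES-256-GCM AEAD (16 bytes = AES-128).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and authenticates it together with aad (sent in the
// clear). Output: nonce || ciphertext || 16-byte tag. The nonce is fresh random
// per call and must never repeat under the same key.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the tag over ciphertext and aad before releasing any plaintext;
// one flipped bit anywhere yields an error rather than corrupted output.
func Open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// randomKey draws a 256-bit key from the OS CSPRNG.
func randomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// Envelope is one stored object: data under its own DEK, the DEK under the KEK.
type Envelope struct {
	Ciphertext []byte // sealed with the DEK; never rewritten on KEK rotation
	WrappedDEK []byte // the DEK sealed with the KEK, KEK version as AAD
	KEKVersion string
}

// Encrypt: fresh DEK per object, seal the data, then wrap the DEK under the KEK.
func Encrypt(kek []byte, kekVersion string, plaintext []byte) (*Envelope, error) {
	dek, err := randomKey()
	if err != nil {
		return nil, err
	}
	ct, err := Seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := Seal(kek, dek, []byte(kekVersion))
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, WrappedDEK: wrapped, KEKVersion: kekVersion}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the data with the DEK.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := Open(kek, env.WrappedDEK, []byte(env.KEKVersion))
	if err != nil {
		return nil, err
	}
	return Open(dek, env.Ciphertext, nil)
}

// RotateKEK re-wraps only the 32-byte DEK; the bulk ciphertext is untouched.
func RotateKEK(oldKEK, newKEK []byte, newVersion string, env *Envelope) error {
	dek, err := Open(oldKEK, env.WrappedDEK, []byte(env.KEKVersion))
	if err != nil {
		return err
	}
	wrapped, err := Seal(newKEK, dek, []byte(newVersion))
	if err != nil {
		return err
	}
	env.WrappedDEK, env.KEKVersion = wrapped, newVersion
	return nil
}
```

In a real deployment the KEK never leaves the KMS: the wrap and unwrap calls go to the service, and the application only ever holds DEKs. Binding the KEK version into the AAD means a wrapped DEK cannot be presented under the wrong version without the tag check failing.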
See Also
- Certificates — practical PKI operations
- TLS — TLS configuration and debugging
- age — modern file encryption using X25519
- Information Theory — entropy underpins cryptographic strength