Cryptography and PKI Fundamentals

[Infographic: "HELLO → 7x#K9$mN…"; symmetric — same key (AES); asymmetric — key pair (RSA); hashing: one-way fingerprint (SHA-256); TLS: encrypts data in transit (HTTPS); PKI: infrastructure for digital certificates; digital signatures: prove authenticity; AES-256 + RSA-2048 = current gold standard]

Understand symmetric and asymmetric encryption, hashing, digital signatures, TLS, and Public Key Infrastructure — the building blocks of secure communication.

Cryptography is the science of securing information through mathematical techniques. It underpins every secure connection, encrypted file, and digital signature you rely on daily.

Symmetric vs Asymmetric Encryption

  • Symmetric encryption: the same key encrypts AND decrypts (Plaintext → 🔑 shared key → Ciphertext → 🔑 same key → Plaintext). Examples: AES-256, ChaCha20. Fast; key sharing is the challenge.
  • Asymmetric encryption: the public key encrypts and the private key decrypts (or vice versa for signatures). 🔓 Public key: share freely. 🔒 Private key: NEVER share. Examples: RSA-2048, ECDSA. Slower; no key sharing needed.

How TLS (HTTPS) Works

When you visit an https:// site, your browser and the server perform a TLS handshake that uses both asymmetric and symmetric encryption:
  1. Server sends its certificate containing its public key
  2. Browser verifies the certificate is signed by a trusted Certificate Authority (CA)
  3. Browser and server use asymmetric crypto to agree on a session key
  4. All further communication uses fast symmetric encryption with that session key
✓ Key Point
The padlock in your browser confirms two things: (1) the connection is encrypted, and (2) the certificate was issued to the domain you’re visiting by a trusted CA. It does not mean the website is legitimate — phishing sites get valid HTTPS certificates too. Always verify the domain name, not just the padlock.

Hashing vs Encryption

Property                   | Encryption                          | Hashing
Reversible?                | Yes (with the key)                  | No — one-way only
Used for                   | Protecting data in transit/at rest  | Storing passwords, file integrity
Example                    | AES-256 encrypting a file           | SHA-256 hash of a file
Key required?              | Yes                                 | No
Same input = same output?  | Yes (with same key)                 | Yes (deterministic)
⛔ Important
Passwords must be hashed, not encrypted. If passwords are encrypted, anyone who obtains the encryption key can decrypt them all. Passwords should be hashed with a strong, slow algorithm (bcrypt, Argon2, scrypt) with a unique salt per password. MD5 and SHA-1 are cryptographically broken and must never be used for passwords.
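As an added example (not code from the original page or from Mobile Techs), a Python sketch of the password-storage rule above: a random salt per password plus a slow KDF (scrypt from the standard library's hashlib) beside the unsalted SHA-256 anti-pattern, with an audit helper showing why unsalted, deterministic digests reveal users who share a password. The function names and cost parameters are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (illustrative values chosen for this example; raise
# them as hardware allows). 2**14 * 8 * 128 bytes = 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16  # bytes of random salt per password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'scrypt$<salt hex>$<key hex>'.

    A fresh random salt per password means two users who chose the same
    password get different stored values, and precomputed tables are useless.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False  # unknown or malformed record: never succeed by accident
    try:
        salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: fast and deterministic, so identical passwords give
    identical digests and a leaked table exposes every shared password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def users_sharing_a_digest(table: dict) -> list:
    """Audit helper over {user: unsalted digest}: users whose digest also
    appears under another account. Only possible because no salt was used."""
    counts = {}
    for digest in table.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sorted(user for user, digest in table.items() if counts[digest] > 1)
```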

Certificate Lifecycle

Certificates expire and must be renewed. An expired certificate causes:
  • Browser warnings that drive users away
  • Complete loss of HTTPS protection
  • Potential service outage
⚠ Warning
Certificate expiry has caused major outages at organisations worldwide — including banks and government services. Organisations should maintain a certificate inventory with automated expiry alerts at 60, 30, and 7 days. Never let a certificate expire silently.
Is your data actually encrypted where it counts?
Encryption only protects you when it’s set up correctly — and an expired certificate or unencrypted laptop can undo it all. Mobile Techs IT Service helps Gold Coast businesses get the fundamentals right: SSL/TLS certificates managed and renewed on time, full-disk encryption on every device, encrypted backups, and secure VPNs for data in transit. Home users welcome too — on-site or remote, anywhere in Australia.