Cryptography Fundamentals

Explain Introduction.

Explain The Caesar Cipher.

Explain The Vigenère Cipher.

Explain The Enigma Machine.

Cryptography is among the oldest disciplines in the long history of human secrecy and communication.

At its core, cryptography is the science and art of transforming information into an unintelligible form so that only authorized parties can read it.

The word itself comes from the Greek kryptos (hidden) and graphia (writing).

Cryptography is among the oldest disciplines in the long history of human secrecy and communication.

At its core, cryptography is the science and art of transforming information into an unintelligible form so that only authorized parties can read it.

The word itself comes from the Greek kryptos (hidden) and graphia (writing).

The importance of cryptography in computing and information assurance cannot be overstated.

The Caesar cipher, attributed to Julius Caesar, is one of the earliest documented encryption schemes.

It works by shifting each letter of the alphabet by a fixed number of positions.

For example, with a shift of 3, the letter A becomes D, B becomes E, and so on.

The message "ATTACK AT DAWN" would become "DWWDFN DW GDZQ." Despite its historical significance, the Caesar cipher is trivially weak by modern standards.

The Vigenère cipher, introduced in the 16th century, improved on Caesar by using a repeating keyword to determine different shifts for different character positions.

If the keyword is "KEY" and the message is "HELLOWORLD," then the first letter H is shifted by K (10), E is shifted by E (4), L is shifted by Y (24), and so on.

The cipher repeats the keyword cyclically across the message.

For centuries, the Vigenère cipher was considered unbreakable.

The Enigma machine, used by Nazi Germany during World War II, represented a leap in mechanical cryptographic complexity.

It used a series of electromechanical rotors that scrambled electrical signals as a key was pressed, with the rotor positions advancing after each keypress, producing a…

The number of possible configurations was on the order of 10^23.

Despite this complexity, the Enigma was broken through a combination of mathematical insight (notably by Alan Turing and his colleagues at Bletchley Park), procedural weaknesses…

Modern cryptography is defined by four primary security goals: - Confidentiality : Ensuring that information is accessible only to authorized parties.

Encryption is the primary mechanism.

- Integrity : Ensuring that information has not been altered in an unauthorized manner.

Hash functions and MACs (Message Authentication Codes) provide this.

Symmetric encryption uses the same key for both encryption and decryption.

Modern symmetric ciphers operate as block ciphers , processing fixed-size chunks of data (blocks) rather than individual bytes.

The plaintext is divided into blocks (typically 128 bits), each block is encrypted with a series of mathematical transformations, and the resulting ciphertext blocks are assembled…

This layered approach is called a substitution-permutation network (SPN).

The Data Encryption Standard (DES) was adopted as a federal standard in 1977.

It operates on 64-bit blocks with a 56-bit key, using 16 rounds of a Feistel network structure.

By the late 1990s, the short key length had become a critical vulnerability — a special-purpose machine called Deep Crack demonstrated in 1998 that DES could be brute-forced in…

Triple DES (3DES) was introduced as a stopgap, applying DES encryption three times with either two or three independent keys (112-bit or 168-bit effective key length).

The Advanced Encryption Standard (AES) , standardized by NIST in 2001, replaced DES and 3DES as the gold standard for symmetric encryption.

AES supports key lengths of 128, 192, or 256 bits and operates on 128-bit blocks through 10, 12, or 14 rounds respectively.

Its design is based on a substitution-permutation network and has withstood more than two decades of intense cryptanalytic scrutiny.

AES is extraordinarily fast in both hardware and software.

Even a secure block cipher like AES can be used insecurely if the mode of operation is poorly chosen.

A mode of operation defines how a block cipher is applied to messages longer than a single block.

- ECB (Electronic Codebook) : The simplest mode — each block is encrypted independently.

This is dangerously insecure for most purposes because identical plaintext blocks produce identical ciphertext blocks, leaking information about patterns in the data.

The security of any symmetric encryption system ultimately depends on the security of the key, not the algorithm.

Key management — the processes governing key generation, distribution, storage, rotation, and destruction — is often the weakest link in cryptographic deployments.

Keys must be generated using a cryptographically secure random number generator (CSPRNG).

They must be stored securely, ideally in dedicated hardware (HSMs — Hardware Security Modules).

The fundamental limitation of symmetric encryption is the key distribution problem : if Alice wants to send Bob an encrypted message, how does she share the symmetric key with him…

Asymmetric (or public-key ) cryptography, introduced by Diffie and Hellman in 1976 and formalized by Rivest, Shamir, and Adleman in 1977, solves this problem elegantly.

In asymmetric cryptography, each party has a key pair : a public key that can be freely shared with anyone, and a private key that is kept absolutely secret.

Data encrypted with the public key can only be decrypted with the corresponding private key.

RSA (Rivest-Shamir-Adleman) is the most widely deployed asymmetric encryption algorithm.

Its security rests on the integer factorization problem : multiplying two large prime numbers together is computationally easy, but factoring the product back into its prime…

The key generation process, in simplified form: 1.

Choose two large prime numbers p and q .

Elliptic Curve Cryptography (ECC) provides equivalent security to RSA but with much smaller key sizes.

A 256-bit ECC key provides roughly the same security as a 3072-bit RSA key.

This makes ECC particularly valuable in resource-constrained environments such as mobile devices, embedded systems, and IoT devices.

ECC is based on the mathematical properties of elliptic curves over finite fields and the difficulty of the elliptic curve discrete logarithm problem .

Asymmetric encryption is orders of magnitude slower than symmetric encryption and is generally impractical for encrypting large amounts of data directly.

In practice, systems use hybrid encryption : asymmetric cryptography is used to securely exchange a symmetric session key, and then symmetric encryption (e.g., AES-GCM) handles…

This approach, used in TLS and PGP among others, combines the key distribution advantages of asymmetric cryptography with the speed of symmetric cryptography.

A cryptographic hash function takes an input of arbitrary length and produces a fixed-size output (the digest or hash ).

Unlike encryption, hashing is a one-way operation — given a hash, it should be computationally infeasible to recover the original input.

Hash Functions connects to risk, controls, and evidence.

Preimage resistance : Given a hash h , it should be computationally infeasible to find any input m such that hash( m ) = h .

Second preimage resistance : Given an input m1 , it should be computationally infeasible to find a different input m2 such that hash( m1 ) = hash( m2 ).

Collision resistance : It should be computationally infeasible to find any two distinct inputs m1 and m2 such that hash( m1 ) = hash( m2 ).

MD5 and SHA-1 should never be used for new security-sensitive applications, though they may still appear in legacy systems.

⚠️ Warning : Hashing passwords with a simple hash function (even SHA-256) is insufficient.

Password hashing requires specially designed, computationally expensive algorithms such as bcrypt , Argon2 , or PBKDF2 to resist brute-force and dictionary attacks.

See Chapter 4 for details on password security.

This is why MD5 (128-bit output) is particularly weak — finding a collision requires only about 2^64 computations, which is feasible with modern hardware.

The Birthday Attack connects to risk, controls, and evidence.

The Birthday Attack connects to risk, controls, and evidence.

A digital signature provides authentication, integrity, and non-repudiation for digital documents.

Alice computes the hash of her message: h = hash(message) .

Alice encrypts the hash with her private key: signature = RSA decrypt(private key, h) (conceptually — in practice, this is more precisely described as "signing" using the private…

Alice sends the message and the signature to Bob.

A critical problem with public-key cryptography is: how do you know that a public key actually belongs to who you think it does?

An attacker could substitute their own public key, impersonating another party.

The Public Key Infrastructure (PKI) solves this through digital certificates.

A digital certificate (most commonly an X.509 certificate) binds a public key to an identity (a person, organization, or domain name).

Introduction

The Caesar Cipher

The Vigenère Cipher

The Enigma Machine

Where Introduction applies.

Where The Caesar Cipher applies.

How the difference changes the security decision.

Identify the asset or process at risk.

Choose a preventive, detective, or corrective control.

Explain what evidence would prove the control is working.

Define one core concept in plain language.

Compare two controls or threats from the week.

Apply one idea to a campus or business system.

Evaluate why a solution might fail in practice.

Collect evidence, not just screenshots.

Explain what the artifact proves.

Connect the proof back to risk and control selection.

Cryptography Fundamentals

Security is a decision process, not just a tool list.

Use the reading to justify practical choices.