Understanding Core Cryptography Concepts: Public Keys, Digital Signatures, and AEAD
This article introduces essential cryptography fundamentals for programmers, covering public‑key encryption, key‑exchange protocols, digital envelopes, signatures, certificates, hash functions, MACs, and authenticated encryption with associated data, while highlighting practical security considerations.
Whether you realize it or not, you interact with cryptography every day; any use of the Internet relies on cryptographic techniques such as HTTPS, which is built on formal cryptographic theory. As programmers, understanding these basic concepts is essential.
1. Simple Public‑Key Encryption Model
Public keys are used for encryption, while private keys are used for decryption.
2. Key‑Exchange Model
Key agreement/key exchange is a protocol where two or more parties exchange messages to jointly establish a shared secret key without any party knowing the key in advance.
3. Digital Envelope
A digital envelope is a data structure that contains ciphertext encrypted with a symmetric key and the symmetric key itself encrypted with a public key.
Public‑key encryption protects the symmetric key, while symmetric encryption protects the plaintext.
A new security issue arises: the sender cannot be sure whether the received public key has been tampered with, i.e., whether it truly belongs to the intended recipient.
4. Digital Signature Model
A digital signature is created by applying a private‑key cryptographic operation to the hash of the data; the signature can be verified only with the signer’s public key, ensuring data integrity, signer authenticity, and non‑repudiation.
5. Digital Certificate
A digital certificate (or public‑key certificate) is a data structure signed by a Certificate Authority (CA) that contains the holder’s public key, identity information, issuer details, validity period, and extensions. Certificates can be personal, organizational, or device‑based, and serve signing or encryption purposes.
6. Hash Functions
A hash algorithm maps an arbitrary‑length bit string to a fixed‑length output and satisfies three properties: (1) given an output, finding an input that maps to it is computationally hard (pre‑image resistance); (2) given one input, finding a second, different input that maps to the same output is hard (second‑pre‑image resistance); (3) finding any two distinct inputs that produce the same output is hard (collision resistance). Note: hashing is generally not considered encryption.
7. Message Authentication Code (MAC)
A MAC is a tag computed from the data and a secret key by a cryptographic algorithm; it is used to verify data integrity. HMAC is the most common MAC construction.
8. Authenticated Encryption with Associated Data (AEAD)
AEAD is an encryption mode that simultaneously provides confidentiality, integrity, and authenticity of data, protecting both the ciphertext and any associated additional data.
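The digital envelope from section 3 and the AEAD mode from section 8 can be shown together. The following is an added example, not code from the original article: it uses Node.js's built-in crypto module with RSA-OAEP and AES-256-GCM as assumed algorithm choices, and the function names, key pair and sample message are constructed for illustration. It assumes the recipient's public key is authentic, which is the problem certificates (section 5) address.

```javascript
// Load Node's built-in crypto module under either CommonJS or ES modules.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Sender: encrypt the plaintext under a fresh AES-256-GCM key, then wrap that
// key with the recipient's RSA public key. `header` is the associated data:
// it is covered by the GCM tag but travels unencrypted.
function sealEnvelope(recipientPublicKey, plaintext, header) {
  const key = nodeCrypto.randomBytes(32);   // one-time symmetric key
  const nonce = nodeCrypto.randomBytes(12); // 96-bit nonce, unique per key
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(header);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    header, nonce, ciphertext,
    tag: cipher.getAuthTag(),
    wrappedKey: nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, key),
  };
}

// Recipient: unwrap the symmetric key with the private key, then decrypt.
// final() throws if the ciphertext, tag, nonce or header was modified.
function openEnvelope(recipientPrivateKey, env) {
  const key = nodeCrypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, env.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, env.nonce);
  decipher.setAAD(env.header);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

// True when opening the envelope fails authentication.
function isRejected(privateKey, env) {
  try { openEnvelope(privateKey, env); return false; } catch { return true; }
}

// Constructed demo: throwaway key pair, sample message and sample header.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const env = sealEnvelope(publicKey, Buffer.from("wire 100 to account 42"), Buffer.from("msg-id=7;to=bob"));
  const flipped = Buffer.from(env.ciphertext); // copy, then flip one bit
  flipped[0] ^= 1;
  return {
    roundTrip: openEnvelope(privateKey, env).toString(),
    headerTamperRejected: isRejected(privateKey, { ...env, header: Buffer.from("msg-id=7;to=eve") }),
    ciphertextTamperRejected: isRejected(privateKey, { ...env, ciphertext: flipped }),
  };
}
console.log(demo());
```

The header is readable by anyone on the path, yet changing it invalidates the tag just as changing the ciphertext does.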
OPPO Amber Lab
Centered on user data security and privacy, we conduct research and open our tech capabilities to developers, building an information‑security fortress for partners and users and safeguarding OPPO device security.
