What are cryptography basics?

At a practical level, cryptography basics cover the tools and guarantees used to protect digital information. Developers usually work with four goals:

• Confidentiality: only authorized parties can read data.
• Integrity: unauthorized changes can be detected.
• Authentication: you can verify who sent or owns something.
• Non-repudiation: a signer cannot easily deny a valid signature.

These guarantees show up everywhere: HTTPS, API tokens, password databases, signed software packages, encrypted backups, and secure messaging.

Core building blocks in cryptography basics

1. Hash functions

A cryptographic hash takes input of any size and produces a fixed-size output. Good hash functions are deterministic, one-way in practice, and sensitive to input changes.

Use cases:

• Verifying file integrity
• Storing passwords indirectly with password hashing algorithms
• Generating content fingerprints
• Supporting digital signatures

Important note: SHA-256 is a general-purpose cryptographic hash, but password storage should use dedicated password hashing algorithms such as bcrypt, scrypt, or Argon2.

echo -n "hello" | sha256sum

2. Symmetric encryption

Symmetric encryption uses the same secret key for encryption and decryption. It is efficient and ideal for protecting large volumes of data.

Common algorithm: AES

• AES-GCM: provides confidentiality and integrity
• AES-CBC: older mode, easier to misuse without extra integrity protection

from cryptography.hazmat.primitives.ciphers.aead import AESGCM
import os

key = AESGCM.generate_key(bit_length=256)
aesgcm = AESGCM(key)
nonce = os.urandom(12)
data = b"sensitive payload"
ciphertext = aesgcm.encrypt(nonce, data, None)
plaintext = aesgcm.decrypt(nonce, ciphertext, None)
print(plaintext)

3. Asymmetric cryptography

Asymmetric systems use a public key and a private key. The public key can be shared, while the private key must remain secret.

Typical uses:

• Digital signatures
• TLS certificates
• Secure key exchange
• Identity verification

This model is central to HTTPS and modern software distribution pipelines. When designing modular systems, the same architectural rigor you apply in hexagonal architecture also helps isolate cryptographic concerns into well-defined adapters and boundaries.

4. Digital signatures

A digital signature proves that a message was signed by the holder of a private key and that the message was not altered afterward.

openssl genpkey -algorithm RSA -out private.pem
openssl rsa -pubout -in private.pem -out public.pem
openssl dgst -sha256 -sign private.pem -out signature.bin message.txt
openssl dgst -sha256 -verify public.pem -signature signature.bin message.txt

Cryptography basics vs common misconceptions

One of the biggest mistakes in beginner implementations is confusing encoding with encryption. Base64 is not security. It is formatting.

How cryptography basics power real applications

TLS and HTTPS

When a browser connects to your site over HTTPS, several cryptographic primitives work together:

• Certificates help authenticate the server
• Asymmetric cryptography helps establish trust and negotiate secrets
• Symmetric encryption protects the actual session efficiently
• Message authentication ensures data integrity

Password storage

Passwords should not be encrypted for storage in most application designs. Instead, hash them with a slow, salted password hashing algorithm.

const bcrypt = require('bcrypt');

async function hashPassword(password) {
  const rounds = 12;
  return await bcrypt.hash(password, rounds);
}

async function verifyPassword(password, hash) {
  return await bcrypt.compare(password, hash);
}

JWTs and signed tokens

Many authentication systems use signed tokens. Developers must understand whether a token is merely signed, encrypted, or both. That distinction affects what data can safely be placed inside.

If your frontend stack is evolving toward distributed UI delivery, secure token handling becomes even more important across independently deployed surfaces, especially in architectures like micro frontends.

Safe algorithm choices in cryptography basics

Use modern, well-reviewed algorithms and trusted libraries. As a rule of thumb:

• Hashing: SHA-256, SHA-3 for general integrity
• Password hashing: Argon2, bcrypt, scrypt
• Symmetric encryption: AES-GCM or ChaCha20-Poly1305
• Signatures: Ed25519, ECDSA, RSA where compatibility requires it
• Key exchange: X25519, ECDH

Key management: the real heart of cryptography basics

Strong algorithms fail if keys are handled poorly. In production systems, the hardest problems are often operational:

• Where are keys stored?
• Who can access them?
• How are they rotated?
• How are they backed up?
• How do you revoke compromised keys?

Best practices include using cloud KMS products, HSM-backed services where needed, environment isolation, secret rotation policies, and audit logging.

Implementation pitfalls developers should avoid

Rolling your own crypto

Custom cryptographic design is dangerous. Use established standards and mature libraries.

Reusing nonces or IVs

Some algorithms and modes become insecure if nonces are reused. Follow library guidance exactly.

Ignoring randomness quality

Cryptography depends on secure randomness. Use cryptographically secure random generators from your platform.

Leaking secrets in logs

Never log keys, raw tokens, passwords, or decrypted sensitive payloads.

Skipping threat modeling

Cryptography cannot fix broken trust assumptions. Understand attackers, assets, and boundaries first.

A practical developer workflow for cryptography basics

1. Define what you are protecting and from whom.
2. Choose the correct primitive: hash, encrypt, sign, or derive keys.
3. Pick a trusted library, not a low-level homemade implementation.
4. Use secure defaults and authenticated encryption.
5. Store and rotate keys safely.
6. Test failure paths, expiration, revocation, and tampering cases.
7. Document your assumptions for future maintainers.

FAQ: cryptography basics for developers

What is the difference between hashing and encryption?

Hashing is primarily for integrity and fingerprinting, while encryption is for confidentiality. Hashes are one-way in practice; encryption is designed to be reversible with the right key.

Should I encrypt passwords in my database?

No. In most applications, passwords should be stored using a slow salted password hashing algorithm like Argon2 or bcrypt, not reversible encryption.

What is the safest way to start using cryptography in an app?

Start with trusted libraries, modern defaults, authenticated encryption, secure key storage, and a clear threat model. Avoid custom algorithms and undocumented shortcuts.