Module 9 - Security

Encryption

Protecting data so only authorized parties can read it.

1. The Lock and Key Analogy

Simple Analogy
Symmetric: Same key locks and unlocks. Like a house key: you share copies with trusted people.
Asymmetric: One key locks (public), another unlocks (private). Like a mailbox: anyone can drop mail in, only you have the key to open it.

Encryption transforms readable data (plaintext) into unreadable data (ciphertext). Only those with the correct key can reverse it (decrypt).

2. Symmetric Encryption

Same key for encryption and decryption. Fast, but key distribution is tricky.

AES-256

Very Fast, Very Strong

Data at rest, database encryption, file encryption

ChaCha20

Very Fast, Very Strong

TLS (mobile), when AES hardware unavailable

Key Challenge

How do you securely share the key? If an attacker intercepts the key, encryption is useless.

3. Asymmetric Encryption

Public key encrypts, private key decrypts. Solves key distribution.

RSA

Slow, Strong (2048+ bits)

Key exchange, digital signatures, certificates

ECDSA

Faster, Strong

Bitcoin, modern TLS, smaller keys than RSA

Public Key

Share freely. Used to encrypt data or verify signatures.

Private Key

Keep secret! Used to decrypt data or create signatures.

4. Hashing (Not Encryption)

Hashing is one-way. You cannot reverse a hash to get the original data. Used for passwords, data integrity, checksums.

bcrypt/scrypt/Argon2

Password hashing

Intentionally slow. Salted. Resistant to brute force.

SHA-256

Data integrity, checksums

Fast. Not for passwords (so fast that brute-forcing guesses is cheap).

MD5/SHA-1

DEPRECATED

Broken. Don't use for security.

5. Encryption at Rest vs In Transit

At Rest

Data stored on disk: databases, S3, hard drives

AES-256 encryption. Keys in KMS.

AWS S3 server-side encryption

In Transit

Data moving over network

TLS/HTTPS encrypts the connection

HTTPS, TLS 1.3

End-to-end encryption (E2EE): Data encrypted on sender's device, only decrypted on recipient's device. Server can't read it. (WhatsApp, Signal)

6. Common Mistakes

Rolling Your Own Crypto

Don't invent encryption algorithms. Use well-tested libraries (libsodium, OpenSSL).

Hardcoding Keys

Keys in source code = keys in version control = compromised.

Using MD5/SHA-1 for Passwords

Too fast. Use bcrypt, scrypt, or Argon2 which are intentionally slow.

Encrypting with ECB Mode

ECB reveals patterns: identical plaintext blocks encrypt to identical ciphertext blocks. Use GCM or CBC with a proper IV.

7. Key Takeaways

1. Symmetric (AES): same key, fast. Asymmetric (RSA): key pairs, slower.
2. Hashing is one-way. Use bcrypt/Argon2 for passwords.
3. Encrypt at rest (disk) and in transit (network).
4. Never roll your own crypto. Use proven libraries.
5. Store keys in KMS/HSM, not in code.

Quiz

1. Storing user passwords. Best approach?

2. TLS uses which encryption primarily?