1.4 Cryptography

Public key infrastructure (PKI)

Public key

A public key is the shareable half of an asymmetric key pair. Anyone may hold it; it is used to encrypt data that only the matching private key can decrypt, and to verify signatures produced with that private key. Its value is not a secret; what matters is that a relying party can trust which identity it belongs to, which is the job of certificates.

Example: a web server's TLS certificate carries the server's public key, which browsers use to verify the server's identity during the handshake before any application data is sent.

```mermaid
flowchart
  subgraph PublicKey
    publickey -->|Shared publicly| EncryptionSignatureVerification
  end
```

Private key

A private key is the secret half of an asymmetric key pair, used to decrypt data encrypted with the matching public key and to generate signatures. It must never leave the owner's control: whoever holds it can read the owner's traffic and sign as the owner. In practice it is protected by a passphrase, file permissions, or hardware such as a TPM, HSM, or smart card.

```mermaid
flowchart
  subgraph PrivateKey
    privatekey -->|Kept secret| DecryptionSignatureGeneration
  end
```

Key escrow

Key escrow stores a copy of a cryptographic key (or of the key that encrypts it) with a trusted third party, so that encrypted data can be recovered if the original key is lost or its owner is unavailable, or so that an organisation can meet legal access requirements. The trade-off is that the escrow agent becomes a single point of compromise; escrowed keys are therefore usually split among several custodians (M-of-N control) and every retrieval is logged.

```mermaid
flowchart
  subgraph KeyEscrow
    keyescrow -->|Stored with third party| Recovery
  end
```

Encryption

Level

Full-disk

Full-disk encryption encrypts an entire storage device at rest, including the operating system, swap, and user data; the key is released at boot by a passphrase, a TPM, or both. It protects a lost or stolen device that is powered off. Once the system is booted and unlocked, the OS decrypts transparently, so FDE gives no protection against malware or a logged-in attacker on the running machine.

```mermaid
flowchart
  subgraph FullDiskEncryption
    fulldisk -->|Protects entire device| OSData
  end
```

Partition

Partition-level encryption encrypts selected partitions on a device rather than the whole disk, for example an encrypted data partition while the boot partition stays in the clear so the system can start. Anything written outside the encrypted partition (swap, temporary files, hibernation images) is unprotected.

```mermaid
flowchart
  subgraph PartitionEncryption
    partition -->|Secures individual partitions| StoragePartitions
  end
```

File

File-level encryption protects individual files or directories (for example with GPG, EFS, or an encrypted archive). The protection travels with the file when it is copied, emailed, or backed up, which disk encryption cannot offer, but file names, sizes, and timestamps usually remain visible.

```mermaid
flowchart
  subgraph FileEncryption
    file -->|Protects individual files| FilesDirectories
  end
```

Volume

Volume-level encryption protects a logical volume or container, which may span several partitions or live as a file on an existing filesystem (BitLocker volumes, VeraCrypt containers, LUKS under LVM). The volume is unlocked as a unit, so it sits between partition encryption and file encryption in granularity.

```mermaid
flowchart
  subgraph VolumeEncryption
    volume -->|Secures specific volumes| StorageVolumes
  end
```

Database

Database encryption protects the database's files at rest, most commonly through transparent data encryption (TDE), where the engine encrypts its data and log files and decrypts them for any authorised query. It defends against theft of backups or storage media, but not against SQL injection or a compromised database account, because those requests go through the engine, which decrypts on their behalf.

```mermaid
flowchart
  subgraph DatabaseEncryption
    database -->|Protects data in databases| Data
  end
```

Record

Record-level encryption encrypts individual records, rows, or fields within a database (a column of card numbers, for instance) with keys held by the application rather than by the database. A database administrator or a full dump then sees only ciphertext for those fields. The cost is that encrypted fields cannot be indexed, sorted, or searched directly.

```mermaid
flowchart
  subgraph RecordEncryption
    record -->|Secures individual records| DataElements
  end
```

Transport/communication

Transport or communication encryption secures data in transit between two endpoints, using protocols such as TLS, IPsec, or SSH. It protects against eavesdropping and tampering on the network path, but the data is in the clear at both endpoints, so it must be combined with at-rest encryption to protect stored data.

```mermaid
flowchart
  subgraph TransportCommunicationEncryption
    transport -->|Secures data during transmission| SecureTransmission
  end
```

Asymmetric

Asymmetric encryption uses a mathematically linked pair of keys: what one key does, only the other can undo. Data encrypted with the public key is decrypted with the private key, and a signature made with the private key is verified with the public key (RSA, elliptic-curve algorithms). It is far slower than symmetric encryption, so in practice it is used to exchange or wrap a symmetric key and to sign hashes, not to encrypt bulk data.

```mermaid
flowchart
  subgraph AsymmetricEncryption
    asymmetric -->|Uses public and private keys| EncryptionDecryption
  end
```

Symmetric

Symmetric encryption uses the same secret key for both encryption and decryption (AES, ChaCha20). It is fast and suited to bulk data, but every party needs the same key, which raises the problem of distributing that key securely; key exchange protocols and asymmetric key wrapping exist to solve it.

```mermaid
flowchart
  subgraph SymmetricEncryption
    symmetric -->|Uses the same key| EncryptionDecryption
  end
```

Key exchange

Key exchange protocols let two parties establish a shared secret over an untrusted channel without ever sending the secret itself; Diffie-Hellman and its elliptic-curve form ECDH are the standard examples, and the shared value is then used to derive symmetric session keys. Using fresh ephemeral keys for each session gives forward secrecy, so a later key compromise does not expose past sessions. Key exchange alone does not authenticate either party, so it must be combined with signatures or certificates to defeat man-in-the-middle attacks.

```mermaid
flowchart
  subgraph KeyExchange
    keyexchange -->|Facilitates secure key exchange| EncryptionKeys
  end
```
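An added example (not part of the original notes) of the exchange described above: finite-field Diffie-Hellman over the RFC 3526 2048-bit MODP group 14, with both parties' wire messages shown and the shared value run through an HKDF-style extract-and-expand step to produce a 256-bit session key. The party names, the salt label, and the `info` string are assumptions for illustration. The second function shows why the authentication caveat matters: with nothing to verify the public values, a third party who substitutes her own derives both session keys.

```python
import hashlib
import hmac
import secrets

# RFC 3526 MODP group 14: 2048-bit safe prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


class Party:
    """One side of the exchange. Only .pub is ever put on the wire."""

    def __init__(self, name: str):
        self.name = name
        self._priv = secrets.randbelow(P - 3) + 2      # secret exponent in [2, p-2], never sent
        self.pub = pow(G, self._priv, P)               # public value, safe to send in the clear

    def derive_key(self, peer_pub: int) -> bytes:
        # Reject values that would force a trivial shared secret (0, 1, p-1)
        if not 2 <= peer_pub <= P - 2:
            raise ValueError("peer public value out of range")
        shared = pow(peer_pub, self._priv, P)          # g^(ab) mod p, identical on both sides
        ikm = shared.to_bytes((P.bit_length() + 7) // 8, "big")
        # HKDF-style extract then expand (RFC 5869), one 32-byte output block
        prk = hmac.new(b"dh-example-salt", ikm, hashlib.sha256).digest()          # assumed salt
        return hmac.new(prk, b"session key" + b"\x01", hashlib.sha256).digest()  # assumed info


def run_exchange():
    """Alice and Bob swap public values; an eavesdropper sees both but not the exponents."""
    alice, bob = Party("alice"), Party("bob")
    msg_to_bob = alice.pub        # wire message 1
    msg_to_alice = bob.pub        # wire message 2
    return alice.derive_key(msg_to_alice), bob.derive_key(msg_to_bob)


def unauthenticated_mitm():
    """Without signatures or certificates on the public values, Mallory sits in the middle."""
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    # Mallory intercepts each public value and forwards her own instead
    key_alice_sees = alice.derive_key(mallory.pub)
    key_bob_sees = bob.derive_key(mallory.pub)
    # Mallory now shares one key with Alice and another with Bob and can re-encrypt between them
    mallory_with_alice = mallory.derive_key(alice.pub)
    mallory_with_bob = mallory.derive_key(bob.pub)
    return key_alice_sees == mallory_with_alice, key_bob_sees == mallory_with_bob
```

Creating a fresh `Party` per session is what gives forward secrecy. To close the second scenario, each side signs its public value with a key the peer can verify through a certificate, which is how TLS combines ephemeral Diffie-Hellman with PKI.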

Algorithms

Cryptographic algorithms are the published mathematical functions used for encryption, hashing, signing, and key exchange. Security should rest on the key, not on the secrecy of the algorithm, so current, openly reviewed standards (AES-GCM, SHA-256, RSA, ECDSA, Ed25519) are preferred, and algorithms with known weaknesses (DES, RC4, MD5, SHA-1 for signatures) should be removed from use.

```mermaid
flowchart
  subgraph CryptographicAlgorithms
    algorithms -->|Define mathematical functions| EncryptionDecryption
  end
```

Key length

Key length is the size of a key in bits and sets the cost of a brute-force search. Lengths are not comparable across algorithm families: AES-128, RSA-3072, and a 256-bit elliptic-curve key offer roughly similar strength. Longer keys cost performance, and a longer key cannot rescue a broken algorithm.

```mermaid
flowchart
  subgraph KeyLength
    keylength -->|Impacts security| EncryptionStrength
  end
```

Tools

Trusted Platform Module (TPM)

A TPM is a hardware module (discrete chip or firmware component) on a device's motherboard that generates and stores keys that never leave it in the clear, performs cryptographic operations with them, and records measurements of the boot process in its platform configuration registers. Keys can be sealed so that they are released only when the measured boot state matches; this is how BitLocker unlocks a disk without a passphrase and how remote attestation proves a machine's state.

```mermaid
flowchart
  subgraph TPM
    tpm -->|Hardware-based security| SecureStorageCrypto
  end
```

Hardware security module (HSM)

An HSM is a dedicated, tamper-resistant hardware device (network appliance, PCIe card, or cloud service) in which keys are generated, stored, and used without ever leaving the device in plaintext. HSMs are typically validated to FIPS 140 and back certificate authorities, code signing, payment processing, and cloud key management services.

```mermaid
flowchart
  subgraph HSM
    hsm -->|Dedicated hardware device| SecureKeyManagementCrypto
  end
```

Key management system

A key management system manages cryptographic keys through their whole lifecycle: generation, distribution, storage, rotation, revocation, and destruction, with access control and audit logging for every use. Cloud KMS services add envelope encryption, where the KMS protects a key-encryption key and applications encrypt their data with locally generated data keys that are wrapped by it.

```mermaid
flowchart
  subgraph KeyManagementSystem
    keymanagement -->|Manages key lifecycle| KeyLifecycle
  end
```

Secure enclave

A secure enclave is an isolated region of a processor with its own memory and code (Apple's Secure Enclave, ARM TrustZone, Intel SGX) that handles sensitive data and operations such as biometric matching and key storage. The main operating system can ask the enclave to perform an operation but cannot read its memory or extract its keys, even with root or kernel privileges.

```mermaid
flowchart
  subgraph SecureEnclave
    secureenclave -->|Protects sensitive data| SecureDataOperations
  end
```

Obfuscation

Steganography

Steganography hides the existence of a message by embedding it in innocuous carrier data, for example in the least significant bits of image pixels, in audio samples, or in the whitespace of a text file. It is obfuscation, not encryption: anyone who knows the embedding method can recover the message, so a sensitive payload should be encrypted before it is hidden. Detection (steganalysis) looks for statistical anomalies in the carrier.

```mermaid
flowchart
  subgraph Steganography
    steganography -->|Hides data within non-secret data| DataHiding
  end
```
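An added example, not from the original notes, of the least-significant-bit technique mentioned above: a message is written into the low bit of successive 8-bit samples, so no sample changes by more than 1 and the carrier looks the same to the eye. The carrier (a repeating byte gradient standing in for raw pixel data) and the secret text are constructed for the example. `extract()` needs no key, which is the point of the caveat: whoever knows the scheme can read the message.

```python
def embed(carrier: bytes, message: bytes) -> bytes:
    """Write message into the least significant bit of successive carrier bytes.
    A 4-byte big-endian length prefix tells extract() where the message ends."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(carrier):
        raise ValueError("carrier too small for message")
    out = bytearray(carrier)
    pos = 0
    for byte in payload:
        for shift in range(7, -1, -1):                     # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Anyone who knows the scheme can run this: steganography alone is not confidentiality."""

    def read(start: int, count: int) -> bytes:
        result = bytearray()
        for i in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[start + i * 8 + j] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read(0, 4), "big")            # first 32 samples hold the length
    return read(32, length)


def max_sample_change(original: bytes, modified: bytes) -> int:
    """Largest per-sample difference; LSB embedding changes each sample by at most 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


# Constructed carrier: 1024 8-bit samples forming a repeating gradient (stand-in for pixel data)
CARRIER = bytes(range(256)) * 4
SECRET = b"meet at the usual place, 21:00"
```

Capacity is one bit per sample, so a 4-byte header plus a 30-byte message needs 272 samples of the 1024 available. Real images store three or four channels per pixel and compress losslessly (PNG) or not at all (BMP); lossy formats such as JPEG destroy the low bits.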

Tokenization

Tokenization replaces a sensitive value with a randomly generated surrogate token that has no mathematical relationship to the original; the mapping between token and value is held in a separate, hardened token vault. Tokens are often format-preserving (same length and character set, sometimes the real last four digits) so that existing systems and schemas keep working. Because only the vault can reverse a token, systems that handle tokens instead of real values such as card numbers fall outside the scope of controls like PCI DSS.

```mermaid
flowchart
  subgraph Tokenization
    tokenization -->|Replaces data with tokens| DataReplacement
  end
```

Data masking

Data masking disguises sensitive data while keeping its format intact, for example by replacing names with realistic fakes or showing a card number as ****1234. Static masking produces an irreversibly masked copy of a data set for development, testing, or analytics; dynamic masking hides parts of a value at display time based on the viewer's role. Masked data should keep referential integrity so that tests still exercise joins and workflows.

```mermaid
flowchart
  subgraph DataMasking
    datamasking -->|Disguises sensitive data| DataDisguise
  end
```
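An added example, not from the original notes, covering both tokenization and data masking above. The vault issues format-preserving tokens for a card number: same length, digits only, real last four digits kept, the rest random, and the token is forced to fail the Luhn check so it can never be mistaken for a genuine card number. The masking functions are the irreversible counterpart: nothing stored lets them be undone. The sample card number is the standard Visa test number, constructed input for the example, and the in-memory dictionaries stand in for the vault's database.

```python
import secrets
import string


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only mapping between tokens and real values; runs in its own hardened zone."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_value:        # same PAN -> same token, so joins still work
            return self._token_by_value[pan]
        while True:
            # Format-preserving: same length, digits only, real last four kept for receipts.
            # The rest is random, so the token has no mathematical link to the PAN.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Must be unique, differ from the PAN, and fail Luhn so it is never
            # mistaken for (or usable as) a genuine card number.
            if token not in self._value_by_token and token != pan and not luhn_valid(token):
                break
        self._value_by_token[token] = pan
        self._token_by_value[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; callers must be authorised and audited."""
        return self._value_by_token[token]


def mask_pan(pan: str) -> str:
    """Irreversible display masking: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


def mask_email(address: str) -> str:
    """Keep the first character and the domain so support staff can still recognise a record."""
    local, _, domain = address.partition("@")
    return local[:1] + "***@" + domain


# Constructed sample: the standard Visa test number, which passes Luhn
SAMPLE_PAN = "4111111111111111"
```

The deciding difference: `detokenize` exists and is the vault's most sensitive operation, while `mask_pan` has no inverse at all, which is why masked copies are safe to hand to developers and tokens are not.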

Hashing

Hashing applies a one-way function that maps input of any length to a fixed-size digest (32 bytes for SHA-256). The same input always produces the same digest, but it should be infeasible to recover the input from the digest or to find two inputs with the same digest. Hashes underpin integrity checks, digital signatures, and password storage; MD5 and SHA-1 are broken for collision resistance and should not be used where collisions matter.

```mermaid
flowchart
  subgraph Hashing
    hashing -->|Converts data into a fixed-size digest| DataConversion
  end
```

Salting

Salting adds a unique random value (the "salt") to each password before hashing and stores the salt alongside the hash. Identical passwords then produce different hashes, and an attacker cannot use a precomputed table of hashes to crack many accounts at once. The salt does not need to be secret; its job is to be unique per password.

```mermaid
flowchart
  subgraph Salting
    salting -->|Adds random data before hashing| DataSalting
  end
```

Digital Signatures

A digital signature is created by hashing a message or document and signing the hash with the signer's private key; anyone with the corresponding public key can verify it. A valid signature shows that the message came from the holder of the private key (authenticity), that it was not altered afterwards (integrity), and, because only the signer holds that key, supports non-repudiation.

```mermaid
flowchart
  subgraph DigitalSignatures
    digitalsignatures -->|Verifies authenticity and integrity| MessageVerification
  end
```

Key Stretching

Key stretching runs a password through a deliberately slow, often memory-hard key derivation function (PBKDF2, bcrypt, scrypt, Argon2) for thousands or millions of iterations, so that each guess in a brute-force or dictionary attack costs the attacker as much work as one login costs the server. The work factor is tuned so that a legitimate login takes a fraction of a second and is raised over time as hardware gets faster.

```mermaid
flowchart
  subgraph KeyStretching
    keystretching -->|Enhances resistance to brute force attacks| KeyEnhancement
  end
```
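An added example, not from the original notes, that ties together the hashing, salting, and key stretching entries above in one password-storage routine: a plain SHA-256 baseline that collides for identical passwords, then PBKDF2-HMAC-SHA256 with a 16-byte random salt and a high iteration count, a constant-time verifier, and a check that lets old records be re-hashed when the work factor is raised. The iteration count, the record format, and the sample passwords are assumptions for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumed work factor; tune so one login costs a fraction of a second


def plain_sha256(password: str) -> str:
    """Fast, unsalted hash: the weak baseline. Same password -> same digest for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Salted and stretched with PBKDF2-HMAC-SHA256.
    The record is self-describing so the work factor can be raised without breaking old rows."""
    if not salt:
        salt = secrets.token_bytes(16)        # 128-bit random salt, unique per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking, through timing, how many leading bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a record was hashed with a lower work factor than policy now requires;
    re-hash on the user's next successful login, since the plaintext is needed to do so."""
    return int(stored.split("$")[1]) < minimum_iterations


def demo():
    """Two users with the same password: unsalted digests collide, salted ones do not."""
    alice = plain_sha256("hunter2")
    bob = plain_sha256("hunter2")
    alice_stretched = hash_password("hunter2")
    bob_stretched = hash_password("hunter2")
    return alice == bob, alice_stretched != bob_stretched
```

The salt and iteration count are stored in the clear inside the record; neither is a secret. What the attacker lacks is the password, and stretching makes every guess cost the same 600,000 HMAC calls it costs the server.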

Blockchain

A blockchain is a distributed, append-only ledger in which each block contains the hash of the previous block. Altering a past block changes its hash, which breaks the link in every block after it, so tampering is detectable without a central authority; the nodes agree on the valid chain through a consensus mechanism.

```mermaid
flowchart
  subgraph Blockchain
    blockchain -->|Decentralized and secure ledger| DistributedLedger
  end
```
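An added example, not from the original notes, of the hash chaining described above: each block commits to the hash of the block before it, and a verifier walks the chain recomputing hashes. The tamper demonstration edits one past entry and shows that even recomputing that block's own hash does not help, because the next block still carries the old value; an attacker would have to rewrite every later block, which is what consensus among many nodes is meant to prevent. The ledger entries are constructed sample data; consensus and networking are out of scope.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64


def block_hash(block: dict) -> str:
    """Hash the block's contents in a canonical form so every node hashes identical bytes."""
    body = {"index": block["index"], "prev_hash": block["prev_hash"], "data": block["data"]}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def build_chain(entries):
    """Append each entry as a new block that commits to the hash of the block before it."""
    chain, prev = [], GENESIS_PREV
    for index, data in enumerate(entries):
        block = {"index": index, "prev_hash": prev, "data": data}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain) -> int:
    """Return the index of the first block whose link or hash does not check out, or -1."""
    prev = GENESIS_PREV
    for index, block in enumerate(chain):
        if (
            block["index"] != index
            or block["prev_hash"] != prev
            or block_hash(block) != block["hash"]
        ):
            return index
        prev = block["hash"]
    return -1


def tamper_demo():
    """Alter one past entry; even recomputing that block's hash breaks the next block's link."""
    # Constructed ledger entries
    chain = build_chain(["alice->bob 5", "bob->carol 2", "carol->alice 1", "alice->dave 3"])
    tampered = copy.deepcopy(chain)
    tampered[1]["data"] = "bob->carol 200"
    broken_at = first_invalid_block(tampered)            # 1: stored hash no longer matches
    tampered[1]["hash"] = block_hash(tampered[1])
    still_broken_at = first_invalid_block(tampered)      # 2: block 2 still points at the old hash
    return first_invalid_block(chain), broken_at, still_broken_at
```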

Open Public Ledger

An open public ledger is a blockchain that anyone can read, submit transactions to, and help validate, as with Bitcoin, in contrast to permissioned or private ledgers where participation is restricted to known members. Transactions are transparent and permanent, which is the intent, but it also means data placed on such a ledger cannot later be deleted.

```mermaid
flowchart
  subgraph OpenPublicLedger
    openledger -->|Publicly accessible blockchain| AccessibleBlockchain
  end
```

Certificates

Certificate Authorities

Certificate authorities verify the identity of an applicant and then sign a digital certificate binding the applicant's public key to that identity. A CA's signature is meaningful only because clients already trust the CA's root certificate, or an intermediate that chains to it; the chain of signatures from root to intermediate to end-entity certificate is what a client validates.

```mermaid
flowchart
  subgraph CertificateAuthorities
    authorities -->|Issue digital certificates| IdentityVerification
  end
```

Certificate Revocation Lists (CRLs)

A CRL is a signed list, published by a CA at set intervals, of the serial numbers of certificates it has revoked before their expiry date. Clients download the whole list and check it locally; CRLs can grow large and are only as fresh as their last publication, so a revocation may not be visible until the next update.

```mermaid
flowchart
  subgraph CertificateRevocationLists
    crls -->|Contain information about revoked certificates| RevokedCertificateInfo
  end
```

Online Certificate Status Protocol (OCSP)

OCSP lets a client ask the CA's responder whether one specific certificate is currently revoked, which is lighter and fresher than fetching a whole CRL, although responses are signed with a validity window and are cached rather than strictly real-time. Drawbacks: every lookup reveals to the CA which sites a client visits, it adds latency, and many clients "soft-fail" by treating a missing answer as valid. OCSP stapling addresses these by having the server include a recent, CA-signed OCSP response in the TLS handshake.

```mermaid
flowchart
  subgraph OCSP
    ocsp -->|Certificate status checks| CertificateStatusCheck
  end
```

Self-signed Certificates

Self-signed certificates are signed with the private key of the entity they belong to rather than by a certificate authority, so no third party vouches for the identity. Clients will not trust them unless the certificate is explicitly added to their trust store; they are fine for testing and internal services but a warning sign on public endpoints. Root CA certificates are self-signed by definition.

```mermaid
flowchart
  subgraph SelfSignedCertificates
    selfsigned -->|Signed by the entity| EntitySigning
  end
```

Third-party Certificates

Third-party certificates are issued by a trusted certificate authority whose root is already present in operating system and browser trust stores, so clients accept them without manual configuration. The CA validates control of the domain (DV) or additionally the organisation's identity (OV, EV) before issuing.

```mermaid
flowchart
  subgraph ThirdPartyCertificates
    thirdparty -->|Issued by trusted authorities| TrustedIssuance
  end
```

Root of Trust

The root of trust is the anchor whose trustworthiness is assumed rather than verified: in a PKI it is the root CA certificate installed in the trust store, from which every intermediate and end-entity certificate chains; in hardware it is a TPM or immutable boot ROM that verifies the first code to run. Everything above it depends on it, so root CA keys are kept offline and used only to sign intermediates.

```mermaid
flowchart
  subgraph RootOfTrust
    rootoftrust -->|Most trusted entity| TrustedEntity
  end
```

Certificate Signing Request (CSR) Generation

A CSR is generated by the entity that wants a certificate. It first creates a key pair, then builds a request containing its public key and identifying information (subject name, domain names in the SAN field), and signs the request with its private key to prove possession. The CA validates the request and returns a signed certificate; the private key never leaves the requester.

```mermaid
flowchart
  subgraph CSRGeneration
    csr -->|Request for a digital certificate| CertificateRequest
  end
```

Wildcard Certificates

Wildcard certificates use a name such as *.example.com to cover every single-label subdomain (www.example.com, mail.example.com) with one certificate. The wildcard does not match the bare domain example.com unless that name is listed separately as a SAN, and it does not match deeper names such as a.b.example.com. All hosts share one private key, so a compromise on any of them exposes every name the certificate covers.

```mermaid
flowchart
  subgraph WildcardCertificates
    wildcard -->|Secures a domain and subdomains| DomainSecurity
  end
```
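An added example, not from the original notes, of the name-matching rules behind the wildcard entry above, written the way TLS clients apply them (RFC 6125): `*` is accepted only as the entire left-most label and stands for exactly one label, so the apex domain and deeper subdomains are not covered, and partial wildcards or a wildcard over a whole top-level domain are refused. The SAN list is a constructed sample showing the usual fix for the apex: list it explicitly next to the wildcard.

```python
def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.
    '*' is allowed only as the whole left-most label and matches exactly one label."""
    cert_name = cert_name.lower().rstrip(".")     # DNS names are case-insensitive
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False        # partial wildcards such as w*.example.com are not accepted
    if len(cert_labels) < 3:
        return False        # *.com would cover an entire top-level domain; refuse it
    # same number of labels (one-level match) and everything after the wildcard identical
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def certificate_covers(san_dns_names, hostname: str) -> bool:
    """A certificate covers a host if any of its Subject Alternative Name entries matches."""
    return any(wildcard_matches(name, hostname) for name in san_dns_names)


# Constructed SAN list for a typical wildcard certificate: apex listed explicitly, wildcard for one level
SAMPLE_SANS = ["example.com", "*.example.com"]
```

When a host such as dev.api.example.com must be covered, the options are a second wildcard entry (*.api.example.com) in the SAN list or a separate certificate; widening the key's blast radius is the cost to weigh each time.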