Cryptography

Notes from AWS Re/Start (June 2025) and Apprenticeship security modules.


Ultra-Short Summary

Cryptography secures information by transforming it so only the intended recipient can read it. Two fundamental models: symmetric (one key, fast) and asymmetric (key pair, slower but solves key distribution). Understanding these two unlocks SSH, TLS, HTTPS, KMS, and almost every AWS security service.


Symmetric vs Asymmetric

Symmetric
  One key encrypts AND decrypts
  Fast — used for bulk data
  Problem: how do you share the key securely in the first place?

Asymmetric
  Two mathematically linked keys: Public + Private
  Public key  → share with everyone → used to ENCRYPT
  Private key → keep secret         → used to DECRYPT
  Slower, but solves the key-distribution problem
  Used in: SSH, TLS handshakes, digital signatures

A Brief History

  • Scytale (Ancient Greece) — leather strip wrapped around a stick; only readable on same-diameter stick
  • Mary Queen of Scots (1580s) — personal cipher language for spy communication; eventually broken
  • Vigenère Cipher — lookup table cipher; harder to brute-force than simple substitution
  • RSA (1977) — first practical asymmetric encryption; security relies on the difficulty of factoring the product of two large primes
  • TLS/HTTPS — hybrid: asymmetric for key exchange, symmetric for bulk data transfer

How SSH Key Auth Works

1. Generate key pair locally:
   id_rsa      → private key (never share)
   id_rsa.pub  → public key (safe to share)

2. Copy public key to server:
   ~/.ssh/authorized_keys

3. Connection:
   Server challenges you using your public key
   Only your private key can respond correctly → identity proven
   Encrypted session established

chmod 400 my-key.pem   # SSH rejects key files with loose permissions
ssh -i my-key.pem ec2-user@<public-ip>
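
Added example (not from the original notes): the challenge step above modelled in Node.js, with a hypothetical `Server` class standing in for sshd and `authorized_keys`. It assumes Ed25519 keys rather than the `id_rsa` pair shown, and simplifies the real exchange, where the client signs data bound to the session identifier from key exchange.

```javascript
const crypto = require('node:crypto');

// Hypothetical server: stores only public keys, like ~/.ssh/authorized_keys.
class Server {
  constructor() {
    this.authorizedKeys = new Map(); // user -> public key
  }
  authorize(user, publicKey) {
    this.authorizedKeys.set(user, publicKey);
  }
  // Fresh random value per connection, so an old signature cannot be replayed.
  newSession() {
    return crypto.randomBytes(32);
  }
  // Accept only a signature over (user, session) that matches the stored key.
  verify(user, session, signature) {
    const publicKey = this.authorizedKeys.get(user);
    if (!publicKey) return false;
    const signed = Buffer.concat([Buffer.from(user), session]);
    return crypto.verify(null, signed, publicKey, signature);
  }
}

// Client: signs with the private key, which never leaves the client machine.
function prove(privateKey, user, session) {
  return crypto.sign(null, Buffer.concat([Buffer.from(user), session]), privateKey);
}

// Constructed sample run: one authorized key pair, one unrelated key pair.
function demo() {
  const owner = crypto.generateKeyPairSync('ed25519');
  const stranger = crypto.generateKeyPairSync('ed25519');
  const server = new Server();
  server.authorize('ec2-user', owner.publicKey);
  const session = server.newSession();
  const sig = prove(owner.privateKey, 'ec2-user', session);
  return {
    owner: server.verify('ec2-user', session, sig),
    stranger: server.verify('ec2-user', session, prove(stranger.privateKey, 'ec2-user', session)),
    replayed: server.verify('ec2-user', server.newSession(), sig),
    unknownUser: server.verify('root', session, prove(owner.privateKey, 'root', session)),
  };
}

console.log(demo());
```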

How TLS (HTTPS) Works

TLS is a hybrid — asymmetric for setup, symmetric for everything after:

1. Client → Server: "hello" + cipher suites I support
2. Server → Client: TLS certificate (contains server's public key)
3. Client verifies certificate against trusted Certificate Authorities
4. Client generates session key, encrypts with server's public key → sends it
5. Server decrypts with private key → both now share session key
6. Everything after: encrypted with fast symmetric session key

Why hybrid? Asymmetric is too slow for bulk data. Symmetric has no secure key-exchange mechanism. Together they solve both problems.


Hashing

One-way transformation — you cannot reverse it. Used for integrity verification, not encryption.

"password123"  → SHA-256 → 2cf24dba5fb0a...
"password123!" → SHA-256 → 3657d9483bc2...  (completely different output)

Uses:

  • Password storage (store the hash, compare hashes on login — never store plaintext)
  • File integrity (SHA-256 checksums for downloads)
  • Digital signatures
  • S3 ETags (MD5 for small single-part objects)

Salt: a random value added to the password before hashing, so the same password produces a different hash for each salt. Prevents rainbow table attacks.
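
Added example (not from the original notes): salted hashing and the login check in Node.js, with a precomputed hash-to-password map standing in for a rainbow table. Function names and the wordlist are constructed for illustration; it uses plain SHA-256 as in the lines above, where production password storage would use a deliberately slow function such as scrypt, bcrypt or Argon2.

```javascript
const crypto = require('node:crypto');

// SHA-256 over salt || password, hex encoded. No salt gives the plain hash.
function hashPassword(password, salt = Buffer.alloc(0)) {
  return crypto.createHash('sha256').update(salt).update(password).digest('hex');
}

// New random salt per user, stored next to the hash. The salt is not secret.
function createRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt: salt.toString('hex'), hash: hashPassword(password, salt) };
}

// Login check: recompute with the stored salt and compare in constant time.
function verifyPassword(record, attempt) {
  const salt = Buffer.from(record.salt, 'hex');
  const expected = Buffer.from(record.hash, 'hex');
  const actual = Buffer.from(hashPassword(attempt, salt), 'hex');
  return crypto.timingSafeEqual(expected, actual);
}

// Stand-in for a rainbow table: unsalted hashes computed once, ahead of time.
function precompute(wordlist) {
  return new Map(wordlist.map((word) => [hashPassword(word), word]));
}

// Constructed sample data: two users who picked the same password.
function demo() {
  const table = precompute(['letmein', 'password123', 'qwerty']);
  const alice = createRecord('password123');
  const bob = createRecord('password123');
  return {
    unsaltedLookup: table.get(hashPassword('password123')), // found in the table
    saltedLookup: table.get(alice.hash), // salted hash is not in the table
    sameHash: alice.hash === bob.hash,
    goodLogin: verifyPassword(alice, 'password123'),
    badLogin: verifyPassword(alice, 'password123!'),
  };
}

console.log(demo());
```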


AWS KMS — Key Management Service

KMS manages encryption keys. Uses envelope encryption:

Your data
    ↓ encrypted by
Data Encryption Key (DEK)    ← generated per operation
    ↓ encrypted by
KMS Master Key (CMK / KMS Key)    ← never leaves KMS

Storage: your encrypted data + encrypted DEK stored together

To decrypt:
1. Send encrypted DEK to KMS
2. KMS decrypts DEK (using CMK inside KMS hardware)
3. DEK returned to your app
4. App decrypts data with DEK
5. DEK discarded from memory

Your actual plaintext data never goes into KMS.

Encryption types in S3:

Type                        Key Control                   CloudTrail   Use Case
SSE-S3                      AWS manages                   No           Default
SSE-KMS (AWS managed key)   AWS manages, you see usage    Yes          Basic compliance
SSE-KMS (CMK)               You manage key + rotation     Yes          Full control, auditing
SSE-C                       You provide key per request   No           External key management

SAA pattern: "need to audit who used the key" → SSE-KMS. "customer manages their own key material" → SSE-C or SSE-KMS with CMK.


Initialisation Vector (IV)

A random value added to encryption so that the same plaintext produces different ciphertext each time it is encrypted.

Without IV: "secret" + Key → same ciphertext every time → pattern analysis possible
With IV:    "secret" + Key + random IV → different ciphertext each time → secure

AWS handles IVs automatically in managed encryption services.
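
Added example (not from the original notes, and not the AWS SDK): envelope encryption in Node.js with AES-256-GCM, where every `seal` call draws a fresh random IV. The wrapper objects are hypothetical stand-ins: `kmsStyleWrapper` keeps a master key inside a closure as KMS does, and `rsaStyleWrapper` wraps the data key with a public key as in steps 4-5 of the TLS handshake above, so both sections show up as the same two-layer pattern.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM under a fresh random 12-byte IV; output is iv || tag || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Reverses seal; throws if the key is wrong or any byte was changed.
function open(key, sealed) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// KMS style: the master key stays inside this closure; only data keys cross it.
function kmsStyleWrapper() {
  const masterKey = crypto.randomBytes(32);
  return { wrap: (dek) => seal(masterKey, dek), unwrap: (blob) => open(masterKey, blob) };
}

// TLS style (handshake steps 4-5): wrap with the public key, unwrap with the private key.
function rsaStyleWrapper() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const wrap = (key) => crypto.publicEncrypt(publicKey, key); // RSA-OAEP by default
  return { wrap, unwrap: (blob) => crypto.privateDecrypt(privateKey, blob) };
}

// New data key per call; what gets stored is the wrapped key plus the ciphertext.
function envelopeEncrypt(wrapper, data) {
  const dek = crypto.randomBytes(32);
  const envelope = { wrappedKey: wrapper.wrap(dek), ciphertext: seal(dek, Buffer.from(data)) };
  dek.fill(0); // best-effort discard of the plaintext data key
  return envelope;
}

// Unwrap the data key first, then decrypt the data with it.
function envelopeDecrypt(wrapper, envelope) {
  const dek = wrapper.unwrap(envelope.wrappedKey);
  try {
    return open(dek, envelope.ciphertext).toString();
  } finally {
    dek.fill(0);
  }
}
const demoKms = kmsStyleWrapper(); // constructed sample run
console.log(envelopeDecrypt(demoKms, envelopeEncrypt(demoKms, 'secret')));
```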


Quantum Computing Threat

Current asymmetric cryptography (RSA, ECDH) relies on the computational hardness of problems such as factoring the product of large primes. Quantum computers running Shor's algorithm could break this.

  • Not yet a practical threat — requires millions of stable qubits
  • NIST finalised post-quantum cryptography standards (2024)
  • AWS already supports post-quantum hybrid TLS for some services
  • Estimated timeline for cryptographically-relevant quantum computers: 10–20 years

FHE (Fully Homomorphic Encryption) — allows computation on encrypted data without decrypting it first. Very slow currently, but the AWS Nitro Enclaves and confidential computing space is adjacent to this.


Mental Model

Symmetric = a combination lock (one code opens and locks)
          = fast, but you have to share the code somehow securely

Asymmetric = a padlock with a slot anyone can post messages through
           = only you have the key to open it
           = solves key distribution at the cost of speed

TLS = "use the padlock to agree on a combination code,
       then use the combination lock for all further communication"

Hashing = a paper shredder — input goes in, output comes out, you can't reverse it

AWS Context

Concept                      AWS Service
Key management               KMS
TLS certificates for HTTPS   ACM (Certificate Manager)
Secure secrets storage       Secrets Manager
Hardware security module     CloudHSM
EC2 SSH access               EC2 Key Pairs
Encryption at rest (S3)      SSE-S3 / SSE-KMS
Encryption in transit        TLS enforced via ACM + ALB/CloudFront

30-Second Takeaway

  • Symmetric = one key, fast. Asymmetric = key pair, solves key exchange.
  • SSH: your public key goes on the server, private key stays with you.
  • TLS is hybrid — asymmetric handshake, symmetric bulk transfer.
  • Hashing is one-way — for integrity, not encryption. Add salt against rainbow tables.
  • KMS uses envelope encryption — your data key is encrypted by the master key. Plaintext never enters KMS.

Self-Quiz

  1. Why can't symmetric encryption alone secure a connection over the internet between strangers?
  2. In SSH, what goes on the server? What stays with you?
  3. Walk through a TLS handshake. Why is it hybrid instead of purely asymmetric?
  4. What is envelope encryption and why does KMS use it?
  5. What's the difference between SSE-KMS and SSE-C?
  6. What is a salt in password hashing and what attack does it prevent?
  7. What's the quantum threat to RSA specifically?
  8. "Audit who decrypted this S3 object." Which encryption type do you need?