PKI (Public Key Infrastructure)
The entire system (hardware, software, Certificate Authorities - CAs) used to create, manage, and distribute digital certificates.

Digital Certificate
A driver's license for the internet. Proves identity and contains a public key. (Issued by a CA).

Encryption
Scrambling data so it's unreadable (ciphertext). Reversible with the correct key. (Provides Confidentiality)

Hashing
Fingerprinting data. Creates a fixed-length, unique string. One-way (irreversible). (Provides Integrity)

Obfuscation
Hiding data to make it confusing or unreadable, but not securely. (e.g., Base64). Not a substitute for encryption.

Digital Signature
Provides Integrity + Authentication + Non-repudiation. (Created by hashing a message and then encrypting the hash with your private key).

Blockchain
A decentralized, distributed, and immutable (unchangeable) digital ledger. (Provides high Integrity).

Steganography
Hiding data inside another file. (e.g., a secret message hidden in a JPG image).

Key Escrow
Giving a spare key to a trusted third party. Used for legal/recovery access.

Secure Enclave
A security chip in a CPU (like Apple's M-series). Manages keys for biometrics (Face ID) and payments.

Tokenization
Replacing sensitive data with a non-sensitive placeholder (a "token"). (e.g., ...1234 becomes tok_ABC). (Used in PCI-DSS).

Data Masking
Hiding part of a data field. (e.g., ***-**-1234 or john.s****@email.com).

Wildcard Certificate
A certificate for *.domain.com. Secures all subdomains at one level. (e.g., mail.google.com, drive.google.com).

Certificate Revocation List (CRL)
A downloaded list of bad/invalid certs. (Problem: Not instant, can be outdated).

OCSP (Online Certificate Status Protocol)
A live check. Asks the CA "Is this cert (Serial #123) good right now?" (Faster than CRL).

Root of Trust
The ultimate CA (e.g., DigiCert). The browser trusts this implicitly.

Self-Signed Certificate
A "homemade" certificate. Good for internal testing, but browsers do not trust it (shows a warning).

Third Party Certificate
A "real" certificate issued by a trusted public CA. (Required for public-facing websites).

Salting
Adding random data to a password before hashing it. (Defeats rainbow table attacks).

Key Stretching
A slow hashing algorithm (e.g., PBKDF2, bcrypt). Makes brute-force attacks much harder and slower.

Key Exchange
The process of securely sending a symmetric key to someone, usually by encrypting it with their public key. (e.g., Diffie-Hellman)

Asymmetric Encryption
Two keys (a "key pair"). (Analogy: Mailbox). Slow. (e.g., RSA)

Symmetric Encryption
One key (a "shared secret") is used to both encrypt and decrypt. (Analogy: House key). Very fast.

Key Management System (KMS)
The software that manages the entire lifecycle of keys (creation, storage, rotation, destruction).

TPM (Trusted Platform Module)
A security chip on a motherboard. Stores keys, handles disk encryption (BitLocker), and provides secure boot.

HSM
A high-security appliance or card (a "key safe"). Manages keys for servers (e.g., a CA server, a database).

Transport Encryption
Encrypts data in-transit (over the network). (e.g., TLS, HTTPS, VPN).

FDE (Full Disk Encryption)
Encrypts the entire drive, including the OS. (e.g., BitLocker, FileVault). Protects data when the system is powered off.

Partition/Volume Encryption
Encrypts a specific section (logical drive, e.g., "D:") of a disk.

File Encryption
Encrypts individual files. Allows different users on the same system to have separate encrypted files. (e.g., EFS)

Database Encryption
Encrypts the entire database file (at rest).

Record Encryption
Encrypts specific entries (rows or fields) in a database. (e.g., only the credit card number column).