A simple primer on cryptographic primitives

A field guide

Or “don’t trust anything that screws these up even slightly.”


A private, hard to guess piece of information, meaningless on its own, but used to secure other pieces of information.

Public Key / Private Key

Specifically, these are keys with certain properties: They come as a pair, they’re usually a couple prime numbers (which are mathematically hard to factor, which is where their security comes from)

Things encrypted with one key can be decrypted with the other and vice versa.


Using a cryptographic hash function (which is often based on an encryption function, but not always) takes an often big piece of information and turns it into a fixed length token that represents it, in a hard to fake way. Even small changes will make a cryptographically strong hash function change its output entirely.

Some example hash functions: MD5, SHA1, SHA256, SHA512


The result of using a key and a hash function together on a piece of information to give some proof that the information wasn’t forged. If the key and signing algorithm used are public/private paired keys, then the public key can verify that the information was signed by the private key.


A signature on a public key, and usually some ID information. If the certificate was signed by a trusted party (trust is a complicated thing, though) then there’s usually some assurance that the information signed by the the private key that matches the certificate is from a known source. Of course, can you spot a forged ID?


A way of hashing information with a key securely to form a signature that can’t be altered. Turns out that if you just start with the key and add data to the end of it, then hash that, an attacker can keep adding things and keep running the hash function from where it left off and the signature will look valid. HMAC mixes the key with the information being signed in a way that prevents this.


When you’re using a hash to make information hard to brute-force, you make sure that an attacker can’t just build a list of all the likely things and see if you have them by adding randomness to the thing you’re hashing. Now, since this changes the hash value, you have to include it in a way that the thing comparing the hash can do the same way, so a salted hash often looks like data + salt = $salt$HASH. Usually this is combined with a very slow, hard to do hash function, so you can’t just whip through all the possibilities on a fast computer in a day or two. Computers keep getting faster, though…


Key = random unguessable; Key + hash = signature, signature + keypair = certificate; Hash + salt = hard to crack hash + salt.