Cryptography FAQ
Common questions about hashing, encryption, digital signatures, key exchange, and the cryptographic primitives behind TLS. Each answer is short. Links go to the full explanation.
What is the difference between hashing and encryption?
Hashing is one-way. You feed data in and get a fixed-size fingerprint out. There is no key, and no way to recover the original data. SHA-256 always produces a 256-bit output regardless of input size.
Encryption is two-way. You encrypt data with a key and decrypt it with a key (the same key for symmetric, a key pair for asymmetric). The original data is fully recoverable.
Use hashing when you need to verify data without storing it — passwords, file checksums, commit identifiers. Use encryption when the data needs to be read later — files at rest, messages in transit, database fields.
See How Hashing Works for the full explanation of one-way functions.
What is the difference between symmetric and asymmetric encryption?
Symmetric encryption uses one key for both encryption and decryption. AES-256 is the standard. It is fast — hardware-accelerated AES processes over 10 GB/s. The problem is key distribution: both parties must have the same secret key.
Asymmetric encryption uses a key pair. The public key encrypts, the private key decrypts. It solves the distribution problem — you publish the public key openly. But it is much slower than symmetric encryption.
In practice, both are used together. TLS uses Diffie-Hellman (asymmetric) to agree on a session key, then AES-GCM (symmetric) to encrypt the actual data.
See How Symmetric Encryption Works and How Asymmetric Encryption Works.
Why can't you reverse a hash?
A hash function maps an infinite number of possible inputs to a fixed-size output. Information is destroyed in the process. SHA-256 produces 256 bits whether the input is 1 byte or 1 terabyte — most of the input data is gone.
Multiple different inputs can produce the same hash (this is called a collision). Since there is no unique reverse mapping, "unhashing" is mathematically impossible. The only way to find what input produced a given hash is brute force: try inputs until one matches. For a strong hash function with sufficient input entropy, this is computationally infeasible.
See How Hashing Works for the full treatment of collision resistance and preimage resistance.
What is forward secrecy?
Forward secrecy (also called perfect forward secrecy) means that compromising a server's long-term private key does not let an attacker decrypt previously recorded traffic. Each connection generates a fresh ephemeral key pair through Diffie-Hellman. After the session ends, the ephemeral keys are destroyed and cannot be recovered.
Without forward secrecy, an attacker who records encrypted traffic today and steals the server's private key next year could decrypt all of it retroactively. With forward secrecy, each session's encryption key is independent.
TLS 1.3 mandates ECDHE (elliptic curve Diffie-Hellman ephemeral) for every connection, making forward secrecy the default.
See How Key Exchange Works for the full walkthrough of ephemeral key exchange.
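The following Go program is an added illustration of the ephemeral exchange described above; it is not code from this page or from any TLS library. It models one connection as a server with a long-term Ed25519 identity key that signs a fresh X25519 public key per handshake, and a client that checks that signature before computing the shared secret. The session key is taken as SHA-256 of the shared secret, a simplification of TLS 1.3's HKDF-over-transcript derivation; `Server`, `handshake` and `pinnedPub` are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server keeps only a long-term identity (signing) key. The ephemeral
// key-exchange private keys live inside handshake and are dropped when it
// returns; that is the property forward secrecy depends on.
type Server struct {
	identity ed25519.PrivateKey
}

// NewServer generates the long-term key (stand-in for a certificate key).
func NewServer() (*Server, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{identity: priv}, nil
}

// IdentityPublic is what a client would obtain from the server's certificate.
func (s *Server) IdentityPublic() ed25519.PublicKey {
	return s.identity.Public().(ed25519.PublicKey)
}

// handshake runs one ECDHE (X25519) exchange between a client that trusts
// pinnedPub and the server, returning both sides' derived session keys.
// Session key = SHA-256(shared secret); TLS 1.3 uses HKDF over the
// transcript instead (simplification for this example).
func handshake(srv *Server, pinnedPub ed25519.PublicKey) ([]byte, []byte, error) {
	curve := ecdh.X25519()

	// Server: fresh ephemeral key pair for this connection only, signed with
	// the long-term key so the client can tell it is the real server.
	srvEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvEphPub := srvEph.PublicKey().Bytes()
	sig := ed25519.Sign(srv.identity, srvEphPub)

	// Client: refuse an unsigned or mis-signed ephemeral key, then generate
	// its own ephemeral pair and compute the shared secret.
	if !ed25519.Verify(pinnedPub, srvEphPub, sig) {
		return nil, nil, errors.New("server identity check failed")
	}
	cliEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvPub, err := curve.NewPublicKey(srvEphPub)
	if err != nil {
		return nil, nil, err
	}
	cliShared, err := cliEph.ECDH(srvPub)
	if err != nil {
		return nil, nil, err
	}

	// Server: the same computation from its side with the client's public key.
	srvShared, err := srvEph.ECDH(cliEph.PublicKey())
	if err != nil {
		return nil, nil, err
	}

	ck := sha256.Sum256(cliShared)
	sk := sha256.Sum256(srvShared)
	// srvEph and cliEph go out of scope here. Someone who recorded this
	// exchange and later steals srv.identity holds two public keys and a
	// signature, from which the shared secret cannot be recomputed.
	return ck[:], sk[:], nil
}

func main() {
	srv, err := NewServer()
	if err != nil {
		panic(err)
	}
	c1, s1, _ := handshake(srv, srv.IdentityPublic())
	c2, s2, _ := handshake(srv, srv.IdentityPublic())
	fmt.Println("session 1 both sides agree:", bytes.Equal(c1, s1))
	fmt.Println("session 2 both sides agree:", bytes.Equal(c2, s2))
	fmt.Println("session keys independent:  ", !bytes.Equal(c1, c2))
}
```

Running it twice against the same server produces two unrelated session keys; the long-term key only ever signs public values, so its later compromise lets an attacker impersonate the server from then on but not decrypt recorded sessions.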
What is AES-GCM?
AES-GCM (Galois/Counter Mode) is an authenticated encryption mode that combines AES encryption with integrity checking in a single operation. It encrypts data using counter mode (turning the block cipher into a stream cipher) and simultaneously computes a polynomial hash (GHASH) that produces an authentication tag.
The authentication tag detects any tampering. If an attacker modifies even one bit of the ciphertext, decryption fails. This makes AES-GCM an AEAD cipher — Authenticated Encryption with Associated Data. The "associated data" part means you can also authenticate unencrypted metadata (like packet headers) alongside the encrypted payload.
AES-GCM is the default cipher suite in TLS 1.3 and the most common choice for disk encryption, API encryption, and database field encryption.
See How Symmetric Encryption Works for the full explanation of cipher modes.
Why are elliptic curves replacing RSA?
A 256-bit elliptic curve key provides roughly the same security as a 3072-bit RSA key. Smaller keys mean faster computations, smaller certificates, faster TLS handshakes, and less bandwidth.
TLS 1.3 uses ECDHE exclusively for key exchange — RSA key exchange was removed entirely because it cannot provide forward secrecy. Ed25519 has become the recommended SSH key type, replacing RSA keys. ECDSA is the most common signature algorithm in web certificates.
RSA is not broken. It still works and is still used in legacy systems. But for new deployments, ECC is faster, smaller, and equally secure.
See How Asymmetric Encryption Works for the full comparison.
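To put numbers on the size comparison above, here is an added Go example (not from this page) that signs the same message with a fresh Ed25519 key and with an RSA-3072 key using RSA-PSS over SHA-256, verifies both, and reports how many bytes the public key and the signature occupy. `SigStats`, `Ed25519Stats` and `RSAStats` are names chosen for the example; the RSA public-key size reported is the bare modulus, so an encoded certificate key is somewhat larger still.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SigStats holds the sizes a certificate or handshake must carry for one
// signature scheme, plus whether the signature verified.
type SigStats struct {
	PublicKeyBytes int
	SignatureBytes int
	Verified       bool
}

// Ed25519Stats generates a fresh Ed25519 key, signs msg and verifies it.
func Ed25519Stats(msg []byte) (SigStats, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SigStats{}, err
	}
	sig := ed25519.Sign(priv, msg)
	return SigStats{
		PublicKeyBytes: len(pub),
		SignatureBytes: len(sig),
		Verified:       ed25519.Verify(pub, msg, sig),
	}, nil
}

// RSAStats does the same with RSA-3072 and RSA-PSS over SHA-256, the
// security level the text pairs with a 256-bit curve. Key generation alone
// takes far longer than the entire Ed25519 run.
func RSAStats(msg []byte) (SigStats, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return SigStats{}, err
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SigStats{}, err
	}
	verr := rsa.VerifyPSS(&priv.PublicKey, crypto.SHA256, digest[:], sig, nil)
	return SigStats{
		PublicKeyBytes: priv.PublicKey.Size(), // modulus length in bytes
		SignatureBytes: len(sig),
		Verified:       verr == nil,
	}, nil
}

func main() {
	msg := []byte("handshake-transcript-sample") // constructed sample message
	ed, err := Ed25519Stats(msg)
	if err != nil {
		panic(err)
	}
	rs, err := RSAStats(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Ed25519:  public key %3d bytes, signature %3d bytes, verified=%v\n",
		ed.PublicKeyBytes, ed.SignatureBytes, ed.Verified)
	fmt.Printf("RSA-3072: public key %3d bytes, signature %3d bytes, verified=%v\n",
		rs.PublicKeyBytes, rs.SignatureBytes, rs.Verified)
}
```

The Ed25519 line reports 32 and 64 bytes; the RSA-3072 line reports 384 and 384, a six-fold difference in signature size at the same nominal security level, which is what shows up as smaller certificates and fewer handshake bytes.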
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format with three Base64url-encoded parts (unpadded, URL-safe Base64) separated by dots: header, payload, and signature.
The header specifies the algorithm (e.g., HS256, RS256, ES256). The payload contains claims — key-value pairs like user ID, expiration time, and permissions. The signature is a digital signature or HMAC over the header and payload.
JWTs are signed, not encrypted by default. Anyone can decode the payload and read it. The signature only proves the token has not been tampered with and was issued by someone with the signing key. If you need confidentiality, use JWE (JSON Web Encryption) instead.
JWTs are stateless — the server does not need to store session data. But they cannot be revoked individually without additional infrastructure (a blocklist or short expiration times).
See How Digital Signatures Work for how the signature verification works.
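The following Go program is an added example (not code from this page or from any JWT library) of minting and verifying an HS256 token from the standard library alone. It makes the three points above concrete: the payload is readable without the key, the HMAC is what stops tampering, and `exp` is the only built-in limit on a token's life. The verifier pins the algorithm it accepts instead of reading it from the token, and compares the MAC in constant time. `Claims`, `Mint`, `DecodePayload` and `Verify` are names chosen for this example; the key in `main` is a constructed sample.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWT segments use unpadded base64url.
var b64 = base64.RawURLEncoding

// Claims is the payload; sub and exp are registered claim names.
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}

// Mint produces header.payload.signature signed with HMAC-SHA256 (HS256).
func Mint(key []byte, c Claims) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// DecodePayload reads the claims with no key at all: a JWT is signed, not encrypted.
func DecodePayload(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	err = json.Unmarshal(raw, &c)
	return c, err
}

// Verify accepts only HS256 (the verifier, not the token, chooses the
// algorithm), checks the MAC in constant time, and enforces exp.
func Verify(key []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "HS256" {
		return Claims{}, errors.New("algorithm is not HS256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("signature mismatch")
	}
	c, err := DecodePayload(token)
	if err != nil {
		return Claims{}, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token missing exp or expired")
	}
	return c, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample; real keys are random, 32+ bytes
	tok, _ := Mint(key, Claims{Sub: "alice", Role: "user", Exp: time.Now().Add(15 * time.Minute).Unix()})
	c, err := Verify(key, tok, time.Now())
	fmt.Printf("%s\nverified: %+v err=%v\n", tok, c, err)
	_, err = Verify([]byte("other-key"), tok, time.Now())
	fmt.Println("wrong key:", err)
}
```

Because verification depends on nothing but the key and the clock, the server stores no session state, which is the stateless property the text describes; it is also why a token minted with a short `exp` is the simplest revocation strategy available without a blocklist.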
How does password hashing differ from SHA-256?
SHA-256 is designed to be fast. Modern hardware computes billions of SHA-256 hashes per second. That speed is a liability for passwords — an attacker with a GPU can try billions of password guesses per second.
Password hashing algorithms — bcrypt, scrypt, and Argon2 — are deliberately slow, and scrypt and Argon2 are memory-intensive as well. They add three defenses:
- Salt — a unique random value mixed into each password before hashing. Identical passwords produce different hashes. Precomputed rainbow tables are useless.
- Cost factor — a tunable parameter that controls how many iterations the algorithm performs. More iterations = slower hashing = harder brute force.
- Memory hardness (scrypt, Argon2) — the algorithm requires a large amount of memory, making GPU and ASIC attacks impractical.
Argon2id is the current recommendation (winner of the Password Hashing Competition in 2015). Never use raw SHA-256 for passwords.
See How Hashing Works for the full explanation of password hashing versus general-purpose hashing.
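The program below is an added Go example (not code from this page) that makes the first two defenses, salt and cost factor, visible by writing out PBKDF2-HMAC-SHA256 from the standard library and timing it at rising iteration counts. It deliberately has no memory hardness, the third defense, which is exactly why the text recommends Argon2id instead (in Go that lives in `golang.org/x/crypto/argon2`, which this self-contained example does not import). `Record`, `HashPassword` and `CheckPassword` are names chosen here; the passwords are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018, section 5.2) for a single
// 32-byte output block, so the two tunable inputs the text names, salt and
// iteration count, are visible. It is slow by iteration only; it has no
// memory hardness, so prefer Argon2id for real password storage.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// Record is what the database stores: salt and cost are not secret, the
// hash is the only password-derived value, and the password itself never is.
type Record struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// HashPassword draws a fresh 16-byte salt per password and hashes at the given cost.
func HashPassword(password string, iterations int) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{Salt: salt, Iterations: iterations, Hash: pbkdf2SHA256([]byte(password), salt, iterations)}, nil
}

// CheckPassword recomputes with the stored salt and cost and compares in constant time.
func CheckPassword(rec Record, password string) bool {
	got := pbkdf2SHA256([]byte(password), rec.Salt, rec.Iterations)
	return subtle.ConstantTimeCompare(got, rec.Hash) == 1
}

func main() {
	// Constructed sample passwords.
	r1, _ := HashPassword("correct horse battery", 100_000)
	r2, _ := HashPassword("correct horse battery", 100_000)
	fmt.Println("same password, different stored hashes:", !bytes.Equal(r1.Hash, r2.Hash))
	fmt.Println("right password accepted:", CheckPassword(r1, "correct horse battery"))
	fmt.Println("wrong password rejected:", !CheckPassword(r1, "correct horse batterz"))
	// Cost factor: each 10x in iterations costs the defender one login's
	// worth of extra time and an attacker the same for every guess.
	for _, n := range []int{1_000, 10_000, 100_000} {
		start := time.Now()
		pbkdf2SHA256([]byte("x"), r1.Salt, n)
		fmt.Printf("%7d iterations: %v\n", n, time.Since(start))
	}
}
```

The timing loop is the point of the cost factor: the iteration count is stored alongside the hash, so it can be raised for new records as hardware gets faster without invalidating old ones, which are simply re-hashed at the new cost on the user's next successful login.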