
Introduction to Cryptography for Developers

Understanding the building blocks of secure applications.

Security 14 min read Last updated: June 19, 2026

What is Cryptography?

Cryptography is the practice of securing information by transforming it into an unreadable format. Modern applications use cryptography for confidentiality (keeping data secret), integrity (detecting tampering), authentication (verifying identity), and non-repudiation (proving actions).

As a developer, you don't need to implement cryptographic algorithms—that's dangerous. But understanding the concepts helps you use cryptographic tools correctly and design secure systems.

Symmetric Encryption

Symmetric encryption uses the same key for encryption and decryption. It's fast and efficient, ideal for encrypting large amounts of data.

Plaintext + Key → [Encrypt] → Ciphertext
Ciphertext + Key → [Decrypt] → Plaintext

Common Algorithms

AES (Advanced Encryption Standard)

The current standard. Use AES-256 for maximum security. Modes: GCM (recommended), CBC, CTR.

ChaCha20

Modern alternative to AES. Often paired with Poly1305 for authentication. Faster on devices without AES hardware.

DES/3DES (Deprecated)

Outdated. DES has only 56-bit keys. Don't use either in new applications.

The Key Distribution Problem

Symmetric encryption's weakness: how do you securely share the key? If you have a secure channel to share keys, why not use it for the message? This problem led to asymmetric encryption.

Asymmetric Encryption

Asymmetric (public-key) cryptography uses a key pair: a public key anyone can know and a private key kept secret.

// Encryption: anyone can encrypt with your public key
Plaintext + Public Key → [Encrypt] → Ciphertext

// Decryption: only you can decrypt with your private key
Ciphertext + Private Key → [Decrypt] → Plaintext

Common Algorithms

RSA

The classic. Use 2048-bit keys minimum, 4096-bit for long-term security. Slower than alternatives.

Elliptic Curve Cryptography (ECC)

Modern choice. Smaller keys with equivalent security. P-256 is common; Ed25519 for signatures.

Use Cases

  • Key exchange: Securely share symmetric keys
  • Digital signatures: Prove message authenticity
  • TLS/HTTPS: Establishing secure connections
  • Email encryption: PGP/GPG

Hybrid Encryption

In practice, applications combine both approaches:

  1. Generate a random symmetric key (session key)
  2. Encrypt the data with the symmetric key (fast)
  3. Encrypt the symmetric key with the recipient's public key
  4. Send both encrypted data and encrypted key

This gives you the speed of symmetric encryption with the key distribution benefits of asymmetric encryption. TLS works this way.
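
The four steps above as an added example using the WebCrypto API (not code from the original page): RSA-OAEP wraps a one-time AES-GCM session key. The function names and the sample message are constructed for illustration.

```javascript
// Added example (not from the original page). Runs in browsers and Node.js.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const { subtle } = webcrypto;

// Recipient's long-term RSA key pair; the private half is non-extractable.
const generateRecipientKeys = () => subtle.generateKey(
  { name: 'RSA-OAEP', modulusLength: 2048,
    publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
  false, ['wrapKey', 'unwrapKey']);

async function hybridEncrypt(plaintext, recipientPublicKey) {
  // Step 1: fresh random session key, used for this message only.
  const sessionKey = await subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  // Step 2: encrypt the data with the session key (fast, authenticated).
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ciphertext = await subtle.encrypt(
    { name: 'AES-GCM', iv }, sessionKey, new TextEncoder().encode(plaintext));
  // Step 3: encrypt (wrap) the session key with the recipient's public key.
  const wrappedKey = await subtle.wrapKey(
    'raw', sessionKey, recipientPublicKey, { name: 'RSA-OAEP' });
  // Step 4: all three fields can travel over an untrusted channel.
  return { wrappedKey, iv, ciphertext };
}

async function hybridDecrypt({ wrappedKey, iv, ciphertext }, recipientPrivateKey) {
  // Only the holder of the private key can recover the session key.
  const sessionKey = await subtle.unwrapKey(
    'raw', wrappedKey, recipientPrivateKey, { name: 'RSA-OAEP' },
    { name: 'AES-GCM' }, false, ['decrypt']);
  const plaintext = await subtle.decrypt({ name: 'AES-GCM', iv }, sessionKey, ciphertext);
  return new TextDecoder().decode(plaintext);
}

async function demo() {
  const recipient = await generateRecipientKeys();
  const bystander = await generateRecipientKeys();
  const message = await hybridEncrypt('constructed sample message', recipient.publicKey);
  return {
    wrappedKeyBytes: message.wrappedKey.byteLength, // one RSA-2048 block
    roundTrip: await hybridDecrypt(message, recipient.privateKey),
    wrongRecipientRejected: await hybridDecrypt(message, bystander.privateKey)
      .then(() => false, () => true),
  };
}
```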

Cryptographic Hashing

Hash functions create a fixed-size "fingerprint" of any data. Unlike encryption, hashing is one-way—you can't recover the original data.

Data → [Hash Function] → Fixed-size hash

"Hello" → SHA-256 → 185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969
"Hello!" → SHA-256 → 334d016f755cd6dc58c53a86e183882f8ec14f52fb05345887c8a5edd42c87b7

Hash Properties

  • Deterministic: Same input always produces same hash
  • One-way: Can't reverse to get original data
  • Collision resistant: Extremely hard to find two inputs with the same hash
  • Avalanche effect: Small input change = completely different hash

Use Cases

  • Password storage (with proper salting and stretching)
  • Data integrity verification
  • Digital signatures (sign the hash, not the whole message)
  • Deduplication (detect duplicate files)

Digital Signatures

Digital signatures prove that a message came from a specific sender and hasn't been modified. They use asymmetric cryptography in reverse:

// Signing: use your private key
Message → [Hash] → [Sign with Private Key] → Signature

// Verification: anyone can verify with your public key
Message + Signature → [Verify with Public Key] → Valid/Invalid

How It Works

  1. Hash the message (fast, fixed size)
  2. Encrypt the hash with your private key (the signature)
  3. Send message + signature
  4. Recipient hashes the message
  5. Recipient decrypts signature with your public key
  6. If hashes match, signature is valid
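
The signing flow as an added example using WebCrypto ECDSA over P-256 (not code from the original page): the library hashes the message with SHA-256 inside `sign` and `verify`, and the verifier is given only the exported public key. The message text and function names are constructed for illustration.

```javascript
// Added example (not from the original page). Runs in browsers and Node.js.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const { subtle } = webcrypto;
const CURVE = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' }; // message is hashed inside sign/verify
const bytes = (text) => new TextEncoder().encode(text);

// The private key is non-extractable: it can sign but cannot be exported.
const generateSigner = () => subtle.generateKey(CURVE, false, ['sign', 'verify']);

// What the signer publishes: the public key, here as a JWK object.
const exportPublic = (keyPair) => subtle.exportKey('jwk', keyPair.publicKey);

const sign = (keyPair, message) => subtle.sign(SIG, keyPair.privateKey, bytes(message));

// The verifier holds only the published JWK, never the private key.
async function verify(publicJwk, message, signature) {
  const key = await subtle.importKey('jwk', publicJwk, CURVE, false, ['verify']);
  return subtle.verify(SIG, key, signature, bytes(message));
}

async function demo() {
  const signer = await generateSigner();
  const someoneElse = await generateSigner();
  const message = 'build 42 approved for release'; // constructed sample
  const signature = await sign(signer, message);
  const signerJwk = await exportPublic(signer);
  return {
    signatureBytes: signature.byteLength, // r and s, 32 bytes each
    genuine: await verify(signerJwk, message, signature),
    modified: await verify(signerJwk, 'build 43 approved for release', signature),
    wrongKey: await verify(await exportPublic(someoneElse), message, signature),
  };
}
```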

Common Uses

  • Code signing (verify software authenticity)
  • Document signing (legally binding electronic signatures)
  • TLS certificates (prove server identity)
  • Git commits (verify commit author)

Key Derivation Functions

KDFs transform passwords or keys into cryptographic keys. The password-oriented ones below are deliberately slow, which makes brute-force guessing expensive.

Argon2 (Recommended)

Password Hashing Competition winner. Memory-hard, resistant to GPU attacks. Use Argon2id variant.

bcrypt

Battle-tested, widely supported. Built-in salting. Good choice if Argon2 isn't available.

PBKDF2

NIST-approved, FIPS-compliant. Less resistant to GPU attacks than Argon2 or bcrypt.

Common Cryptographic Mistakes

Rolling your own crypto

Use well-tested libraries. Don't implement algorithms yourself—subtle bugs create vulnerabilities.

Using encryption without authentication

Use authenticated encryption (AES-GCM, ChaCha20-Poly1305). Plain encryption doesn't detect tampering.

Reusing nonces/IVs

Never reuse nonces with the same key. It can completely break security. Generate random nonces or use a counter.
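
The two mistakes above (encryption without authentication, and nonce reuse) shown side by side with their correct forms, as an added WebCrypto example that is not code from the original page. The plaintexts and helper names are constructed for illustration.

```javascript
// Added example (not from the original page). Runs in browsers and Node.js.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const { subtle } = webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const newKey = (name) =>
  subtle.generateKey({ name, length: 256 }, false, ['encrypt', 'decrypt']);
// Simulates modification in transit: flips one bit of the eighth ciphertext byte.
const flipBit = (buf) => { const b = new Uint8Array(buf); b[7] ^= 0x08; return b; };

// Mistake: encryption without authentication. AES-CTR decrypts modified
// ciphertext without complaint; AES-GCM checks its tag and refuses.
async function tamperTest() {
  const data = enc.encode('amount=0100'); // constructed sample plaintext
  const ctrKey = await newKey('AES-CTR');
  const ctr = { name: 'AES-CTR', length: 64,
    counter: webcrypto.getRandomValues(new Uint8Array(16)) };
  const ctrTampered = flipBit(await subtle.encrypt(ctr, ctrKey, data));
  const ctrPlaintext = dec.decode(await subtle.decrypt(ctr, ctrKey, ctrTampered));

  const gcmKey = await newKey('AES-GCM');
  const gcm = { name: 'AES-GCM', iv: webcrypto.getRandomValues(new Uint8Array(12)) };
  const gcmTampered = flipBit(await subtle.encrypt(gcm, gcmKey, data));
  const gcmRejected = await subtle.decrypt(gcm, gcmKey, gcmTampered)
    .then(() => false, () => true);
  return { ctrPlaintext, gcmRejected };
}

// Mistake: nonce reuse. Same key + same nonce gives the same keystream, so
// XORing two ciphertexts cancels it and exposes plaintext1 XOR plaintext2.
async function xorLeaks(reuseNonce) {
  const key = await newKey('AES-GCM');
  const p1 = enc.encode('first message!!'); // constructed, 15 bytes each
  const p2 = enc.encode('second message!');
  const iv1 = webcrypto.getRandomValues(new Uint8Array(12));
  const iv2 = reuseNonce ? iv1 : webcrypto.getRandomValues(new Uint8Array(12));
  const c1 = new Uint8Array(await subtle.encrypt({ name: 'AES-GCM', iv: iv1 }, key, p1));
  const c2 = new Uint8Array(await subtle.encrypt({ name: 'AES-GCM', iv: iv2 }, key, p2));
  return p1.every((byte, i) => (c1[i] ^ c2[i]) === (byte ^ p2[i]));
}
```

`tamperTest()` returns the altered plaintext that AES-CTR accepted next to the AES-GCM rejection; `xorLeaks(true)` holds only when the nonce is reused.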

Using fast hashes for passwords

SHA-256 is too fast for passwords. Use Argon2, bcrypt, or PBKDF2 with high iteration counts.

Hardcoding keys in source code

Use environment variables or secret management services. Never commit keys to git.

Practical Examples

Password Storage (PHP)

// Hashing
$hash = password_hash($password, PASSWORD_DEFAULT);
// Stores: $2y$10$abcd...

// Verification
if (password_verify($password, $hash)) {
    // Password correct
}

Symmetric Encryption (JavaScript)

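// `key` is an AES-GCM CryptoKey with the 'encrypt' usage
async function encrypt(data, key) {
  // Fresh random 96-bit IV for every call; never reuse one with the same key
  const iv = crypto.getRandomValues(new Uint8Array(12));
  const encoded = new TextEncoder().encode(data);
  const ciphertext = await crypto.subtle.encrypt(
    { name: 'AES-GCM', iv },
    key,
    encoded
  );
  // The IV is not secret; keep it with the ciphertext, decryption needs it
  return { iv, ciphertext };
}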

Data Integrity (Python)

import hmac
import hashlib

# Create HMAC for integrity
message = b"Important data"
key = b"secret-key"
signature = hmac.new(key, message, hashlib.sha256).hexdigest()

# Verify HMAC
def verify(message, signature, key):
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(signature, expected)

Key Takeaways

  • Use symmetric encryption (AES-GCM) for encrypting data
  • Use asymmetric encryption for key exchange and signatures
  • Use proper KDFs (Argon2, bcrypt) for password hashing
  • Always use authenticated encryption to detect tampering
  • Never implement crypto algorithms yourself
  • Use well-maintained libraries and keep them updated
  • Store keys securely—not in code or config files
