Cryptography Fundamentals: Encryption, Hashing, Steganography & Ciphers (2026)
A complete beginner's guide to cryptography — symmetric vs asymmetric encryption, hashing, digital signatures, steganography, ciphers, plaintext vs ciphertext, and how each protects data.

TL;DR
Cryptography is the technical backbone of confidentiality and integrity — without it, data in transit and at rest is readable by anyone who intercepts it. Symmetric encryption is fast and efficient for bulk data; asymmetric encryption solves the key distribution problem and enables digital signatures. Hashing is irreversible and used for integrity verification and password storage — it is not encryption. Steganography hides the existence of information rather than just its content. Understanding which cryptographic tool addresses which security requirement prevents the critical mistake of deploying the wrong mechanism for the job.
Introduction
Confidentiality and integrity are among the most fundamental guarantees in security — yet they are routinely misunderstood, conflated, or implemented incorrectly. Using hashing where encryption is required, relying on symmetric cryptography where asymmetric trust is needed, or misunderstanding what a primitive actually guarantees are not theoretical mistakes; they are the kinds of errors that lead to compromised systems.
Cryptography is not a single mechanism. It is a collection of mathematically distinct primitives, each designed to solve a specific problem under specific assumptions. Encryption protects secrecy. Hashing verifies integrity. Digital signatures establish authenticity and non-repudiation. Key exchange enables secure communication across untrusted networks. None of these mechanisms are interchangeable.
Understanding what each primitive guarantees — and where those guarantees end — is essential for building secure systems correctly. This post establishes that foundation.
What Is Cryptography?
Cryptography is the science of hiding information, most commonly by encoding and decoding data with a cipher and a secret key. The goal is to make information unintelligible to unauthorized parties while remaining accessible to authorized ones.
In security practice, cryptography serves two primary functions:
Protecting information in transit — data crossing networks (the internet, internal LANs, wireless connections) is exposed to interception. Encrypting it makes captured traffic unreadable without the decryption key.
Protecting information at rest — data stored on devices, servers, and databases is exposed to theft or unauthorized access if those systems are compromised. Encrypting stored data ensures that physical or logical access to storage does not translate into access to the data itself.
Plaintext vs. Ciphertext vs. Cleartext
These three terms are frequently confused. The distinctions matter for understanding what cryptographic operations do and what protection they provide.
| Term | Definition | Protected? | Example |
|---|---|---|---|
| Plaintext | Readable data before encryption is applied | No — but can be encrypted | A message stored in a local file, not yet sent |
| Ciphertext | Data after encryption has been applied | Yes — unreadable without key | Encrypted email in transit |
| Cleartext | Data transmitted or stored with no encryption whatsoever | No — and never protected | Password sent over HTTP |
Plaintext is readable data that has not been encrypted but may be intended for encryption before transmission or storage. The term is neutral — it describes the state of data before the cryptographic process, not a security failure.
Ciphertext is the output of the encryption process — the encoded, unreadable form. Ciphertext is what travels across the network or sits in an encrypted file. Without the decryption key, ciphertext is computationally unreadable.
Cleartext describes data that is transmitted or stored without any encryption protection, making it immediately accessible to anyone who intercepts it. Cleartext is a security failure — credentials sent over HTTP, passwords stored in plain text databases, and unencrypted email are all cleartext problems. The distinction from plaintext: plaintext can be secured; cleartext is currently unprotected.
Ciphers
A cipher is the algorithm used to perform encryption or decryption. The cipher defines the mathematical transformation applied to the plaintext to produce ciphertext. A cipher combined with a key produces encryption — the same cipher with a different key produces completely different ciphertext from the same input.
Historical ciphers (Caesar cipher, Vigenère cipher) operated by simple character substitution or transposition and are trivially broken by modern computing. Modern ciphers — AES (Advanced Encryption Standard), RSA, ChaCha20 — rely on mathematical problems that are computationally infeasible to reverse without the key.
The cipher is public. The security of modern encryption does not depend on keeping the algorithm secret — it depends entirely on keeping the key secret. This is Kerckhoffs's principle: a cryptographic system should be secure even if everything about it except the key is public knowledge.
Encryption and Decryption
Encryption converts plaintext into ciphertext using a cipher and a key. Decryption reverses the process — converting ciphertext back to plaintext using the same cipher and the appropriate key.
ENCRYPTION:
Plaintext + Key + Cipher Algorithm → Ciphertext
DECRYPTION:
Ciphertext + Key + Cipher Algorithm → Plaintext
Example (conceptual):
Plaintext: "Transfer $10,000 to account 4521"
Key: [256-bit AES key]
Ciphertext: "7f3a9c2e1d8b4f6a0e7c9d3b5a1f2e8d..." (unreadable)
The key is the critical secret. The cipher algorithm is public. The security of the entire system rests on the secrecy and strength of the key — its length, randomness, and protection.
Symmetric Encryption
Symmetric encryption uses a single shared key for both encryption and decryption. The same key that locks the data unlocks it. Both the sender and receiver must possess the identical key.
SYMMETRIC ENCRYPTION:
Sender: Plaintext + [Shared Key] → Ciphertext (encrypts)
Receiver: Ciphertext + [Shared Key] → Plaintext (decrypts)
Common algorithms: AES-128, AES-256, ChaCha20, 3DES
Strengths of symmetric encryption:
- Fast — optimized for bulk data encryption
- Low computational overhead
- AES-256 is effectively unbreakable with current and foreseeable computing power
The fundamental problem — key distribution: Both parties must share the same secret key before encrypted communication can begin. How do you securely transmit the key to the other party without it being intercepted? If the communication channel were already secure, you would not need encryption. This circular problem is the key distribution problem, and it is what asymmetric encryption was designed to solve.
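The following is an added example, not code from the original post, showing the symmetric pattern above in working Python using only the standard library. Because Python ships no AES, the block builds a teaching cipher: HMAC-SHA256 run in counter mode as a keystream, XORed with the plaintext, plus an HMAC tag over the nonce and ciphertext (encrypt-then-MAC). The sub-key labels `b"enc"` and `b"mac"`, the 16-byte nonce and the packet layout `nonce || ciphertext || tag` are assumptions of this example. It is deliberately not AES: in production use AES-GCM or ChaCha20-Poly1305 from a vetted library. What it demonstrates is the part that does not change: the same shared key both encrypts and decrypts, a different key cannot, and a message altered in transit is rejected before any plaintext is returned.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumed layout: 16-byte random nonce prefixed to every packet
TAG_LEN = 32    # HMAC-SHA256 tag appended to every packet


def generate_key() -> bytes:
    """A fresh 256-bit shared key; both parties must hold this same value."""
    return secrets.token_bytes(32)


def derive_subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the one shared key (labels assumed)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over a PRF: HMAC(enc_key, nonce || counter) for counter = 0, 1, 2, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Plaintext + shared key -> nonce || ciphertext || tag."""
    enc_key, mac_key = derive_subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)  # never reuse a nonce under the same key
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, packet: bytes) -> bytes:
    """nonce || ciphertext || tag + shared key -> plaintext, or ValueError if the tag fails."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    enc_key, mac_key = derive_subkeys(key)
    nonce, ciphertext, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Check integrity first, in constant time, before touching the ciphertext.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def is_authentic(key: bytes, packet: bytes) -> bool:
    """True when the packet decrypts cleanly under this key, False otherwise."""
    try:
        decrypt(key, packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    shared = generate_key()
    packet = encrypt(shared, b"Transfer $10,000 to account 4521")  # constructed sample message
    print("ciphertext (hex):", packet[NONCE_LEN:-TAG_LEN].hex())
    print("recipient with shared key:", decrypt(shared, packet))
    print("eavesdropper with a different key:", is_authentic(generate_key(), packet))
```

The `is_authentic` check with a second key is the key-distribution problem in miniature: whoever holds `shared` can read every packet, so the whole scheme is only as strong as the channel over which that key was delivered.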
| Property | Symmetric | Asymmetric |
|---|---|---|
| Keys used | One shared key | Key pair (public + private) |
| Speed | Fast — suitable for bulk data | Slow — computationally expensive |
| Key distribution | Problem — key must be securely shared | Solved — public key freely distributed |
| Primary use | Encrypting data in transit and at rest | Key exchange, digital signatures, TLS handshake |
| Common algorithms | AES-256, ChaCha20 | RSA-2048, ECC, Diffie-Hellman |
Asymmetric Encryption
Asymmetric encryption uses a mathematically linked key pair: a public key and a private key. Data encrypted with one key can only be decrypted with the other key of the pair. The two keys are linked but cannot be derived from each other in any computationally feasible way.
KEY PAIR:
Public Key: Shared openly — anyone can have it
Private Key: Kept secret — only the owner holds it
ENCRYPTION FOR CONFIDENTIALITY:
Sender encrypts with recipient's PUBLIC key
Recipient decrypts with their own PRIVATE key
→ Only the recipient (private key holder) can decrypt
DIGITAL SIGNATURE (AUTHENTICATION + INTEGRITY):
Sender signs with their own PRIVATE key
Recipient verifies with sender's PUBLIC key
→ Only the sender (private key holder) could have created the signature
How asymmetric encryption solves key distribution: To receive encrypted messages, you publish your public key openly — post it on your website, include it in your email signature, register it with a key server. Anyone who wants to send you an encrypted message uses your public key to encrypt it. Only your private key decrypts it, and only you hold your private key. The key used to encrypt is different from the key used to decrypt, eliminating the need to securely share a secret key in advance.
In practice — TLS (HTTPS): When a browser connects to an HTTPS website, asymmetric cryptography is used during the handshake to securely negotiate a symmetric session key. The actual data transfer then uses the faster symmetric encryption with that negotiated key. This hybrid approach combines the key distribution advantage of asymmetric encryption with the performance advantage of symmetric encryption.
Image context: The side-by-side shows the fundamental structural difference — symmetric requires a shared secret while asymmetric eliminates that requirement by separating the encryption and decryption keys entirely.
Hashing
Hashing is a one-way transformation — it converts input data of any length into a fixed-length output called a hash, hash value, or message digest. Unlike encryption, hashing is not reversible. There is no key to "unhash" the output back to the original input.
HASHING:
Input (any length) + Hash Algorithm → Hash Value (fixed length)
Example (SHA-256):
Input: "Password123"
Hash: "ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f"
Input: "Password124" (one character different)
Hash: "3a7ac9e3c3e8e74a023dfe79c87f4a9dc9fe28e72c0a0d0e0f3b0e8c9f1d2..."
(completely different hash)
Image context: The flow diagram shows two key hashing properties at once — the one-way nature (no reverse arrow) and the avalanche effect (tiny input change produces a completely different output), both of which make hashing suitable for integrity verification and password storage.
Properties that make hashing useful for security:
- Deterministic: The same input always produces the same hash — enabling verification.
- One-way: Computationally infeasible to reverse — the hash cannot be decrypted back to the original input.
- Avalanche effect: A tiny change in input (one character, one bit) produces a completely different hash — making tampering immediately detectable.
- Fixed output length: SHA-256 always produces a 256-bit hash regardless of input size, enabling efficient comparison.
Primary security uses of hashing:
- Integrity verification: Hash the data before sending, send the hash separately or sign it, recipient hashes the received data and compares. Any difference in hash values proves the data was modified in transit.
- Password storage: Storing plaintext passwords in a database is catastrophic when that database is breached. Instead, hash the password and store only the hash. At login, hash the entered password and compare to the stored hash — no decryption needed, and the original password never needs to be stored.
Password hashing with salt:
Without salt:
"password123" → always produces the same hash
→ Rainbow table attack: precomputed hash → plaintext lookup is instant
With salt (unique random value added per user):
"password123" + "x7k2m9p1" (salt) → unique hash per user
→ Rainbow tables become useless — no precomputed table can cover every possible salt
Common hashing algorithms and their security status:
| Algorithm | Output Length | Security Status | Primary Use |
|---|---|---|---|
| MD5 | 128-bit | Broken — do not use | Legacy systems only |
| SHA-1 | 160-bit | Deprecated — do not use | Legacy TLS certificates |
| SHA-256 | 256-bit | Secure — current standard | File integrity, certificates, blockchain |
| SHA-3 | Variable | Secure — modern standard | High-security applications |
| bcrypt | Variable | Secure — designed for passwords | Password storage |
| Argon2 | Variable | Secure — current recommended | Password storage |
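The block below is an added example, not the post's own code, of the salted password storage described above. It uses PBKDF2-HMAC-SHA256 from Python's standard library because bcrypt and Argon2 (the table's recommended choices) require third-party packages; the iteration count follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256, and the `$`-separated record format is an assumption of this example. `unsalted_hash` is included only to show the problem: identical for every user with the same password, so one precomputed table answers all of them.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 work factor per the OWASP Password Storage Cheat Sheet (600,000).
ITERATIONS = 600_000
SALT_LEN = 16  # 128-bit random salt, unique per stored password


def unsalted_hash(password: str) -> str:
    """What the page warns against: a bare, fast hash that is the same for every user who
    picked this password and is therefore answerable from a precomputed (rainbow) table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex (assumed format).
    The salt is stored in the clear; its job is uniqueness, not secrecy."""
    salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Login check: re-derive with the stored salt and parameters, compare in constant time.
    The original password is never stored and never needs to be recovered."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice, bob = hash_password("password123"), hash_password("password123")
    print("unsalted, both users:", unsalted_hash("password123") == unsalted_hash("password123"))
    print("salted, both users:  ", alice == bob)
    print("correct password:", verify_password("password123", alice))
    print("wrong password:  ", verify_password("password124", alice))
```

Storing the iteration count in the record is what lets you raise the work factor later: new logins can be re-hashed under the higher value while old records still verify with the parameters they were written with.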
Digital Signatures
Digital signatures combine asymmetric cryptography with hashing to provide both authentication (proof of sender identity) and integrity (proof the data has not been modified) in a single mechanism.
CREATING A DIGITAL SIGNATURE:
1. Sender computes hash of the document
2. Sender encrypts the hash with their PRIVATE key → this is the signature
3. Sender attaches signature to the document and sends both
VERIFYING A DIGITAL SIGNATURE:
1. Recipient decrypts the signature with sender's PUBLIC key → recovers hash
2. Recipient independently computes hash of the received document
3. Compare the two hashes:
→ Match: document is authentic (from the private key holder) and unmodified
→ No match: document was tampered with OR signature is invalid
Image context: The two-row diagram shows that digital signatures involve two separate processes — the sender creates a hash and signs it, the recipient independently recomputes the hash and compares — making it clear why both authentication and integrity are simultaneously proven.
Digital signatures enforce non-repudiation: because only the holder of the private key could have created the signature, the sender cannot deny having signed the document. This is legally binding in many jurisdictions under electronic signature laws.
Steganography
Steganography hides the existence of a message — not just its content. Rather than encrypting data into ciphertext that is obviously protected, steganography conceals the secret data inside an ordinary-looking carrier file.
STEGANOGRAPHY CONCEPT:
Carrier file: A normal-looking image (JPEG, PNG)
Hidden data: A secret message embedded in the image
To the world: Just an ordinary photo
To the recipient (who knows where to look): A carrier containing a hidden message
How steganography works in common file types:
In images: Each pixel contains color data (RGB values). Changing the least-significant bit of each color channel alters the color by an imperceptible amount visually, but allows a significant amount of data to be hidden in a large image without visible change.
In text files: Hidden data encoded through unusual spacing, specific capitalization patterns, or null characters invisible in rendered text.
In audio and video: Slight alterations to file structure or sample values that are inaudible or invisible but encode hidden data.
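The image case above, as an added example that is not part of the original post: a constructed 64×64 RGB gradient stands in for the carrier photo, the payload is written one bit at a time into the least-significant bit of each colour channel (with a 4-byte length prefix so the reader knows when to stop, an assumption of this example), and `max_channel_delta` confirms that no channel value moves by more than 1, which is why the change is invisible to the eye. That last measurement is also the defender's lesson: because the picture looks identical, steganalysis has to examine the statistics of the LSB plane rather than the image itself.

```python
from typing import List, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B), each 0..255
LENGTH_PREFIX_BYTES = 4       # assumed framing: payload length stored in the first 32 LSBs


def make_carrier(width: int = 64, height: int = 64) -> List[Pixel]:
    """Constructed stand-in for a photo: a smooth RGB gradient."""
    return [(x % 256, y % 256, (x + y) % 256) for y in range(height) for x in range(width)]


def capacity_bytes(pixels: List[Pixel]) -> int:
    """Payload bytes that fit: one bit per channel, three channels per pixel, minus the prefix."""
    return (len(pixels) * 3) // 8 - LENGTH_PREFIX_BYTES


def fits(pixels: List[Pixel], payload: bytes) -> bool:
    return len(payload) <= capacity_bytes(pixels)


def embed_lsb(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Write length-prefixed payload bits into the LSB of successive channel values."""
    record = len(payload).to_bytes(LENGTH_PREFIX_BYTES, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in record for i in range(8)]  # MSB first
    if len(bits) > len(pixels) * 3:
        raise ValueError("payload exceeds carrier capacity")
    flat = [channel for px in pixels for channel in px]
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit  # clear the low bit, then set it to the payload bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def extract_lsb(pixels: List[Pixel]) -> bytes:
    """Read the LSB plane back: first the length prefix, then that many payload bytes."""
    bits = [channel & 1 for px in pixels for channel in px]

    def read_bytes(bit_offset: int, count: int) -> bytes:
        chunk = bits[bit_offset:bit_offset + 8 * count]
        if len(chunk) < 8 * count:
            raise ValueError("carrier too small for the declared payload length")
        return bytes(int("".join(str(b) for b in chunk[i:i + 8]), 2) for i in range(0, len(chunk), 8))

    length = int.from_bytes(read_bytes(0, LENGTH_PREFIX_BYTES), "big")
    return read_bytes(8 * LENGTH_PREFIX_BYTES, length)


def max_channel_delta(before: List[Pixel], after: List[Pixel]) -> int:
    """Largest change to any single channel value; 1 means visually imperceptible."""
    return max(abs(a - b) for pa, pb in zip(before, after) for a, b in zip(pa, pb))


if __name__ == "__main__":
    carrier = make_carrier()
    secret = b"meet at noon"  # constructed sample message
    stego = embed_lsb(carrier, secret)
    print("capacity (bytes):", capacity_bytes(carrier))
    print("max channel change:", max_channel_delta(carrier, stego))
    print("recovered:", extract_lsb(stego))
```

The payload goes in as-is here, which is exactly the page's warning: anyone who reads the LSB plane gets the text back. Encrypting `secret` first (as in the symmetric example earlier on this page) and embedding the ciphertext is what keeps the content protected once the carrier is suspected.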
Steganography vs. encryption — the key distinction:
| Property | Encryption | Steganography |
|---|---|---|
| Hides content | Yes | Yes (as a side effect) |
| Hides existence | No — ciphertext signals protection | Yes — carrier file appears normal |
| If discovered | Content is protected, existence obvious | If undiscovered, no investigation triggered |
| Combined use | Can be combined: encrypt then steganographically hide | Encrypt first, then hide for maximum protection |
Steganography alone is not sufficient security — if the carrier file is suspected and analyzed with steganalysis tools, the hidden data may be detected even if not immediately readable. Encrypting data before hiding it steganographically provides protection even if the steganography is detected.
Image context: The side-by-side makes the key distinction tangible — encryption announces that something is being protected while steganography hides the fact that anything is being protected at all, explaining why combining both provides the strongest privacy guarantee.
Cryptography Quick-Reference Cheat Sheet
CRYPTOGRAPHY DECISION GUIDE
──────────────────────────────────────────────────────────────────
NEED TO PROTECT CONFIDENTIALITY (keep data unreadable)?
→ Use ENCRYPTION
→ Bulk data / file encryption: Symmetric (AES-256)
→ Key exchange / public communication: Asymmetric (RSA / ECC)
→ In practice (HTTPS/TLS): Asymmetric handshake → Symmetric session
NEED TO VERIFY INTEGRITY (detect tampering)?
→ Use HASHING
→ File integrity: SHA-256
→ Password storage: bcrypt or Argon2 with salt
→ Never use MD5 or SHA-1 for new implementations
NEED AUTHENTICATION + INTEGRITY + NON-REPUDIATION?
→ Use DIGITAL SIGNATURES
→ Hash the data, sign the hash with private key
→ Recipient verifies with public key
NEED TO HIDE THE EXISTENCE OF DATA?
→ Use STEGANOGRAPHY
→ Best combined with encryption for defense-in-depth
KEY LENGTHS (minimum for current security):
Symmetric: AES-128 minimum, AES-256 preferred
Asymmetric: RSA-2048 minimum, RSA-3072/ECC preferred
Hash: SHA-256 minimum for integrity, Argon2 for passwords
──────────────────────────────────────────────────────────────────
Common Mistakes
Using hashing where encryption is needed. Hashing is one-way — you cannot recover the original data from a hash. Storing sensitive user data as a hash means that data is permanently unrecoverable. Password storage is the correct use case for hashing (you never need the original password, only the ability to verify it). Storing a user's home address, payment information, or any data you need to retrieve requires encryption, not hashing.
Using MD5 or SHA-1 for security-sensitive applications. MD5 has been cryptographically broken since 2004 — collisions (two different inputs producing the same hash) can be generated in seconds on modern hardware. SHA-1 was deprecated by NIST in 2011. Both are still in legacy systems but must not be used in any new security implementation. SHA-256 is the minimum acceptable standard.
Confusing symmetric key sharing with security. Symmetric encryption is only as secure as the key sharing process. If the shared key is transmitted unencrypted, an attacker who intercepts the key exchange intercepts all subsequent encrypted communication. Key exchange should use asymmetric cryptography (Diffie-Hellman or RSA key exchange) to establish a symmetric session key without ever transmitting the key in a recoverable form.
Treating steganography as a substitute for encryption. Steganography without encryption means that if the hidden data is detected and extracted, it is immediately readable. Steganalysis tools can detect statistical anomalies in files that indicate hidden data. Steganography and encryption are complementary — encrypt the sensitive data first, then hide the ciphertext steganographically for maximum protection.
Conclusion
Cryptography is the technical mechanism that makes confidentiality and integrity enforceable rather than aspirational. Symmetric encryption handles bulk data efficiently; asymmetric encryption solves key distribution and enables digital signatures; hashing provides one-way integrity verification and secure password storage; steganography hides the existence of information entirely. Each mechanism has a precise security guarantee and a specific set of scenarios where it is the correct choice. Deploying the right cryptographic tool for the right problem — and understanding the failure modes of each — is what separates security controls that actually work from ones that create false confidence. This concludes the Information Security Fundamentals series. The next step is seeing how these concepts are applied in practice — access control frameworks, PKI implementation, and the protocols that make encrypted communication work at internet scale.
Sources
- NIST SP 800-175B — Guideline for Using Cryptographic Standards — NIST guidance on selecting and implementing cryptographic mechanisms
- NIST FIPS 197 — Advanced Encryption Standard (AES) — The official AES specification
- NIST SP 800-107 — Recommendation for Applications Using Approved Hash Algorithms — Hash algorithm selection and usage guidance
- OWASP — Password Storage Cheat Sheet — Practical implementation guidance for bcrypt, Argon2, and salting
- Kerckhoffs's Principle — Crypto Museum — Historical context for the foundational principle of modern cryptographic system design