Security Fundamentals & OWASP
Cryptography Essentials for Interviews
4 min read
Cryptography questions appear in almost every security interview. This lesson covers the concepts and comparisons you need to articulate clearly.
Symmetric vs Asymmetric Encryption
A classic interview question:
| Aspect | Symmetric | Asymmetric |
|---|---|---|
| Keys | Same key encrypts/decrypts | Public/private key pair |
| Speed | Fast | Slow (100-1000x slower) |
| Key Distribution | Challenge | Public key can be shared |
| Use Cases | Bulk data encryption | Key exchange, signatures |
| Examples | AES, ChaCha20 | RSA, ECC, Ed25519 |
Interview Question
Q: "When would you use symmetric vs asymmetric encryption?"
Answer:
- Asymmetric: Initial key exchange, digital signatures, TLS handshake
- Symmetric: Encrypting the actual data after key exchange
- Hybrid approach: TLS uses asymmetric to exchange symmetric session keys
Hashing vs Encryption
| Aspect | Hashing | Encryption |
|---|---|---|
| Reversibility | One-way (cannot recover input) | Two-way (can decrypt) |
| Output size | Fixed (e.g., SHA-256 = 256 bits) | Variable (depends on input) |
| Use cases | Password storage, integrity | Data protection |
| Examples | SHA-256, bcrypt | AES-256-GCM |
# Hashing (one-way)
import hashlib
hash_value = hashlib.sha256(b"data").hexdigest()
# Encryption (two-way)
from cryptography.fernet import Fernet
key = Fernet.generate_key()
cipher = Fernet(key)
encrypted = cipher.encrypt(b"data")
decrypted = cipher.decrypt(encrypted) # Can recover original
TLS/SSL Deep Dive
Interview favorite: "Explain the TLS handshake."
TLS 1.3 Handshake (Simplified)
Client Server
| |
|-------- ClientHello --------------->| (1) Supported versions, cipher suites
| |
|<------- ServerHello ----------------| (2) Chosen version, cipher suite
|<------- Certificate ----------------| (3) Server's certificate
|<------- CertificateVerify ----------| (4) Signature proving key ownership
|<------- Finished -------------------| (5) Handshake MAC
| |
|-------- Finished ------------------>| (6) Client handshake MAC
| |
|<======= Application Data ==========>| (7) Encrypted communication
Key Points for Interviews
- TLS 1.3 is current standard (TLS 1.2 still acceptable)
- 1-RTT handshake in TLS 1.3 (was 2-RTT in 1.2)
- 0-RTT resumption possible but has replay risks
- Perfect Forward Secrecy via ephemeral keys
- Certificate pinning prevents MITM with rogue CAs
Password Storage
Never store passwords in plaintext or simple hashes.
Recommended Algorithms
| Algorithm | Notes | Parameters |
|---|---|---|
| Argon2id | Winner of PHC, recommended | Memory: 64MB, Iterations: 3, Parallelism: 4 |
| bcrypt | Widely supported | Cost factor: 12+ |
| scrypt | Memory-hard | N=2^14, r=8, p=1 |
Interview Code
# Modern password hashing with Argon2
from argon2 import PasswordHasher
ph = PasswordHasher(
time_cost=3, # Number of iterations
memory_cost=65536, # 64 MB memory usage
parallelism=4, # 4 parallel threads
hash_len=32, # Output length
salt_len=16 # Salt length
)
# Hash password
hashed = ph.hash("user_password")
# Verify password
try:
ph.verify(hashed, "user_password")
# Password correct
except argon2.exceptions.VerifyMismatchError:
# Password incorrect
Key Management
Interview Scenario: "Where would you store encryption keys?"
Key Storage Hierarchy
| Level | Solution | Use Case |
|---|---|---|
| Development | Environment variables | Local testing only |
| Production | Secrets Manager (AWS, Vault) | Application secrets |
| High Security | HSM (Hardware Security Module) | Master keys, signing keys |
Key Rotation
# Key rotation pattern
class KeyManager:
def __init__(self, secrets_client):
self.current_key_id = "key-v2"
self.previous_key_ids = ["key-v1"]
def encrypt(self, data):
key = self.get_key(self.current_key_id)
return encrypt_with_key(data, key, self.current_key_id)
def decrypt(self, encrypted_data, key_id):
# Support decryption with old keys during rotation
if key_id == self.current_key_id or key_id in self.previous_key_ids:
key = self.get_key(key_id)
return decrypt_with_key(encrypted_data, key)
raise KeyNotFoundError(f"Unknown key: {key_id}")
Quick Reference: Algorithm Selection
| Purpose | Recommended | Avoid |
|---|---|---|
| Passwords | Argon2id, bcrypt | MD5, SHA1, SHA256 |
| Data encryption | AES-256-GCM | DES, 3DES, ECB mode |
| Digital signatures | Ed25519, ECDSA P-256 | RSA < 2048 bits |
| Key derivation | HKDF, PBKDF2 | Simple hashing |
| Random numbers | secrets module, /dev/urandom | random module |
Interview Tip: When asked about cryptography choices, always mention the specific algorithm AND parameters. "I'd use bcrypt" is okay; "I'd use bcrypt with a cost factor of 12 or higher" is much better.
In the next module, we'll cover application security including secure code review and threat modeling. :::