Cryptographic Systems Overview

Understanding symmetric & asymmetric encryption, hashes, hardware key vaults, and distributed consensus.

Learning Environment Active

Unlock the Science of Secrets

Welcome to CryptoLab. This environment is designed to demystify how digital security layers work in practice. Explore hashing, symmetric/asymmetric locking, data masking, steganography, tamper-resistant blockchain ledgers, and dedicated secure hardware. Try each visual sandbox, then test your skills in the Assignment console.

Hashing, Salt & Pepper

Observe how one-way functions transform text into fixed digests, and how salting and peppering prevents rainbow table attacks.

Symmetric & Asymmetric Ciphers

Interact with single shared keys vs public/private key pairs. Safely exchange messages across an insecure visual space.

Data Protection & Masking

Explore Tokenization, dynamic Data Masking, ROT13/Base64 Obfuscation, and computing-heavy Key Stretching techniques.

Steganography (LSB)

Embed secret text messages directly inside the pixel colors of an image canvas, invisible to the naked eye.

Secured Hardware Modules

Understand the mechanical differences between dedicated security chips: TPM, HSM, KMS, and CPU Secure Enclaves.

Blockchain Ledger

Interact with a real distributed ledger. Attempt to tamper with historic block data and watch the integrity hash fall apart.

Visual Hashing Playground

Sandbox

Salt is generated randomly per password and stored alongside the hash in the DB.

Pepper is a secret constant stored separately (e.g. environment variable, KMS).

"MySuperSecurePassword123" Plaintext
+
"d9a1f8c" Salt (Dynamic)
+
"KablePepperSecret..." Pepper (Static)
SHA-256 Engine
Computed Cryptographic Hash (SHA-256)
Calculating...

How Hashing & Salting Protects Us

Security Guide

What is a Hash?

A hashing function is a one-way mathematical function. It takes an input of any size and converts it into a fixed-length string of characters (a digest). It is mathematically impossible to reverse-engineer the original plaintext from the digest.

Why Plain Hashing is Insecure

If two users have the password password123, their hashes are identical. Attackers pre-compute billions of hashes for common words (called Rainbow Tables) to reverse hashes in milliseconds.

No Salt DB Entry:
User: Alice | Hash: ef92...c12
User: Charlie | Hash: ef92...c12 Identical!
Salted DB Entry:
Alice: Salt: abc | Hash: 9a2f...11a
Charlie: Salt: xyz | Hash: fb84...30d Different!

Salt vs. Pepper

  • Salt: Unique, random value stored in the database next to the password. Defeats Rainbow Tables and ensures identical passwords result in completely different hashes.
  • Pepper: Secret constant stored in the code configuration, not the database. If the database leaks, the attacker still cannot crack the hashes because they lack the "Pepper" key from the application server.

Symmetric Cipher Playground

Interactive
Alice (Sender)
Ciphertext
[Empty Channel]
Bob (Receiver)

Symmetric vs Asymmetric

Security Guide

Symmetric Encryption (Single Key)

Uses the exact same key to encrypt and decrypt data. It is extremely fast and suited for bulk data encryption (e.g. encrypting hard drives, databases, file transfers).

The Core Problem: Key Distribution. How do Alice and Bob securely share the key in the first place without someone sniffing it?

Asymmetric Encryption (Key Pairs)

Uses a mathematical relationship of two matching keys:

  • Public Key: Shared with anyone. Encrypts data.
  • Private Key: Kept secret. Decrypts data.

Data encrypted with the public key can only be decrypted by the corresponding private key. This resolves the key exchange issue entirely.

Real-World Solution: Hybrid Cryptography

In modern systems (like HTTPS/TLS), asymmetric encryption is used to securely exchange a temporary symmetric key. Once both parties have the symmetric key, they switch to symmetric encryption for speed.

Obfuscation & Masking

Sandbox
Processing...

Replaces identifiable data elements with placeholder characters (e.g. asterisks) to prevent exposure without changing database values.

ROT13: Loading...
Base64: Loading...

Obfuscation makes code or data hard for humans to read but provides zero mathematical security because it can be reversed instantly without a key.

Tokenization Laboratory

Interactive Flow
1. The Swivel

Browser sends PAN. It is intercepted and routed directly to the Tokenization Vault before reaching merchant servers.

BrowserPAN DataVault
2. Vault Exchange

Vault stores PAN in a secure enclave DB and yields a randomized Token holding zero mathematical relation to the card.

Token KeyActual PAN
TOK_PENDING... 4532-7182-9901-2248
3. Insecure Storage

The Vault sends only the Token back out. The merchant stores this Token in their database. If hacked, card data cannot be decrypted.

Stored TokenMerchant PCI Risk
TOK_PENDING... 0% Exposure

Key Stretching (PBKDF2/bcrypt)

Sandbox
10,000
Simulated CPU Delay: 0ms
Difficulty Multiplier: 1x

Key Stretching: Runs a password hash through thousands of nested loops. This makes authentication take a fraction of a second for a user, but makes it computationally impossible for an attacker to test millions of keys per second on a GPU.

LSB Steganography Canvas

Sandbox

Encode Secret Message

Original & Steg version look identical because only the lowest bit of pixel RGB values is modified.

Decode & Read Message

Scan the Least Significant Bits of the pixel canvas values to extract the hidden string.

No message extracted yet. Click "Extract".

Steganography vs. Encryption

Security Guide

What is Steganography?

Unlike encryption which scrambles a message to make it unreadable, steganography hides the existence of the message. The message is embedded inside a carrier medium (like an image, audio file, or network packet).

How LSB (Least Significant Bit) Works

Digital images represent colors with three channels: Red, Green, and Blue (RGB). Each channel is a number between 0 and 255 (represented in 8 bits, e.g., 11110010).

By replacing the last bit (the least significant bit) with our secret message's binary bits, we change the color value by at most 1 (e.g. from 242 to 243). This subtle shift is completely invisible to human eyes.

Standard Bit: 11010110 (RGB: 214)
Modulated Bit: 11010111 (RGB: 215)
Color change is 0.39%, impossible to notice visually.

Cryptographic calculations require secure spaces. Software can be compromised; hardware protection anchors security directly to physical chips. Explore the four primary hardware architectures:

TPM

Trusted Platform Module

A dedicated microcontroller soldered onto computer motherboards. It measures system startup configuration (Secure Boot) and seals keys to ensure they are only released if the OS is tamper-free.

Form Factor: Local motherboard chip.
Primary Role: Device health, disk encryption keys (e.g., BitLocker).

HSM

Hardware Security Module

Enterprise-grade, tamper-resistant physical devices connected to servers. They generate, store, and manage millions of cryptographic keys, performing cryptographic actions directly on the card to ensure keys never enter RAM.

Form Factor: Server rack appliance or PCIe card.
Primary Role: Corporate CA signing, credit card verification transactions.

KMS

Key Management Service

A centralized cloud utility (often backed by cloud-linked HSMs) for managing and auditing key lifecycles. It enables software components to request encryption operations or transient keys programmatically via APIs.

Form Factor: Cloud Service API (AWS KMS, Google Cloud KMS).
Primary Role: Cloud database encryption, access control policies.

Secure Enclave

Isolated CPU Execution Zone

An isolated processor subsystem built into the main system-on-chip (SoC). It runs its own micro-kernel to process biometric data (FaceID, TouchID) and cryptography entirely separate from the main operating system memory.

Form Factor: Built inside CPU chip (Apple T-series/A-series, ARM TrustZone).
Primary Role: FaceID / fingerprint scanning, secure device unlock.

Visual Architecture Flow: TPM 2.0 Local Sealing

PC Motherboard (Main Area) Insecure OS Space
Main CPU: running OS Kernel & BitLocker Drivers
Main System RAM (Volatile Memory)
LPC / SPI Bus Traces
TPM 2.0 Chip Boundary Cryptographic Microcontroller
PCR (Platform Config Registers): Stores startup firmware hashes
Storage Root Key (SRK): Hardware-isolated master key
Status: If boot hashes matches PCR values, release BitLocker key!
Pending Transactions: 0

Blockchain & The Power of Public Ledgers

Security Guide

What is a Blockchain?

A blockchain is an append-only distributed ledger. Each block contains transactions, a unique mathematical counter called a Nonce, and a reference to the **Previous Block's Hash**.

Why is it Immutable (Tamper-Proof)?

Because each block links to the previous block's hash, changing even a single character in Block 1 recalculates its hash. This causes a cascade mismatch in Block 2, Block 3, and so on. In a public ledger, if an attacker attempts to overwrite historical data, their network node's chain will differ from the majority's ledger, and it will be instantly rejected.

Proof of Work (Mining)

To secure the network, miners must solve a cryptographic puzzle: find a Nonce value that makes the Block Hash start with a specific number of zeroes (e.g., 0000...). Try changing the Transaction data in any block above, then watch the blocks turn red (broken), and mine them back to validity!

CryptoLab Challenge Assignments

Apply your knowledge of symmetric/asymmetric encryption, hashing, salting, tokenization, data masking, hardware secure devices, and blockchains to resolve real-world security tasks.

Task 1: The Password DB Leak

Topic: Hashing & Salting

Task 2: PCI-DSS Compliance

Topic: Tokenization vs. Encryption

Task 3: IoT Secure Authentication

Topic: Security Devices (TPM/HSM/etc)

Task 4: Blockchain Ledger Verification

Topic: Public Ledger & Hashes

Scenario 1: Defeating Rainbow Tables

A web application stored passwords using plain SHA-256 hashes. During a security audit, the database was leaked. Because no salt was used, the auditor was able to crack 80% of passwords instantly using precompiled rainbow tables.

Your Goal: Help the engineering team choose the correct strategy to salt their passwords securely.

Which formula correctly processes the user's password to ensure that identical passwords generate different stored database hashes, and cannot be cracked using default rainbow tables?

Completion Certificate Locked

Complete all 4 cryptographic assignment challenges successfully to unlock your official, cryptographically verifiable completion certificate.