The fundamental set of cryptograph algotithms can be divided into three groups:

- Symmetric
- Asymmetric
- Hash functions

Symmetric algorithms encrypt and decrypt a message using the same key. If you hold a key, you can exchange messages with anybody else holding the same key. It is a shared secret. But be careful who you give the key to. Once it gets in the wrong hands, there is no getting it back. That person can read all of your past messages, and create new messages that are indistinguishable from valid data.

Several symmetric algorithms have been used in the past. These include:

- Blowfish
- DES
- 3DES (Triple DES)
- AES

The first three of these algorithms are generally considered obsolete. Today, the standard symmetric algorithm is AES.

Asymmetric algorithms use a different key to encrypt than they do to decrypt. The encrypting key is called the *public key* and the decrypting key is the *private key*. If you hold the private key, I can send you a message that only you can read.

These keys will also work in the opposite direction. That is, anything you encrypt with your private key, I can decrypt with your public key. You can use this to digitally sign a document. Encrypt it with your private key, and I'll be able to verify your signature by decrypting with your public key. I have confidence that the message came from you, because only someone who holds your private key could have produced a working signature.

There are three asymmetric algorithms in use today:

- Diffie-Hellman
- RSA
- Elliptic Curve

Diffie-Hellman is not quite suitable for establishing identity as describe above, but the other two are. RSA is the most common today, but Elliptic Curve appears to be on its way to becoming the next standard.

An asymmetric algorithm is limited in the size of message that it can encrypt and decrypt. It can't be run over a large message the way that a symmetric algorithm can. So if I wan to use an asymmetric algorithm to sign a message, I have to first compute a digest, a smaller number based on the larger message. The way I do that is to run a hash function.

Some hash functions were invented for error detection during transmission. These hash functions are not suitable for digital signitures because they are easily reversible. Instead, we have devised cryptographically secure hash functions, which produce hashes that are hard to reverse. In other words, given a hash, it's hard to make up a document that computes that hash. These hash functions include:

- MD5
- SHA 1
- The SHA 2 family (SHA-128, SHA-192, and SHA-256)
- The SHA 3 family

MD5 has been found to contain weaknesses, and is therefore no longer recommended for use. SHA 1 is somewhat stronger, but should still be phased out at this time. SHA 2 is secure, but was invented by the NSA. SHA 3 is secure, and was invented using an open selection process.

By combining algorithms from these three groups, you can create a cryptosystem. This is a protocol for communicating with both confidentiality and authenticity.

To achieve confidentiality, make up a random symmetric key. Encrypt your message with that key. Then encrypt the key using the recipient's public key. The recipient can then decrypt first the symmetric key, and then the message. Only they will be able to do so, provided that their private key is kept secret.

To achieve authenticity, compute a digest of your message using a cryptographically secure hash function. Encrypt this digest using your private key to produce the signature. When the recipient recieves the message, they will be able to compute the digest themselves, and then decrypt your signature with your public key. If the answers are the same, then they have confidence that the message came from you and was not altered, provided that you've kept your private key secret.

This is the basis of all digital encryption today. Understanding the algorthms will help you choose the right ones, and to construct a secure. cryptosystem.