Gary's Secret Recipes.
Gary's coffee recipes are his competitive advantage. He needs to protect them. Five different problems. Five different tools. The most content-dense story in the guide.
Gary has a second shop across town. He needs to send recipes there. He puts each recipe in a lockbox with a padlock and sends it by courier. Both shops have a copy of the same key. One key. Both sides. Fast.
That's symmetric encryption — one key, both sides, fast, bulk data. But there's a problem: how did Gary get the key to the second shop in the first place? If he sent it by courier, the courier could copy it. That's the key distribution problem.
Gary's lockboxes come in models. DES — the old rusty one, 56-bit keyhole. Anyone with a crowbar can pop it. Broken. 3DES — three rusty lockboxes chained together. Better, but slow. Legacy. AES — the titanium lockbox. Three keyhole sizes: 128, 192, or 256-bit. Nobody's ever cracked it. Current standard. AES works in blocks — it chops the recipe into fixed-size chunks. That's a block cipher. The alternative encrypts one character at a time: a stream cipher.
A food blogger wants Gary's recipe. Gary's never met her. He can't hand her a key in person. So Gary does something clever. He makes two keys — a gold key he keeps in his pocket (private key), and a silver key he hangs on the shop door for anyone to grab (public key).
The blogger grabs the silver key, locks her message in a box, and sends it. Only Gary's gold key can open it. That's asymmetric encryption. Public key encrypts, private key decrypts. It's slow — so in practice, Gary uses the asymmetric box to send a brand-new symmetric key to the blogger. Then they switch to fast lockboxes for the actual recipes. That's how TLS works — asymmetric for the handshake, symmetric for the data.
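Here is the whole exchange from the last few paragraphs in working code: the titanium lockbox (AES-256 in GCM mode, one key both sides) for the recipe itself, and Gary's gold/silver pair (RSA-2048 with OAEP) used only to hand the blogger's fresh symmetric key across. This is an added example written for this guide, not code from the original story; the function names (newGaryKeys, lockRecipe, deliver and so on) and the sample recipe are constructed for it. GCM is used rather than a bare block mode so that opening a box whose bytes were changed in transit fails instead of returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newGaryKeys makes Gary's gold key (private) and silver key (public).
// Hypothetical helper for this example.
func newGaryKeys() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// gcmFor builds the titanium lockbox: AES with a 16-, 24- or 32-byte key
// (AES-128/192/256) in GCM mode, so tampering is detected on opening.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockRecipe seals a recipe under the shared symmetric key. The random
// nonce is prepended so the other shop has it when opening the box.
func lockRecipe(key, recipe []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, recipe, nil), nil
}

// unlockRecipe opens a sealed box; any changed byte makes it fail.
func unlockRecipe(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed box too short: %d bytes", len(sealed))
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// wrapKey is the blogger's step: lock a fresh symmetric key with Gary's
// silver (public) key. Only the gold key can open it.
func wrapKey(pub *rsa.PublicKey, symKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
}

// unwrapKey is Gary's step: recover the symmetric key with his gold key.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// deliver runs one hybrid exchange and returns what Gary reads at the far
// end. The slow asymmetric step carries only 32 bytes; the recipe itself
// travels in the fast symmetric box.
func deliver(recipe []byte) ([]byte, error) {
	gary, err := newGaryKeys()
	if err != nil {
		return nil, err
	}
	// Blogger side: brand-new AES-256 key, wrapped for Gary, recipe sealed.
	symKey := make([]byte, 32)
	if _, err := rand.Read(symKey); err != nil {
		return nil, err
	}
	wrapped, err := wrapKey(&gary.PublicKey, symKey)
	if err != nil {
		return nil, err
	}
	sealed, err := lockRecipe(symKey, recipe)
	if err != nil {
		return nil, err
	}
	// The courier carries wrapped + sealed. Gary side: unwrap, then unlock.
	garyKey, err := unwrapKey(gary, wrapped)
	if err != nil {
		return nil, err
	}
	return unlockRecipe(garyKey, sealed)
}

func main() {
	recipe := []byte("Flat white: 18g beans, 36g out in 28s, 150ml milk") // constructed
	got, err := deliver(recipe)
	fmt.Printf("recovered=%q err=%v\n", got, err)
}
```

Note what the courier actually sees: an RSA-wrapped 32-byte key and a GCM-sealed blob. Neither the key nor the recipe is ever sent in the clear, which is exactly the key distribution problem from the courier-and-padlock version solved.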
Asymmetric algorithms: RSA — the classic. Big keys (2048/4096-bit). Heavy iron padlock. ECC — smaller keys, same strength. Lightweight titanium. Modern favourite. Diffie-Hellman — not for locking boxes. For agreeing on a key without ever sending it. Gary and the blogger each shout a number, do some maths, and end up with the same secret. Nobody listening can figure it out. That's key exchange.
Gary prints a recipe and runs it through a magic shredder. The shredder spits out a unique fingerprint — a short fixed-length code. Change ONE ingredient and the fingerprint is completely different. You can't reconstruct the recipe from the fingerprint.
That's hashing — one-way fingerprint, no key, fixed output. Shredders: MD5 — 128-bit, has known collisions. Broken, never use. SHA-1 — 160-bit, also has collisions. Deprecated. SHA-256 — 256-bit, no known collisions. Current standard.
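The shredder in code, added here as an example rather than taken from the story: SHA-256 over two constructed recipes that differ in a single ingredient, with a count of how many of the 256 fingerprint bits changed, plus the fixed digest sizes of the three shredders named above. The helper names (fingerprint, differingBits, digestSizes) are made up for this example.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// fingerprint runs a recipe through the SHA-256 shredder: no key, fixed
// 32-byte output, and no way back to the recipe.
func fingerprint(recipe string) [32]byte {
	return sha256.Sum256([]byte(recipe))
}

// differingBits counts how many of the 256 fingerprint bits changed
// between two recipes. For a good hash roughly half of them flip on any
// change at all (the avalanche effect).
func differingBits(a, b [32]byte) int {
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

// digestSizes returns the fixed output length, in bytes, of each shredder.
// MD5 and SHA-1 appear only to show their sizes; the advice above stands:
// do not rely on them where collisions matter.
func digestSizes(data []byte) (md5Len, sha1Len, sha256Len int) {
	m, s1, s2 := md5.Sum(data), sha1.Sum(data), sha256.Sum256(data)
	return len(m), len(s1), len(s2)
}

func main() {
	// Constructed recipes: the only change is the milk temperature.
	original := "Flat white: 18g beans, 36g espresso, 150ml milk steamed to 60C"
	changed := "Flat white: 18g beans, 36g espresso, 150ml milk steamed to 65C"
	a, b := fingerprint(original), fingerprint(changed)
	fmt.Println(hex.EncodeToString(a[:]))
	fmt.Println(hex.EncodeToString(b[:]))
	fmt.Printf("bits changed: %d of 256\n", differingBits(a, b))
}
```

Run it and the two hex strings share nothing recognisable, even though the inputs differ by one character. That is the property that makes a fingerprint useful for the tamper check in the next paragraph.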
Gary wants to send a recipe and prove two things: it hasn't been tampered with, and he definitely wrote it. He hashes the recipe to get a fingerprint, then locks the fingerprint with his gold key (private key). He sends the recipe plus the locked fingerprint. The blogger unlocks it with Gary's silver key (public key), hashes the recipe herself, and compares. Match = untampered AND Gary signed it. That's a digital signature — hash plus encrypt with private key. Proves integrity and non-repudiation.
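The signing and checking steps above, as an added example (not the story's own code): hash the recipe with SHA-256, sign the digest with Gary's private key (RSA PKCS#1 v1.5), and let the blogger verify with his public key. The checkSignature helper, the impostor key pair and the sample recipe are constructed for this example to show the three outcomes a verifier cares about: genuine, tampered, and signed by someone else.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signRecipe hashes the recipe, then locks the fingerprint with the gold
// (private) key. RSA signing over a SHA-256 digest is exactly that step.
func signRecipe(priv *rsa.PrivateKey, recipe []byte) ([]byte, error) {
	digest := sha256.Sum256(recipe)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyRecipe is the blogger's side: hash the recipe herself and check the
// locked fingerprint with Gary's silver (public) key. A match means the
// recipe is untampered and was signed by whoever holds the gold key.
func verifyRecipe(pub *rsa.PublicKey, recipe, sig []byte) bool {
	digest := sha256.Sum256(recipe)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// outcome records the three checks worth running on any signature.
type outcome struct {
	Genuine  bool // original recipe, Gary's public key
	Tampered bool // one ingredient changed, Gary's public key
	Impostor bool // original recipe, somebody else's public key
}

// checkSignature signs a recipe with Gary's key and runs all three checks.
func checkSignature(recipe []byte) (outcome, error) {
	gary, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return outcome{}, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // a different gold key
	if err != nil {
		return outcome{}, err
	}
	sig, err := signRecipe(gary, recipe)
	if err != nil {
		return outcome{}, err
	}
	tampered := append([]byte(nil), recipe...)
	tampered[len(tampered)-1] ^= 1 // flip one bit of the last ingredient
	return outcome{
		Genuine:  verifyRecipe(&gary.PublicKey, recipe, sig),
		Tampered: verifyRecipe(&gary.PublicKey, tampered, sig),
		Impostor: verifyRecipe(&impostor.PublicKey, recipe, sig),
	}, nil
}

func main() {
	recipe := []byte("Cortado: 18g beans, 36g espresso, 36ml milk at 55C") // constructed
	o, err := checkSignature(recipe)
	fmt.Printf("genuine=%v tampered=%v impostor=%v err=%v\n", o.Genuine, o.Tampered, o.Impostor, err)
}
```

The Impostor case is the non-repudiation half of the claim: a signature that checks out under Gary's public key could only have been produced with Gary's private key, so a second key pair, however legitimate, cannot stand in for it.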
Gary keeps staff passwords as hashes. Problem: two staff with the same password produce the same hash. A thief with a rainbow table could match them instantly. Fix: Gary adds a salt — a unique random value — to each password before hashing. Now identical passwords produce different hashes. Extra fix: key stretching — run the hash thousands of times. Deliberately slow. Brute force takes thousands of operations per guess. Algorithms: PBKDF2, bcrypt, scrypt.
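Salt and key stretching together, as an added example rather than code from the story. PBKDF2 (one of the three algorithms named above) is written out here with HMAC-SHA256 as its PRF so the "run the hash thousands of times" loop is visible; the stored record, the 16-byte salt, the 100,000 iteration count and the helper names (pbkdf2SHA256, hashPassword, verifyPassword) are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF. Each
// output block is the XOR of `iterations` chained HMAC results, so every
// password guess costs an attacker that many HMAC computations.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	out := make([]byte, 0, keyLen+hLen)
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // Uj = PRF(P, U(j-1))
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// stored is what Gary keeps per staff member: never the password itself,
// only the per-user salt, the stretched hash and the cost used to make it.
type stored struct {
	Salt       []byte
	Hash       []byte
	Iterations int
}

const defaultIterations = 100_000 // constructed cost for this example

// hashPassword draws a fresh random salt, so two staff with the same
// password end up with different hashes and rainbow tables are useless.
func hashPassword(password string) (stored, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return stored{}, err
	}
	hash := pbkdf2SHA256([]byte(password), salt, defaultIterations, 32)
	return stored{Salt: salt, Hash: hash, Iterations: defaultIterations}, nil
}

// verifyPassword recomputes with the stored salt and cost and compares in
// constant time, so a wrong guess takes as long as a right one.
func verifyPassword(password string, s stored) bool {
	candidate := pbkdf2SHA256([]byte(password), s.Salt, s.Iterations, len(s.Hash))
	return subtle.ConstantTimeCompare(candidate, s.Hash) == 1
}

func main() {
	a, _ := hashPassword("latte4life")
	b, _ := hashPassword("latte4life") // same password, different salt
	fmt.Println("same hash for same password?", bytes.Equal(a.Hash, b.Hash))
	fmt.Println("correct:", verifyPassword("latte4life", a), "wrong:", verifyPassword("mocha", a))
}
```

Raise defaultIterations until verifyPassword takes as long as the login path can tolerate; that delay is the whole point, because it multiplies the attacker's cost per guess by the same factor. In production, prefer a maintained library implementation (or bcrypt/scrypt) over hand-written PBKDF2; this version exists to make the loop legible.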
Gary's paranoid mate hides a recipe inside a photo of a cat. The photo looks perfectly normal. Nobody knows there's data hidden in it. That's steganography — hiding the existence of the message, not just the content. Encryption hides the content. Steganography hides the existence.
Gary uses a new temporary key for every recipe delivery. Even if someone steals Gary's gold key next year, they can't decrypt last year's deliveries — those used different keys that no longer exist. That's forward secrecy — ephemeral (temporary) keys per session. DHE or ECDHE provides forward secrecy.
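The "shout a number, do some maths" exchange from the Diffie-Hellman paragraph and the ephemeral keys from this one, as one added example (not the story's own code). It uses X25519, the elliptic-curve form of Diffie-Hellman behind ECDHE, from Go's standard library: each side makes a throwaway key pair per delivery, publishes only the public half, and derives the same session key privately. Hashing the shared secret with SHA-256 is a stand-in key derivation step chosen for this example; real protocols run a proper KDF such as HKDF over it with transcript context. The helper names (newEphemeral, sessionKey, runDelivery) are constructed.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// newEphemeral makes a throwaway X25519 key pair for exactly one delivery.
// The private half never leaves the process and is dropped afterwards,
// which is what gives forward secrecy: nothing kept long-term can unlock
// this session later.
func newEphemeral() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// sessionKey is the "do some maths" step: my private half combined with
// the other side's public half gives the same shared point on both ends.
// Hashing it into 32 bytes stands in for a KDF (assumption for the example).
func sessionKey(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) ([]byte, error) {
	shared, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// runDelivery performs one handshake. Each side shouts only its public key
// (the two .PublicKey() calls below); the returned keys are what each side
// works out privately and never sends.
func runDelivery() (garyKey, bloggerKey []byte, err error) {
	gary, err := newEphemeral()
	if err != nil {
		return nil, nil, err
	}
	blogger, err := newEphemeral()
	if err != nil {
		return nil, nil, err
	}
	garyKey, err = sessionKey(gary, blogger.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	bloggerKey, err = sessionKey(blogger, gary.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	return garyKey, bloggerKey, nil
}

func main() {
	for delivery := 1; delivery <= 2; delivery++ {
		g, b, err := runDelivery()
		if err != nil {
			fmt.Println("handshake failed:", err)
			return
		}
		fmt.Printf("delivery %d: gary=%s blogger=%s\n", delivery,
			hex.EncodeToString(g[:8]), hex.EncodeToString(b[:8]))
	}
}
```

Two deliveries print two matching pairs that differ from each other: both sides agree within a session, and no session key is reused. An eavesdropper sees only the public halves, and a private half stolen next year belongs to no past session, because those were generated and thrown away per delivery.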
TLS uses asymmetric for the handshake and symmetric for the data. One is for trust — the other is for speed. Gary never sends 10,000 recipes through the iron padlock. He just uses it to hand over the key to the titanium one. — Story 11 · Cryptography