Cryptographic Primitives#
Reference of cryptographic algorithms by category, with the operator-relevant notes on safe defaults, deprecated variants, and the post-quantum migration timeline.
For PKI / TLS detail, see Network Protocols. For sanctions / export-control around crypto, see Sanctions Lists and Standards & Regulations (CNSA 2.0).
Symmetric block ciphers#
Algorithm |
Notes |
|---|---|
AES-128 / 192 / |
FIPS 197; the universal default. Modes: GCM (AEAD), |
256 |
CTR, CBC, ECB (never), CFB, OFB. AES-256 mandatory in CNSA 2.0 + most TLS profiles. |
ChaCha20 |
RFC 7539 / 8439; ARX cipher; faster than AES on no-AESNI hardware; Google preference. |
Camellia |
ISO/IEC 18033; comparable to AES; rare outside JP / KR. |
Serpent |
AES finalist; conservative. |
Twofish |
AES finalist; widely embedded. |
3DES |
deprecated 2023 (NIST SP 800-67 Rev2 retirement). |
DES |
long-broken; never use. |
Blowfish |
avoid for new work; small block. |
RC4 |
broken; deprecated 2015. |
AEAD modes#
Mode |
Notes |
|---|---|
AES-GCM |
the default for TLS 1.2+; nonce-misuse-vulnerable. |
AES-GCM-SIV |
RFC 8452; nonce-misuse-resistant. |
ChaCha20-Poly1305 |
RFC 8439; default in TLS 1.3 + Wire / Signal etc. |
XChaCha20-Poly1305 |
larger nonce; libsodium variant. |
AES-CCM |
constrained-device variant. |
AES-OCB |
RFC 7253; patent-cleared since 2021; very efficient. |
AEGIS-128 / 256 |
Standardized RFC 9380; AES-NI-friendly. |
Hash functions#
Algorithm |
Notes |
|---|---|
SHA-256 / 384 / |
FIPS 180-4; the universal default; Merkle-Damgård |
512 |
construction. |
SHA-3 (Keccak) |
FIPS 202; sponge construction; SHA3-224 / 256 / 384 / 512. |
SHAKE-128 / 256 |
extendable-output (XOF); SHA-3 family. |
BLAKE2b / 2s |
RFC 7693; faster than SHA-256. |
BLAKE3 |
modern; tree mode + parallelism + XOF. |
SHA-1 |
deprecated 2017; collisions found (SHAttered, Shambles); never use for security. |
MD5 |
broken; only checksums for non-security use. |
RIPEMD-160 |
legacy; used in Bitcoin addresses. |
MAC / KDF#
Algorithm |
Notes |
|---|---|
HMAC-SHA256 |
RFC 2104 + 4231; the universal MAC. |
HMAC-SHA1 |
still secure as MAC despite SHA-1 collision attacks. |
KMAC |
Keccak-MAC; based on SHA-3. |
Poly1305 |
one-time MAC; pair with ChaCha20 / AES. |
HKDF |
RFC 5869; the universal KDF (extract + expand). |
PBKDF2 |
RFC 8018; password hashing; minimum 100k iterations (SHA-256) per OWASP 2024. |
Argon2id |
RFC 9106; modern password hashing winner. |
scrypt |
RFC 7914; memory-hard. |
bcrypt |
older but accepted password hash; cost factor 10+. |
Public-key (asymmetric)#
Algorithm |
Notes |
|---|---|
RSA-2048 / 3072 / |
legacy default; key sizes 2048 minimum, 3072 (SP 800-131A |
4096 |
Rev2), 4096 in regulated estates. |
ECDSA P-256 |
NIST curve; broadly compatible. |
ECDSA P-384 |
CNSA 2.0 transitional. |
ECDSA P-521 |
less common. |
EdDSA Ed25519 |
RFC 8032; faster + safer than ECDSA in many ways; modern default for SSH / Tor / Signal / Nostr. |
EdDSA Ed448 |
longer-key variant. |
ECDH |
key agreement; X25519 (Curve25519) and X448 are modern defaults. |
DSA |
deprecated. |
DH (FFDH) |
classic discrete-log; replaced by ECDH except for compliance reasons. |
Post-quantum cryptography#
NIST PQC selections (FIPS 203 / 204 / 205 finalised 2024):
Algorithm |
Notes |
|---|---|
ML-KEM (Kyber) |
FIPS 203; key encapsulation; the new TLS / hybrid KEM. ML-KEM-512 / 768 / 1024. |
ML-DSA (Dilithium) |
FIPS 204; signature; the new general-purpose PQ signature. ML-DSA-44 / 65 / 87. |
SLH-DSA (SPHINCS+) |
FIPS 205; stateless hash-based signature; conservative backup. |
HQC |
FIPS-pending; alt KEM. |
Falcon |
alt signature; pending standard. |
NTRU / NTRUEncrypt |
submitted but not selected. |
McEliece |
code-based; key sizes huge but conservative. |
CNSA 2.0 (US national security):
Use |
Algorithm + parameters |
|---|---|
Symmetric |
AES-256. |
Hash |
SHA-384 / SHA-512. |
Sig (until 2030) |
ECDSA P-384 + RSA 3072. |
Sig (PQ) |
ML-DSA-87 (= Dilithium-5). |
KEM (PQ) |
ML-KEM-1024. |
TLS cipher suites (modern)#
Suite (TLS 1.3) |
Notes |
|---|---|
TLS_AES_256_GCM_SHA |
384 standard. |
TLS_CHACHA20_POLY13 |
05_SHA256 standard. |
TLS_AES_128_GCM_SHA |
256 standard; for older HW + low-power. |
TLS_AES_128_CCM_SHA |
256 constrained. |
TLS_AEGIS_256_SHA38 |
4 / 128_SHA256 RFC 9380; nascent. |
TLS 1.3 always uses ECDHE + (optional) PSK; no static RSA; no CBC; no compression; no renegotiation.
Curves#
Curve |
Notes |
|---|---|
P-256 (secp256r1) |
NIST; broadly supported. |
P-384 (secp384r1) |
NIST; CNSA. |
P-521 (secp521r1) |
NIST; rare. |
secp256k1 |
Bitcoin / Ethereum curve. |
Curve25519 (X25519) |
Bernstein; SSH / Tor / Signal default. |
Curve448 (X448) |
longer-key variant. |
brainpool |
European-flavoured curves; rare. |
Encoding / framing#
Format |
Notes |
|---|---|
PEM |
|
DER |
binary ASN.1. |
PKCS#1 |
RSA private key DER. |
PKCS#7 / CMS |
signed / encrypted message format (.p7b / .p7c). |
PKCS#8 |
private key DER (any algorithm). |
PKCS#10 |
CSR (certificate signing request). |
PKCS#12 |
.p12 / .pfx; cert + key + chain bundle (password- protected). |
X.509 |
certificate format (RFCs 5280 + family). |
JOSE |
JWS / JWE / JWK / JWT (RFCs 7515-7519). |
COSE |
CBOR Object Signing and Encryption. |
OpenSSH key |
base64-wrapped variant. |
GPG / OpenPGP |
RFC 4880 + 9580; ASCII-armored + binary. |
Hashes for non-security use#
Algorithm |
Notes |
|---|---|
xxHash (XXH64 / 3) |
fast non-crypto checksum. |
MurmurHash3 |
hash-table workhorse. |
CityHash / FarmHash |
Google. |
SipHash |
keyed; hash-flooding resistance. |
MD5 |
legacy checksum only. |
CRC32 / CRC32C |
integrity for Ethernet / disk. |
RNG / entropy#
Concept |
Notes |
|---|---|
|
Linux; the right answer for nearly every userland use. |
|
Linux; blocking on early-boot entropy; use only in boot scripts on old kernels. |
|
Linux syscall; modern API. |
|
BSD / macOS; userland CSPRNG. |
|
Windows. |
DRBG |
NIST deterministic RNG (HMAC-DRBG, CTR-DRBG, Hash-DRBG). |
ChaCha20-RNG |
Linux RNG since 5.18. |
seedfs / seedrng |
early-boot entropy seeding. |
TRNG |
hardware RNG (CPU RDSEED, TPM, hardware token). |
Common library choices#
Library |
Notes |
|---|---|
OpenSSL 3.x |
the dominant TLS + crypto library; multiple providers. |
LibreSSL |
OpenBSD fork. |
BoringSSL |
Google fork; used in Chrome + many proxies. |
WolfSSL |
embedded-friendly. |
mbedTLS |
ARM-sponsored; embedded. |
NSS |
Mozilla; Firefox + Thunderbird + Linux distros. |
GnuTLS |
GPL; some EU gov / Telegram clients. |
libsodium |
opinionated NaCl-based; safer-by-default. |
Tink (Google) |
opinionated multi-language; deprecated 2024 (replaced by per-language libs). |
Bouncy Castle |
Java + .NET. |
PyCryptodome / cryp |
tography (Python). |
Web Crypto API |
browser standard. |
WebAuthn |
passwordless / FIDO2 web standard. |
Operator notes#
Default to AEAD, AES-GCM, ChaCha20-Poly1305. Never invent your own composition.
Constant-time, key compare, MAC compare, PIN compare must use
hmac.compare_digest/crypto_subtle/CRYPTO_memcmp, not==.Nonce / IV reuse with the same key under GCM is catastrophic; use random or counter; use SIV variants if in doubt.
Key wrap uses the AES-KW algorithm (RFC 3394) rather than encrypting keys directly.
PQ migration, TLS hybrid (X25519 + ML-KEM) ramping in 2024-2026; signing slower because cert chains need both roots and intermediates updated.
HSM / KMS, AWS KMS, GCP Cloud KMS, Azure Key Vault, HashiCorp Vault for production key management; YubiHSM / CloudHSM for hardware-rooted.
GPG defaults, avoid; use
age(modern asymmetric file encryption) or libsodium-based tools; if you must use GPG use Ed25519 + cv25519.
References#
Real-World Cryptography (Wong, 2021)
Cryptographic Engineering (Ferguson / Schneier / Kohno, 2010)
Network Protocols, TLS context.
Standards & Regulations, CNSA 2.0 + FIPS 140-3.
Notable CVEs, crypto-bug catalog.