Module 0: Cryptography Fundamentals - DataCenter Hardware Security

🎯 Learning Objectives

🔑

Symmetric & Asymmetric Cryptography

Understand the fundamental difference between symmetric (AES) and asymmetric (RSA/ECC) encryption, and when to use each in hardware security contexts.

✍️

Digital Signatures & PKI

Learn how digital signatures provide authentication and non-repudiation, and how Public Key Infrastructure secures hardware device identity.

🛡️

Hardware Root of Trust

Explore how cryptographic keys are securely generated, stored, and used in hardware security modules (HSMs) and Trusted Platform Modules (TPMs).

🔐 Core Cryptographic Concepts

1. Symmetric Cryptography (AES)

Same key encrypts and decrypts data - fast but requires secure key distribution

📄

Plaintext

"Sensitive server data"

+

🔑

Secret Key

256-bit AES key

→

🔒

Ciphertext

7f4a2b8c9d1e...

Hardware Security Use Cases:

Storage Encryption: NVMe SSD self-encrypting drives
Memory Encryption: AMD SEV, Intel TME
Network Encryption: High-speed datacenter links
Backup Encryption: Encrypted data at rest

2. Asymmetric Cryptography (RSA/ECC)

Public-private key pairs enable secure communication without sharing secrets

🏢

Server A

Has Public Key B
Sends encrypted message

🔒→

🖥️

Server B

Uses Private Key B
Decrypts message

🔓 Public Key

Shared openly
Used for encryption
Verifies signatures
Can't decrypt data

🔐 Private Key

Kept secret
Used for decryption
Creates signatures
Proves identity

3. Digital Signatures & Authentication

Prove authenticity and integrity of firmware, software, and device communications

1. Hash Document

📄 → 🏷️

SHA-256 creates unique fingerprint

2. Sign Hash

🏷️ + 🔐 → ✍️

Private key encrypts the hash

3. Verify Signature

✍️ + 🔓 → ✅

Public key verifies authenticity

Hardware Security Applications:

🔧 Firmware Signing

UEFI firmware updates are digitally signed by the manufacturer. The motherboard verifies the signature before installing updates, preventing malicious firmware installation.

🏢 Device Attestation

TPM chips create signed attestation reports proving the integrity of boot measurements and system configuration to remote verifiers.

📦 Secure Boot

Each component in the boot chain verifies the signature of the next component, creating a chain of trust from hardware root to operating system.

4. Hash Functions & Integrity

Create unique fingerprints for data integrity verification and secure storage

Enter text to hash:

SHA-256

Click "Generate Hashes" to see result

SHA-512

Click "Generate Hashes" to see result

Key Properties:

Deterministic: Same input always produces same hash
Fixed Length: Any input size produces fixed-length output
Avalanche Effect: Small input change drastically changes output
One-Way: Cannot reverse hash to get original input
Collision Resistant: Extremely difficult to find two inputs with same hash

5. Hardware Security Modules (HSMs)

Secure hardware devices that generate, store, and manage cryptographic keys

🔧 Hardware Layer

Tamper-resistant hardware, secure key storage, true random number generation

⚙️ Firmware Layer

Cryptographic operations, key lifecycle management, access controls

🔌 API Layer

PKCS#11, CryptoAPI, application interfaces for key usage

HSM vs Software Crypto:

Security

Hardware tamper protection

Software vulnerabilities

Performance

Dedicated crypto processors

CPU resource sharing

Key Storage

Hardware-protected storage

File system storage

Compliance

FIPS 140-2 Level 3/4

Limited certification

🧪 Interactive Cryptography Lab

Hands-on experimentation with cryptographic concepts

🔐 Encryption Playground

Experiment with different encryption algorithms and see real-time results

🏷️ Hash Generator

Generate and compare hash values with different algorithms

✍️ Digital Signature Tool

Create and verify digital signatures step-by-step

🏷️ Hash Function Generator

Enter text to hash:

SHA-256:

Type above and click "Generate Hashes"

SHA-512: