Asymmetric Encryption — RSA-OAEP (Public/Private Keys)
1) Keys
no keys
Public key (shareable) encrypts; Private key (secret) decrypts.
Public Key (PEM)
—
Private Key (PEM)
—
2) Encrypt → Decrypt
Plaintext
Ciphertext (Base64)
—
Decrypted Output
—
Terms (encryption)
- Asymmetric: two keys — a public key (shareable) and a private key (secret). Data encrypted with one can only be decrypted with the other.
- RSA-OAEP: RSA with OAEP padding for semantic security; no IV required.
- PEM: a text wrapper for binary key formats.
Digital Signatures — RSA-PSS (Private Sign · Public Verify)
1) Signing Keys
no signing keys
Private key creates signatures; Public key verifies them.
Signing Public Key (PEM)
—
Signing Private Key (PEM)
—
2) Sign → Verify
Message to Sign
Signature (Base64)
—
Verification Result
—
Terms (signing)
- Digital Signature: a cryptographic stamp proving who signed and that the message wasn’t altered.
- RSA-PSS: a modern, randomized padding scheme for RSA signatures (uses salt); verify fails if the message or signature changes.
- Salt Length: extra randomness per signature; we use 32 bytes here.
Symmetric Encryption — AES-GCM (One Shared Key)
1) Key
no key
Key (JWK)
—
2) Encrypt → Decrypt
Plaintext
IV (nonce, Base64)
—
Ciphertext (Base64)
—
Decrypted Output
—
Terms (symmetric)
- Symmetric: the same secret key is used to encrypt and decrypt.
- AES-GCM: provides confidentiality + integrity (auth tag). Uses a random IV per message. Tampering makes verify fail.
- JWK: JSON Web Key — a JSON representation of a key.
What this demonstrates
- RSA-OAEP for confidentiality: encrypt with public key, decrypt with private key.
- RSA-PSS for authenticity/integrity: sign with private key, verify with public key.
- AES-GCM for fast shared-key crypto with built-in integrity (auth tag).