🔐 Simple is Sometimes Best
Basic AES Encryption
In 15 minutes: Start with just a password
Prerequisite: None
🎯 When Simple Beats Complex
Sometimes, the simplest solution is the best solution.
Complex (5+ layers):
- Encryption speed: 2+ seconds (slow!)
- Complexity: Hard to implement
- Overhead: 100+ bytes per message
- Debugging: Which layer failed?
Simple (1 layer):
- Encryption speed: 50ms (fast!)
- Complexity: Easy to implement
- Overhead: 28 bytes per message
- Debug: If it fails, it's either: AES works or it doesn't!
🎮 Basic AES Encryption Example
Let's start with just the AES layer to protect a file.
Step 1: Set Up
import { CascadingCipherManager, AESCipherLayer } from "cryptography/CascadingCipher";
// Create manager
const manager = new CascadingCipherManager();
// Add just ONE layer (AES)
manager.addLayer(new AESCipherLayer());
Step 2: Prepare Your Keys
const password = "my-secret-password";
const keys = {
"AES-GCM-256": {
password: password
}
};
Step 3: Encrypt
// Your message
const message = "This is my secret note";
// Convert to bytes
const plaintext = new TextEncoder().encode(message);
// Encrypt
const encrypted = await manager.encrypt(plaintext, keys);
console.log("Encrypted:", encrypted.finalCiphertext);
// Output: Uint8Array of scrambled data
Step 4: Decrypt
// Decrypt
const decrypted = await manager.decrypt(encrypted, keys);
// Convert back to text
const message = new TextDecoder().decode(decrypted);
console.log("Decrypted:", encrypted); // "This is my secret note"
console.log("Decrypted:", message); // "This is my secret note"
🧠 Mental Model
Think of it like a password-protected locker:
Plain Old Locker (Just Password):
┌─────────────────────┐
│ Simple lock code: "1234" │
│ │
│ Anyone with password → Open! │
│ │
│ ❌ Problem: │
│ - Eve tries "1234"... │
│ - "1234" is common! │
│ - Easy to guess! │
└─────────────────────┘
AES Cipher Layer Scrypt Locker:
┌─────────────────────┐
│ Lock combination: 32769 iterations │
│ of your password "secret" │
│ │
│ Eve tries: │
- Password: "secret" → Scrypt tries │
- Scrypt takes: 5-10 seconds per try! │
- 1000 passwords needed = 5000-10000 seconds! │
- Eve: "This is too slow!" │
│ - Gives up! │
│ ✓ Alice's password is safe! │
└─────────────────────┘
📊 AES-GCM Authentication
Why Not Just Encryption?
Without Authentication:
Alice encrypts: "I have $1000" with "password123"
→ Encrypted: "x7k!m#4L$d"
Eve tampers: Change "x7k!m#4L$d" → "x7k!m#4L" (deletes)
Bob decrypts with "password123":
→ "I have $10" instead of "I have $1000"!
Bob: "Phew, I only lost $990 instead of $1000!"
With AES-GCM (Authentication):
Alice encrypts: "I have $1000" with "password123"
→ Encrypted: "x7!m#4L$d"
→ Auth Tag: "7x!mL#4$dK9"
Eve tampers: Change "x7!m!#4L$d" → "x7!m#4L"
→ Auth Tag changes to: "7x!mL#4$dK8" (different!)
Bob decrypts with "password123":
→ "Tam!" (auth tag doesn't match!)
→ "Someone changed the data!"
Bob: "I'll reject the message entirely!"
🔐 Password Strength Matters
Weak vs. Strong Passwords
Weak (easy to guess):
- "password123" - Cracked in seconds
- "12345678" - Cracked in minutes
- "qwerty" - Common password db!
Strong (harder to guess):
- "C0rr3ct h0rs3 batt3ry!" = Cracked in years
- "Tr@in!ng c@nnect!" = Very hard
- "Th1s is my s3cr3t!" = Strong but predictable!
Best: Use password manager to generate random 20+ character passwords!
🎮 Try It Yourself
Question 1: Alice encrypts "hello" with password "123456". Eve gets the encrypted data. What must Eve also need to decrypt it?
Answer: Eve needs:
- The encrypted data (has it)
- Alice's password "123456" (she can guess!)
- The salt and IV (but these are embedded in the encrypted data)
If Eve guesses the password (which she might!), she also needs the salt and IV (which are tricky because they're inside the cipher data). But password is the main weakness - if it's weak, she can decrypt everything!
Question 2: What's the difference between encryption that's authenticated (AES-GCM) and encryption that's not (just AES)?
Answer: AES-GCM not only encrypts your message, it also signs it with an authentication tag. Without this, someone could tamper with the encrypted file and you might not know! AES-GCM detects tampering by checking the auth tag first, rejecting if it doesn't match.
Question 3: How does AES-GCM ensure you know if someone tampered with the ciphertext?
Answer: AES-GCM produces an "authentication tag" after encrypting. This tag is like a signature on your encrypted data. When Bob tries to decrypt, he checks if the tag matches what it should be. If someone tampered with even ONE byte of the ciphertext, the tag won't match and Bob rejects the message as tampered with!
💡 Real-World Use Cases
Scenario 1: Password Manager
1Password, LastPass, Bitwarden:
- Use AES to encrypt your vault
- Your "master password" → Scrypt → Key → Unlock vault
Even if attacker steals encrypted vault:
- Without YOUR password → Impossible to decrypt
- Scrypt is TOO SLOW to brute force!
- Your vault stays safe!
Scenario 2: Cloud Storage
Google Drive, Dropbox, iCloud:
- Files uploaded → AES encrypted
- Your account password + OAuth = Key
- Without your credentials → Files stay encrypted!
Even company breach:
- Encrypted files stolen
- Without keys → Files look like gibberish
- Your secrets stay safe!
Scenario 3: Temporary Files
Browser extensions, apps, backups:
- Save temporary encrypted data
- Use your password → AES encrypted
- Delete original plaintext
- Later: Decrypt with password when needed
Result: Files look like gibberish to anyone who steals them!
✅ Quick Check
**Can you explain AES-GCM encryption to a 5-year-old?
Try saying this out loud:
"AES-GCM is like writing a secret letter and putting it in a magic box. The box has a lock that only opens with your special password. You give the box to Bob but keep your password secret. Even if someone steals the box, they can't open it without your password. And if they try to change what's inside, the box detects it and shows: 'Someone tampered with this!'"
🎓 Key Takeaways
✅ AES Cipher Layer = Password-protected safe deposit box
✅ Scrypt = Makes password brute force impractically slow
✅ AES-GCM = Encryption + authentication
✅ Salt + IV = Make each encryption unique
✅ Strong password = Critical for security
✅ Fast = Simple encryption (50ms vs 2+ seconds for multiple layers)
Now you know basic AES encryption. Next: Building secure group chat with multiple layers!