Practice real cryptography concepts before moving to reading resources.
Cybersecurity Essentials
Track your progress through this week's content
Week Introduction
๐ก Mental Model
Cryptography is the mathematical foundation that makes trust
possible in adversarial networks. It enables confidentiality (secrets stay secret), integrity
(tampering is detected), and authentication (prove identity) even when communicating over
untrusted channels.
This week explores how cryptographic primitives (encryption, hashing, signatures) work, when
to use each, and why implementation details matter more than you'd think. You'll learn why
"just encrypt it" isn't enough โ key management, algorithm selection, and proper usage
determine whether crypto protects or creates false security.
Learning Outcomes (Week 10 Focus)
By the end of this week, you should be able to:
LO2 - Technical Foundations: Explain how symmetric vs asymmetric encryption
work and when to use each
Lesson 10.1 ยท What Is Cryptography? (Mathematical Foundation for Security)
Definition: Cryptography uses mathematical algorithms to transform data in ways
that
provide security properties (confidentiality, integrity, authentication) even when attackers can
observe, intercept, or manipulate communications.
Four core security properties enabled by cryptography:
Confidentiality: Only authorized parties can read data
Mechanism: Encryption (plaintext โ ciphertext)
Example: HTTPS encrypts web traffic so ISPs can't read passwords
Authentication: Parties can verify each other's identity
Mechanism: Digital signatures, certificates
Example: TLS certificates prove you're really talking to github.com, not an
attacker
Non-repudiation: Actions cannot be denied after the fact
Mechanism: Digital signatures (only private key holder could have signed)
Example: DocuSign โ signer can't later claim "I didn't sign that"
Why cryptography is essential in untrusted networks:
The internet is fundamentally insecure โ traffic passes through routers/ISPs you don't control,
attackers can intercept/modify packets. Cryptography enables secure communication despite
adversarial infrastructure.
Lesson 10.2 ยท Encryption: Symmetric vs Asymmetric
Core concept: Encryption transforms plaintext (readable) into ciphertext
(unreadable
without the key). The two major approaches differ in how keys are used and distributed.
Symmetric Encryption (Same key encrypts and decrypts):
How it works: Both sender and receiver share the same secret key
Analogy: Physical lock where both parties have identical keys
Strengths: Very fast (can encrypt gigabytes/second), simple concept
Weakness: Key distribution problem โ how do parties securely share the key
initially?
Use cases: Encrypting data at rest (disk encryption, database encryption), bulk
data transfer after key exchange
Example: Your laptop's disk encryption (FileVault, BitLocker) uses AES
How it works: Key pair โ public key (shareable) encrypts, private key (secret)
decrypts
Analogy: Mailbox with slot (anyone can drop letters) and key (only you can open)
Strengths: Solves key distribution โ publish public key, keep private key
secret
Weakness: 100-1000x slower than symmetric, limited message size
Use cases: Initial key exchange, digital signatures, encrypting small secrets
Example: HTTPS uses RSA/ECC to securely exchange AES keys at connection start
Hybrid approach (Best of both worlds):
Real systems combine symmetric and asymmetric:
Use asymmetric (RSA/ECC) to securely exchange a symmetric key (AES)
Why not just use asymmetric for everything? Too slow for large data. Encrypting a
1GB file
with RSA would take hours; with AES takes milliseconds.
Lesson 10.3 ยท Hashing and Integrity (One-Way Functions)
Definition: A cryptographic hash function transforms arbitrary-length input into
fixed-length output (digest/hash). Hash functions are one-way โ easy to compute, impossible to
reverse.
Three critical properties of cryptographic hashes:
1. Deterministic: Same input always produces same hash
Why it matters: Enables verification โ recompute hash, compare with original
Example: SHA-256("hello") = 2cf24dba... (always the same)
2. One-way (Preimage resistance): Cannot reverse hash to recover original input
Why it matters: Safe to store hashes of secrets (passwords) โ even if database
leaks, can't recover passwords
Example: Password databases store hash(password), not plaintext password
3. Collision-resistant: Computationally infeasible to find two different inputs
with same hash
Why it matters: Ensures integrity โ attacker can't substitute malicious file with
same hash
Example: Download verification โ if file hash doesn't match published hash, file
was tampered with
Common hash algorithms:
MD5: โ Broken (collisions found), do not use for security
SHA-256/SHA-512: โ Strong, widely used (part of SHA-2 family)
SHA-3: โ Modern alternative to SHA-2, different design
BLAKE2/BLAKE3: โ Fast, secure, growing adoption
Practical use cases for hashing:
File integrity verification: Download software โ compute SHA-256 hash โ compare with published hash
If hashes match, file wasn't corrupted or tampered with
Password storage: Store hash(password + salt), not plaintext password
Login: hash(entered password + salt), compare with stored hash
Note: Use password hashing algorithms (bcrypt, Argon2), not raw SHA-256 (too fast,
vulnerable to brute force)
Digital signatures: Sign hash of document (not entire document) โ faster, fixed size
Blockchain/Git commits: Each block/commit identified by hash of its contents โ tampering changes hash
Lesson 10.4 ยท Key Management: The Hardest Part of Cryptography
Core reality: "Cryptography is easy to get wrong, and when you get it wrong, you
get it very wrong."
Most cryptographic failures aren't algorithm breaks โ they're key management failures.
Key lifecycle management (cradle to grave):
1. Generation: Keys must be truly random (cryptographically secure random
number generator)
Failure example: Debian OpenSSL bug (2008) โ weak RNG made keys predictable,
millions of certificates compromised
2. Storage: Keys must be protected at rest
Bad: Hardcoded in source code, stored in plaintext config files
Better: Environment variables, encrypted configuration
Best: Hardware Security Modules (HSMs), cloud key management services (AWS KMS,
Azure Key Vault)
3. Distribution: Keys must be shared securely (if shared at all)
Symmetric problem: How do parties securely exchange keys initially? (Use asymmetric
crypto)
Asymmetric solution: Public keys can be distributed openly (verified via
certificates)
4. Rotation: Keys should be changed periodically
Why: Limits damage if key is compromised (old data stays encrypted with old key)
Practice: Rotate every 90 days (compliance requirement), more frequently for
high-risk keys
5. Destruction: Keys must be securely deleted when no longer needed
Why: Old keys on backup tapes become future attack vector
Practice: Cryptographic shredding (overwrite with random data), hardware
destruction for HSMs
Common key management failures (real-world disasters):
Hardcoded keys in source code: Uber breach (2016) โ AWS keys hardcoded in GitHub repo, 57M records stolen
Keys stored unencrypted: Target breach (2013) โ Network credentials stored in plaintext, led to 40M credit card theft
Weak key generation: PlayStation Network (2011) โ Weak random number generation in ECDSA signatures, private keys
recovered
No key rotation: Same encryption key used for years, single compromise exposes all historical data
Best practices for key management:
Never hardcode keys (use environment variables, secrets managers)
Use HSMs or cloud KMS for production systems
Implement principle of least privilege (separate keys for different purposes)
Persistence means "staying after reboot." You don't need to learn how to build malware โ
you need to understand what defenders look for: unexpected startup entries, scheduled tasks, new
services, unusual child processes.
Scope boundary: This platform teaches defensive understanding. We focus on
recognizing persistence concepts and hardening choices โ
not step-by-step offensive instructions.
Lab 10 ยท Cryptographic Controls Design
Time estimate: 40-50 minutes
Objective: Design cryptographic controls for a system that handles sensitive data.
You will select appropriate cryptographic primitives (encryption, hashing, signatures), justify
algorithm choices, and address the key management lifecycle.
Task Overview
Choose one scenario:
Messaging app: End-to-end encrypted chat, media sharing
Practice real cryptography concepts before moving to reading resources.
๐ฎ TryHackMe: Cryptography 101
What you'll do: Learn core crypto concepts like symmetric/asymmetric encryption, hashing, and key usage.
Why it matters: Crypto mistakes are catastrophic. This lab builds intuition for correct usage.
Time estimate: 1.5-2 hours
What you'll do: Solve classic cryptography challenges involving substitution ciphers, frequency analysis, and encoding.
Why it matters: Krypton builds intuition for why modern crypto uses strong algorithms and correct key management.
Time estimate: 2-3 hours
What you'll do: Solve beginner crypto challenges involving hashing, basic ciphers, and key concepts.
Why it matters: Reinforces the difference between encoding, hashing, and encryption.
Time estimate: 1-2 hours
๐ก Lab Tip: Always ask which security property you need first (confidentiality, integrity, authentication). Crypto choice follows that.
Resources (Free + Authoritative)
Work through these in order. Focus on understanding when to use each cryptographic
primitive.
๐ฅ Computerphile - Public Key Cryptography Explained (Video)
What to watch: Visual explanation of RSA and asymmetric encryption.
Why it matters: Best intuitive explanation of how public/private key pairs
work.
Time estimate: 12 minutes
What to watch: How cryptographic hashes work and why they're one-way.
Why it matters: Understand the difference between encryption (reversible)
and hashing (one-way).
Time estimate: 10 minutes
What to read: Browse FIPS 140-2 (cryptographic module standards) and
recommended algorithms.
Why it matters: Government/industry standards for approved cryptographic
algorithms.
Time estimate: 20 minutes
๐ Cryptographic Best Practices Cheat Sheet (OWASP)
What to read: Algorithm selection, key management, common implementation
mistakes.
Why it matters: Practical guide to avoiding cryptographic pitfalls in real
applications.
Time estimate: 25 minutes
Tip: Completion and XP persist via localStorage. If progress doesn't update immediately, refresh
once.
Weekly Reflection Prompt
Aligned to LO2 (Technical Foundations) and LO6 (Software Security)
Write 200-300 words answering this prompt:
Explain how cryptography enables security in untrusted networks. Use your Lab 10 cryptographic
design as an example.
In your answer, include:
The difference between symmetric and asymmetric encryption, and when to use each
How hashing provides integrity (detecting tampering) even though it's one-way
Why key management is often the weakest link in cryptographic systems
One real-world cryptographic failure (weak algorithms, hardcoded keys, poor implementation)
How you addressed confidentiality, integrity, and authentication in your lab design
What good looks like: You demonstrate understanding that cryptography is a tool,
not a silver bullet. You explain when to use encryption (confidentiality), hashing (integrity),
and signatures (authentication). You acknowledge that implementation matters โ strong algorithms
with weak key management fail. You connect cryptographic primitives to real-world use cases
(HTTPS, password storage, digital signatures).