Cryptography fundamentals encompass the core principles and protocols-including cryptographic hashing, public-key infrastructure (PKI), secure enclaves, and modern authentication standards like FIDO2/WebAuthn-that collectively provide the foundations for data integrity, confidentiality, authentication, and non-repudiation in digital systems.
This skill is highly valued because it directly mitigates critical business risks such as data breaches, fraud, and regulatory non-compliance by securing data at rest and in transit, and enabling strong, phishing-resistant user authentication. Its impact is a reduction in financial and reputational losses, the enabling of secure digital transactions, and meeting stringent compliance frameworks like GDPR, HIPAA, and PCI DSS.
1Careers
1Categories
8.9 Avg Demand
20%
Avg AI Risk
How to Learn Cryptography fundamentals (hashing, public-key infrastructure, secure enclaves, FIDO2/WebAuthn)
Focus first on mastering the theory and purpose of core primitives: understand how hash functions (SHA-256, SHA-3) provide integrity, the difference between symmetric and asymmetric encryption, and the core components of a Public Key Infrastructure (certificate authorities, certificates, key pairs). Use interactive platforms like CryptoHack or OverTheWire's Krypton wargame for hands-on learning.
Move from theory to implementation and threat analysis. Practice implementing PKI chains using OpenSSL, including generating self-signed certificates and creating a simple Certificate Authority. Analyze real-world case studies like certificate mis-issuance or Logjam/FREAK attacks. A common mistake is focusing only on cryptographic strength while neglecting key management lifecycle (generation, storage, rotation, destruction).
Master at the architect level by designing and auditing complex systems that integrate multiple cryptographic components. Focus on strategic alignment: selecting the right primitive (e.g., when to use a hardware security module (HSM) vs. a software key store vs. a cloud KMS), designing FIDO2 rollout strategies for enterprise-wide passwordless authentication, and conducting threat modeling for systems using secure enclaves (e.g., Intel SGX, ARM TrustZone) against sophisticated side-channel attacks. Mentor others by leading design reviews and contributing to security architecture standards.
Practice Projects
Beginner
Project
Build a Simple Certificate Authority (CA) and TLS Server
Scenario
You need to create a secure internal testing environment where a client and server can communicate over TLS, authenticated by your own CA, simulating an enterprise intranet service.
How to Execute
1. **Set Up the CA**: Use OpenSSL to generate a root CA private key and self-signed certificate. This certificate will be trusted by clients.,2. **Issue Server Certificate**: Generate a Certificate Signing Request (CSR) for a fictional server (e.g., 'app.internal.com'), then sign it with your CA's key to create the server certificate.,3. **Configure a Simple Server**: Use Python's `http.server` with SSL enabled (or Nginx) configured to use the server certificate and key.,4. **Client Verification**: Install your root CA certificate in the trust store of a client machine (or browser). Access the server URL and verify the TLS lock icon appears, confirming the chain of trust.
Intermediate
Project
Implement and Attack a FIDO2/WebAuthn Prototype
Scenario
You are tasked with evaluating the security and user experience of adding passwordless authentication to a sample web application, and you must understand its attack surface.
How to Execute
1. **Prototype Setup**: Use a library like `py_webauthn` (Python) or SimpleWebAuthn (Node.js) to integrate FIDO2 registration and authentication flows into a basic web app (e.g., Flask/Express). Use a simulator for the authenticator if you lack a physical key.,2. **Record Legitimate Flows**: Use browser developer tools (Network tab) to capture the raw `PublicKeyCredential` creation and assertion requests/responses during registration and login. Analyze the structures.,3. **Attempt Attacks**: Simulate common threats. Try to replay a captured authentication assertion. Modify the 'origin' field in a request to test origin binding. Understand why these fail (challenge-response, origin verification).,4. **Document and Harden**: Write a brief security analysis report highlighting how FIDO2 resists phishing (origin bound), credential stuffing (no shared secret), and replay attacks (challenge). Propose any additional server-side checks (e.g., token binding).
Advanced
Case Study/Exercise
Threat Modeling and Design Review for a Multi-Party Computation (MPC) Wallet System
Scenario
Your fintech company is designing a cryptocurrency custody solution using Multi-Party Computation to eliminate single points of failure for private key storage. As the lead security architect, you must assess the design's resilience against both external and insider threats, considering operational processes.
How to Execute
1. **Decompose the System**: Map the MPC protocol flows, identify all participating nodes (servers, HSMs, secure enclaves), and define trust boundaries. Use a framework like STRIDE or PASTA.,2. **Analyze Key Management Lifecycle**: Scrutinize the key generation ceremony (is it auditable?), the protocol for refreshing key shares (proactive security), and the disaster recovery process (how many parties need to collaborate?).,3. **Evaluate Secure Enclave Usage**: If enclaves (e.g., SGX) are used for share protection, assess the design against known side-channel attacks (Spectre, cache timing) and the plan for remote attestation and patching.,4. **Formulate Mitigations & Governance**: Propose specific controls (e.g., quorum rules for transaction signing, geographic separation of nodes, continuous anomaly monitoring). Define the operational security policy for personnel with access to MPC nodes.
OpenSSL is the essential CLI/library for PKI operations (key generation, certificate creation, TLS testing). The WebAuthn libraries are used to integrate passwordless auth into apps. Vault/KMS are production systems for secret and key lifecycle management. The enclave SDKs are required for developing applications that leverage hardware-based secure execution environments.
Standards & Protocols
X.509 Standard (RFC 5280)FIDO2/WebAuthn (W3C/FIDO Alliance)NIST Cryptographic Standards (e.g., FIPS 186-5, SP 800-57)IETF RFCs (e.g., 8446 for TLS 1.3)
These are the authoritative documents that define interoperability and security requirements. Mastery involves knowing which standard governs which protocol (e.g., FIDO2 for auth, X.509 for PKI) and being able to reference them during design, implementation, and compliance audits.
sslyze and testssl.sh are for rapidly scanning TLS server configurations for known vulnerabilities. Wireshark is used to capture and dissect cryptographic protocol traffic (e.g., TLS handshakes). Specialized tools like TLS Attacker are used for advanced protocol fuzzing and vulnerability research against custom or emerging standards.
Interview Questions
Answer Strategy
Structure the answer by first defining each term's goal (integrity vs. confidentiality), then providing a concrete architectural example. **Sample Answer**: 'Hashing is a one-way function to produce a fixed-size digest for data integrity; encryption is a two-way (reversible with a key) function for confidentiality. For hashing: storing user passwords as a salted SHA-256 hash in the database. For encryption: using TLS (which uses symmetric and asymmetric encryption) to protect data in transit between the client and server.'
Answer Strategy
This tests risk assessment and pragmatic modernization. **Sample Answer**: 'The primary risks are: 1) Key compromise if the server is breached, 2) Lack of non-repudiation, 3) No secure key rotation. A practical first migration step would be to implement a Public Key Infrastructure. We would generate an asymmetric key pair for the server, store the private key in a dedicated secrets manager (like Vault), and have the legacy clients encrypt data with the server's public key. This immediately reduces the attack surface and sets the foundation for future certificate-based authentication.'
Answer Strategy
This assesses organizational and strategic thinking. **Sample Answer**: 'Beyond the technical setup, key considerations include: 1) **User Enrollment Strategy**: How do we handle enrollment for remote employees? Do we ship keys and what's the backup plan for lost keys? 2) **Cost and Procurement**: Sourcing keys, managing inventory, and budgeting for replacements. 3) **Policy Update**: Rewriting acceptable use policies and training security staff to handle new support ticket types (e.g., key registration issues). 4) **Integration Scope**: Identifying legacy applications that cannot support FIDO2 and determining a fallback MFA method (like TOTP) for them during the transition period.'