Cryptography & Authentication

Master cryptographic fundamentals, TLS/SSL, PKI, OAuth2, and multi-factor authentication for secure digital communications and identity management.

TLS/SSL
PKI
OAuth2
MFA

Cryptographic Fundamentals

Understanding the building blocks of modern cryptography and security.

Symmetric Encryption

Uses the same key for encryption and decryption. Fast and efficient for bulk data encryption.

Common Algorithms:

  • • AES (Advanced Encryption Standard) - 128, 192, 256-bit keys
  • • ChaCha20 - Stream cipher, good for mobile devices
  • • 3DES (Triple DES) - Legacy, being phased out
  • • Blowfish - Legacy, replaced by AES
Key Management Challenge:

How to securely share the secret key between parties?

Asymmetric Encryption

Uses public/private key pairs. Public key encrypts, private key decrypts. Solves key distribution problem.

Common Algorithms:

  • • RSA - Based on factoring large numbers
  • • ECC (Elliptic Curve Cryptography) - More efficient than RSA
  • • DSA (Digital Signature Algorithm)
  • • Ed25519 - Modern, efficient curve
Use Cases:

Key exchange, digital signatures, certificate-based authentication

Hash Functions

One-way functions that convert data into fixed-size hash values. Used for integrity verification.

Properties:

  • • Deterministic - Same input always produces same output
  • • Collision resistant - Hard to find two inputs with same hash
  • • Preimage resistant - Hard to find input from hash
  • • Avalanche effect - Small input change = big output change
Common Algorithms:

SHA-256, SHA-3, BLAKE2, Argon2 (for passwords)

Digital Signatures

Provide authenticity, integrity, and non-repudiation for digital messages and documents.

How They Work:

  • • Hash the message to create digest
  • • Encrypt digest with private key
  • • Verify with public key and original message
  • • Ensures message hasn't been tampered with
Applications:

Code signing, email security (S/MIME), document authentication

TLS/SSL Protocol Deep Dive

Understanding the Transport Layer Security protocol that secures web communications.

TLS Handshake Process

The process by which client and server establish a secure connection.

1. Client Hello

Client sends supported TLS versions, cipher suites, and random number

2. Server Hello

Server responds with chosen TLS version, cipher suite, and certificate

3. Key Exchange

Client generates pre-master secret and encrypts with server's public key

4. Session Keys

Both parties derive session keys from pre-master secret

5. Secure Communication

All subsequent communication is encrypted with session keys

TLS Security Features

Key security mechanisms that make TLS secure for web communications.

Certificate Validation:

  • • Verify certificate chain of trust
  • • Check certificate expiration dates
  • • Validate certificate revocation (CRL/OCSP)
  • • Verify hostname matches certificate

Perfect Forward Secrecy:

  • • Session keys are ephemeral
  • • Compromised long-term keys don't affect past sessions
  • • Uses Diffie-Hellman key exchange
  • • Protects against future key compromise

Cipher Suite Selection:

  • • Prefer strong algorithms (AES-256, ChaCha20)
  • • Avoid weak ciphers (RC4, DES, 3DES)
  • • Use authenticated encryption (AEAD)
  • • Implement cipher suite prioritization

Public Key Infrastructure (PKI)

Understanding the framework for managing digital certificates and public key encryption.

Certificate Authority (CA)

Responsibilities:

  • • Issue digital certificates
  • • Verify certificate requests
  • • Maintain certificate revocation lists
  • • Provide certificate status checking
  • • Establish trust hierarchy

Digital Certificates

Certificate Components:

  • • Public key of the subject
  • • Subject identity information
  • • Issuer (CA) information
  • • Validity period
  • • Digital signature of the CA
  • • Key usage extensions

Certificate Revocation

Revocation Methods:

  • • Certificate Revocation Lists (CRL)
  • • Online Certificate Status Protocol (OCSP)
  • • OCSP Stapling
  • • Short-lived certificates
  • • Certificate Transparency logs

OAuth 2.0 & OpenID Connect

Modern authorization and authentication protocols for web and mobile applications.

OAuth 2.0 Flows

Different authorization flows for various application types and security requirements.

Authorization Code Flow

Most secure flow for web applications with backend servers

Implicit Flow

Legacy flow for single-page applications (deprecated)

Client Credentials Flow

For server-to-server communication

PKCE Flow

Authorization code flow with additional security for mobile apps

Security Best Practices

Essential security measures when implementing OAuth 2.0 and OpenID Connect.

Token Security:

  • • Use short-lived access tokens
  • • Implement secure token storage
  • • Validate token signatures
  • • Use refresh tokens for long-term access

State Parameter:

  • • Always use state parameter to prevent CSRF
  • • Generate cryptographically secure random state
  • • Validate state parameter on callback
  • • Store state securely during authorization

Redirect URIs:

  • • Whitelist exact redirect URIs
  • • Use HTTPS for all redirects
  • • Avoid wildcard redirects
  • • Validate redirect URI on authorization

Multi-Factor Authentication (MFA)

Implementing multiple layers of authentication for enhanced security.

Something You Know

Examples:

  • • Passwords and PINs
  • • Security questions
  • • Passphrases
  • • Knowledge-based authentication

Most common but also most vulnerable to attacks

Something You Have

Examples:

  • • Hardware tokens (YubiKey)
  • • Smart cards
  • • Mobile phones (SMS/App)
  • • USB security keys
  • • TOTP authenticator apps

Provides strong security when properly implemented

Something You Are

Examples:

  • • Fingerprint scanning
  • • Facial recognition
  • • Voice recognition
  • • Iris scanning
  • • Behavioral biometrics

Most convenient but can have false positives/negatives