Cryptography Index

Purpose

This index is the root entry point for the cryptography branch of the cybersecurity atlas.

Use it to: - navigate the cryptography notes - understand the order of study - connect symbolic primitives (hash, MAC, signature, KDF, AEAD) to applied use cases (TLS, JWT, password storage, secrets, MFA) - support web-security, api-security, networking, devsecops, and identity-security depth work that depends on crypto correctness

Use Reference Registry — Cryptography as the source of truth for references in this branch. Return to Cybersecurity Index for root navigation across branches.

Before this branch: - Foundations (Phase 0). - TLS/HTTPS and HTTP overview — crypto is most meaningful once TLS, sessions, and JWTs are concrete.

Why this branch exists

Most security failures that look like "TLS misconfiguration", "broken JWT", "weak password storage", or "secret leak" are really cryptographic-correctness failures. The atlas was missing a canonical place to reason about:

• which primitive to use for which problem
• which parameters and modes are still acceptable
• where nonce reuse, IV reuse, MAC stripping, signature confusion, and key confusion break otherwise-correct designs
• why "rolling your own" usually fails even when the math looks right

This branch teaches the primitives and the common applied failures, then links downstream to the branches that put them under load (web auth, API auth, TLS, password storage, secrets management, MFA, deserialization).

Recommended learning order

Phase 1 — Primitives and intent

1. hashing-vs-encryption-vs-signing
2. symmetric-encryption-modes
3. mac-and-hmac
4. asymmetric-encryption-and-key-exchange
5. digital-signatures

Phase 2 — Applied storage and identity

6. password-hashing
7. kdf-and-key-stretching
8. random-and-csprng-pitfalls

Phase 3 — Transport and certificates

9. tls-handshake-and-pki
10. certificate-validation-and-pinning

Phase 4 — Token-shape correctness

11. jwt-cryptographic-correctness

Phase 5 — Failure-mode literacy

12. aead-and-nonce-misuse
13. roll-your-own-crypto-failures
14. post-quantum-awareness

Core clusters

Primitives

• hashing-vs-encryption-vs-signing
• symmetric-encryption-modes
• mac-and-hmac
• asymmetric-encryption-and-key-exchange
• digital-signatures
• aead-and-nonce-misuse
• random-and-csprng-pitfalls

Applied storage and identity

• password-hashing
• kdf-and-key-stretching

Transport and certificates

• tls-handshake-and-pki
• certificate-validation-and-pinning

Token-shape correctness

• jwt-cryptographic-correctness

Failure-mode literacy

• roll-your-own-crypto-failures
• post-quantum-awareness

Connections to other branches

• TLS/HTTPS depends on tls-handshake-and-pki and certificate-validation-and-pinning
• Auth Flaws depends on password-hashing, mac-and-hmac, and jwt-cryptographic-correctness
• Session Management depends on random-and-csprng-pitfalls
• JWT Attacks depends on jwt-cryptographic-correctness and digital-signatures
• Secrets Management depends on symmetric-encryption-modes and kdf-and-key-stretching
• MFA Phishing Resistance depends on digital-signatures (WebAuthn signing model)
• End-to-End Encryption and PGP depend on asymmetric-encryption-and-key-exchange and digital-signatures

Calibration

• This branch is a primitives-and-correctness branch, not a math branch. The goal is to reason confidently about real-world failures, not to derive elliptic-curve arithmetic.
• The branch deliberately includes a "what does not work" section across notes (e.g., MD5 for password storage, ECB mode, encryption-without-MAC, JWT alg=none) — false-friend defenses are the common shape of crypto bugs.
• Quantum-resistance is treated as one note for awareness, not a current operational concern.