Module 02

Cryptography

Three subdomains, twenty-four reference pages, ten hands-on interactive labs. Symmetric encryption (one shared key), asymmetric cryptography (key pairs), and hash functions (fingerprints). Every protocol that protects your traffic, every certificate that proves a server's identity, every password your accounts depend on draws on the primitives in this module.

3 subdomains · 24 / 24 pages live · 10 interactive labs

Cryptography is the math that turns "I have a secret" into "I can prove that secret without revealing it, transmit it without being overheard, and verify that nobody altered it on the way." None of the rest of cybersecurity works without it.

The three subdomains map to the three problems cryptography solves. Symmetric encryption protects data when both parties already share a secret. Asymmetric cryptography solves the bootstrapping problem: how do two parties who have never met agree on a key without an eavesdropper hearing? Hash functions make fingerprints that catch tampering, anchor signatures, and ground every modern integrity check.

Pick a subdomain below, start at 02.A.01 and walk straight through, or jump to the interactive labs at the bottom of this page.

02.A

Symmetric Encryption

7 pages · 7 live

The classical model: Alice and Bob share a secret key and use it to encrypt and decrypt the same way. Fast, well-understood, and the workhorse of every TLS session once the handshake completes. The catch is that both parties have to obtain the same key somehow without an eavesdropper intercepting it, which is the entire reason asymmetric cryptography had to be invented. Hands-on Caesar, substitution, Vigenere, and XOR challenges live in the labs section below.

02.A.01
Foundations of Symmetric Encryption
The shared-secret model, plaintext and ciphertext, what a cipher actually does, and the vocabulary you will use for the rest of this subdomain.
Live
02.A.02
Block Ciphers and AES
Fixed-size input blocks transformed by a key. DES and 3DES historically, Rijndael becoming AES in 2001, and why AES is the cipher you will encounter almost everywhere today.
Live
02.A.03
Stream Ciphers vs Block Ciphers
Encrypting one bit or byte at a time by XORing a keystream onto the plaintext vs encrypting fixed-size blocks. ChaCha20 as the modern stream standard, RC4 as the cautionary tale, and when streams beat blocks in practice.
Live
02.A.04
Modes of Operation
How a block cipher encrypts data longer than one block. ECB and its famous penguin, CBC with its sequential dependencies, CTR turning a block cipher into a stream, and GCM combining encryption with integrity.
Live
02.A.05
Padding and Initialization Vectors
Making variable-length plaintext fit fixed-size blocks. PKCS#7 padding, why an IV must never repeat under the same key (and for CBC must be unpredictable as well), and the padding-oracle attacks that exploit implementations which reveal whether a decrypted block had valid padding.
Live
02.A.06
Authenticated Encryption (AEAD)
Encryption alone is not enough. AES-GCM and ChaCha20-Poly1305 combine confidentiality and integrity in a single operation, defeating the bit-flipping and chosen-ciphertext attacks that plagued earlier modes.
Live
02.A.07
Key Management
Generation, storage, rotation, and destruction of symmetric keys. KEKs and DEKs, hardware security modules, key escrow, and how cloud KMS services (AWS KMS, GCP Cloud KMS, Azure Key Vault) handle the lifecycle.
Live
02.B

Asymmetric Cryptography

10 pages · 10 live

Public-key cryptography. Every party has two keys: one private, one public. Encrypt with the public key and only the holder of the matching private key can decrypt. Sign with the private key and anyone with the public key can verify. The math is harder than symmetric crypto and the operations are slower, but the result solves problems symmetric crypto cannot: key distribution at scale, digital signatures, and the entire model of TLS, SSH, and code signing. Hands-on PKI labs (sign/verify, encrypt/decrypt, key picker) are in the labs section below.

02.B.01
The Key Distribution Problem
Why symmetric cryptography alone fails at scale: n(n-1)/2 keys for n parties, no way to bootstrap secure communication with strangers. The problem asymmetric crypto was invented to solve.
Live
02.B.02
Foundations of Asymmetric Cryptography
The key-pair model, one-way functions with trapdoors, and the directional rule: encrypt to a public key, sign with a private key. The mnemonic that resolves the most common student confusion.
Live
02.B.03
RSA
The first practical public-key algorithm. Choose two primes, compute n and φ(n), find e and d such that ed ≡ 1 (mod φ(n)), and you have a key pair. The math, the trapdoor, and why factoring large semiprimes is hard.
Live
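The key-pair construction described above, carried through in code. This is an added example, not material from the page or from any library; the primes 61 and 53 and the exponent 17 are constructed toy values (real keys use primes of 1024 bits or more), and it shows one thing the summary does not: why "textbook" RSA without OAEP or PSS padding is malleable.

```python
import math


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two distinct primes p and q.

    n = p*q is the public modulus, phi(n) = (p-1)(q-1), and the private
    exponent d is the inverse of e modulo phi(n), so that e*d ≡ 1 (mod phi(n)).
    Returns the public key (e, n) and the private key (d, n).
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n); pick another e")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    assert (e * d) % phi == 1
    return (e, n), (d, n)


def rsa_encrypt(m: int, pub) -> int:
    """Encrypt to the public key: c = m^e mod n. Requires 0 <= m < n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, priv) -> int:
    """Decrypt with the private key: m = c^d mod n."""
    d, n = priv
    return pow(c, d, n)


def rsa_sign(m: int, priv) -> int:
    """Sign with the private key: the same trapdoor, run in the other direction."""
    d, n = priv
    return pow(m, d, n)


def rsa_verify(m: int, sig: int, pub) -> bool:
    """Anyone holding the public key can check a signature."""
    e, n = pub
    return pow(sig, e, n) == m


def textbook_rsa_is_malleable(pub, m1: int, m2: int) -> bool:
    """Why raw RSA needs padding (OAEP for encryption, PSS for signatures).

    Without padding, Enc(m1) * Enc(m2) mod n == Enc(m1 * m2 mod n): someone who
    sees two ciphertexts can manufacture a valid ciphertext for a message they
    never saw in the clear. Returns True when the identity holds.
    """
    e, n = pub
    forged = (rsa_encrypt(m1, pub) * rsa_encrypt(m2, pub)) % n
    return forged == rsa_encrypt((m1 * m2) % n, pub)


if __name__ == "__main__":
    # Constructed toy parameters for illustration only.
    pub, priv = rsa_keygen(p=61, q=53, e=17)
    print("public key (e, n):", pub, " private key (d, n):", priv)
    c = rsa_encrypt(65, pub)
    print("Enc(65) =", c, "-> Dec =", rsa_decrypt(c, priv))
    s = rsa_sign(65, priv)
    print("Sign(65) =", s, "-> Verify:", rsa_verify(65, s, pub))
    print("textbook RSA malleable:", textbook_rsa_is_malleable(pub, 2, 3))
```

With p = 61, q = 53 and e = 17 the modulus is 3233, φ(n) is 3120 and d comes out as 2753; encrypting 65 gives 2790. The malleability check is the reason no real system uses these raw operations directly.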
02.B.04
Diffie-Hellman Key Exchange
Alice and Bob agree on a shared secret over a public channel while Eve listens to everything and learns nothing. The discrete logarithm problem, ephemeral DH for forward secrecy, and why this is the foundation of every modern TLS session.
Live
02.B.04i
Diffie-Hellman — The Paint Analogy (Interactive)
A step-by-step visual: mix a common color with secret colors, swap the mixtures in public, and watch Alice and Bob arrive at the same shared secret while Eve—who sees every exchange—learns nothing. Play, pause, or step through it.
Interactive
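The exchange from the two Diffie-Hellman entries above, as an added example that is not part of the page or the interactive lab. The group p = 23, g = 5 and the secrets 6 and 15 are constructed toy values; with a group that small Eve can recover the secret by brute force, which is exactly what the block shows, and why real deployments use 2048-bit groups or X25519. The public-value check is the one a practitioner adds before using a peer's value.

```python
import secrets
from typing import Optional


def validate_public_value(p: int, value: int) -> None:
    """Reject degenerate public values (0, 1, p-1, or out of range).

    Accepting them lets a peer force the shared secret into a tiny set,
    the simplest form of the small-subgroup problem.
    """
    if not 2 <= value <= p - 2:
        raise ValueError(f"invalid Diffie-Hellman public value {value}")


def dh_keypair(p: int, g: int, secret: Optional[int] = None):
    """Return (private exponent, public value g^secret mod p).

    A fresh secret per session (the default) is what makes the exchange
    ephemeral: no long-lived key can later decrypt the session.
    """
    if secret is None:
        secret = 2 + secrets.randbelow(p - 3)  # 2 .. p-2
    return secret, pow(g, secret, p)


def dh_shared_secret(p: int, their_public: int, my_secret: int) -> int:
    """Each side raises the other's public value to its own secret."""
    validate_public_value(p, their_public)
    return pow(their_public, my_secret, p)


def brute_force_dlog(p: int, g: int, target: int) -> Optional[int]:
    """Eve's only option: solve g^x ≡ target (mod p) by trying every x.

    Cost grows with p; trivial for p = 23, hopeless for a 2048-bit prime.
    """
    value = 1
    for x in range(p - 1):
        if value == target:
            return x
        value = (value * g) % p
    return None


def eavesdropper_recovers(p: int, g: int, alice_public: int, bob_public: int) -> Optional[int]:
    """Eve sees p, g, A and B on the wire; for a tiny p that is enough."""
    a = brute_force_dlog(p, g, alice_public)
    return None if a is None else pow(bob_public, a, p)


if __name__ == "__main__":
    p, g = 23, 5  # constructed toy group
    a, A = dh_keypair(p, g, secret=6)
    b, B = dh_keypair(p, g, secret=15)
    print(f"Alice sends A={A}, Bob sends B={B}")
    print("Alice computes", dh_shared_secret(p, B, a), "Bob computes", dh_shared_secret(p, A, b))
    print("Eve brute-forces the secret:", eavesdropper_recovers(p, g, A, B))
```

Alice sends 8, Bob sends 19, and both arrive at 2. Eve computes the same 2 here only because 23 is tiny; the discrete logarithm step is the whole cost of the attack.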
02.B.05
Elliptic Curve Cryptography
The same conceptual model as RSA and DH, different math underneath. Point addition, scalar multiplication, the ECDLP, and why a 256-bit ECC key offers the same security as a 3072-bit RSA key.
Live
02.B.06
Digital Signatures
Same key pair, opposite direction. Sign with private, verify with public. Authenticity, integrity, non-repudiation. RSA-PSS, ECDSA, Ed25519, and the PlayStation 3 disaster of 2010.
Live
02.B.07
Hybrid Encryption
Nobody encrypts a 5 MB file with RSA. Use asymmetric crypto to establish or wrap a small symmetric session key, then use AES on the bulk data. The pattern behind PGP, S/MIME, age, and TLS itself: the handshake uses public-key operations only to arrive at symmetric keys, and everything after it is symmetric.
Live
02.B.08
Public Key Infrastructure (PKI)
Public keys by themselves prove nothing about ownership. X.509 certificates, certificate authorities, chains of trust, revocation, Certificate Transparency, and how Let’s Encrypt drove HTTPS adoption past 95%.
Live
02.B.09
The TLS Handshake
The capstone. Every algorithm in this subdomain converges in a single sub-second exchange. ECDHE, certificate verification, signatures, KDFs, AEAD, all in one round trip. TLS 1.3 in full detail.
Live
02.C

Hashing

8 pages · 8 live

Hash functions take any input and produce a fixed-size fingerprint that looks like random noise but is fully deterministic. Change one bit and the entire output transforms. Hashes are not encryption, have no key, and cannot be reversed by design. They are the integrity proofs of file downloads, the storage form of passwords, the anchor under every digital signature, the address of every git commit and Docker image, and the structural backbone of blockchains.

02.C.01
Foundations of Hashing
What a hash function is, the five properties that define a cryptographic hash, the avalanche effect, and why hashes are not encryption.
Live
02.C.02
The Hash Function Family Tree
MD5, SHA-1, SHA-2, SHA-3, BLAKE2, BLAKE3. The history, current status, and use cases of every hash family you will encounter in production.
Live
02.C.03
Collisions and the Birthday Attack
Why every hash has collisions (pigeonhole), why they appear sooner than expected (birthday paradox), how MD5 and SHA-1 fell to practical attacks, and what defenders do about it.
Live
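The birthday effect from the entry above, measured rather than stated. This is an added example, not part of the page; it truncates SHA-256 to a chosen number of bits to stand in for a short hash (the messages "msg-0", "msg-1", … are constructed). A collision on a 32-bit digest turns up after roughly 2^16 hashes, while hitting one fixed 16-bit digest costs roughly 2^16 hashes, which is the gap between collision resistance and preimage resistance.

```python
import hashlib
import itertools
from typing import Tuple


def truncated_digest(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(msg), standing in for a short hash."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int) -> Tuple[bytes, bytes, int]:
    """Birthday attack: hash distinct messages until two share a digest.

    Expected work is about 1.25 * 2^(bits/2) hashes, not 2^bits, because each
    new digest is compared against every digest seen so far.
    Returns (message_a, message_b, hashes_computed).
    """
    seen = {}
    for i in itertools.count():
        msg = f"msg-{i}".encode()  # constructed, pairwise distinct inputs
        tag = truncated_digest(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
    raise AssertionError("unreachable")


def find_preimage(target: int, bits: int) -> Tuple[bytes, int]:
    """Hit one fixed digest: expected 2^bits hashes, no shortcut from the birthday bound."""
    for i in itertools.count():
        msg = f"pre-{i}".encode()
        if truncated_digest(msg, bits) == target:
            return msg, i + 1
    raise AssertionError("unreachable")


if __name__ == "__main__":
    a, b, n = find_collision(32)
    print(f"32-bit collision after {n} hashes: {a!r} and {b!r}")
    target = truncated_digest(b"target document", 16)
    m, k = find_preimage(target, 16)
    print(f"16-bit preimage after {k} hashes: {m!r}")
    _, _, c = find_collision(16)
    print(f"16-bit collision after only {c} hashes")
```

Scaling the same arithmetic to a full 128-bit digest such as MD5 gives a birthday bound of about 2^64, which is why MD5 collisions became practical long before any preimage did.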
02.C.04
Hashes For Integrity
The publish-download-hash-compare pattern. Linux ISOs, apt and dpkg, Docker, npm, git. The difference between integrity and authenticity, and why a plain hash file plus a GPG signature is the right shape.
Live
02.C.05
HMAC: Hashing With A Key
Plain hashes prove integrity but not authenticity. HMAC folds a secret key into the hash to make the output unforgeable without the key. JWT, AWS Signature V4, TLS, IPsec, SSH, webhooks.
Live
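A webhook signature of the kind listed above, as an added example that is not code from the page or from any provider. The header layout "t=<timestamp>,v1=<hex tag>", the secret and the JSON body are constructed for illustration; the two points worth seeing in code are binding the timestamp into the MAC so replays of an old delivery are rejected, and comparing tags with hmac.compare_digest so the check leaks nothing through timing.

```python
import hashlib
import hmac


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Producer side: tag = HMAC-SHA256(secret, "<timestamp>." + body).

    Binding the timestamp into the MAC lets the receiver reject replays of a
    delivery that was genuinely signed earlier.
    """
    msg = f"{timestamp}.".encode() + body
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={tag}"


def verify_webhook(secret: bytes, body: bytes, header: str, now: int, tolerance: int = 300) -> bool:
    """Consumer side. True only for a fresh, untampered, correctly keyed delivery."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        timestamp = int(fields["t"])
        given = fields["v1"]
    except (ValueError, KeyError):
        return False  # malformed header
    if abs(now - timestamp) > tolerance:
        return False  # stale or future-dated: treat as a replay
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    # compare_digest takes the same time however early the strings differ, so an
    # attacker cannot recover a valid tag byte by byte from response timing.
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    secret = b"whsec_constructed_example"            # constructed shared secret
    body = b'{"event":"payment.succeeded","amount":1999}'  # constructed payload
    ts = 1_700_000_000
    header = sign_webhook(secret, body, ts)
    print("header:", header)
    print("genuine:", verify_webhook(secret, body, header, now=ts + 30))
    print("tampered:", verify_webhook(secret, body.replace(b"1999", b"1"), header, now=ts + 30))
    print("replayed an hour later:", verify_webhook(secret, body, header, now=ts + 3600))
```

Contrast this with a verifier that checks only sha256(body): anyone who can edit the body can recompute that digest, so it proves integrity in transit but says nothing about who sent it. The key is what turns the fingerprint into a proof of origin.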
02.C.06
Password Hashing
SHA-256 is too fast for passwords. The slow-by-design family: bcrypt, scrypt, Argon2id. Work factors, memory hardness, GPU attacker economics, and why OWASP recommends Argon2id for new systems.
Live
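The slow-by-design pattern from this entry, together with the per-user salt from the salting entry that follows, in one added example that is not code from the page. Argon2id needs a third-party package, so this uses PBKDF2-HMAC-SHA256 from the standard library, which the OWASP cheat sheet lists as the FIPS-compatible fallback, with the 600,000-iteration figure it gives. The "pbkdf2_sha256$iterations$salt$hash" storage string is a constructed format; the needs_rehash check is how a deployment raises its work factor over time without forcing password resets.

```python
import base64
import hashlib
import hmac
import secrets

ALG = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """The slow part: PBKDF2 runs HMAC-SHA256 `iterations` times per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm, work factor, salt and digest.

    A fresh random salt per user means two users with the same password get
    different records, and no precomputed (rainbow) table applies.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = derive(password, salt, iterations)
    return "$".join([ALG, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and work factor, compare in constant time."""
    try:
        alg, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record (binascii.Error is a ValueError)
    if alg != ALG:
        return False
    return hmac.compare_digest(derive(password, salt, iterations), expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a lower work factor than current policy;
    call after a successful login and re-hash while the password is in hand."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    print("needs rehash:", needs_rehash(record))
```

Two records for the same password differ because the salt differs; the verifier reads the salt back out of the record, which is why the salt is stored in the clear and only the pepper, if one is used, lives elsewhere.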
02.C.07
Salting and KDFs
Why slow hashing alone is not enough. Per-user salts defeat rainbow tables. Pepper as defense-in-depth. PBKDF2, scrypt, Argon2 as password KDFs. HKDF as the extract-and-expand workhorse of TLS 1.3, Signal, and WireGuard.
Live
02.C.08
Hashes In The Wild
The capstone. Git, Bitcoin, Merkle trees, Docker image digests, IPFS content addressing, TLS certificate fingerprints, and HTML Subresource Integrity. The same primitive, deployed everywhere.
Live
Hands-on

Interactive Labs

Reference pages are not enough. Each subdomain has companion lab pages that put the math on a keyboard. Each lab runs in the browser, no install required, and uses real cryptographic primitives where the browser exposes them.