Computer Atlas

Cryptography Crash Course

For intermediates · 9 topics (6 required · 3 optional) · updated 2026-06-07

A practical tour of the cryptography most engineers actually use — symmetric and public-key, TLS, password storage, and the auth flows on top.

Reading time: ~28 min (+15 min optional)
Level mix: 1 beginner · 8 intermediate

You don’t need to invent cryptography to ship secure software, but you do need to know which tool answers which question. This path covers the toolkit (symmetric and public-key crypto), the protocol that makes the web safe (TLS), how to store passwords without making a future breach catastrophic, and how authn and authz fit together on top.

Aim: by the end, the questions “how should we hash these passwords?” and “is TLS enough for service-to-service auth?” should have obvious answers.


Roadmap


The math

  1. The science of keeping information secret and verifying it has not been tampered with — built from math and careful engineering.

  2. Cryptography using a pair of mathematically linked keys — one you share, one you keep secret. The basis of TLS, signatures, and modern authentication.

In use on the wire

  3. The protocol that encrypts and authenticates almost all secure traffic on the internet — the "S" in HTTPS, IMAPS, SMTPS, and many more.

  4. HTTPS (Optional)

    HTTP wrapped in TLS — the encrypted, authenticated version of the web's core protocol, now the default for every public site.

Storing secrets

  5. One-way, deliberately slow transformations of a password used so that a database breach doesn't reveal the originals.

Identity and access

  6. Proving *who* a user is — by something they know (password), have (token, phone), or are (biometric).

  7. Deciding *what* an authenticated user is allowed to do — the system of permissions, roles, and policies that protects resources.

  8. OAuth (Optional)

    A standard for delegated authorization — letting an app act on a user's behalf at another service without ever seeing the user's password.

Common pitfalls

  9. CSRF (Optional)

    A vulnerability where an attacker tricks the victim's browser into making a state-changing request to a site the victim is logged into.