Cryptography Foundations
AES, ChaCha20, AEAD, Curve25519, Ed25519, Noise, HKDF, post-quantum hybrid — the math you need to read RFC 8446 without flinching.
8 of 8 modules published
Symmetric encryption, block ciphers, and AES
AES from first principles: what a block cipher actually is, why ECB is the canonical embarrassment, modes of operation, and why AES alone is not an encryption scheme.
Stream ciphers and AEAD construction
Stream ciphers, ChaCha20, GCM, Poly1305: how authenticated encryption is actually built, why nonce reuse is catastrophic, and how to choose between AES-GCM and ChaCha20-Poly1305.
Hash functions and message authentication
Cryptographic hashes from first principles: SHA-2, SHA-3, BLAKE3, what they each guarantee, why HMAC exists, and the length-extension trap that motivates careful MAC design.
Asymmetric crypto: RSA and the discrete-log family
Public-key cryptography from first principles: what RSA actually does, why TLS 1.3 dropped RSA key exchange, and why X25519 is the engineering default in modern protocols.
Digital signatures
Digital signatures from first principles: RSA-PSS, ECDSA's nonce trap, why Ed25519 is the modern default, and what verification actually proves.
Key derivation: HKDF and friends
Why one secret becomes many keys: HKDF extract-then-expand, PBKDF2 vs Argon2id, salts, domain separation, and the failure mode of reusing keys across contexts.
The Noise protocol framework
Noise from first principles: handshake patterns, the state-machine triple (Cipher/Symmetric/Handshake), why WireGuard chose Noise IK, and how to read pattern notation.
Post-quantum cryptography in transit
Why TLS and QUIC are migrating to post-quantum key agreement now: ML-KEM, ML-DSA, hybrid X25519+ML-KEM, harvest-now-decrypt-later, and what 2026 deployment actually looks like.