Learn Cryptography Fundamentals with Python

Începe

This course is a practical, code-first introduction to applied cryptography using Python. It covers the primitives that secure every real system — randomness and entropy, hash functions, password storage, symmetric and asymmetric encryption, digital signatures, certificates and TLS, and JSON Web Tokens — and, just as importantly, the mistakes that quietly break them. No cryptography background is required, only comfortable Python and a willingness to think like an attacker as well as a builder.

Every chapter hardens one layer of a single running project: Vaultkeeper, a secrets-management service for a small engineering team that stores API keys, database passwords, and private notes on behalf of its users. From the first chapter you generate the tokens and keys the whole system depends on; by the last you are issuing signed session tokens over an authenticated TLS channel. Each new primitive is introduced because Vaultkeeper concretely needs it, and each is shown first in its broken or naive form so the reason the correct construction exists is never abstract.

By the end you will understand the difference between random and secrets and why it decides whether tokens are guessable; why hashing is not encryption and HMAC is not a plain hash; how salts, PBKDF2, and scrypt defend password databases against precomputation and brute force; when to reach for AES-GCM versus RSA and why real systems combine them in hybrid encryption; how digital signatures give you authenticity and non-repudiation that encryption alone does not; how X.509 certificates and the TLS handshake bootstrap trust over an untrusted network; and how a JWT is really just base64 and an HMAC, along with the claims, expiry, and verification rules that make tokens safe to trust.

Laborator compatibil

VSCode Cloud Sandbox

The VSCode Cloud IDE sandbox offers a wide range of core technologies used in programming such Python pytest, GIT, python poetry, Cerberus and many more....

10,0 (2)

Capitole

10
Capitol 1

Randomness and Entropy

This chapter builds Vaultkeeper's token and key generator and establishes why randomness is the foundation of all cryptography. It contrasts Python's predictable random module with the cryptographically secure secrets module and os.urandom, generates session tokens, API keys, and raw key bytes in the right formats, measures token strength in bits of entropy, explains the 128-bit brute-force threshold, and shows why secret comparison must use secrets.compare_digest to avoid a timing side channel.

Capitol 2

Hash Functions, Integrity, and HMAC

This chapter gives Vaultkeeper tamper-detection for its audit log and backups using cryptographic hash functions and HMAC. It explains why hashing is one-way and not encryption, hashes data with hashlib using SHA-256, SHA-3, and BLAKE2, demonstrates the avalanche effect, streams large files in chunks to hash them with constant memory, shows why a plain public hash cannot stop a deliberate attacker, and fixes that with keyed HMAC verified in constant time with hmac.compare_digest.

Capitol 3

Password Safety: Salts and Key Derivation

This chapter builds Vaultkeeper's account system to survive a full database theft, covering why plaintext and plain fast-hash password storage both fail against rainbow tables and GPU brute force. It adds a per-user random salt to defeat precomputation, switches to the deliberately slow PBKDF2 with hashlib.pbkdf2_hmac, goes memory-hard with hashlib.scrypt, and assembles a complete register-and-verify flow with a self-describing algorithm-parameters-salt-hash storage format and constant-time verification.

Capitol 4

Symmetric Encryption with AES

This chapter encrypts Vaultkeeper's secrets at rest with symmetric AES, showing why ECB mode leaks patterns by producing identical ciphertext for identical plaintext blocks. It switches to authenticated encryption with AES-GCM so tampering raises InvalidTag, binds ciphertext to its owner and record name using associated data to block relabelling attacks, explains the absolute rule that a GCM nonce must never be reused under the same key, and introduces Fernet as the foolproof high-level recipe that manages the nonce and tag for you.

Capitol 5

Asymmetric Encryption

This chapter adds teammate-to-teammate secret sharing to Vaultkeeper using asymmetric encryption, solving the key distribution problem that symmetric encryption cannot. It generates an RSA keypair, serialises the public and private keys to PEM, encrypts a secret to a public key with OAEP padding so only the private-key holder can decrypt, hits RSA's ~190-byte size limit, and solves it with hybrid encryption — using AES-GCM for the payload and RSA only to wrap the symmetric key, the construction behind TLS, PGP, and secure messaging.

Capitol 6

Digital Signatures

This chapter makes Vaultkeeper's audit log independently verifiable and authenticates shared secrets using digital signatures. It shows why HMAC cannot provide non-repudiation because signer and verifier share one key, then signs and verifies with Ed25519 so a private key signs and anyone with the public key can verify, demonstrates verification rejecting any tampering with InvalidSignature, explains precisely why signatures give integrity, authenticity, and non-repudiation where HMAC gives only mutual authentication, and covers RSA-PSS signatures for systems already using RSA keypairs.

Capitol 7

Certificates and TLS

This chapter puts Vaultkeeper's API behind TLS, solving the man-in-the-middle problem that plain encryption leaves open. It builds an X.509 certificate binding a public key to a hostname, shows why a self-signed certificate proves nothing because anyone can mint one, stands up a Certificate Authority that signs a server certificate, verifies the chain of trust with the signature check from the signatures chapter, and runs a real TLS 1.3 handshake between a Python ssl client and server over a socket — accepting the CA-trusted certificate and rejecting an impostor.

Capitol 8

JSON Web Tokens and Session Tokens

This chapter builds Vaultkeeper's API authentication with tokens, contrasting stateful opaque session tokens with stateless JSON Web Tokens. It generates opaque tokens with secrets.token_urlsafe, constructs a JWT from scratch to show it is just base64url plus an HMAC, verifies and rejects tampered tokens in constant time, adds expiry and standard claims with the PyJWT library, explains refresh tokens, and shuts down the signature-stripping and alg=none algorithm-confusion attacks by pinning an explicit algorithms allowlist. It stresses that a JWT is signed, not encrypted, so its claims are public and must never hold secrets.

Capitol 9

Summary

A recap of the cryptography fundamentals course, tracing the Vaultkeeper system hardened chapter by chapter: randomness and entropy, hash functions and HMAC, password storage with salts and key-derivation functions, symmetric AES-GCM encryption, asymmetric RSA and hybrid encryption, digital signatures, X.509 certificates and TLS, and JSON Web Tokens — with the key decision rules and the mistakes that defeat each primitive.

Test 10

Cryptography Fundamentals Assessment

The final assessment for the cryptography fundamentals course — ten multiple-choice questions covering secure randomness versus the random module, bits of entropy, why HMAC beats a plain hash, the purpose of a salt, ECB versus AES-GCM, hybrid encryption, why signatures give non-repudiation, self-signed versus CA-signed certificates in TLS, the signed-not-encrypted nature of JWTs, and pinning the algorithms allowlist in jwt.decode.

Comentarii

Niciun comentariu încă. Fii primul care își împărtășește părerea.
Avansat
0,0 (0)

Autor

Software engineer and the creator of the Bytestark learning platform