Track 08 — Cryptography, PKI & Secrets¶
The trust layer of everything. Go beyond the Foundations primer into applied cryptography, PKI, secrets management, and email authentication — and how to audit them.
What you'll be able to do¶
- Choose and use the right primitive, and recognise when one is misused.
- Run and reason about TLS and a certificate chain end to end.
- Manage secrets properly and hunt for leaked ones.
- Audit email authentication and applied-crypto failures.
Modules¶
| # | Module | What you'll learn | OSS tools |
|---|---|---|---|
| 01 | Primitives in Practice | What each guarantees — and doesn't | openssl |
| 02 | Symmetric & AEAD | AES, modes, and authenticated encryption | openssl |
| 03 | Asymmetric & Key Exchange | RSA/EC, Diffie-Hellman, key agreement | openssl |
| 04 | Hashing, MACs & Passwords | Integrity, HMAC, and password storage | openssl, argon2 |
| 05 | TLS Deep Dive | The handshake, ciphers, and inspection | openssl, testssl.sh |
| 06 | PKI & Certificate Management | CAs, chains, revocation, and issuance | step-ca, openssl |
| 07 | Secrets Management | Storing and brokering secrets properly | vault, sops |
| 08 | Secret Detection & Leakage | Finding credentials in code and history | gitleaks, trufflehog |
| 09 | Email Authentication | SPF, DKIM, and DMARC in practice | dig, openssl |
| 10 | Auditing Applied-Crypto Failures | Spotting the real-world mistakes | testssl.sh |
| 11 | Post-Quantum & Crypto-Agility Migration | Migrating to hybrid PQC key exchange, proven by handshake capture | openssl 3.5, oqs-provider |
| 12 | Choosing Your Crypto: an ADR | Making and documenting a defensible crypto decision | openssl |
Phases & projects¶
The twelve modules run in four phases; each ends in a project that integrates its modules (a phase is the substantial, standalone unit — a single module is a few hours).
- Phase 1 · Primitives in your hands (01–04) — Project: a small, tested crypto toolkit that exercises each primitive correctly — AEAD encrypt/decrypt, a key exchange, an HMAC, and password hashing with argon2 — plus a written note on the misuse each one invites (ECB, nonce reuse, fast hashes for passwords).
- Phase 2 · TLS & PKI (05–06) — Project: run a private CA with
step-ca, issue and chain a certificate, stand up a TLS service, then scan it withtestssl.shand explain every handshake step and cipher decision the scan reports. - Phase 3 · Secrets & applied audit (07–10) — Project: the track capstone — audit a small system's full crypto posture (TLS config, cert hygiene, secrets handling, SPF/DKIM/DMARC), hunt for leaked credentials, fix each finding, and re-test — delivering the before/after audit report.
- Phase 4 · Migration & decisions (11–12) — Project: migrate a service to hybrid post-quantum key exchange and prove it with before/after handshake captures, then write the architecture decision record (ADR) that justifies each crypto choice against current standards.
Prerequisites¶
Complete Track 00 — Foundations (module 09 — Cryptography Basics).
Capstone¶
Audit a small system's crypto posture: TLS configuration, certificate hygiene, secrets handling, and SPF/DKIM/DMARC — then fix each finding and re-test. Deliverable: the audit report with before/after evidence.
The starter scaffold and acceptance checks live in
plaintext-labs/cryptography/capstone/.
Capstone rubric¶
Audit the whole crypto posture, fix each finding, and re-test to prove the fix. Proficient is the bar to ship.
| Dimension | Developing | Proficient | Exemplary |
|---|---|---|---|
| TLS configuration | Ran testssl.sh, didn't interpret |
Weak protocols/ciphers identified and explained, with the standard each violates | Re-tested after the fix; cites RFC 8446 / current NIST guidance for each decision |
| Certificate hygiene | Checked expiry only | Chain, key strength, SAN, and revocation reviewed against RFC 5280 | Issuance/renewal automated (step-ca/ACME); short-lived certs or rotation demonstrated |
| Secrets handling | Found a secret, no remediation | Leaked/poorly-stored secrets found and moved to proper storage (Vault/SOPS) | History scrubbed, rotation done, detection wired to prevent recurrence |
| Email auth | Checked one of SPF/DKIM/DMARC | SPF, DKIM, and DMARC all assessed with the policy gaps named | Recommends an enforce-mode rollout path with the risk of each step |
| Audit report | Findings without before/after | Each finding has evidence, a fix, and a re-test proving it | Severity-ranked, tool output attached, no "trust me" — every claim has a test behind it |
AI & automation¶
Crypto is where confident-but-wrong AI advice is dangerous — models suggest broken modes and deprecated ciphers. Use AI to explain and to draft audit tooling, then verify every recommendation against current standards and the actual configuration. Trust the test output, not the model's assurance.
Standards & further reading¶
- RFC 8446 (TLS 1.3) and RFC 5280 (X.509/PKI)
- NIST SP 800-175B and SP 800-57 (key management)
- RFCs 7208/6376/7489 (SPF/DKIM/DMARC)
- OWASP Cryptographic Storage Cheat Sheet
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).