Chapter Two · Cryptography You Use

Cryptography in Practice

The beginner course taught you what encryption, hashing, and signatures are. Here you use them. Every topic runs a real command in the Meridian lab — encrypting a backup, hashing a password the right way, reading a TLS handshake — and the chapter ends with you able to protect Meridian's data in transit and at rest, and to spot the crypto mistakes that quietly void all of it.

7 topics

Cryptography fails in practice far more often through misuse than through broken math. The algorithms — AES, SHA-256, RSA, elliptic curves — are sound; what breaks is the mode chosen, the nonce reused, the key committed to git, the fast hash used on a password. This chapter is about using the sound primitives correctly, on Meridian's real data.

Seven topics move from symmetric encryption to the usage mistakes that undo it. Along the way you protect a database backup, store passwords so a stolen table is nearly useless, exchange keys over a channel an eavesdropper is watching, and open the black box that the beginner course drew as a padlock. The rule underneath all of it: use vetted libraries and standard constructions, and never roll your own.

Four jobs, four tools — do not use one where you need another
Confidentiality
Keep it secret → AES-GCM, ChaCha20-Poly1305
Integrity
Prove it is unaltered → SHA-256, HMAC
Password storage
Store safely → argon2, bcrypt
Authenticity
Prove who made it → signatures, PKI

Topics in This Chapter

Topic 07
Symmetric Encryption for Real
AES is the standard — but the mode decides whether the ciphertext is actually secure. AES-GCM protects confidentiality and integrity; ECB leaks your data's structure, and a reused nonce breaks everything.
Encryption
Topic 08
Hashing, MACs, and Integrity
A hash gives integrity; a MAC adds a secret key so you also know who produced the data. Three jobs people constantly conflate — and why a bare published hash proves less than you think.
Integrity
Topic 09
Password Storage Done Right
Never store passwords recoverably, and never with a fast hash. The right tool is a slow, salted function — argon2, bcrypt, scrypt — tuned so a stolen database yields only expensive-to-crack hashes.
Passwords
Topic 10
Public-Key Crypto and Key Exchange
How two parties who never met agree on a secret over a watched channel. Key pairs, RSA versus elliptic curve, Diffie-Hellman key exchange, and the forward secrecy every HTTPS session depends on.
Public-Key
Topic 11
Digital Signatures and PKI
A signature proves a specific key signed a specific message — integrity, authenticity, and non-repudiation at once. And PKI is how you know the key really belongs to who you think.
PKI
Topic 12
TLS Under the Hood
Where the chapter's pieces come together: the handshake, cipher suites, and what the padlock does and doesn't promise. Open the black box the beginner course drew as a padlock.
TLS
Topic 13
Common Crypto Mistakes
Most crypto breaks are broken usage, not broken math. A defender's field guide to rolling your own, nonce reuse, hard-coded keys, weak randomness, and using the wrong primitive for the job.
Pitfalls