Cryptography
Cryptography protects confidentiality, integrity and authenticity of data using mathematical methods. It includes encryption, digital signatures, hashing and key management to secure communication and stored data.
Classification
- Complexity: High
- Impact area: Technical
- Decision type: Architectural
- Organizational maturity: Advanced
Technical context
Principles & goals
Use cases & scenarios
Compromises
- Key loss or theft compromises all dependent data.
- Using deprecated algorithms results in silent compromises.
- Lack of proper randomness undermines cryptographic security.
- Use vetted standard libraries instead of homegrown crypto implementations.
- Introduce automated key rotation and strict access controls.
- Schedule regular security reviews and algorithm updates.
I/O & resources
- Threat model, data sensitivity, hardware profiles
- Legal and regulatory requirements
- Available key management systems and infrastructure
- Key pair and certificate inventory
- Configured encryption and signature protocols
- Audit logs and attestation records for security tests
Description
Cryptography is the scientific discipline for protecting confidentiality, integrity, and authenticity of information using mathematical techniques. It covers encryption, signatures, hashing, and key management. Use cases range from secure communications to data at rest and include algorithm lifecycle management; it requires careful protocol selection, implementation and compliance considerations.
✔ Benefits
- Protects confidentiality and prevents unauthorized data access.
- Ensures integrity and traceability of messages.
- Enables trust models between distributed systems.
✖ Limitations
- Incorrect implementation can lead to severe vulnerabilities.
- Performance impact for strong encryption or on constrained hardware.
- Long-term security depends on algorithm and key length choices.
Trade-offs
Metrics
- Key rotation frequency
How often cryptographic keys are rotated according to policy.
- Throughput of encrypted operations
Number of encryption/decryption operations per time unit.
- Time-to-Compromise (TTC)
Estimated time an attacker needs to break cryptographic protections.
Examples & implementations
End-to-end encrypted messaging app
Uses asymmetric keys for handshake and symmetric keys for message transport with forward secrecy.
Disk encryption for enterprise laptops
Hardware-backed encryption tied to TPM and centrally managed recovery keys.
PKI for internal services
Internal CA to issue and manage service certificates with lifecycle processes.
Implementation steps
Create threat model and classify protection needs.
Select appropriate algorithms and protocols per standards.
Integrate key management solution, configure rotation and auditing.
Test implementation, perform penetration tests and monitor.
⚠️ Technical debt & bottlenecks
Technical debt
- Outdated cryptography libraries that are never updated.
- Insufficient documentation of key ownership and restore processes.
- Incompatible protocol variants across system components.
Known bottlenecks
Misuse examples
- Reusing symmetric keys unchanged for years.
- Using insecure randomness sources for key generation.
- Misconfiguring TLS and permitting outdated protocol versions.
Typical traps
- Relying on obscurity instead of vetted cryptography.
- Underestimating importance of key lifecycles.
- Lack of monitoring for cryptographic performance issues.
Required skills
Architectural drivers
Constraints
- Regulatory mandates on algorithms and key lengths.
- Hardware constraints on embedded systems.
- Compatibility requirements with existing protocols.