Cryptography
Symmetric/asymmetric, PKI, TLS/SSL, hashing, post-quantum cryptography, key management.
What is Cryptography?
Cryptography is the mathematical foundation that underpins virtually every security control in modern computing — from the TLS handshake that secures web browsing to the digital signatures that verify software updates to the encryption that protects data at rest on disk. Understanding cryptographic primitives, protocols, and their limitations is essential for any security professional who needs to evaluate whether a system's security claims are actually backed by sound cryptographic design.
The core building blocks include symmetric encryption (AES) for fast bulk data protection, asymmetric cryptography (RSA, ECC) for key exchange and digital signatures, cryptographic hash functions (SHA-256, SHA-3) for integrity verification, and Public Key Infrastructure (PKI) for managing trust relationships through certificates. Transport Layer Security (TLS) weaves these primitives together into the protocol that secures the majority of internet traffic, and understanding the TLS handshake — including certificate validation, cipher suite negotiation, and perfect forward secrecy — is fundamental.
The field is facing its most significant disruption in decades with the emergence of quantum computing. Post-quantum cryptography (PQC) — including lattice-based, hash-based, and code-based algorithms — is being standardized by NIST to replace algorithms vulnerable to quantum attack. The migration to quantum-resistant cryptography is expected to be a decade-long effort requiring cryptographic agility in system design.
Why it matters
Cryptography is the bedrock of digital trust. Misconfigured or misunderstood cryptography undermines every security layer built on top of it, from authentication to data protection to secure communications.
Cryptography is a foundational discipline that every other security domain depends on. Whether securing network traffic, protecting stored data, verifying identities, or signing code, the strength of the security ultimately rests on the strength of the underlying cryptography.
Control Access & Trust
Decide who or what can do what, enforce it cryptographically, constrain AI behaviour.
People shaping this field
Researchers and practitioners worth following in this space.
Cryptographer, author of Applied Cryptography and security commentator
Cryptography professor at Johns Hopkins, applied cryptography researcher
Post-quantum cryptography researcher, co-founder of pqcrypto.org
Curated resources
Authoritative sources we ground Cryptography questions in — frameworks, research, guides, and tools.
NIST SP 800-175B Rev. 1 — Guideline for Using Crypto Standards
Practical guidance on selecting and implementing cryptographic algorithms. Covers symmetric, asymmetric, hashing, and key management.
Serious Cryptography (Aumasson, 2017)
Practitioner-oriented cryptography textbook. Covers modern symmetric/asymmetric algorithms, protocols, and implementation pitfalls. Good for applied crypto questions vs. pure theory.
RFC 8446 — TLS 1.3
The TLS 1.3 specification. Removes legacy cipher suites, adds 0-RTT, mandates forward secrecy. Required reading for any TLS/PKI question.
NIST Post-Quantum Cryptography Standards
NIST's selected post-quantum cryptographic algorithms: ML-KEM, ML-DSA, and SLH-DSA. The future of cryptography in the quantum era.
Cryptopals Crypto Challenges
Set of practical cryptography exercises. Learn by breaking real-world crypto systems — the best way to understand cryptographic vulnerabilities.
Roles where this matters
Career paths where this domain shows up as core or recommended.
Ethically hack systems to find vulnerabilities before attackers do. Offensive security requires deep technical knowledge.
Design, build, and maintain security infrastructure. The architects of an organization's defensive posture.
Secure cloud infrastructure across AWS, Azure, and GCP. Specialize in the shared responsibility model and cloud-native controls.
Build privacy into systems by design. Navigate GDPR, CCPA, and emerging AI privacy regulations.
Prepare for the post-quantum era. Understand quantum threats and lead cryptographic migration efforts.
Design and operate the identity fabric that every other control inherits. Federated identity, MFA/passkeys, PAM, identity governance, and the policy glue between them.
Senior design role — defines how pillar A components fit together across identity, crypto, network, cloud, and data — and, increasingly, how pillar C bolts into it.
Embedded in a product team — owns threat modelling, secure design, libraries, dependency risk, and increasingly the AI-specific hardening of LLM features the product ships.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.
Core coverage
AWS Certified Security — Specialty (SCS-C02)
Deep AWS security: IAM, data protection, detection, incident response within AWS primitives.
Certified Cloud Security Professional
Cloud security architecture: shared responsibility, identity, data protection, crypto, and cloud-native detection.
Certified Information Systems Security Professional
Breadth across security engineering, architecture, operations, and governance at senior-IC / manager level. The default senior-generalist signal.
CISSP Information Systems Security Architecture Professional
Architecture concentration on top of CISSP — trust boundaries, identity / crypto / network composition, defense-in-depth design.
EC Council Certified Encryption Specialist
Google Cloud Certified — Professional Cloud Security Engineer
GCP-specific security engineering: identity, VPC SC, secrets, logging, compliance.
GIAC Security Essentials
Broad defender fundamentals. Often paired with SANS SEC401.
Information Systems Security Architecture Professional
ISC2 specialization for security architecture. Requires an active CISSP. Focus on GRC, Security Architecture Modeling, Infrastructure Security, and IAM architecture. For senior security architects in enterprise environments.
NIST / vendor PQC migration training (emerging credentials)
Crypto inventory, algorithm selection (ML-KEM/ML-DSA/SLH-DSA), migration planning.
CompTIA Security+
Broad entry-level knowledge across threats, ops, IAM, network, and crypto basics.
(ISC)2 Systems Security Certified Practitioner
The SSCP is ISC2's entry-level certification below the CISSP, aimed at hands-on security practitioners with initial work experience. Since October 2025 the exam has used Computerized Adaptive Testing (CAT), which tailors the question sequence to each candidate and improves exam integrity. The SSCP covers seven technical domains, from access control through cryptography to network security, and positions itself as practical proof of operational security competence. It is less well known than Security+ or GSEC, but benefits from ISC2's strong brand and serves well as an intermediate step toward the CISSP. The effort for annual certification maintenance (AMF + CPEs) is moderate.
Also touched
Certified Information Privacy Technologist
Privacy engineering, privacy-by-design in products and platforms.
Certified Secure Software Lifecycle Professional
Secure SDLC, threat modelling, secure architecture across product teams.