Security & Cryptography

These aren't a layer — they weave through every act.

On this page

The working table of contents.

  1. Threat modeling — before you defend, understand what you're defending, from whom, and what they want. STRIDE as a thinking framework, not a checklist.
  2. The three crypto primitives — symmetric encryption (one shared key, fast: AES), asymmetric encryption (two keys, slow, enables key exchange: RSA, ECC), hashing (one-way fingerprint: SHA-256). Every security protocol is built from these three.
  3. PKI and certificates — how strangers trust each other on the internet. Certificate Authorities, certificate chains, certificate transparency. The trust model and its weaknesses.
  4. Identity — authentication (who are you? passwords, MFA, passkeys), authorization (what can you do? roles, policies, tokens), the protocol stack (OAuth 2.0, OIDC, GNAP and why it exists as the next step).
  5. Zero trust — the old model (castle and moat: trust the network) is dead. The new model: verify every request, regardless of where it comes from.
  6. Web security — the OWASP top 10 as a map of how web apps actually get attacked (injection, broken auth, XSS, CSRF). Not a checklist, a mental model of attack surfaces.

Going deeper

Branches that earn their own article.

  • Symmetric cipher internals (AES rounds, ChaCha20).
  • Asymmetric crypto math (RSA, elliptic curves, Diffie-Hellman).
  • TLS 1.3 handshake byte-by-byte.
  • OAuth 2.0 and OIDC flows in detail.
  • GNAP (RFC 9635) deep dive.
  • Supply-chain security (SBOMs, Sigstore, SLSA).
  • Secrets management (Vault, SOPS).
  • Penetration testing methodology.
  • Security compliance frameworks (SOC 2, ISO 27001).
  • Incident response for security breaches.