Let me come straight to the point before I tell the story behind it.
People in the open source community know me by -- vkweb.
I have created a free and open-source course to teach cryptography concepts to developers. It's purpose-designed for the needs of a developer and contains only what we developers need to understand. Basically, anybody who opens a terminal during the day (or night) should benefit from it.
It's live as: Curious Cryptography.
Let's now get to the story behind it. At the end we have the course's contents.
It started during my initial days as a beginner developer learning to code with Harvard's online course CS50x. I found various cryptography terms while I used to read documentation around the web.
Terms like -- salt, password hashing, PBKDF-2, key pairs. Like most of the developers, I too did not pay much attention to them, just skimmed through them a little on Google and moved on to fixing the next most important bug or the next feature to write.
Some time went by. I was progressing with CS50x. I saw a tweet or maybe it was a blog post, I can't recall accurately, but it was surely from Quincy Larson, the founder of freeCodeCamp.org. He informed the open source community that they have decided to revamp their full-stack curriculum.
Quincy encouraged the open source community to help build the new curriculum. I thought, let's see if there's anything I can help with. I browsed through the issues of their CurriculumExpansion GitHub repository, and found an issue I wanted to dive into.
The issue was about teaching cryptography concepts to freeCodeCamp learners. I decided to take it on. So, I first studied in depth how the RSA public-key algorithm works internally. Khan Academy's videos and articles were my best friend during those times.
I, with inputs from Kristofer Koishigawa, created a pull request with course contents. In this course, freeCodeCamp learners would build a digital signature system by coding their own public key RSA algorithm. As they built, they would learn about encryption, hashing, public keys, private keys.
A small disclaimer: do not ever write your own cryptographic algorithm for production. That RSA implementation was just for teaching purposes. Now, let's move on.
We are here today. Now, after these 4-5 years, that course never went live. I don't know the reason. And when I look back I realize, that course was not the right way to teach.
Recently, I got some free time to work on my own projects. I decided to build a fresh new course for developers on cryptography.
This time I wanted to do it right. The freeCodeCamp's course that we made was not very useful for developers.
We developers don't need to and should not deal with the internal maths that go inside the algorithm. That's for cryptography experts, that's a whole different subject. We developers should care about the concepts in enough depth that we know what we are doing and why we are doing it.
So that we developers don't do like the below xkcd comic guy (the stick character's name is cueball).
I started working on this new course. I collected concepts that were important for developers. I wanted to cover only those concepts that developers might encounter in their daily developer life.
Also, I wanted the course to be interactive, fun and with some depth. So, I built my own course website with a coding challenge and interesting diagrams.
Let me give you an overview of the concepts that will be covered in the course. This way you can see if you should spend time on the course or pass it. The course should take around 1.5 hours to complete. It is divided into 6 parts.
1. Symmetric key encryption
Our course starts with how cryptography started off as a need for ancient emperors to be able to talk to their army commanders without their enemy being able to understand the messages. We discuss one of the most fundamental cryptography principles -- Kerckhoffs's principle. We make you realize why having very high variations in a key is core to the security of encryption.
2. Code challenge: Caesar's cipher
This is a coding challenge where you will complete the decrypt function so that ciphertext gets converted to plaintext in the expected way. You will understand the most famous encryption technique in code -- Caesar's cipher!
3. Cryptographic hash functions
We talk about hash functions in use with hash tables and then we introduce cryptographic hash functions. We will understand why cryptographic hash functions must not have hash collisions. We see two examples where hash collisions could be dangerous -- in Ubuntu package integrity checks and in Git commits.
4. Password hashing
It only gets more interesting. We give you a problem. Imagine you have a precious database of thousands of users: how will you store the passwords so that even if the attacker breaches the DB, your users' passwords are not revealed? And also, why is encrypting the passwords not the right way?
5. Rainbow table and the salt
We see why simply hashing the passwords is never enough. Attackers started using a powerful data structure called a rainbow table to crack passwords in a matter of seconds. Then we see how the salt comes into the picture to protect us from this attack!
6. PBKDF-2: slowing down
The final attack we face is -- GPU-based attacks. GPUs are packed with thousands of cores. They can run billions of parallel tasks. They are a super power for password crackers.
We will learn about PBKDF-2 (Password based key derivation function) and how it helps to defend against the GPU-based attacks. We also see how Django uses PBKDF-2 internally to protect passwords.
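To make parts 4 to 6 concrete, here is a small added example (not taken from the course or from Django's code) of salted PBKDF2 password storage next to the unsalted baseline. The function names, the sample password and the iteration count are assumptions for illustration; the stored string is laid out as `algorithm$iterations$salt$hash`, the same layout Django's PBKDF2 hasher uses.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor for this example; tune it to your hardware


def hash_password(password: str, salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt$hash', ready to store in the users table."""
    if salt is None:
        salt = secrets.token_hex(16)  # fresh random salt for every user
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    try:
        algorithm, iterations, salt, _ = stored.split("$", 3)
        if algorithm != ALGORITHM:
            return False
        candidate = hash_password(password, salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: reject instead of crashing the login path
    return hmac.compare_digest(candidate.encode(), stored.encode())


def unsalted_sha256(password: str) -> str:
    """Weak baseline: equal passwords always give equal, precomputable hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice, bob = hash_password("hunter2"), hash_password("hunter2")
    print("unsalted hashes equal:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    print("salted records differ:", alice != bob)
    print("correct password:", verify_password("hunter2", alice))
    print("wrong password:", verify_password("hunter3", alice))
```

Because the salt and the iteration count are stored with each record, the work factor can be raised later without invalidating existing hashes.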
Congratulations buddy. This completes the first half of the course!
The second half of the course is expected to be around -- Diffie-Hellman key exchange, RSA public-key encryption and TLS.
Before I make the second half, I decided to release the first half so that I can get developers' feedback and see if the first half is providing any value.
If lots of developers get some real value out of this, then I will work hard on the second-half. It all will forever remain free, that's a promise.
I will post updates on my Twitter. Follow me there, I tweet rarely but I try to be useful.
Please let me know in the comments below or on my Twitter DM if you feel this course is valuable, it'll act as a source of motivation to work further on the course!
I will be waiting for your comments and feedback!
Thank you for reading this, you champion! <3
-- vkweb
Top comments (17)
Congratulations for this great contribution towards not just the coder community but also for the non-coders. I went through your course and found it detailed yet easy to understand. I truly appreciate your work and I am sure that all this coming from one of the top contributors of freecodecamp community will surely be meaningful.
All the best
Thanks for the appreciating words! Means a ton!
I never understood why, I need to know this. I use it every day, but still, I never had the chance to get into something that required me to know how password hashing works, for example. Looking forward to part 2, especially for the TLS part.
Thank you!
Do you understand now why and how password hashing works? :D Was cryptography-for-devs.github.io/ helpful?
For updates regarding the second part, please follow me on Twitter, I will post updates there when / if I do: twitter.com/vkwebdev
Well done! And thanks!
Thanks Doug. I am really glad you liked it!
Do you feel the course was valuable to you?
Yes, I think your focus on the externals, interfaces, configuration, etc is insightful and makes sense. While I find it interesting to understand as much as I can about how these algorithms work internally, choosing the right one for the job and using it correctly is much more important.
Yup. The best thing to do is to use a library or function that your framework recommends. For example, Django has some recommendations around storing passwords, so if we follow that, we will be fine :D
Nice blog
Thanks buddy!
Great initiative! Looking forward to the second half!
Thanks Priya!
Did you find value in the first half?
Also, please share this with your classmates or co-workers to widen its reach :D
I will be waiting for your comments down here, let me know your perspectives! Looking forward!
Congratulations, this is really interesting!
Please share with your friends / co-workers!