Learning Track · 15 modules

Cryptography & PKI

Modern crypto primitives, TLS, PKI architecture, secrets management at scale.

Why this track

This track walks you from fundamentals through advanced techniques across 15 practitioner modules — the same body of knowledge senior security professionals build over years, structured for self-paced progression with India-specific context throughout.

Prerequisite: See module 1 for entry context. Most modules are self-contained but follow the suggested sequence for best results.
Modules: 15
Total time: 10.3 h
Free modules: 15
Quiz retries
Difficulty mix: Beginner 1 · Intermediate 10 · Advanced 4

Module sequence

M1
Modern Cryptography Fundamentals
Symmetric, asymmetric, hashing, MACs, password hashing, RNG, libsodium, post-quantum status, the cardinal rule.
Beginner 60 min
M2
TLS in Practice
TLS 1.2/1.3, cipher suites, handshake, certificate validation, HSTS, CT, common misconfigurations, testing with testssl.sh.
Intermediate 90 min
M3
PKI Architecture
CAs, cert types, ACME, lifecycle, revocation, internal PKI, service mesh PKI, code signing, lifetime trends.
Intermediate 90 min
M4
Quantum-Safe Cryptography Readiness
ML-KEM, ML-DSA, SLH-DSA — what NIST PQC standards mean for 2026 organisations, harvest-now-decrypt-later threat, crypto-agility, hybrid TLS, migration roadmap for Indian banks.
Advanced 85 min
M4
Secrets Management at Scale
Vault, dynamic secrets, rotation strategies, CI/CD secrets, leak detection, multi-environment isolation, audit.
Advanced 120 min
M5
Symmetric Cryptography in Practice
Symmetric crypto is fast, ubiquitous, and routinely misused.
Modes that matter:
- AES-256-GCM — authenticated encryption with associated data; default choice
- ChaCha20-Poly1305 — alternative AEAD; faster on devices without AES-NI
- AES-CBC — legacy; no built-in auth (vulnerable to padding-oracle if MAC absent)
- AES-CTR — fast; needs separate MAC; nonce reuse catastrophic
- AES-ECB — never use; reveals […]
Intermediate 20 min
M6
Asymmetric Cryptography
Asymmetric (public-key) crypto for digital signatures and key exchange.
The choices:
- RSA-2048 — minimum acceptable; phasing out for 4096 in regulated
- RSA-4096 — slow; use only when compatibility requires
- ECDSA P-256 — fast; smaller keys (256-bit ~ RSA-3072 strength)
- Ed25519 — modern; fast; safer-by-default than ECDSA
- X25519 — for ECDH key agreement
When to use […]
Intermediate 20 min
M7
PKI Fundamentals
PKI = the trust infrastructure for asymmetric crypto. Most engineers use it; few understand it.
The components:
- Certificate Authority (CA) — issues certs; private key very protected
- Certificate Signing Request (CSR) — what you submit to a CA
- X.509 certificate — public key + identity, signed by CA
- Certificate chain — your cert → intermediate […]
Intermediate 20 min
M8
TLS Cipher Suite Selection
TLS 1.3 covered in Networking Module 10. This is the operational hardening view.
The 2026 baseline:
- TLS 1.2 + TLS 1.3 only
- Disable TLS 1.0, 1.1 entirely
- Forward-secret ciphers only (ECDHE-*)
- AEAD ciphers (GCM or ChaCha20-Poly1305)
- Strong elliptic curves (X25519, P-256, P-384)
- HSTS enabled
Sample nginx config:
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve […]
Intermediate 15 min
M9
Key Management at Scale
Crypto without good key management is decoration. Every breach has a “where did the keys live” question.
The hierarchy of safety:
- HSM (FIPS 140-3 Level 2-4) — most secure; keys never leave hardware
- Cloud KMS — managed; keys logically scoped; audit trails
- HashiCorp Vault — flexible; software-based; supports HSM backend
- Application-level keystore — least secure […]
Advanced 20 min
M10
Quantum-Safe Cryptography Readiness
Quantum computers will break RSA and elliptic curve crypto. NIST published post-quantum standards in 2024. Migration is a multi-year project.
The NIST winners:
- ML-KEM (Kyber) — key encapsulation; replaces RSA-KEM and ECDH
- ML-DSA (Dilithium) — digital signatures; replaces RSA-PSS, ECDSA
- SLH-DSA (SPHINCS+) — alternative signature; stateless hash-based
- FN-DSA (Falcon) — compact lattice signatures
“Harvest now, […]
Advanced 15 min
M11
Secret Management Platforms
Module 7 (DevSecOps track) covered secret-leak prevention. This is the platform comparison.
Comparison:
Platform | Strengths | Weaknesses
HashiCorp Vault | Open source; flexible; rich auth methods; dynamic secrets | Operational complexity
AWS Secrets Manager | AWS-native; rotation built-in; KMS integration | AWS-only; per-secret cost
Azure Key Vault | Azure-native | Azure-only
GCP Secret Manager | GCP-native; simple | GCP-only; fewer features
Doppler | Modern UX; […]
Intermediate 15 min
M12
Hashing — Passwords & Integrity
“How do we hash passwords?” is the most-asked question. The answer evolved.
2026 password-hashing recommendations:
- Argon2id — first choice; OWASP recommended
- bcrypt — second choice; widely supported
- scrypt — third; less library support
- PBKDF2 — only when FIPS 140 compliance forced
- NEVER — MD5, SHA-1, SHA-256/512 alone, plain hashing without salt
Argon2id parameters (OWASP 2026) […]
Intermediate 15 min
M13
TLS/PKI Incidents — What Happens When Crypto Breaks
Crypto breaks rarely; when it does, it’s catastrophic.
Notable incidents:
- DigiNotar 2011 — CA compromised; rogue certs for Google. Browser distrust = company death.
- Heartbleed 2014 — OpenSSL bug exposed memory to attacker. Remediation involved rotating every cert.
- POODLE 2014 — SSL 3.0 padding-oracle. End of SSL 3.0.
- Logjam 2015 — DH key-exchange weakness. End […]
Intermediate 15 min
M14
Crypto Compliance Mapping
Auditors ask “is your encryption FIPS 140-2/3 compliant?” Industry answers vary by sector.
FIPS 140 levels:
- Level 1 — software-only crypto module; algorithms tested
- Level 2 — physical tamper-evidence (HSM with seal)
- Level 3 — physical tamper-resistance (HSM strong enclosure)
- Level 4 — full environmental protection (HSM with auto-zeroize)
Indian sectoral requirements:
Sector | Requirement
RBI […]
Intermediate 15 min

Common questions about this track

How long will this track take me?

Most learners finish in 4-8 weeks at a sustainable 4-5 hours per week. Modules are self-paced so you can move faster or slower as life allows.

Do I need prior experience?

Module 1 sets the entry baseline. The first module is always free; if it feels approachable, the track is for you.

Will this prepare me for industry certifications?

Most modules align with the body of knowledge tested by senior security certifications. The Academy is not a cert-prep course but produces working knowledge that transfers to any cert exam in the same domain.

Ready to start?

Begin with Module 1. Work through at your own pace. Free modules require no signup — everything else unlocks with a free RingSafe Academy account.
