BiTree

Live coding lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Search For Lessons
  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Become a Tutor
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 BiTree. All rights reserved.
40 min · Intermediate

Practical Cryptography for Developers

After this lesson, you will be able to: Choose the right cryptographic primitive for a task, pick a safe library (libsodium, Web Crypto, Python cryptography), and know what to never implement yourself.

The payoff lesson: turning cryptographic knowledge into safe engineering decisions. This lesson maps common tasks to the right primitive, recommends vetted libraries, and gives the hard rules about what developers must never build themselves.

Prerequisites: TLS in Depth

Which primitive for which task

  • Encrypt data at rest or in transit: authenticated symmetric encryption (AES-256-GCM or ChaCha20-Poly1305), with a fresh nonce for every message under a given key. Unauthenticated modes (CBC or CTR on their own) let an attacker alter ciphertext without detection.
  • Store passwords: a slow, salted password hash (Argon2id, bcrypt, scrypt), never a plain hash.
  • Verify a download or detect tampering: a hash (SHA-256) only works when the expected digest reaches the verifier over a channel the attacker cannot alter; a digest published next to the file is replaced along with it. With a shared secret, use HMAC; without one, use a signature.
  • Prove authorship: a digital signature (Ed25519, ECDSA, RSA).
  • Agree on a shared key over an insecure channel: ECDH, ephemeral for forward secrecy, and authenticated (by signatures or certificates), because an unauthenticated exchange is trivially man-in-the-middled.
  • Generate tokens or keys: a cryptographically secure random generator, never Math.random.

Use vetted libraries

libsodium (the portable, widely packaged descendant of NaCl) is the gold standard: it exposes a small set of hard-to-misuse, high-level functions with safe defaults, available in most languages. The Web Crypto API (crypto.subtle) is built into browsers and recent Node versions for the standard primitives; Node also ships its own node:crypto module. Python's cryptography library provides both safe high-level recipes (Fernet) and lower-level primitives, deliberately kept under a namespace called hazmat. Whatever you pick, prefer high-level, misuse-resistant APIs over assembling primitives by hand.

Generating secure randomness

Tokens, keys, and IVs must come from a cryptographically secure source, never Math.random.

javascript
// WRONG: Math.random is not cryptographically secure
const badToken = Math.random().toString(36); // predictable, do not use

// RIGHT (browser and Node 19+, Web Crypto): fill a typed array from the CSPRNG
const bytes = crypto.getRandomValues(new Uint8Array(32));
// Hex-encode without Buffer, which browsers do not have
const token = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

// RIGHT (Node): the built-in CSPRNG, 32 bytes = 256 bits of entropy
import { randomBytes } from "node:crypto";
const secret = randomBytes(32).toString("hex");

💡 What to never implement yourself

Never write your own cipher, mode, hash, random number generator, or protocol. Never invent a 'simple' encryption scheme. Never roll your own password hashing. Never store a key in source code. The history of cryptography is a graveyard of homegrown schemes broken by experts in minutes. Your job is to choose and correctly use vetted primitives, not to build them.

Quick Check

You need to generate a session token. Which is correct?

Pick one.

Common mistakes only experienced engineers catch

Using Math.random for anything security-relevant. Assembling low-level primitives instead of using a high-level safe API. Inventing a custom scheme. Storing keys in code or config committed to Git. Using a fast hash for passwords. Reusing nonces. Not rotating keys. Copying crypto code from a random blog without understanding it. When unsure, reach for libsodium's high-level functions.
