Cryptography does not fail overnight.
It ages—quietly—until one day an algorithm that “worked fine for years” becomes the weakest link in your system.
The gap between what we believe is secure and what is actually secure continues to widen. To help bridge that gap, I built a cryptographic mind map that serves as a map—but a map is only useful if you understand the terrain it represents.
This post is not a textbook. It is a guide through the important areas, the safe paths, and the major transitions shaping modern cryptography.
The mind map organizes cryptography into familiar categories: the CIA triad, data states, protocols, algorithms. Most engineers already know these labels.
What matters today is not what these categories are, but which parts of them are collapsing—and which are being reinforced.
That is why some items in the map are marked with a red ❌. Those symbols are not stylistic choices; they are warning signs.
The Graveyard: Why Cryptography Gets Deprecated
Let’s start with the obvious question:
Why are MD5, SHA-1, WEP, SSL, and 3DES considered “broken”?
The answer is not fashion. It is physics and economics.
Hashes: When Collisions Stop Being Rare
MD5 and SHA-1 fail because of collision attacks. Attackers can now deliberately craft two different inputs that produce the same hash. Once collisions are cheap, integrity guarantees disappear.
This means:
- Digital signatures can be forged
- Software updates can be tampered with
- Certificates can be abused
What once required nation-state resources is now feasible with consumer-grade hardware.
Protocols: When Backward Compatibility Becomes an Attack Surface
SSL and early TLS versions failed not because encryption vanished, but because protocol complexity created exploitable edges.
Attacks like POODLE and BEAST showed that supporting weak legacy modes allowed attackers to downgrade connections into insecurity.
The lesson is simple:
Supporting old cryptography does not make systems more compatible—it makes them more vulnerable.
A Common and Dangerous Pitfall: Hashing Passwords Incorrectly
One of the most important distinctions in the mind map is subtle but critical:
SHA-256 is good for integrity—but terrible for passwords.
Why?
Because SHA-256 is fast.
Speed is an advantage when verifying file integrity. It is a disaster when storing passwords. Attackers can test billions of SHA-256 guesses per second using GPUs.
Modern password security flips the goal:
- Slow
- Memory-hard
- Expensive to parallelize
That is why modern systems use:
- Argon2 (current best practice)
- bcrypt
- PBKDF2
If your password storage still relies on general-purpose hashes, the problem is not theoretical—it is operational.
The Future Is Already Here: Post-Quantum Cryptography
For decades, RSA and ECC have formed the backbone of secure communications. Their weakness is not classical computing—it is quantum computing.
Shor’s algorithm fundamentally breaks:
- RSA
- Diffie-Hellman
- Elliptic Curve Cryptography
This is not speculation anymore. It is why NIST finalized new standards in late 2024:
- ML-KEM (FIPS 203) — formerly CRYSTALS-Kyber
- ML-DSA (FIPS 204) — formerly CRYSTALS-Dilithium
These algorithms are designed to resist both classical and quantum attacks.
The key insight:
Cryptographic migration must happen before quantum computers arrive, not after.
Data encrypted today may need to remain confidential for decades.
The Evolution of Transport and Wireless Security
Modern cryptography is not just about algorithms—it is about removing unsafe choices.
TLS 1.3
TLS 1.3 does something radical: it refuses to negotiate weak ciphers. It also:
- Enforces Perfect Forward Secrecy
- Reduces handshake complexity
- Improves performance
Security improves because options disappear.
WPA3
Similarly, WPA3 replaces password-based Wi-Fi weaknesses with SAE, eliminating offline dictionary attacks that plagued WPA2.
The pattern is consistent:
Modern security improves by narrowing the attack surface, not expanding configuration knobs.
Conclusion: Security Is a Lifecycle, Not a Checklist
Cryptography is not about memorizing algorithms.
It is about understanding why things fail, when transitions are necessary, and how long data must remain protected.
The mind map is the map.
The real work is navigating the territory—knowing which paths are safe today, which are collapsing, and which are being built for the future.
In cryptography, standing still is not neutral.
It is falling behind.
Cryptographic Principles
1. Overview
Definition: Cryptography is the foundation of modern security controls and trust mechanisms.
Importance: Essential for confidentiality, integrity, authentication, and non-repudiation.
Challenges: Overall security is constrained by the weakest cryptographic component.
Role: Security architects must understand cryptographic primitives, protocols, and lifecycle risks.
2. Core Security Objectives (CIA+)
Confidentiality
-
Protects data secrecy (e.g., personal data, credentials, financial information).
-
Methods:
-
Symmetric encryption (shared secret keys)
-
Asymmetric encryption (public/private key pairs)
-
Integrity
-
Ensures data has not been altered (accidental or malicious).
-
Modern Tools:
- SHA-256, SHA-384, SHA-3, BLAKE2
-
Broken / Legacy:
-
MD5 ❌
-
SHA-1 ❌
-
Authentication
-
Verifies identity (users, devices, services, message origin).
-
Tools:
-
Passwords, PINs
-
Hardware/software tokens
-
Digital signatures
-
PKI certificates
-
Non-Repudiation
-
Prevents denial of message origin or receipt.
-
Tools:
-
Digital signatures
-
PKI-based certificate authorities
-
3. Uses of Cryptography
Data Protection Levels
-
High Sensitivity: Financial data, PII, credentials → encryption mandatory
-
Low Sensitivity: Public or non-sensitive data → optional encryption
Data States
-
Data in Transit: TLS, IPSec, VPNs
-
Data at Rest: Disk, file, database encryption
-
Data in Use: Application-layer security, TEEs
Additional Uses
-
Business Continuity: Encrypted backups, disaster recovery
-
Physical Security: Split knowledge, M-of-N control
-
Standards:
-
NIST FIPS 140-3
-
ISO/IEC 18033
-
ISO/IEC 11770
-
4. Message and Email Encryption
Purpose: Secure electronic communication.
Standards:
-
S/MIME
-
PGP / OpenPGP
-
PEM (legacy)
5. Secure IP and Transport Communication
Protocols
-
IPSec
-
AH: Integrity, origin authentication
-
ESP: Confidentiality + integrity
-
Modes: Transport, Tunnel
-
-
TLS (formerly SSL)
-
TLS 1.2
-
TLS 1.3
-
SSL: Deprecated ❌
-
Applications
- HTTPS, secure APIs, secure email transport
6. Remote Access Security
Technologies
-
VPNs: IPSec-based or TLS-based
-
PPP:
-
PAP (weak)
-
CHAP
-
-
SSH:
-
Encrypted remote access
-
SFTP, SCP
-
Password or key-based authentication
-
Goals
-
Confidentiality
-
Integrity
-
MITM resistance
7. Secure Wireless Communication
Wi-Fi (IEEE 802.11)
-
WEP: Broken ❌
-
WPA / WPA2: Transitional
-
WPA3:
-
SAE authentication
-
Current security standard
-
Bluetooth
-
Bluetooth 5.x
-
ECDH key exchange
-
AES encryption
-
Optional integrity protection
8. Other Secure Communication Systems
Secure Voice / VoIP
-
SRTP (Secure Real-time Transport Protocol)
-
ZRTP (Key agreement for VoIP)
SANs: Fibre Channel Security Protocol (FC-SP)
RFID / Satellite Links: Constrained and short-burst encryption
9. Identification and Authentication Systems
IFF: Military encrypted transponders
RFID: Asset tracking with encryption
User Authentication:
-
Passwords, PINs
-
Kerberos
-
EAP
Password Hashing (Credential Storage):
-
Argon2 (recommended, memory-hard)
-
bcrypt
-
PBKDF2
-
Note: General-purpose hashes (e.g., SHA-256) are unsafe for password storage ❌
Hardware Tokens:
-
Smart cards
-
USB crypto tokens
-
Crypto Ignition Keys (CIK)
10. Storage Encryption
Types:
-
File-level
-
File-system-level
-
Full-disk encryption
Goals:
-
Confidentiality
-
Integrity (CAS)
Standards:
-
IEEE P1619
-
IEEE P1619.1
-
KMIP
Key Management:
- Critical for removable media
11. Electronic Commerce (E-Commerce)
Models: B2B, B2C, C2C
Security Requirements:
-
Auditing: Hash chains, digital signatures
-
Authorization: Certificates, access control
-
Privacy: Encrypted storage
Standards:
-
EDI (AS2)
-
WS-Security
12. Software Code Signing
Purpose: Ensure authenticity and integrity of software
Modern Requirement:
- SHA-256 or stronger
Legacy:
-
MD5 ❌
-
SHA-1 ❌
Standard:
- Microsoft Authenticode
13. Cryptographic Interoperability
Objective: Industry and government compliance
Current Standard:
- CNSA Suite (1.0 / 2.0)
Legacy:
- NSA Suite B ❌
14. Cryptographic Methods
Symmetric Cryptography
-
Modern:
-
AES
-
ChaCha20
-
-
AEAD Modes:
-
GCM
-
CCM
-
-
Deprecated:
-
DES ❌
-
3DES ❌
-
RC4 ❌
-
Blowfish (legacy)
-
Asymmetric Cryptography
-
RSA (≥2048-bit)
-
Diffie-Hellman
-
ECC (ECDH, ECDSA)
-
ElGamal
Hash Functions
-
Modern (Integrity):
-
SHA-256
-
SHA-3
-
BLAKE2
-
-
Password Hashing (Specialized):
-
Argon2
-
bcrypt
-
PBKDF2
-
-
Broken:
-
MD5 ❌
-
SHA-1 ❌
-
Message Authentication Codes (MAC)
-
HMAC
-
CMAC
-
CBC-MAC (restricted)
Digital Signatures
-
DSA
-
ECDSA
-
ISO/IEC 14888
-
ANSI X9.62
15. Modern & Emerging Cryptography
Post-Quantum Cryptography (PQC)
-
ML-KEM (Module-Lattice-Based KEM)
-
Formerly CRYSTALS-Kyber
-
Standard: FIPS 203
-
-
ML-DSA (Module-Lattice-Based Digital Signature Algorithm)
-
Formerly CRYSTALS-Dilithium
-
Standard: FIPS 204
-
Perfect Forward Secrecy (PFS)
-
Achieved via ephemeral key exchange
-
DHE / ECDHE
Zero-Knowledge Proofs (ZKP)
-
Privacy-preserving authentication
-
Blockchain and identity systems
Homomorphic Encryption
-
Computation on encrypted data
-
Secure cloud analytics and privacy-preserving computation