Cryptography

Scan a QR code once, and your phone can generate login codes forever—no internet required. The codes change every 30 seconds, yet somehow both your phone and the server always agree on the correct value. There’s no cloud synchronization, no API calls, no real-time communication of any kind. The math just works. This isn’t magic. It’s the TOTP (Time-based One-Time Password) algorithm, defined in RFC 6238, and understanding how it works reveals one of the most elegant applications of cryptographic hash functions in everyday use. ...

A poker site once lost millions because its shuffling algorithm could be predicted. The root cause? A random number generator that wasn’t random at all. The engineers had used a predictable seed, and attackers reverse-engineered the entire deck sequence from just a few observed hands. This wasn’t an isolated incident. From lottery rigging scandals to cryptocurrency wallet thefts, the history of computing is littered with disasters caused by insufficient randomness. Yet here’s the paradox: computers are deterministic machines. They execute the same instruction, they get the same result. So where does randomness actually come from? ...

Imagine you know the answer to a puzzle, but proving it would give away the solution. Perhaps you’ve discovered a vulnerability in a system, or you possess credentials that should remain private. Traditional verification demands revelation: show your work, reveal your password, expose your evidence. But what if mathematics offered another path? In 1985, MIT researchers Shafi Goldwasser, Silvio Micali, and Charles Rackoff published a paper that would fundamentally challenge our assumptions about proof and verification. Their work introduced the concept of zero-knowledge proofs - a method for one party to convince another that a statement is true while revealing absolutely nothing beyond that truth. The paper, titled “The Knowledge Complexity of Interactive Proof Systems,” didn’t just propose a new cryptographic primitive; it opened an entirely new field of research that would eventually enable private blockchain transactions, secure identity verification, and scalable distributed systems. ...

Every day, millions of developers type ssh user@server without a second thought. The connection establishes, the shell appears, and work begins. But beneath that familiar prompt lies one of the most elegant cryptographic protocols ever designed—a multi-layered system that somehow manages to be both simple enough for daily use and sophisticated enough to withstand decades of scrutiny. The irony is striking: most people assume SSH “just uses public key cryptography.” After all, that’s what the ~/.ssh/id_rsa file is for, right? The reality is far more nuanced. SSH uses public keys for exactly one purpose—authentication—and a completely different mechanism for everything else. Understanding this distinction reveals why SSH has remained the gold standard for remote access since 1995. ...

On June 5, 2012, a Russian hacker named Yevgeniy Nikulin accessed LinkedIn’s database and exfiltrated 6.5 million password hashes. What happened next became a textbook case of what not to do with passwords. LinkedIn had stored those passwords using SHA-1—without any salt. Within hours, security researchers were cracking thousands of passwords per minute. By the time LinkedIn disclosed the breach, over 60% of the stolen hashes had already been reversed. ...

The padlock icon in your browser’s address bar suggests something simple: this connection is secure. But in the roughly 100 milliseconds between clicking a link and seeing the page, your browser and the server performed one of the most sophisticated cryptographic dances in computing history. They established a shared secret over a public network, verified each other’s identities, and set up encrypted communication—all while an attacker watching every packet could learn nothing useful. ...