Cryptography for Developers — Tutorials & Code Samples

Cryptography is a foundational skill for modern developers because nearly every application today needs strong security: web APIs, mobile apps, payment platforms, messaging systems, IoT devices, cloud services, and distributed systems. To apply cryptography correctly, developers must understand how data is protected, which algorithms are safe, and how to avoid common mistakes that lead to vulnerabilities. This guide provides a detailed, tutorial-style explanation of essential cryptographic concepts and includes safe, modern code samples. Everything is written without numbered lists and focuses on clarity, correctness, and real-world use. Cryptography revolves around four main goals: protecting confidentiality, ensuring integrity, verifying authenticity, and providing non-repudiation. To achieve these, developers use hashing, key derivation functions, symmetric and asymmetric encryption, digital signatures, and key exchange mechanisms. Each technique solves a different problem and must be implemented with modern best practices. Hashing is one of the simplest yet most important tools. A hash function takes any input and produces a fixed-length output. Hashes are deterministic but non-reversible, making them useful for integrity checks or password storage. Developers should never store passwords as plaintext or use general-purpose fast hashes such as MD5, SHA1, or simple SHA256. Instead, use slow, salted password hashing algorithms like Argon2id, bcrypt, scrypt, or PBKDF2. These are computationally expensive by design, protecting passwords even if the database is compromised. Where hashing protects data without needing decryption, symmetric encryption is used for concealing information that must later be recovered. Symmetric encryption relies on a single shared secret key. The most recommended algorithm today is AES in GCM mode. AES-GCM provides confidentiality and integrity via authenticated encryption. Developers must avoid outdated modes like ECB, which exposes patterns in the data. AES-GCM also requires a unique nonce for every encryption. For situations where two parties need to exchange information securely without sharing a secret in advance, asymmetric cryptography becomes essential. Asymmetric encryption uses a public key for encryption and a private key for decryption. RSA is still common, though elliptic curve cryptography (ECC) is more efficient and considered more future-proof. Asymmetric encryption is typically used for establishing secure connections, encrypting small payloads such as session keys, or verifying digital identity. Digital signatures solve a different problem. Instead of encrypting data, they allow someone with a private key to sign a message so anyone with the public key can verify authenticity. Signatures are used in software update validation, JWT signing, blockchain transactions, financial systems, and secure API authentication. A common signature algorithm today is ECDSA on curves like SECP256R1 or Ed25519, which are efficient and secure. Secure applications also need ways to derive cryptographic keys from passwords or other secrets. Keys cannot simply be raw passwords because passwords lack entropy. Key derivation functions (KDFs) like PBKDF2, scrypt, Argon2, and HKDF turn low-entropy input into strong keys. PBKDF2 is widely supported and still acceptable when configured with high iteration counts. Argon2 is the most modern KDF and includes memory-hard features that resist GPU cracking. When two parties need to generate a shared secret over an insecure channel, they rely on key exchange algorithms like ECDH. ECDH allows both sides to independently compute the same secret without transmitting it. This secret is then used to derive symmetric encryption keys. Beyond basic cryptographic primitives, developers must understand how tokens and authentication systems use cryptography. JSON Web Tokens (JWTs), OAuth systems, and API authentication all rely on cryptographic signing. JWTs must always be signed using algorithms like HS256 with a strong secret or RS256 with a private key. Tokens should have short expiration times and must be verified on every request. A crucial part of cryptography is proper key management. Secrets must never be hardcoded in source code or stored in plaintext configuration files. Developers should use environment variables, encrypted vault systems like HashiCorp Vault, or cloud-based secret managers such as AWS Secrets Manager, GCP Secret Manager, or Azure Key Vault. Version control systems like Git must never contain keys, certificates, or passwords. Finally, developers should be aware of common cryptographic mistakes. Writing custom cryptography is extremely dangerous. Using outdated ciphers such as DES, RC4, or AES-ECB mode exposes data. Poor randomness, such as using JavaScript’s Math.random(), weakens security. Reusing nonces in AES-GCM can completely break confidentiality. Skipping certificate validation opens applications to man-in-the-middle attacks. Understanding how to avoid these mistakes is as important as knowing how to implement secure algorithms. Cryptography is a powerful tool, but only when used correctly. With the right primitives, secure libraries, and safe patterns, developers can build systems that protect data, authenticate users, and maintain trust across networks and devices. The practice of cryptography is not about inventing new algorithms but about applying proven techniques correctly, consistently, and securely using well-reviewed libraries.