Authenticated encryption: why encryption alone is never enough

Encrypting a message makes it unreadable, not tamper-proof. This applied cryptography course builds intuition for authenticated encryption: confidentiality versus integrity, AEAD and its tag, the pitfalls of nonces, associated data and domain separation, versioned formats, and the art of designing a failure that leaks nothing. Four chapters, two interactive components, real-world attacks at every step. No programming language required.

1. 01
   Encryption is not enough

   Confidentiality versus integrity: why an adversary who cannot read can still break everything, and how authenticated encryption responds.
   20 min
2. 02
   The nonce: the detail that breaks everything

   Vital uniqueness, random versus counter, birthday bound and constant time: why the least secret number in the system is also the most dangerous.
   22 min
3. 03
   Binding ciphertext to its context

   Associated data, domain separation, authenticated headers and versioned formats: why a perfectly valid ciphertext can still be a vulnerability if replayed outside its context.
   19 min
4. 04
   Designing for failure

   Authenticate before parsing, opaque errors, trust boundaries: how the way a system fails determines its security.
   19 min