Focus on the concepts and design principles, not the cryptographic details. You should understand why these mechanisms exist in distributed systems and what goes wrong when they are misapplied, not whether you can recall algorithm parameters, protocol steps, or product names.
What you don’t need to study
-
Algorithm internals, key sizes, or mode variants. You do need to know which category each named algorithm belongs to: AES and ChaCha20 are symmetric ciphers; RSA, ECDH, and ECDSA are public-key algorithms; SHA-256 is a hash function and HMAC is a MAC construction.
-
OAuth authorization code flow in detail: redirects, authorization codes, or back-channel requests. Know that OAuth delegates access and produces an access token; you do not need to know how the protocol achieves it.
-
The OIDC protocol steps. Know that OIDC adds user identity on top of OAuth and produces an ID token.
-
The JWT format: the three-part structure, base64url encoding, or standard claim names (sub, iss, exp, iat, aud). Know that JWTs are a compact, signed token format used to carry claims (such as user identiy information or service authorizations).
-
Anything about how SPIRE operates or how any SPIFFE implementation works internally. Know what SPIFFE is and what problem it solves.
-
The SPIFFE URI format.
-
Service mesh proxy internals or configuration, or the differences between Istio and Linkerd.
-
What north-south vs. east-west traffic refers to.
-
Specific products: which company makes which secret manager, which identity provider is most widely deployed, or how TLS versions differ at the protocol level.
-
Mechanisms used to revoke certificates.
-
The evolution of the OAuth protocol to its current version.
Security goals
Know these five goals and be able to explain what each one means.
Confidentiality means keeping data secret from parties who are not authorized to see it. Encryption is the primary mechanism.
Integrity means detecting unauthorized modification. A message has integrity if the receiver can confirm it has not been altered in transit.
Authentication means establishing who is on the other end of a connection or who created a message. A service needs to know whether it is really talking to the orders service or to an attacker pretending to be it.
Authorization means deciding what an authenticated party is allowed to do. A principal is any entity that can be identified and granted access: a user, a service, a device, or a background process.
Non-repudiation means being able to prove that a specific party created or approved some data. Digital signatures and audit logs are the typical mechanisms.
These are distinct properties. Encrypting a message does not prevent it from being modified in transit if there is no integrity check. A message can arrive unmodified but fully visible to an attacker. Authentication can succeed while authorization fails. Getting one right does not mean you have the others.
Why distributed systems change the security problem
In a monolithic application, many trust decisions are implicit. The OS enforces boundaries. There is one identity model and one administrator. Distributed systems remove those guarantees.
Several properties define where the problem gets harder:
-
There is no single trust boundary. Data may cross services, clouds, and organizations.
-
Identity is not just about users. Services, containers, batch jobs, and background processes all need identities.
-
Authorization is not a one-time check at the edge. Every service in a call chain needs to make its own decision.
-
Secrets are distributed across many machines, creating problems of provisioning, rotation, revocation, and blast radius (how far the damage spreads when a credential leaks).
-
Partial compromise is the realistic threat. One leaked credential can enable lateral movement through the rest of the system.
The cryptographic building blocks
Understand the conceptual role of each mechanism, not the math.
Symmetric encryption uses the same key on both sides. It is fast and suited for bulk data, but it requires both parties to already share a key. It cannot establish a secure channel between strangers on its own.
Asymmetric cryptography uses a key pair. The public key can be shared openly. The private key stays secret. It makes key establishment practical without pre-shared secrets: two parties who have never shared a secret can establish a shared key. It also enables digital signatures.
Hashes, MACs, and digital signatures serve different purposes. A hash function maps data of any length to a fixed-size digest. The same input always produces the same digest, and it is computationally infeasible to reverse the process or find two inputs with the same digest. A plain hash provides no protection against an active attacker because anyone can modify a message and recompute the hash. It is useful for detecting accidental corruption, but it proves nothing about who sent the message.
MACs and digital signatures both extend the hash concept to provide authentication as well as integrity.
A MAC (message authentication code) computes a hash of the message combined with a shared secret key. A receiver with the same key can verify the hash, confirming both that the message was not modified and that it came from someone who knows the key.
A digital signature also operates on a hash of the message, but instead of a shared secret, the sender computes the signature using their private key. Any party with the corresponding public key can verify the signature, confirming the message’s origin and integrity without a pre-shared secret. Signatures also support non-repudiation.
The following table summarizes the key differences:
| Mechanism | Protects against active attacker | Provides origin authentication | Requires pre-shared secret |
|---|---|---|---|
| Hash | No | No | No |
| MAC | Yes | Yes, to parties with the shared secret | Yes |
| Digital signature | Yes | Yes, verifiable via public key | No |
Replay attacks are easy to miss. Integrity checks tell you a message was not modified. They tell you nothing about whether it is a copy of an older message. A valid signed request captured and retransmitted later will still pass an integrity check. Distributed protocols add freshness mechanisms: nonces, timestamps, sequence numbers, or expiration times.
Transport Layer Security (TLS) combines asymmetric key exchange, symmetric bulk encryption, and integrity checks into a secure channel. It provides confidentiality, integrity, and server authentication. With mutual configuration, it also authenticates the client. Know what TLS provides, not the handshake state machine.
Certificates bind a public key to an identity. A certificate authority (CA) signs the binding. Trust is organized as a chain from a root CA through intermediate CAs to the certificates issued to specific services, workloads, or users. In distributed systems, the identity in a certificate may be a service name or workload identifier rather than a domain name. Certificate lifecycle (expiration, rotation, revocation) is a security design constraint, not just an operational concern.
Mutual TLS (mTLS)
Mutual TLS (mTLS) authenticates both sides of a connection. Standard TLS authenticates only the server. With mTLS, each side presents a certificate and verifies the other’s. The result is a cryptographically verified identity for both caller and receiver, not just an IP address.
In microservice systems, mTLS turns “inside the cluster” from a passive trust assumption into a verifiable property of each connection. Once both sides have cryptographically verified identities, authorization decisions can be based on who is calling rather than where the call came from.
Authentication and authorization
Know this distinction cold. Authentication asks who you are. Authorization asks what you are allowed to do.
A system can authenticate correctly but authorize incorrectly. The most common failure pattern is broken object-level authorization (BOLA): a service checks the token but does not verify that the caller is allowed to access the specific resource. An attacker with any valid token can read any object by changing an ID in the request.
In distributed systems, authorization must happen at multiple layers independently. The API gateway can check whether a client is allowed to call the API at all. A backend service must check whether the caller is allowed to invoke this specific operation. A data service must check whether this caller can access this specific record. None of these can be fully delegated to the layer above.
OAuth, OIDC, and JWTs
These three are not interchangeable.
OAuth is an authorization framework. It produces an access token that a service validates to determine what access to grant. It answers “what access is being delegated?” not “who is this user?”
OpenID Connect (OIDC) is an identity layer on top of OAuth. It produces an ID token that describes who the authenticated user is. It answers the authentication question that OAuth does not.
A JWT (JSON Web Token) is a compact token format, not a protocol. A JWT carries claims: key-value assertions about the subject, such as user identity, expiration time, issuer, and granted scopes. OAuth access tokens and OIDC ID tokens are often encoded as JWTs, but a JWT by itself has no security meaning without knowing the protocol context.
Signed JWTs can be validated locally without contacting the issuer, which reduces latency but makes revocation hard. The tradeoff is between local validation and centralized revocation control: local validation is fast and requires no runtime dependency on the issuer, but enforcing revocation globally requires coordination with the issuer. The most widely used response is short-lived access tokens paired with a refresh token, a longer-lived credential the client uses to obtain a new access token at renewal; revocation takes effect when the client next tries to renew.
Workload identity
Users are not the only principals. Services, containers, and batch jobs also need identities. Workload identity lets services prove which workload they are cryptographically rather than by network location. SPIFFE (Secure Production Identity Framework for Everyone) is a widely adopted standard for workload identity credentials. The key concept is that workload identities should be short-lived and automatically rotated, just like access tokens.
Cloud IAM
Cloud identity and access management (IAM) policies bind identities to permissions on cloud resources. Least privilege means granting each service only the permissions it actually needs and no more.
Over-privileged service accounts and roles are a major escalation path: a microservice with broad permissions becomes a much larger incident when compromised than one with least-privilege access. Short-lived credentials issued via workload identity federation are preferred over long-lived service account keys embedded in container images.
Zero Trust
Zero Trust is an architectural principle: network location does not imply trust. A request from inside the cluster still needs to be authenticated and authorized. The slogan “never trust, always verify” is a shorthand for the principle that trust must be earned by presenting verified credentials, not assumed based on where a connection originates.
Micro-segmentation
Micro-segmentation divides a system into fine-grained trust domains and explicitly controls which services can communicate with which others. It limits the blast radius of a compromise: if the orders service cannot connect directly to the database, compromising the orders service does not automatically give an attacker database access.
Service meshes and API gateways
Know the difference in scope.
An API gateway handles external traffic entering or leaving the system (called north-south traffic). It centralizes TLS termination (often decrypting incoming HTTPS connections at the boundary so internal services communicate over separate connections), token validation, rate limiting, and coarse-grained authorization at the edge.
A service mesh handles internal service-to-service calls (called east-west traffic). It provides mTLS, workload identity, and authorization enforcement consistently across all internal calls without requiring each service to reimplement those mechanisms. A sidecar proxy running alongside each service intercepts its network traffic to enforce these policies transparently.
A gateway protects the front door. A service mesh protects what happens inside.
Secret management
Secrets (API keys, database passwords, TLS private keys) must be distributed, rotated, revoked, and audited. Baking secrets into container images or source repositories is one of the most common and damaging mistakes. A well-designed system issues short-lived credentials to authenticated workloads at runtime rather than using long-lived static secrets.
Base64 encoding is not encryption. A base64-encoded secret is fully readable to anyone who can see the string.
Key and certificate rotation should be routine and automated. A system that requires manual edits or downtime to rotate a certificate is brittle by design.
Common design mistakes
Each of these reflects a trust assumption that was wrong from the start, not just a coding mistake.
-
Assuming the internal network is trusted.
-
Authenticating users but not services.
-
Using long-lived shared secrets everywhere instead of short-lived credentials.
-
Relying on the API gateway for all security and ignoring authorization inside the system.
-
Checking authentication but not authorization on individual resources and operations.
-
Over-privileging service accounts and cloud roles.
-
Storing secrets in source code, container images, or environment variable dumps.
-
Treating JWTs as an architecture rather than a token format.
-
Failing to plan for credential revocation, rotation, and resistance against replay attacks.
Understanding why each one is wrong is understanding the security design principles covered in these notes.