Protocols

There are a lot of areas around cryptography protocols and what one should do to accomplish various things, see the table below for a good summary of many different areas.

Table 1. Summary

Area

Percival in 2009

Ptacek in 2015

Latacora in 2018

Online backups

Symmetric key length

256-bit

256-bit

256 bit

Symmetric “Signatures”

HMAC

HMAC

HMAC

Random IDs

256-bit

256-bit

256-bit

Hashing algorithm

SHA256 (SHA-2)

SHA-2

SHA-2

Password handling

Algorithms:

  • scrypt

  • PBKDF2

Algorithms:

  • scrypt

  • bcrypt

  • PBKDF2

Algorithms:

  • scrypt

  • argon2

  • bcrypt

  • PBKDF2

Website security

OpenSSL

Libraries:

  • OpenSSL

  • BoringSSL

  • AWS ALB/ELB

Libraries:

  • AWS ALB/ELB

  • OpenSSL

  • LetsEncrypt

Client-server app security

OpenSSL

Libraries:

  • OpenSSL

  • BoringSSL

  • AWS ELBs

Libraries:

  • AWS ALB/ELB

  • OpenSSL

  • LetsEncrypt

Asymmetric encryption

Use RSAES-OAEP with SHA256 as the hash function, MGF1+SHA256 as the mask generation function, and a public exponent of 65537. Make sure that you follow the decryption algorithm to the letter in order to avoid side channel attacks.

NaCl/libsodium

NaCl/libsodium

Asymmetric signatures

Use RSASSA-PSS with SHA256 as the hash function, MGF1+SHA256 as the mask generation function, and a public exponent of 65537.

Algorithms:

  • NaCl

  • Ed25519

  • RFC6979

Algorithms:

  • NaCl

  • Ed25519

Diffie-Hellman

2048-bit Group #14 with a generator or 2

Algorithms:

  • DH-2048

  • NaCl

Algorithms:

  • Nothing

  • Curve25519

Encrypting Data

AES-CTR HMAC

Algorithms:

  • NaCl/libsodium default

  • ChaCha20-Poly1305

  • AES-GCM

Algorithms:

  • Amazon KMS

  • XSalsa20+Poly1305

Above table idea from: https://news.ycombinator.com/item?id=16748400 (author: weinzierl) sources for the table:

Crypto Libraries

  • NACL/Libsodium is a great library to use.

  • OpenSSL is an OK library to use, it had a down-period, but it’s being maintained again now.

  • Tink is a new library with a team of cryptographers maintaining it; that team includes Daniel Bleichenbacher.