Protocols
There are a lot of areas around cryptography protocols and what one should do to accomplish various things, see the table below for a good summary of many different areas.
Area |
Percival in 2009 |
Ptacek in 2015 |
Latacora in 2018 |
Online backups |
|||
Symmetric key length |
256-bit |
256-bit |
256 bit |
Symmetric “Signatures” |
HMAC |
HMAC |
HMAC |
Random IDs |
256-bit |
256-bit |
256-bit |
Hashing algorithm |
SHA256 (SHA-2) |
SHA-2 |
SHA-2 |
Password handling |
Algorithms:
|
Algorithms:
|
Algorithms:
|
Website security |
OpenSSL |
Libraries:
|
Libraries:
|
Client-server app security |
OpenSSL |
Libraries:
|
Libraries:
|
Asymmetric encryption |
Use RSAES-OAEP with SHA256 as the hash function, MGF1+SHA256 as the mask generation function, and a public exponent of 65537. Make sure that you follow the decryption algorithm to the letter in order to avoid side channel attacks. |
NaCl/libsodium |
NaCl/libsodium |
Asymmetric signatures |
Use RSASSA-PSS with SHA256 as the hash function, MGF1+SHA256 as the mask generation function, and a public exponent of 65537. |
Algorithms:
|
Algorithms:
|
Diffie-Hellman |
2048-bit Group #14 with a generator or 2 |
Algorithms:
|
Algorithms:
|
Encrypting Data |
AES-CTR HMAC |
Algorithms:
|
Algorithms:
|
Above table idea from: https://news.ycombinator.com/item?id=16748400 (author: weinzierl) sources for the table:
Crypto Libraries
-
NACL/Libsodium is a great library to use.
-
OpenSSL is an OK library to use, it had a down-period, but it’s being maintained again now.
-
Tink is a new library with a team of cryptographers maintaining it; that team includes Daniel Bleichenbacher.