1. 15

    I’ve already commented on the /r/crypto submission, but just wanted to make sure I also mention here: these are absolutely great points that any crypto library should, at least, take into consideration.

    1. 6

      I think one big resource that’s pretty popular is cryptopals. I’ve only done the first few sets but the exercises are a lot of fun and teach you real attacks

      1. 2

        I stumbled upon it this morning as I wrote my post :). I’m going to sprinkle these in, seems like a great way to get my feet wet.

        1. 2

          In terms of hands-on things, I’ve seen https://cryptohack.org/ be mentioned once or twice. Haven’t tried it myself, so I can’t really say anything about it.

        1. 2

          Serious Cryptography by Jean-Philippe Aumasson is one of my favorites.

          1. 1

            I would definitely also recommend this one.

          1. 3

            Most real-world books are pretty outdated at this point, I’ve been writing the book I wish I had when I got into applied cryptography. I spent more than 2 years writing it and it’s going to print soon, but you can read it online here: https://www.manning.com/books/real-world-cryptography?a_aid=Realworldcrypto&a_bid=ad500e09

            It’s an introduction to cryptography concepts that are used in applications (encryption, authentication, etc.) with more in-depth explanations on how some of the actual algorithms work (for example, AES) and how they can be used in different types of applications (SSL/TLS, secure messaging like the Signal protocol, etc.). The second part of the book also covers extra topics like hardware cryptography, post-quantum cryptography, cryptocurrencies, and even some advanced topics like zero-knowledge proofs.

            I also wrote a post here on why I’m writing another book on cryptography: https://cryptologie.net/article/504/why-im-writing-a-book-on-cryptography/ which should give you more background about what kind of book it is.

            1. 2

              Wait, is the full book available online? I’ve been waiting for this book, perhaps I’ve missed an announcement? Regardless, thanks for your hard work. I really enjoy your posts on cryptologie.net, and I’ve been looking forward to “Real-World Cryptography”.

              1. 3

                I think it is slated for print release in a few months, and it seems like 15 / 16 chapters are available online. I grabbed a copy because this was almost exactly what I was looking for (judging by the preview).

            1. 3

              Some unmentioned theorem provers/frameworks:

              Isabelle, a powerful prover with support for code generation in (mostly functional) languages. The sel4 project is a notable user of Isabelle. There is also a new framework called Igloo, which aims to provide language agnostic end-to-end proofs from protocol to implementation.

              Then there is Event-B, which I know less about, but which powers the autonomous Paris metro line, an impressive feat.

              1. 2

                There’s also Verifpal.

              1. 4

                I’m a big fan of “rolling your own crypto” and here I’m talking about implementing known algorithms.

                Isn’t this article a great example of why NOT to roll your own crypto?

                1. 4

                  When I read the full two paragraphs around that sentence, I get the feeling it’s for educational purposes, not for real security use, which is why they encourage a security disclaimer.

                  I might be projecting my own views though because I think “rolling your own crypto” is a fantastic way of learning how the system works and how things can fall apart. I’ve learned how easy it is to make mistakes and I’ve never read papers and documentation more thoroughly than with cryptography and compression algorithms since both are so incredibly hard to debug. I’ve also learned a lot about tooling to mitigate these issues.

                  I’m a big fan of “rolling your own crypto” and here I’m talking about implementing known algorithms. I do it myself. I even think making it available on GitHub or similar, to ask for feedback, is good (if users are warned that no security can be expected).

                  However, a problem arises when projects that don’t even uphold the bare minimum of testing test vectors are published with no warnings at all. Had test vectors been used in this case, it wouldn’t have left IdentityModel completely broken.

                  1. 2

                    When I read the full two paragraphs around that sentence, I get the feeling it’s for educational purposes, not for real security use, which is why they encourage a security disclaimer.

                    Yes, this is exactly what I mean. And I totally agree with your benefits, that come from exploring it for educational purposes.

                  2. 2

                    Isn’t this article a great example of why NOT to roll your own crypto?

                    Not why. How. Avoiding most mistakes only requires following a few rules. Those rules aren’t easy to follow, but they are pretty easy to know about.

                    1. 1

                      Exactly, I was going to post the same thing.

                      One reason it’s not a good idea: After showing a snippet of code that calls some XChaCha20-Poly1305 crypto functions, the author notes:

                      This is not a XChaCha20-Poly1305 construction.

                      In other words, the APIs exposed by low-level libraries are like bags of loose components. They have to be wired up correctly in order to work right, and it’s not always obvious how to do so. Even if you know about padding and nonces, a specific cipher can have its own limitations you also need to be aware of.

                      That’s why I’m a fan of the higher-level libraries stemming from and inspired by Daniel Bernstein’s NaCl (libSodium, Monocypher, CryptoKit, etc) which give you bigger building blocks like “cryptoBox” that do a specific thing and do it right, and choose appropriate algorithms under the hood. That makes it a lot easier to successfully implement a crypto construction, and in a way that’s compatible with other programs that use the same construction.

                      1. 3

                        That’s why I’m a fan of the higher-level libraries stemming from and inspired by Daniel Bernstein’s NaCl (libSodium, Monocypher, CryptoKit, etc) which give you bigger building blocks like “cryptoBox” that do a specific thing and do it right, and choose appropriate algorithms under the hood.

                        Thanks for citing my work, appreciated. :-)

                        Working on Monocypher had me realise that the NaCl family ((Tweet)NaCl, Libsodium, Monocypher) is actually fairly low level. Yes, providing authenticated encryption and clean key exchange out of the box was a huge improvement. But my work on authenticated key exchange told me that high-level protocols are often fairly delicate, and require significant effort for untrained people to get them right. (Implementing an existing protocol like Noise isn’t too bad, though.) That’s in my opinion a big reason why Latacora’s Cryptographic Right Answers still recommends freaking TLS for client/server security.

                        I’d say the NaCl family of APIs is a good start. More work is needed to provide even higher-level facilities: full authenticated key exchange, PAKE, encrypted file formats (I’m leering at PURB), certificates… On top of those, we should then provide fully fledged network libraries, that actually handle the I/O (so far I’ve limited myself to manipulating buffers, to minimise dependencies and maximise portability). My, I’m afraid I still have a couple years of work ahead of me…

                    1. 8

                      This is why it’s important to ‘salt’ your hash with a secret key

                      It’s important to use a password hash function (~= key derivation function) like argon2, scrypt or bcrypt. It handles salt and iteration (it’s important too, regular hash functions are way too fast and don’t require much memory!) and everything. You should not think about salts yourself.

                      1. 1

                        I follow this guide as well:

                        https://crackstation.net/hashing-security.htm

                        (It seems legit)

                        1. 3

                          That article also mentions the use of password hashing algorithms, as @myfreeweb pointed out. The only thing to note is that PBKDF2 is quite outdated and better alternatives, such as Argon2, exist and should be preferred.

                          Another good resource for recommendations on this is Cryptographic Right Answers.

                          1. 1

                            Argon2 is mentioned as well. Thanks for the link!
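The advice in the sub-thread above (use a password hash function such as Argon2, scrypt or bcrypt and let it handle the salt, rather than salting a fast hash yourself) as an added example; this is not code from any commenter. It uses scrypt because it ships in Python's standard library (hashlib.scrypt, which assumes a build against OpenSSL 1.1 or newer); the cost parameters and the storage string format are my own choices for illustration.

```python
import base64
import hashlib
import hmac
import os

# Illustrative cost parameters (assumed, not a recommendation from the thread):
# N=2**14, r=8, p=1 makes each hash use about 16 MiB of memory. Tune upward
# for real deployments as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def weak_salted_sha256(password: str, salt: bytes) -> bytes:
    """The pattern the thread warns against: one fast hash plus a salt.
    The salt defeats precomputed tables, but SHA-256 is cheap in time and
    memory, so it does nothing to slow down offline guessing."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_password(password: str) -> str:
    """Hash with scrypt, a memory-hard password hash. The random salt and
    the cost parameters are stored next to the hash so callers never have
    to think about salts themselves."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                        r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"$scrypt$n={SCRYPT_N},r={SCRYPT_R},p={SCRYPT_P}${b64(salt)}${b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the parameters embedded in the stored string
    and compare in constant time. Malformed input verifies as False."""
    try:
        _, algo, params, salt_b64, dk_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        cost = dict(kv.split("=") for kv in params.split(","))
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:  # wrong field count, bad base64, bad key=value
        return False
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=int(cost["n"]), r=int(cost["r"]),
                               p=int(cost["p"]), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)
```

Because the salt is generated per call, hashing the same password twice yields two different stored strings, and verification only needs the stored string and the candidate password.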