Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using cryptography in your application #69

Open
Xenonym opened this issue Feb 9, 2019 · 3 comments
Open

Using cryptography in your application #69

Xenonym opened this issue Feb 9, 2019 · 3 comments

Comments

@Xenonym
Copy link

Xenonym commented Feb 9, 2019

Rationale: The current introduction to cryptography provides a good overview of cryptography from a theorectical perspective. However, I feel that an equally important topic is how should we go about implementing cryptography in our applications, because incorrect implementation choices can lead to vulnerabilities in your application.

Could be an extension, but feel like the below is enough content for its own chapter.

Outline:

  • why encrypt your data
    • sensitive in plaintext, in case of breach
  • how to encrypt data in your application?
    • language libraries: JCE, System.Security.Cryptography
    • open source libraries: OpenSSL, NaCl, BouncyCastle, PyCrypto
  • how to choose good cryptographic primitives
    • RNGs, CSPRNGs
    • encryption algorithms
      • public key: RSA, ECC
      • secret key: AES, ChaCha20
    • authentication modes: MACs, AE crypto modes
    • key generation: PBKDF
@damithc
Copy link
Contributor

damithc commented Feb 9, 2019

See if you can revise the current article to include these content too. Assume the reader is an SE student who has not yet learned cryptography. The article should give the reader an appreciation of how cryptography is relevant to a Software Engineer and point to where to go learn more. We should be able to achieve that from one article? Feel free to delete existing content. I don't mind having two articles but I feel like it's a bigger achievement if we can reach the same objective from just one.

@Xenonym
Copy link
Author

Xenonym commented Feb 9, 2019

Understood @damithc! I will try and extend the current article then. Here's my current outline for how it might go:

  • what is cryptography?
  • why use cryptography in your application?
    • secret data: passwords, sensitive business information
    • legal implications: GDPR, PDPA, and reasonable protection for customer data under the law
    • resilience from breaches: encrypted data is hard to read by unauthorised parties
    • integrity: ensuring that data has not been modified by unauthorised parties
  • how do you use cryptography in your application?
    • language libraries: JCE, System.Security.Cryptography
    • open source libraries: OpenSSL, NaCl, BouncyCastle, PyCrypto
    • how to choose good cryptographic primitives [1]
      • RNGs, CSPRNGs
      • encryption algorithms
        • public key: RSA, ECC
        • secret key: AES, ChaCha20
      • authentication modes: MACs, AE crypto modes
      • key generation: PBKDF
  • other resources

[1]: I suspect most of the current content will be subsumed under this section, but I have extended it beyond just algorithms to also other components that are important to implementing cryptography eg. RNGs, authentication modes.

@damithc
Copy link
Contributor

damithc commented Feb 10, 2019

Sounds good 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants