Hello software developers,
Please check your code to ensure you're not making one of the following mistakes related to cryptography.
- Writing your own home-grown cryptography primitives (For example: Mifare Classic)
- Exception: For the sake of learning, but don't deploy it in production.
- Using a fast hash function (e.g. MD5, SHA256) for storing passwords. Use bcrypt instead.
- Not using a cryptographically secure random number generator
- Hashing small identifiers and hoping the hash hides the identifier (easily brute-forced)
- Not using authenticated encryption
- Not following an Encrypt then MAC construction
- Using ECB mode (ciphertext blocks will repeat, degrading confidentiality)
- Not using a random IV for CBC mode
- Ever reusing a nonce in CTR mode with the same key
- Using a human-readable password (i.e. "Password123") directly as an encryption key instead of a randomly generated string (or rather a
byte
array if appropriate to your language) - Using the same key for encryption and message authentication
- This isn't really a vulnerability, just a bad practice; use HKDF-SHA256 to split your key into one for encryption and one for authentication.
- Hard-coding an encryption key or password into your client software
- Using RSA with PKCS1v1.5 padding
- Yes, that scheme was broken in 1998. I don't give a damn what your "legacy support" concerns are. Stop using it already.
- Using an unsafe curve for ECC (e.g. many NIST curves)
If you're looking for cryptography right answers, check out the linked gist.
Thank you for your time.
Signed,
A friend who wants your application to be secure
@creshal I wouldn't. Argon2 is new and given the suite of current algorithms, relatively untested and unused. I would let Argon2 bake for at least 5 years before giving it considerable attention for production use. We need mathematicians and cryptographers analyzing Argon2 for a good long while, before it becomes an every day recommendation. In the meantime, bcrypt is a sound choice.