Ask HN: Current Crypto Best Practices

198 点作者 msingle大约 8 年前

For a run-of-the-mill programmer, where are some places that I can look for crypto best practices? Eg. For storing passwords, Coda Hale's https://codahale.com/how-to-safely-store-a-password/ looks like it is still relevant, but how do I know that? I know that cperciva and tptacek are some go-to people on HN, but where can I point other non-HN readers?

17 条评论

jjperezaguinaga大约 8 年前

If you come from a computer science/math background, and want an intro to cryptography in general, I can strongly recommend the Coursera course from Stanford University by professor Dan Boneh - <a href="https://www.coursera.org/learn/crypto" rel="nofollow">https://www.coursera.org/learn/crypto</a>. To really understand the implementations of security libraries and tools, one should be at least familiar with the fundamentals and terminology of crypto. Otherwise you are blindly encrypting things without being aware of whether you are actually securing things.The course is free and takes 6 weeks long, and is very interesting if you had never dwelled too deep into security or crypto. There's also a new cryptography class that will be available in September of 2017 - <a href="https://www.coursera.org/learn/crypto2" rel="nofollow">https://www.coursera.org/learn/crypto2</a>.

评论 #14044008 未加载

评论 #14042427 未加载

mlaretallack大约 8 年前

Cryptographic Right Answers is a good place to start<a href="https://gist.github.com/TheZ3ro/fb521a3cde0c91fcb350" rel="nofollow">https://gist.github.com/TheZ3ro/fb521a3cde0c91fcb350</a>

评论 #14042449 未加载

cvwright大约 8 年前

I'm surprised to see so few recommendations for libsodium. <a href="https://download.libsodium.org/doc/" rel="nofollow">https://download.libsodium.org/doc/</a>For pretty much any crypto task that a "run-of-the-mill programmer" is likely to run into, they've got you covered.Secret key encryption: <a href="https://download.libsodium.org/doc/secret-key_cryptography/authenticated_encryption.html" rel="nofollow">https://download.libsodium.org/doc/secret-key_cryptography/a...</a>Password hashing: <a href="https://download.libsodium.org/doc/password_hashing/" rel="nofollow">https://download.libsodium.org/doc/password_hashing/</a>

评论 #14045593 未加载

garrettr_大约 8 年前

Cryptography Engineering [0] is a great book that covers key topics in cryptography with a focus on best practices for implementors and system/protocol designers.Matthew Green's blog, A Few Thoughts on Cryptographic Engineering [1], has a wealth of interesting posts that are often aimed at explaining cryptography to a "technical but non-cryptographer" audience, and tend to be motivated by recent events in security/cryptography news.[0]: <a href="https://www.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246" rel="nofollow">https://www.amazon.com/Cryptography-Engineering-Principles-P...</a> [1]: <a href="https://blog.cryptographyengineering.com/" rel="nofollow">https://blog.cryptographyengineering.com/</a>

lucb1e大约 8 年前

The IT Security StackExchange website contains lots of information which is generally kept reasonably up to date. For example a TLS answer might be a bit old and not list last week's attack, but if something turns incorrect it will often be edited.<a href="https://security.stackexchange.com" rel="nofollow">https://security.stackexchange.com</a>

Tepix大约 8 年前

OWASP has some nice guidelines on a lot of topics, including storing passwords.Start at <a href="https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet" rel="nofollow">https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet</a>

评论 #14042864 未加载

评论 #14042192 未加载

tptacek大约 8 年前

The answers for this depend on what you're trying to do. Can you be more specific? Coda's password storage advice is still the best advice for people who don't know what they'd do otherwise.

lothiraldan大约 8 年前

I'm currently building a community website for these kind of questions (storing password, constant-time token comparison), the design is pretty raw for the moment: <a href="https://sqreen.github.io/DevelopersSecurityBestPractices/safe-password-storage/python" rel="nofollow">https://sqreen.github.io/DevelopersSecurityBestPractices/saf...</a>The code examples are in Python, but I plan to add pages in other languages.

mistat大约 8 年前

The golden rule about storing a password is to not store a password... I can't wait till SQRL takes off

评论 #14042097 未加载

评论 #14042090 未加载

评论 #14042239 未加载

评论 #14042490 未加载

cshep大约 8 年前

Dan Boneh's Coursera course is ideal for any beginner. Cryptography Engineering by Schneier et al. is good, as is Ross Anderson's Security Engineering, but both are fairly dated.The OWASP guidance is OK for a quick access to best practices, but insufficient for rigorous learning.Cryptography takes time to digest the fundamentals and recognise how new concepts are both beneficial and, vitally, disadvantageous; sadly, there is no cheat sheet or quick fix.Source: computer security PhD student.

yeukhon大约 8 年前

Quick sites:* PyCon Crypto 101 - <a href="https://www.crypto101.io/" rel="nofollow">https://www.crypto101.io/</a> (and if you use Python, please use Cryptography library for encryption/decryption please, Python built-in provides sha and hmac already though, and please adopt your framework's security implementation whenever possible).* Mozilla Web Security Guidelines - <a href="https://wiki.mozilla.org/Security/Guidelines/Web_Security" rel="nofollow">https://wiki.mozilla.org/Security/Guidelines/Web_Security</a>* Mozilla Secure Coding Guideline - <a href="https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines" rel="nofollow">https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines</a>* Mozilla Server Side TLS - <a href="https://wiki.mozilla.org/Security/Server_Side_TLS" rel="nofollow">https://wiki.mozilla.org/Security/Server_Side_TLS</a>* Mozilla Intro to Cryptography (slide: <a href="https://april.github.io/crypto-presentation" rel="nofollow">https://april.github.io/crypto-presentation</a> video: <a href="https://www.youtube.com/watch?v=bg32spD2mB0" rel="nofollow">https://www.youtube.com/watch?v=bg32spD2mB0</a>)* Mozilla Web wiki - <a href="https://developer.mozilla.org/en-US/docs/Web" rel="nofollow">https://developer.mozilla.org/en-US/docs/Web</a> (understand CORS, Cookies, CSP, etc)* Google's course on security - <a href="https://google-gruyere.appspot.com/" rel="nofollow">https://google-gruyere.appspot.com/</a> (original course page has been taken down by Google already)Book recommendations:* The Web Application Hacker's Handbook* The Tangled Web: A Guide to Securing Modern Web Applications (written by the famous Michał Zalewski working at Google, and lately known for developing the American Fuzzy Loop AFL which has been used for uncovering many new CVE bugs).* Hacking: The Next Generation* Securing DevOps (to be released soon)Publications:* USENIX - <a href="https://www.usenix.org/" rel="nofollow">https://www.usenix.org/</a> (tons of free high quality conference talks, I like USENIX over ACM)* Real World CryptoGetting real* Go find bug bounty program out there, many well-written posts how one discovered bugs* Follow a bunch of security engineers / security-minded folks on Twitter (e.g. @matthew_d_green would be a good start)OWASP is a great reference, you read it as an index page. But like others have pointed out, the Wiki is often outdated, but concepts almost always remain the same. Use multiple resources before implementing a solution, and never just copy and paste solution posted by others on Stackoverflow. Sorry for so many Mozilla stuff definitely there's some bias from me but I trust folks running the sec team there.

zitterbewegung大约 8 年前

A good guide for password hashing is <a href="https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016" rel="nofollow">https://paragonie.com/blog/2016/02/how-safely-store-password...</a> . I think your codehale link is out of date since it's from 2010.

评论 #14042250 未加载

jeremymcanally大约 8 年前

I made this a while ago: <a href="http://howtostoreapassword.com" rel="nofollow">http://howtostoreapassword.com</a>. Still relevant I think. :)I should probably update it to use one of the more modern algos, but the availability of good bcrypt libraries makes it solid advice still.

评论 #14045649 未加载

alinajaf大约 8 年前

Not necessarily best practices, but I recommend the Matasano Crypto Challenges to basically everyone. I make all of the developers on our team do them too:<a href="http://cryptopals.com" rel="nofollow">http://cryptopals.com</a>

评论 #14042507 未加载

bsder大约 8 年前

So, what's the recommendation for an Authenticated Key Exchange?I see a lot of "don't use" but I don't see any "do use" for that case.

jasdeepsingh大约 8 年前

May be on a tangent and a shameless plug, but I just posted <a href="https://news.ycombinator.com/item?id=14042150" rel="nofollow">https://news.ycombinator.com/item?id=14042150</a> this morning.Underlock is a small Ruby library that helps with Encrypting/Decrypting of files and other data.

评论 #14043429 未加载

nommm-nommm大约 8 年前

OWASP (non-profit)<a href="https://www.owasp.org/" rel="nofollow">https://www.owasp.org/</a>NIST (government)<a href="https://www.nist.gov/publications/" rel="nofollow">https://www.nist.gov/publications/</a>

评论 #14042441 未加载