By Wolfgang Keller
Draft
Originally written 2019-07-03
Last modified 2021-02-25
You care about this if: you’re hiding information from users or the network.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | | | |
| If you can get away with it: | | - | - |
| Avoid: | | | |
You might ask: why use “Encrypt-then-MAC”? More precisely, there are three possible ways to combine encryption and a MAC:
In Encrypt-then-MAC [published 2009-06-24; visited 2021-02-25T00:03:17Z], Colin Percival explains why Encrypt-then-MAC should be used.
You care about this if: you’re using cryptography.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | 256 bit | | |
| If you can get away with it: | 128 bit | - | - |
| Avoid: | - | | |
You care about this if: you’re securing an API, encrypting session cookies, or are encrypting user data but, against medical advice, not using an AEAD construction.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | HMAC | | |
| Avoid: | | | |
You care about this if: you always care about this.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | | SHA-2 | |
| If you can get away with it: | - | SHA-512/256 | |
| Future prospect: | Plan update to SHA-3 within next 5-10 years | - | - |
| Avoid: | | | |
You care about this if: you always care about this.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | Use 256-bit random numbers. | Use 256-bit random numbers from /dev/urandom. | |
| If you can get away with it: | Use 128-bit random numbers. | - | - |
| Avoid: | - | | |
You care about this if: you accept passwords from users or, anywhere in your system, have human-intelligible secret keys.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | | | |
| Avoid: | | | |
Links:
You care about this if: you need to encrypt the same kind of message to many different people, some of them strangers, and they need to be able to accept the message asynchronously, like it was store-and-forward email, and then decrypt it offline. It’s a pretty narrow use case.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | RSAES-OAEP with | NaCl | NaCl/libsodium (box / crypto_box) |
| If you can get away with it: | - | RSA-OAEP if you have to use RSA | - |
| Avoid: | | | Systems designed after 2015 that use |
You care about this if: you’re designing a new cryptocurrency. Or, a system to sign Ruby Gems or Vagrant images, or a DRM scheme, where the authenticity of a series of files arriving at random times needs to be checked offline against the same secret key. Or, you’re designing an encrypted message transport.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | RSASSA-PSS with | TODO | TODO |
| Avoid: | TODO | TODO | TODO |
You care about this if: you’re designing an encrypted transport or messaging system that will be used someday by a stranger, and so static AES keys won’t work.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | TODO | TODO | TODO |
| Avoid: | TODO | TODO | TODO |
You care about this if: you have a website.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | TODO | TODO | TODO |
| Avoid: | TODO | TODO | TODO |
You care about this if: the previous recommendations about public-key crypto were relevant to you.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | TODO | TODO | TODO |
| Avoid: | TODO | TODO | TODO |
You care about this if: you bother backing things up.
| | Percival, 2009 | Ptacek, 2015 | Latacora, 2018 |
|---|---|---|---|
| Do: | Tarsnap | | |
TODO