Terse Systems

Best Practices Crypto Algorithms

| Comments

I've always wanted just a nice simple list of what crypto algorithms go where.  The <a href="https://gist.github.com/tqbf/be58d2d39690c3b366ad">cryptographic right answers</a> go a long way to answering the question, but are very long.

Updated for 2016: In general, you should use libsodium, or a language wrapper like on top.

    <li>
        Use libsodium's <a href="https://download.libsodium.org/doc/secret-key_cryptography/authenticated_encryption.html">crypto_secretbox_easy</a> for encryption -- this is XSalsa20 with Poly1305 MAC under the hood.</li>
    <li>
        <a href="https://download.libsodium.org/doc/hashing/generic_hashing.html">crypto_generichash</a> with a key for integrity protection (authenticity) -- this is BLAKE2 under the hood.</li>
    <li>
        <a href="https://download.libsodium.org/doc/hashing/generic_hashing.html">crypto_generichash</a> without a key for hashing -- this is BLAKE2b under the hood.</li>
    <li>
      <a href="https://download.libsodium.org/doc/password_hashing/the_argon2i_function.html">Argon2</a>  or <a href="https://download.libsodium.org/doc/password_hashing/scrypt.html">scrypt</a> for passwords.
    </li>
    <li>
        Always use /dev/urandom or RtlGenRandom/CryptGenRandom&nbsp;for random numbers.  See <a href="https://tersesystems.com/2015/12/17/the-right-way-to-use-securerandom/">SecureRandom</a> if you're using Java.
    </li>
    

Comments