OWASP / Go-SCP

Golang Secure Coding Practices guide
https://owasp.org/www-project-go-secure-coding-practices-guide/
Creative Commons Attribution Share Alike 4.0 International

Addition of Glossary for certain terms #32

Open Jack64 opened 7 years ago

Jack64 commented 7 years ago

Hi all,

I'd like to propose the addition of a glossary for certain terms that may be misinterpreted or need additional explanation to be unambiguously interpreted by readers. This would also require a review of the complete document to ensure the uses of such words are correct according to their glossary definition. This is particularly important in some specific cases like crypto, where terms are sometimes misused and there can be confusion as to their meaning. The instances of their use across the document could be linked to the definition in the glossary for fast reference.

Here's an example of what glossary entries could look like:

encoding - function which transforms input into a different representation without the use of a key. These are reversible and do not provide real security because if the algorithm is known, their output can be reversed.

hash - may be a reference to a hashing function or its output.

hashing/hash function - cryptographically-secure function which transforms input into fixed-length output, also known as a trapdoor or one-way function. Its output cannot be "reversed", in the sense of retrieving the input information back from the output, because its fixed-length property does not retain the original information, but the input can be "guessed" by attempting all possible inputs until we get the same output.

encryption - process by which input data (plaintext) is transformed into encrypted data (ciphertext) via the application of a secret key. The output of an encryption process may be reversed (decrypted) using a key.

KDF (or Key Derivation Function) - In this document, when referring to a KDF, we mean a function which takes a user password as input and derives a key which can be used for storage and authentication, or a high-entropy key for use with symmetric encryption algorithms. This is not a hash function, but a construction around a hash function to make it more resistant to attacks such as brute force, rainbow tables, etc. A simple example to understand what is meant by "construction" is PBKDF2, which uses salting and iterations to increase the cost of breaking the hash for the attacker.

The crypto section would then be revised to use these terms appropriately.

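The KDF entry above describes PBKDF2 as "a construction around a hash function" that adds a salt and an iteration count. The following Go program is an added example, not code from the Go-SCP guide or from this issue: it builds PBKDF2 from HMAC-SHA-256 exactly as RFC 8018 section 5.2 specifies, so the reader can see where the salt and the iterations enter, and then wraps it in a hypothetical HashPassword/VerifyPassword pair with a constructed password record (the record layout, the 600,000 iteration count and the function names are assumptions for illustration, not the guide's recommendation). The self-check in main compares against the widely published PBKDF2-HMAC-SHA256 test vector for password "password", salt "salt", one iteration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
)

// pbkdf2 derives dkLen bytes from password and salt using HMAC-h as the PRF
// (RFC 8018 section 5.2). It is written out in full to show that a KDF is a
// construction built on top of a hash function, not a hash function itself.
func pbkdf2(h func() hash.Hash, password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	numBlocks := (dkLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	var idx [4]byte
	for i := 1; i <= numBlocks; i++ {
		// U_1 = PRF(P, S || INT(i)): the salt binds the result to this user.
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(P, U_{j-1}); T_i = U_1 xor U_2 xor ... xor U_c.
		// Each iteration costs the attacker one more HMAC per guess.
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// PasswordRecord is a constructed example of what gets stored instead of the
// password: the parameters needed to recompute the derived key, plus the key.
type PasswordRecord struct {
	Salt       []byte
	Iterations int
	DerivedKey []byte
}

// HashPassword is a hypothetical helper: fresh random salt per password, a
// fixed work factor, 32-byte output.
func HashPassword(password string) (PasswordRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return PasswordRecord{}, err
	}
	const iterations = 600000 // assumed work factor for this example
	key := pbkdf2(sha256.New, []byte(password), salt, iterations, 32)
	return PasswordRecord{Salt: salt, Iterations: iterations, DerivedKey: key}, nil
}

// VerifyPassword recomputes the derived key with the stored salt and iteration
// count and compares in constant time.
func VerifyPassword(rec PasswordRecord, password string) bool {
	key := pbkdf2(sha256.New, []byte(password), rec.Salt, rec.Iterations, len(rec.DerivedKey))
	return subtle.ConstantTimeCompare(key, rec.DerivedKey) == 1
}

func main() {
	// Published PBKDF2-HMAC-SHA256 test vector: "password", "salt", c=1, dkLen=32.
	want, _ := hex.DecodeString("120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b")
	got := pbkdf2(sha256.New, []byte("password"), []byte("salt"), 1, 32)
	fmt.Println("test vector matches:", bytes.Equal(got, want))

	rec, err := HashPassword("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("right password verifies:", VerifyPassword(rec, "correct horse battery staple"))
	fmt.Println("wrong password verifies:", VerifyPassword(rec, "Tr0ub4dor&3"))
}
```

In production code the PBKDF2 loop itself would come from a maintained library (for instance golang.org/x/crypto/pbkdf2, or crypto/pbkdf2 in recent Go releases) rather than being hand-written; the point of spelling it out here is only to make the glossary's distinction concrete: the salt makes precomputed tables useless across users, the iteration count multiplies the attacker's cost per guess, and neither of those properties belongs to the underlying hash function.
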
PauloASilva commented 7 years ago

Hi @Jack64, I think that is a great idea.

We aim to do a release every two weeks:

  1. how long do you think it would take to have the document fully reviewed and the first version of the Glossary?
  2. would you be interested in leading this task?

Regards, Paulo A. Silva