Using cryptography in your application

[Xenonym]

Rationale: The current introduction to cryptography provides a good overview of cryptography from a theorectical perspective. However, I feel that an equally important topic is how should we go about implementing cryptography in our applications, because incorrect implementation choices can lead to vulnerabilities in your application.

Could be an extension, but feel like the below is enough content for its own chapter.

Outline:

• why encrypt your data
  • sensitive in plaintext, in case of breach
• how to encrypt data in your application?
  • language libraries: JCE, System.Security.Cryptography
  • open source libraries: OpenSSL, NaCl, BouncyCastle, PyCrypto
• how to choose good cryptographic primitives
  • RNGs, CSPRNGs
  • encryption algorithms
    • public key: RSA, ECC
    • secret key: AES, ChaCha20
  • authentication modes: MACs, AE crypto modes
  • key generation: PBKDF

[damithc]

See if you can revise the current article to include these content too. Assume the reader is an SE student who has not yet learned cryptography. The article should give the reader an appreciation of how cryptography is relevant to a Software Engineer and point to where to go learn more. We should be able to achieve that from one article? Feel free to delete existing content. I don't mind having two articles but I feel like it's a bigger achievement if we can reach the same objective from just one.

[Xenonym]

Understood @damithc! I will try and extend the current article then. Here's my current outline for how it might go:

• what is cryptography?
• why use cryptography in your application?
  • secret data: passwords, sensitive business information
  • legal implications: GDPR, PDPA, and reasonable protection for customer data under the law
  • resilience from breaches: encrypted data is hard to read by unauthorised parties
  • integrity: ensuring that data has not been modified by unauthorised parties
• how do you use cryptography in your application?
  • language libraries: JCE, System.Security.Cryptography
  • open source libraries: OpenSSL, NaCl, BouncyCastle, PyCrypto
  • how to choose good cryptographic primitives [1]
    • RNGs, CSPRNGs
    • encryption algorithms
      • public key: RSA, ECC
      • secret key: AES, ChaCha20
    • authentication modes: MACs, AE crypto modes
    • key generation: PBKDF
• other resources
  • Practical Cryptography for Developers
  • Security Engineering

[1]: I suspect most of the current content will be subsumed under this section, but I have extended it beyond just algorithms to also other components that are important to implementing cryptography eg. RNGs, authentication modes.

[damithc]

Sounds good 👍