Developer Tips on Cryptography

2 minute read

The best way to use cryptography is not to do it yourself.
Do not roll your own crypto and here is a good answer why.

Cryptography is hard. There are so many things that can go wrong and even experienced security developers, like those working on OpenSSL, can make mistakes.

State of the Art

Contemporary school of thought suggests that developers shouldn’t be bothered with cryptographic functions, rather they should use libraries with high-level APIs to solve their problems. A prominent example of this philosophy is the NaCl: Networking and Cryptography library from the early 2010s by Bernstein et al.

A typical cryptographic library is a collection of many different functions and supports a plethora of parameter sets. It is left to the software developer to choose from these functions and parameters, and combine them in a way that offers the desired security. These choices come with various pitfalls, not only because most libraries still contain highly insecure functions for ‘historical’ or ‘compatibility’ reasons, but also because it is easy to combine secure functions in an insecure way. The Eindhoven researchers have found that this level of complication is unnecessary for most applications. NaCl offers an easy-to-use high-level interface for exactly what applications need: secure authenticated encryption. The underlying functions and parameters are chosen by experts in cryptography, namely the NaCl designers.

— NaCl authors for Research Plaza, 2013

It is a very successful project, which has been forked and extended into libsodium. This line of thinking has sprung off other libraries following the same principle, e.g. PASETO - security tokens library.

Rule of Thumb

Use libraries with high-level APIs to protect your data. Generally, platforms and frameworks already provide services with simple APIs to solve your problem. If that is not the case, you can use libraries like libsodium that are portable and have bindings for many programming languages and environments.

Example Libraries and Services

Libsodium is a library for encryption, decryption, signatures, password hashing that provides a simple to use API, without the need to know the algorithms or their parameters. The chance is that you will find bindings for your platform and programming language of choice.

Libhydrogen is basically libsodium for constrained environments (e.g. microcontrollers).

PASETO (Platform-Agnostic SEcurity TOkens) is a security tokens library that tries to solve the JWT’s issues.

ASP.NET Core Data Protection is an example for framework-specific service that provides a simple interface with two methods to Protect, respectively Unprotect data.

Reading Materials

Crypto 101 by lvh is the one book I’ve found that specifically targets developers. It’s an open-source project, which makes it very easy to reference in training materials and send developers to, when they want to read more about cryptography.

Cryptographic Right Answers from Latacora is a very helpful read, if you are somewhat familiar with cryptography, but you are wondering which cryptographic functions and algorithms to use.