November 7, 2013

Common Rules in Cryptography

Disclaimer: I have no background in cryptography, despite writing occasional ramblings on the subject. I just know what I’ve picked up along the way, of which precious little is made available to people who don’t go searching for it.

While perusing this interesting study of Android app security I found on HN, I came across a small, digestible nugget of (apparent) wisdom about encryption that I’d never seen before, and that I thought I’d share:

  • Rule 1: Do not use ECB mode for encryption.
  • Rule 2: Do not use a non-random IV for CBC encryption.
  • Rule 3: Do not use constant encryption keys.
  • Rule 4: Do not use constant salts for PBE.
  • Rule 5: Do not use fewer than 1,000 iterations for PBE.
  • Rule 6: Do not use static seeds to seed SecureRandom()

For regular-ass devs like me, I strongly prefer having rules of thumb like this to making my own decisions about crypto. The source paper has citations and explanations for all of these, I encourage you to check it out.

Further Reading