Introduction

Cryptography is the hottest topic in computer security. The word conjures up images of spies, adventures, and eccentric math geniuses. Move past the Hollywood take on cryptography, and you’ll find that it really is a fascinating field. It ties together math, logic, low-level bit flipping, and even hardware design.

We aren’t going to cover any of that.

Most coverage of cryptography starts with a discussion of prime numbers and the complexity of factoring composite numbers. This is done with an eye toward guiding you through implementing RSA encryption. This chapter will instead attempt to dissuade you from ever implementing any cryptography whatsoever. We’ll see by example that implementing cryptography is too full of subtle mistakes for a newcomer to safely navigate.

We’ll study practical cryptography

To learn the subtleties and beauty of cryptography is a long, painstaking journey that is not the point of this chapter. Instead, let’s stand on the shoulders of giants and use high-level crypto libraries with safe defaults.

The reader in a hurry can skip this chapter and just use NaCl, libsodium, or Tink for encryption at rest. Use TLS 1.3 (or TLS 1.2 if you have legacy constraints) in a configuration that gets an A from SSL Labs for data in transit. Use scrypt, bcrypt, PBKDF2, or Argon2 for password hashing.

In the rest of this chapter, we’ll dive into the recommendations above. We’ll also talk about safe password practices, including some precautions to take to soften the blow in case an attacker should ever get access to our credentials.

---

In the next lesson, we’ll see why you shouldn’t roll your own crypto.