
Don’t Use Low-Level Crypto Libraries

Understand the risks of using low-level cryptographic libraries and the common pitfalls when configuring AES encryption. Learn why high-level libraries are safer and how to avoid mistakes like ECB mode misuse to maintain secure encryption practices.

Hopefully, we’re now in agreement that we shouldn’t roll our own crypto. It might seem that all we need to do is grab a low-level encryption library and start using its AES encryption and decryption functions. After all, that’s not “rolling our own crypto.”

Low-level libraries are easy to misconfigure

As we’ll see in this lesson, low-level encryption libraries present a lot of configuration choices that are easy to misuse.

For example, many low-level cryptography libraries provide support for outdated algorithms like MD5 and 3DES. And oftentimes, comparisons of libraries such as Wikipedia’s show supported algorithms in a way that makes it seem as though libraries with support for more algorithms are more fully featured.

Low-level libraries don’t provide guidance; instead, they force the developer to know which algorithms are safe to use. Even if the developer knows to choose a strong encryption algorithm like AES, low-level cryptography libraries still provide dangerous configuration choices. These choices include things like block mode and key size. Getting these choices wrong can result in a system that’s insecure. In contrast, a high-level encryption library is opinionated and makes these configuration choices for the developer. This makes a high-level encryption library ...