Skip to main content

Encryption - practicum


Encryption Primer

When we specify that things need to be encrypted, it usually means we need to keep those things secret. Encryption in this sense encompasses all the ways to protect information, including public key encryption, cryptographic hashing, digital signatures as well as all the things that support it such as security certificates and key management.

Working in a React Native, NodeJS/NPM, JS/ES6 environment, there are many more things to think about than simply calling the OS encryption library and feeling pretty good that's handled.

This page is meant to list the available options, applicability to various tasks and the supporting infrastructure required when you need to encrypt meaningful data. An important criteria in evaluating a crypto library is any validation or approval from a standards body. Anybody can implement and publish a npm crypto library, implementing standard cryptographic algorithms - but there is no guarantee with most that they are correctly done.

Here is a viewpoint on that from Bruce Schneier: https://www.schneier.com/essays/archives/1999/03/cryptography_the_imp.html    

Platform
Library
Encryption
Algorithms
Cryptographic
Hash
Notes
Javascript
 Stanford Javascript Crypto Library
SJCL
AES 128, 192, 256 bit
 SHA256,
HMAC		 Published, NSF Funded, NIST Approved (?)
https://crypto.stanford.edu/sjcl/
Javascript
CryptoJS
AES
SHA256
 No papers - no published validations
https://www.npmjs.com/package/crypto-js
Apple iOS7, iOS8, iOS9
Apple iOS CoreCrypto Module
AES,
SHA256
NIST Approved
React Native React-native-crypto

sha1, sha224, sha256, sha384,
sha512, md5, rmd160		 React Native library that implements Nodejs Crypto Module
https://www.npmjs.com/package/react-native-crypto
Android
JavaX Crypto


https://developer.android.com/reference/javax/crypto/package-summary.html

Key Management


Very often the use of cryptography involves the use of secret keys of various sorts (passwords for instance). Key management is the process of keeping these secrets safe from prying eyes while using then to protect other secrets - for instance it's better to let a key-store system handle the key you use for AES encryption, rather than embedding it in your source code. 

Node-jose is a javascript, node based key management library with good activity and implements JOSE (Javascript Object Signing and Encryption) on node, with many corollary client libraries for use in React Native - https://www.npmjs.com/package/node-jose

React-Native-Keychain is a library to access the mobile device's underlying keychain infrastructure on Android and iOS - https://github.com/oblador/react-native-keychain
  

Resources:

List of JS Crypto Libraries: https://gist.github.com/jo/8619441
NIST Approved AES libraries: https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/Validation-List/AES


Labels:

Comments

Post a Comment

Popular posts from this blog

You don't really know who you're talking to online...

The following is a story that I think highlights the assumptions that get you into trouble online... https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media This is particularly scary since we found so much utility in online connections during the pandemic and out of necessity, started trusting more online. Please note the timeline for this breach - it was a long, slow process, a key factor in many 'cons'. "Build trust" is a key first step, once someone has identified you as a party. You think...you're convinced you know who your talking to, but if you don't triangulate the identity with some non-online, ideally in-person information, you shouldn't trust. And even if you do get what seems like real-life confirmations of identity, you must look at questioning motives, needs, and keeping danger at arms-length. Online includes email, texting (sms), application chatbots, voice communicati...
Post a Comment
Read more

Threat Modeling Manifesto

Secure Your Code with Threat Modeling As a software developer, security should be a top priority. By proactively identifying and addressing potential vulnerabilities, you can significantly reduce the risk of breaches and data loss. What is Threat Modeling?   Threat modeling is a systematic approach to identifying, assessing, and mitigating security threats. It involves looking at your system from a hacker's perspective to uncover weaknesses and devise strategies to protect against attacks. See the  OWASP Cheat Sheet   Why is Threat Modeling Important? Proactive Security: By anticipating potential threats, you can take steps to prevent them. Risk Mitigation: Identify and address vulnerabilities before they can be exploited. Regulatory Compliance: Adhere to industry standards and regulations. Enhanced Security Posture: Strengthen your overall security posture. How to Get Started with Threat Modeling   The Threat Modeling Manifesto provides a valuable framewor...
Post a Comment
Read more

Where threat modeling can shine - an example from the EU MDCG-2019

From the  EU  MDCG 2019-16 Guidance on Cybersecurity for medical devices, December 2019 , this is the guidance on foreseeable risks.  Medical device manufacturers should ensure that a medical device is designed and manufactured in a way that ensures that the risks associated with reasonably foreseeable environmental conditions are removed or minimised. This may include the infield monitoring of the software’s vulnerabilities and the possibility to perform a device update (outside the context of a field safety corrective action) through, for example delivering patches to ensure the continued security of the device. During the risk management process, the manufacturer should foresee or evaluate the potential exploitation of those vulnerabilities that may be a result of reasonably foreseeable misuse. This, however, may depend on the specific situation. For example, using an unsecured memory-stick to enter data into a medical IT system can be considered “reasonably foreseeabl...
Post a Comment
Read more