Skip to main content

Encryption - practicum


Encryption Primer

When we specify that things need to be encrypted, it usually means we need to keep those things secret. Encryption in this sense encompasses all the ways to protect information, including public key encryption, cryptographic hashing, digital signatures as well as all the things that support it such as security certificates and key management.

Working in a React Native, NodeJS/NPM, JS/ES6 environment, there are many more things to think about than simply calling the OS encryption library and feeling pretty good that's handled.

This page is meant to list the available options, applicability to various tasks and the supporting infrastructure required when you need to encrypt meaningful data. An important criteria in evaluating a crypto library is any validation or approval from a standards body. Anybody can implement and publish a npm crypto library, implementing standard cryptographic algorithms - but there is no guarantee with most that they are correctly done.

Here is a viewpoint on that from Bruce Schneier: https://www.schneier.com/essays/archives/1999/03/cryptography_the_imp.html    

Platform
Library
Encryption
Algorithms
Cryptographic
Hash
Notes
Javascript
 Stanford Javascript Crypto Library
SJCL
AES 128, 192, 256 bit
 SHA256,
HMAC		 Published, NSF Funded, NIST Approved (?)
https://crypto.stanford.edu/sjcl/
Javascript
CryptoJS
AES
SHA256
 No papers - no published validations
https://www.npmjs.com/package/crypto-js
Apple iOS7, iOS8, iOS9
Apple iOS CoreCrypto Module
AES,
SHA256
NIST Approved
React Native React-native-crypto

sha1, sha224, sha256, sha384,
sha512, md5, rmd160		 React Native library that implements Nodejs Crypto Module
https://www.npmjs.com/package/react-native-crypto
Android
JavaX Crypto


https://developer.android.com/reference/javax/crypto/package-summary.html

Key Management


Very often the use of cryptography involves the use of secret keys of various sorts (passwords for instance). Key management is the process of keeping these secrets safe from prying eyes while using then to protect other secrets - for instance it's better to let a key-store system handle the key you use for AES encryption, rather than embedding it in your source code. 

Node-jose is a javascript, node based key management library with good activity and implements JOSE (Javascript Object Signing and Encryption) on node, with many corollary client libraries for use in React Native - https://www.npmjs.com/package/node-jose

React-Native-Keychain is a library to access the mobile device's underlying keychain infrastructure on Android and iOS - https://github.com/oblador/react-native-keychain
  

Resources:

List of JS Crypto Libraries: https://gist.github.com/jo/8619441
NIST Approved AES libraries: https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/Validation-List/AES


Labels:

Comments

Post a Comment

Popular posts from this blog

Unit Testing - What to Test

This I wrote to answer a question that came up when we were discussing our software process and I was training developers on how to unit test. It seems a simple enough question, but I kept pondering it and delving deeper until I realized I needed to write this monograph. What unit tests should we write? How do we know what to test? Ideally, unit tests should cover every path through the code. It should be your chance to see every path through your code works as expected and as needed. If you are practicing Test Driven Development then it's implied everything gets a test. In the real world, you might not be allowed to test everything - for instance, if the testing suite ends up taking a week to run, then the world will have changed by the time it finishes and the test results will be obsolete. Unit testing at it's basic is testing an object, a method - the smallest unit of your code that it can test independently. It should test the inputs "goes into" an
Post a Comment
Read more

Healthcare and Health Informatics Glossary

Here is a glossary of terms useful in Healthcare and Health Informatics ACO (Accountable Care Organization) MEDICARE’s outcomes-based contracting approach Arden Syntax an approach to specifying medical knowledge and clinical decision support rules in a form that is independent of any EHR and thus sharable across hospitals ARRA (American Recovery and Reconstruction Act) the Obama administration’s 2009 economic stimulus bill Blue Button an ASCII text based standard for heath information sharing first introduced by the Veteran’s Administration to facilitate access to records stored in VistA by their patients. The newer Blue Button + format provides both human and machine readable formats. CCD (Continuity of Care Document) an XML-based patient summary based on the CDA architecture CCOW (Clinical Context Object Workshop) an HL7 standard for synchronizing and coordinating applications to automatically follow the patient, user (and other) contexts to allow the clinical u
2 comments
Read more

Files as UI

Files as UI vs API  -  compares attributes of iCloud vs Dropbox. It starts on an interesting note - the model of a file system in the UI is dying, and should be let go. Beyond that it looks at mappings of each system to a file system from an API point of view and compares the successes of each. I find the initial thread the most interesting. Drop the mental model of a file system - which maps virtual concepts of files and directories to a physical model of papers, folders and file cabinets - and replace it with...what? This is a paradigm shift for me. I have to admit, I loath, hate, nay, despise looking for things. If I can't find something easily, it's only about a minute before I start growling and muttering things my mother would disapprove of. On this basis, I like the idea that I can save myself from thinking about where to put things or, where I have already put them. But how do we do this? It's non-trivial, since humans think of "things" and once they
2 comments
Read more