Skip to main content

Encryption - practicum


Encryption Primer

When we specify that things need to be encrypted, it usually means we need to keep those things secret. Encryption in this sense encompasses all the ways to protect information, including public key encryption, cryptographic hashing, digital signatures as well as all the things that support it such as security certificates and key management.

Working in a React Native, NodeJS/NPM, JS/ES6 environment, there are many more things to think about than simply calling the OS encryption library and feeling pretty good that's handled.

This page is meant to list the available options, applicability to various tasks and the supporting infrastructure required when you need to encrypt meaningful data. An important criteria in evaluating a crypto library is any validation or approval from a standards body. Anybody can implement and publish a npm crypto library, implementing standard cryptographic algorithms - but there is no guarantee with most that they are correctly done.

Here is a viewpoint on that from Bruce Schneier: https://www.schneier.com/essays/archives/1999/03/cryptography_the_imp.html    

Platform
Library
Encryption
Algorithms
Cryptographic
Hash
Notes
Javascript
 Stanford Javascript Crypto Library
SJCL
AES 128, 192, 256 bit
 SHA256,
HMAC		 Published, NSF Funded, NIST Approved (?)
https://crypto.stanford.edu/sjcl/
Javascript
CryptoJS
AES
SHA256
 No papers - no published validations
https://www.npmjs.com/package/crypto-js
Apple iOS7, iOS8, iOS9
Apple iOS CoreCrypto Module
AES,
SHA256
NIST Approved
React Native React-native-crypto

sha1, sha224, sha256, sha384,
sha512, md5, rmd160		 React Native library that implements Nodejs Crypto Module
https://www.npmjs.com/package/react-native-crypto
Android
JavaX Crypto


https://developer.android.com/reference/javax/crypto/package-summary.html

Key Management


Very often the use of cryptography involves the use of secret keys of various sorts (passwords for instance). Key management is the process of keeping these secrets safe from prying eyes while using then to protect other secrets - for instance it's better to let a key-store system handle the key you use for AES encryption, rather than embedding it in your source code. 

Node-jose is a javascript, node based key management library with good activity and implements JOSE (Javascript Object Signing and Encryption) on node, with many corollary client libraries for use in React Native - https://www.npmjs.com/package/node-jose

React-Native-Keychain is a library to access the mobile device's underlying keychain infrastructure on Android and iOS - https://github.com/oblador/react-native-keychain
  

Resources:

List of JS Crypto Libraries: https://gist.github.com/jo/8619441
NIST Approved AES libraries: https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/Validation-List/AES


Labels:

Comments

Post a Comment

Popular posts from this blog

Let's Not Mess Around with Security on our Personal Systems Either!

Essential Security Practices for Your Personal Systems Ensuring a minimal level of cybersecurity, privacy, and availability on your personal systems means you need to manage the following essential practices. This is a brief overview of recommendations from sources like CISA, NSA, etc., focused on personal laptop, phone, and other systems' security. Anti-virus  I've found you'll get the best anti-virus protection and usability from a paid product - I've always had good luck with Norton labeled products. If you are looking for current vendor offerings see:  https://www.pcmag.com/picks/the-best-antivirus-protection Regardless of whether you choose to use a commercial product or open-source anti-virus tool, it is absolutely something you need to use. This is the minimally needed level of system security. Once installed, ideally, it should be invisible until there's a security problem it can't prevent or solve.   Backups You need to have at least a minimal level of ...
Post a Comment
Read more

RACI, Cybersecurity and NICE Framework

The NICE framework from a RACI point of view The NICE framework ( NIST SP 800-181 rev. 1) established a standard approach for describing cybersecurity work, in order to help stakeholders share a common language and ideally improve how to identify, recruit, develop and retain talent. It breaks down cybersecurity work role categories into: Oversight and Governance; Design and Development; Implementation and Operation; Protection and Defense; Investigation.  Which is very cybersecurity-centric and not related to common tools for project management within companies. Especially smaller enterprises that do not have dedicated people to mange and coordinate cybersecurity needs. A  RACI chart  is   a project management tool used to define and clarify roles and responsibilities within a project team.   It stands for Responsible, Accountable, Consulted, and Informed, and visually represents who is responsible for what, who is accountable for the outcome, who needs to be c...
Post a Comment
Read more

Typescript - It might not be easier, but but it's surely different

Typescript is a statically typed language, that is a superset of JavaScript. I've had the discussions and debates about that aspect of the language. I am all for static typing. Any way my tools can help me be better is alright by me. So I avoid the ' any ' type designation and make sure I have guards on ' unknown ' types, as much as I can.  Any  does not carry any useful type information, while unknown does, and allows it to enforce type checking.  Anything can be assigned to a variable of type unknown , but an unknown value cannot be assigned to variables of other types without explicit type assertion or narrowing. Similarly, no operations are permitted on an unknown value until its type is refined. This behavior ensures type safety and prevents runtime errors. (Refined with help from google). I bring this up because I was arguing with the compiler recently because I'd assumed both made no use on any type information in any circumstance - because I haven't ...
Post a Comment
Read more