Faux' blog

Repetitive crypto miscellany

HTTPS (HTTP over TLS) is the most accessible form of encryption for end users. It protects against real annoyances and attacks. I believe it's probably the most important thing to advocate, even among developers.

• Paranoid internet user? Google and DuckDuckGo will run your search results over TLS. Some websites, like Facebook, allow you to specify that you always want to use HTTPS. You should.
• Want more? HTTPS Everywhere is a Chrome/Firefox extension that tries to upgrade your connection to HTTPS on any website where it's available.
• Host a website? HTTPS (HTTP over TLS) is free, easy to set up and isn't CPU intensive any more (for typical sites). While you're there, enable HTTP STS.
• Yes, CAs sucking ruins some of this.

Cryptography, contrary to what you may have heard, is easy:

• Data at rest?GPG. Data in motion? TLS.
• You never, ever, ever want to use a "hash function" or a "cipher" directly. Ever.
• Storing details about passwords? "Oh, I'll hash them with a hash function? Lots!" No. Use PBKDF2 (with 50,000 or more iterations), bcrypt or scrypt.
• Offering any kind of integrity, oh, I'll use a hash function? No. HMAC.

Rough overview of primitive deprecation:

• MD5 has been deprecated for all uses since last century. Why do people still use it for anything? Please mock anyone who does.
• SHA-1 (from 1995) has been deprecated for most uses since 2010. Please don't use it for anything new, and start migrating away from it.
• RC4 was designed in 1987 (25 years ago!), but is still supported everywhere because Windows XP (2001 technology) doesn't support AES for TLS. It has no other advantages.
• Don't compromise security for speed. Why bother, if it's not going to be secure? Don't use old benchmarks for your decisions. My five year old computer is about twice as fast as that. Run real benchmarks, yourself. Want something actually fast? Use Salsa20/X.
• Basically: SHA-2 (or 3!), AES (in CBC or CTR mode) or, if you're desperate, Salsa20.

Rough overview of key recommendations:

• 2⁸⁰ security: 160-bit SHA-1, 1024-bit modulus on public keys (thanks, GNFS), 160-bit EC keys. Attacking 2⁸⁰ combinations could plausibly be done in a human lifespan on a supercomputer or two; not enough.
• 2¹¹² security: 2048-bit modulus on public keys, currently believed to be okay until 2020-2030.
• 2¹²⁸ security: 256-bit SHA-2, 256-bit EC keys, 3096-bit modulus on public keys, etc. are likely to be fine for the foreseeable future.
• 2²⁵⁶ security: 512-bit SHA-2, 512-bit EC keys, 15360-bit modulus on public keys. That's a big step up.
• 128-bit AES falls somewhere into the middle, i.e. use 192-bit AES after 2020.
• Note that these dates are when you expect your data to still be relevant, or your system in use; not when you plan to design or release the thing.