From 70d22ac2ebe678e208935c301addf41a03f68990 Mon Sep 17 00:00:00 2001
From: hvalkerie19 <61711715+hvalkerie19@users.noreply.github.com>
Date: Mon, 6 Feb 2023 15:43:47 -0700
Subject: [PATCH 1/5] Create 12-cryptography.livemd
draft template
---
modules/12-cryptography.livemd | 115 +++++++++++++++++++++++++++++++++
1 file changed, 115 insertions(+)
create mode 100644 modules/12-cryptography.livemd
diff --git a/modules/12-cryptography.livemd b/modules/12-cryptography.livemd
new file mode 100644
index 0000000..f362563
--- /dev/null
+++ b/modules/12-cryptography.livemd
@@ -0,0 +1,115 @@
+# ESCT: Part 12 - Cryptography (Draft)
+
+## Introduction
+
+> ### 🛠MODULE UNDER CONSTRUCTION - Please move to next module
+
+
+## Table of Contents
+
+* [Past and Present](#past-and-present)
+* [Types and Algorithms](#types-and-algorithms)
+* [Implementation in Modern Applications](#implementation-in-modern-applications)
+* [Related Concepts](#related-concepts)
+* [Security Concerns](#security-concerns)
+
+## Past and Present
+
+### Description
+
+Like many concepts/technologies in security, cryptography is not new. Centuries of devisings ways to send messages between and among
+known and trusted senders/receivers while making those messages unreadable for enemies or anyone else for whom the message is not intended.
+Secret codes, etc.
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+## Types and Algorithms
+
+### Description
+Different types depending on
+-how data gets chopped up to be encrypted
+-how many keys are involved in the encryption/decryption process
+-how the keys get generated/used (symmetric/asymmetric)
+-key size
+-number of cycles
+-for complex algorithms etc..
+
+Old (Cracked - don't use)
+DES,etc.
+
+Newer (Resilient/proven secure by industry)
+AES
+
+
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+## Implementation in Modern Applications
+
+### Description
+In-transit
+TLS/SSL
+SSH
+
+At rest
+Algorithms above
+
+Best practices for secure algorithms
+
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+## Related Concepts
+
+### Description
+
+Hash - Sometimes implemented alongside encryption but has a different purpose
+Digital Certificates - Application of cryptography/private keys
+Encoding - Can be confused because it is also a way to represent data that looks different from it's plaintext start
+
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+## Security Concerns
+
+Key Management
+Hardcoding keys in code
+Old/Cracked protocols
+
+Recommendations
+-Recommended algorithms
+-Sources for publishing notices when algorithms become cracked/obsolete and new
+
+### Example / Quiz
+
+*TODO: Make Example or Quiz Question*
+
+```elixir
+
+```
+
+[**<- Previous Module: Secure SDLC Concepts**](./3-ssdlc.livemd) || [**Next Module: Elixir Security ->**](./5-elixir.livemd)
From 3b88d2ee5e213a4fe0a4d81feaf554c8f1b332eb Mon Sep 17 00:00:00 2001
From: hvalkerie19 <61711715+hvalkerie19@users.noreply.github.com>
Date: Wed, 8 Feb 2023 10:43:53 -0700
Subject: [PATCH 2/5] Update 12-cryptography.livemd
---
modules/12-cryptography.livemd | 65 +++++++++++++++++++++++++++++++---
1 file changed, 61 insertions(+), 4 deletions(-)
diff --git a/modules/12-cryptography.livemd b/modules/12-cryptography.livemd
index f362563..341fc1d 100644
--- a/modules/12-cryptography.livemd
+++ b/modules/12-cryptography.livemd
@@ -40,16 +40,26 @@ Different types depending on
-number of cycles
-for complex algorithms etc..
+symmetric encryption - secret key - one key used for encryption and decrption . Use this for performance/efficiency
+--application
+asymmetric encrytion - aka public-key cryptography - two keys, one for encrypting one for decrpyting, one shared (pubic) one kept secret(private)
+--application digital signatures
+
Old (Cracked - don't use)
-DES,etc.
Newer (Resilient/proven secure by industry)
-AES
+AES - symmetric; CBC and GCM modes most secure
+Diffie-Hellman key exchange
+RSA
+TLS cipher suites
+[symmetric cryptography](https://developer.mozilla.org/en-US/docs/Glossary/Symmetric-key_cryptography)
+[NIST](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf)
### Example / Quiz
+
*TODO: Make Example or Quiz Question*
```elixir
@@ -68,10 +78,26 @@ Algorithms above
Best practices for secure algorithms
+Use those recommended by NIST -
+Progamming language frameworks have built in libraries.
+
+For elixir, ExCrypto module[ExCrypto](https://hexdocs.pm/ex_crypto/ExCrypto.html)
+
+Consider what needs to be encrypted - sensitive data or any other data that
+Data classification, regulatory implications that must be protected from unauthorized access/seeing
+
+Confidentiality
+
+For in-transit
+use HTTPS which implements encrpytion over a channel. Diffie-Hellman
+[Serving over HTTPS
+](https://hexdocs.pm/plug/https.html)
### Example / Quiz
*TODO: Make Example or Quiz Question*
+[
+](https://hexdocs.pm/plug/https.html)
```elixir
@@ -81,11 +107,20 @@ Best practices for secure algorithms
### Description
-Hash - Sometimes implemented alongside encryption but has a different purpose
+Hash - Sometimes implemented alongside encryption but has a different purpose;
+Cryptography used for confidentiality; keeping information secret except for intended receipient/audience. Hashes are used to ensure the
+integrity of the data, meaning ensuring from it's creation/generation to it's final state, it remains unmodified and untampered with.
+Hashes also used as a substitute for storing data in it's original form. A one way function that - compare starting hash from known good data, to end hash which will indicate changes. Hashing passwords is a common application. Comparing hashes to determine if correct password entered.
+Hash Algorithms - SHA1, SHA2, MD5 (obsolete) - follow recommendations from
+
+NIST [Approved Hash Algorithms](https://csrc.nist.gov/Projects/Hash-Functions)
+
Digital Certificates - Application of cryptography/private keys
-Encoding - Can be confused because it is also a way to represent data that looks different from it's plaintext start
+NIST
+[Erlang crypto module](https://elixir-lang.org/getting-started/erlang-libraries.html#the-crypto-module)
+
### Example / Quiz
*TODO: Make Example or Quiz Question*
@@ -104,6 +139,28 @@ Recommendations
-Recommended algorithms
-Sources for publishing notices when algorithms become cracked/obsolete and new
+Cryptographic Failures are the number two most common issue on the OWASP Top 10
+A02:2021 – Cryptographic Failures
+
+Related weaknesses include
+Notable Common Weakness Enumerations (CWEs) include CWE-327: Broken or Risky Crypto Algorithm, and CWE-331 Insufficient Entropy.
+
+All amount to data being inadvertently being sent in cleartext, sensitive data, the use of old, weak or custom cryptographic algorithms or protocols that are ineffective against attacker efforts to uncover keys, . Best practics is to never build your own crypto mechanisms. Use proven and secure:
+Secure Hashes: SHA-1 has been deprecated as of 2011 with a transition plan released in 2022. Recommenation to move towards orther families SHA256
+Secure Encryption Algorithms; AES is the current standard; secure modes must be emplemented
+AES-GCM, AES-CTR, AES-CBC, AESCCM (128, 192, 256-bit keys)
+For authentication/TLS RSA, DSA, and ECDSA with 128-bit
+security strength (for example, RSA with
+3072-bit or larger key)
+
+[
+](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf)[
+NIST](https://www.nist.gov/cryptography)
+[Encryption Standard](https://csrc.nist.gov/Projects/block-cipher-techniques)
+https://csrc.nist.gov/Projects/Hash-Functions
+[Elixir encryption, hashing, etc. Modules](https://elixir-lang.org/getting-started/erlang-libraries.html#the-crypto-module)
+[OWASP Top10](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)
+[Use TLS](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html)
### Example / Quiz
*TODO: Make Example or Quiz Question*
From 7699ef7f50d30fdc15d86acb1be1185787a6d40a Mon Sep 17 00:00:00 2001
From: hvalkerie19 <61711715+hvalkerie19@users.noreply.github.com>
Date: Thu, 9 Feb 2023 14:18:56 -0700
Subject: [PATCH 3/5] Update 12-cryptography.livemd
---
modules/12-cryptography.livemd | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/12-cryptography.livemd b/modules/12-cryptography.livemd
index 341fc1d..f65970d 100644
--- a/modules/12-cryptography.livemd
+++ b/modules/12-cryptography.livemd
@@ -40,9 +40,9 @@ Different types depending on
-number of cycles
-for complex algorithms etc..
-symmetric encryption - secret key - one key used for encryption and decrption . Use this for performance/efficiency
+symmetric encryption - secret key - one key used for encryption and decryption . Use this for performance/efficiency
--application
-asymmetric encrytion - aka public-key cryptography - two keys, one for encrypting one for decrpyting, one shared (pubic) one kept secret(private)
+asymmetric encryption - aka public-key cryptography - two keys, one for encrypting one for decrpyting, one shared (pubic) one kept secret(private)
--application digital signatures
Old (Cracked - don't use)
@@ -79,7 +79,7 @@ Algorithms above
Best practices for secure algorithms
Use those recommended by NIST -
-Progamming language frameworks have built in libraries.
+Programming language frameworks have built in libraries.
For elixir, ExCrypto module[ExCrypto](https://hexdocs.pm/ex_crypto/ExCrypto.html)
@@ -108,7 +108,7 @@ use HTTPS which implements encrpytion over a channel. Diffie-Hellman
### Description
Hash - Sometimes implemented alongside encryption but has a different purpose;
-Cryptography used for confidentiality; keeping information secret except for intended receipient/audience. Hashes are used to ensure the
+Cryptography used for confidentiality; keeping information secret except for intended recipient/audience. Hashes are used to ensure the
integrity of the data, meaning ensuring from it's creation/generation to it's final state, it remains unmodified and untampered with.
Hashes also used as a substitute for storing data in it's original form. A one way function that - compare starting hash from known good data, to end hash which will indicate changes. Hashing passwords is a common application. Comparing hashes to determine if correct password entered.
Hash Algorithms - SHA1, SHA2, MD5 (obsolete) - follow recommendations from
From 29edf8d3dd31d19d6884318295b2f3836ccc1a14 Mon Sep 17 00:00:00 2001
From: hvalkerie19 <61711715+hvalkerie19@users.noreply.github.com>
Date: Fri, 10 Feb 2023 08:31:14 -0700
Subject: [PATCH 4/5] Update 12-cryptography.livemd
---
modules/12-cryptography.livemd | 95 +++++++++++++---------------------
1 file changed, 37 insertions(+), 58 deletions(-)
diff --git a/modules/12-cryptography.livemd b/modules/12-cryptography.livemd
index f65970d..6eff482 100644
--- a/modules/12-cryptography.livemd
+++ b/modules/12-cryptography.livemd
@@ -1,59 +1,40 @@
-# ESCT: Part 12 - Cryptography (Draft)
+# ESCT: Part 12 - Cryptography
## Introduction
-> ### 🛠MODULE UNDER CONSTRUCTION - Please move to next module
-
-
-## Table of Contents
-
-* [Past and Present](#past-and-present)
-* [Types and Algorithms](#types-and-algorithms)
-* [Implementation in Modern Applications](#implementation-in-modern-applications)
-* [Related Concepts](#related-concepts)
-* [Security Concerns](#security-concerns)
-
-## Past and Present
-
-### Description
+Cryptography is the process of transforming information or data from it's original form into one that is unreadable by systems, tools, or people unless they have a key. The part of the process that converts source data/information into the unreadable version is called encryption. Reversing that process is called decryption.
Like many concepts/technologies in security, cryptography is not new. Centuries of devisings ways to send messages between and among
known and trusted senders/receivers while making those messages unreadable for enemies or anyone else for whom the message is not intended.
Secret codes, etc.
-### Example / Quiz
+Cryptography, like speaking or writing in code, is used whenever there something that needs to be kept secret in an environment where there are multiple other parties who could see or hear the secret but are not the intentended receiptient. The sender and receiver agree upon a code to exchange messages. Additionally, written notes can be stored and unless a reader has the code, won't know what the actual message is.
-*TODO: Make Example or Quiz Question*
+Cryptography is used throughout applications to protect sensitive information that while is needed for the operation of the application and it's components, is not intended to be openly shared. This module highlights how cryptography is applied
-```elixir
+## Table of Contents
-```
+* [Types and Algorithms](#types-and-algorithms)
+* [Implementation in Modern Applications](#implementation-in-modern-applications)
+* [Related Concepts](#related-concepts)
+* [Security Concerns](#security-concerns)
## Types and Algorithms
### Description
-Different types depending on
+
+There are two categories of cryptography, symmetric and asymmetric and within these categories, there are a variety of algorthims that are distinguished by
-how data gets chopped up to be encrypted
-how many keys are involved in the encryption/decryption process
-how the keys get generated/used (symmetric/asymmetric)
-key size
-number of cycles
--for complex algorithms etc..
-symmetric encryption - secret key - one key used for encryption and decryption . Use this for performance/efficiency
---application
-asymmetric encryption - aka public-key cryptography - two keys, one for encrypting one for decrpyting, one shared (pubic) one kept secret(private)
---application digital signatures
+In symmetric encryption, which is also called secret key encryption, a single key used for both encryption and decryption. Symmetric cryptography is bested used when performance and efficiency are important to the application component using/accessing the data to be secured.
-Old (Cracked - don't use)
+In asymmetric encryption, which is also called public-key cryptography, two related but separte keys are generated and then one is used for encrypting while the other for decrpyting. The keys include one that is meant to be shared (pubic key) and one that must always be kept secret(private) but in this public key infrastructure (PKI) system, both keys work to secure client-server interactions, secure VPN connectsion, certificates, digital signatures, and help ensure the technology and data in the system is only accessible by authenticated, and authorized entities with keys.
-Newer (Resilient/proven secure by industry)
-AES - symmetric; CBC and GCM modes most secure
-
-Diffie-Hellman key exchange
-RSA
-
-TLS cipher suites
+When selecting an algorithm, best practice is to never build your own, and to always use established and proven algorithms, vetted and recommended by industry experts like NIST.
[symmetric cryptography](https://developer.mozilla.org/en-US/docs/Glossary/Symmetric-key_cryptography)
[NIST](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf)
@@ -62,24 +43,32 @@ TLS cipher suites
*TODO: Make Example or Quiz Question*
-```elixir
+```
+Older ciphers/algorithms have been proven to be insecure usually due to the weakness of the mathematics invovled in the algorithm or due to the key lenght. Both of these can make it trivial for a malicious actor to decrypt information/data meant to be kept secret.
+
+Newer (Resilient/proven secure by industry)
+AES - symmetric; CBC and GCM modes most secure
+
+Diffie-Hellman key exchange
+RSA
```
## Implementation in Modern Applications
### Description
-In-transit
-TLS/SSL
-SSH
+Modern applications have many components that store, process, transmit a variety of information and data. Often that information/data consists of "secrets" or is otherwise sensitive. This includes things like personal information on customers, user credentials, of anything else application developers would like to keep secret.
+
+API keys, tokens, passwords and other credentials to access privileged components and features, senstivitve data (PII, healthcare), private keys, signing certificates, are all examples of information that should not be available for every users and indeed, kept internal to the organization.
+
+Much of this information is not static, however, and need sto be transmitted between client and server, stored in databases, used in source code and thus to secure this data, look to implement cryptography both at rest and in transit.
-At rest
-Algorithms above
+Using. cryptography to protect this information wherever it is in the application, sent between services, stored in databases, used in source code is the best way to ensure it's security and confidentiality.
-Best practices for secure algorithms
+In-transit, dnsure all requests/responses are sent using the secure version of the HTTP protocol, HTTPS. HTTP over TLS. Additionally, For remote access into development environments, SSH, VPN - for access to sensitive development environment internal to an organization/remote accessover a network.
+
+In elixir, https (enabled)
-Use those recommended by NIST -
-Programming language frameworks have built in libraries.
For elixir, ExCrypto module[ExCrypto](https://hexdocs.pm/ex_crypto/ExCrypto.html)
@@ -98,7 +87,7 @@ use HTTPS which implements encrpytion over a channel. Diffie-Hellman
*TODO: Make Example or Quiz Question*
[
](https://hexdocs.pm/plug/https.html)
-
+[Erlang crypto module](https://elixir-lang.org/getting-started/erlang-libraries.html#the-crypto-module)
```elixir
```
@@ -115,12 +104,6 @@ Hash Algorithms - SHA1, SHA2, MD5 (obsolete) - follow recommendations from
NIST [Approved Hash Algorithms](https://csrc.nist.gov/Projects/Hash-Functions)
-Digital Certificates - Application of cryptography/private keys
-
-
-NIST
-[Erlang crypto module](https://elixir-lang.org/getting-started/erlang-libraries.html#the-crypto-module)
-
### Example / Quiz
*TODO: Make Example or Quiz Question*
@@ -131,14 +114,6 @@ NIST
## Security Concerns
-Key Management
-Hardcoding keys in code
-Old/Cracked protocols
-
-Recommendations
--Recommended algorithms
--Sources for publishing notices when algorithms become cracked/obsolete and new
-
Cryptographic Failures are the number two most common issue on the OWASP Top 10
A02:2021 – Cryptographic Failures
@@ -153,7 +128,11 @@ For authentication/TLS RSA, DSA, and ECDSA with 128-bit
security strength (for example, RSA with
3072-bit or larger key)
-[
+Beware of hardcoding keys, private keys, in source code where they can be discovered by malicious actors. Avoid building your own crytographic mechanisms or using outdated protocols.
+
+Follow NIST Recommendations for configuring the most secure algorithms when building your applications and securing secrets and data.
+
+[Recommended algorithms
](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf)[
NIST](https://www.nist.gov/cryptography)
[Encryption Standard](https://csrc.nist.gov/Projects/block-cipher-techniques)
From 4670dfff95fddd54cf0a801796a45eae2276f8d9 Mon Sep 17 00:00:00 2001
From: hvalkerie19 <61711715+hvalkerie19@users.noreply.github.com>
Date: Fri, 10 Feb 2023 16:36:30 -0700
Subject: [PATCH 5/5] Update 12-cryptography.livemd
Ready for review
---
modules/12-cryptography.livemd | 82 ++++++++++------------------------
1 file changed, 24 insertions(+), 58 deletions(-)
diff --git a/modules/12-cryptography.livemd b/modules/12-cryptography.livemd
index 6eff482..c6d29c8 100644
--- a/modules/12-cryptography.livemd
+++ b/modules/12-cryptography.livemd
@@ -8,7 +8,7 @@ Like many concepts/technologies in security, cryptography is not new. Centuries
known and trusted senders/receivers while making those messages unreadable for enemies or anyone else for whom the message is not intended.
Secret codes, etc.
-Cryptography, like speaking or writing in code, is used whenever there something that needs to be kept secret in an environment where there are multiple other parties who could see or hear the secret but are not the intentended receiptient. The sender and receiver agree upon a code to exchange messages. Additionally, written notes can be stored and unless a reader has the code, won't know what the actual message is.
+Cryptography, like speaking or writing in code, is used whenever there something that needs to be kept secret in an environment where there are multiple other parties who could see or hear the secret but are not the intended recipient. The sender and receiver agree upon a code to exchange messages. Additionally, written notes can be stored and unless a reader has the code, won't know what the actual message is.
Cryptography is used throughout applications to protect sensitive information that while is needed for the operation of the application and it's components, is not intended to be openly shared. This module highlights how cryptography is applied
@@ -23,7 +23,7 @@ Cryptography is used throughout applications to protect sensitive information th
### Description
-There are two categories of cryptography, symmetric and asymmetric and within these categories, there are a variety of algorthims that are distinguished by
+There are two categories of cryptography, symmetric and asymmetric and within these categories, there are a variety of algorithms that are distinguished by:
-how data gets chopped up to be encrypted
-how many keys are involved in the encryption/decryption process
-how the keys get generated/used (symmetric/asymmetric)
@@ -32,7 +32,7 @@ There are two categories of cryptography, symmetric and asymmetric and within th
In symmetric encryption, which is also called secret key encryption, a single key used for both encryption and decryption. Symmetric cryptography is bested used when performance and efficiency are important to the application component using/accessing the data to be secured.
-In asymmetric encryption, which is also called public-key cryptography, two related but separte keys are generated and then one is used for encrypting while the other for decrpyting. The keys include one that is meant to be shared (pubic key) and one that must always be kept secret(private) but in this public key infrastructure (PKI) system, both keys work to secure client-server interactions, secure VPN connectsion, certificates, digital signatures, and help ensure the technology and data in the system is only accessible by authenticated, and authorized entities with keys.
+In asymmetric encryption, which is also called public-key cryptography, two related but separate keys are generated and then one is used for encrypting while the other for decrpyting. The keys include one that is meant to be shared (pubic key) and one that must always be kept secret(private) but in this public key infrastructure (PKI) system, both keys work to secure client-server interactions, secure VPN connectsion, certificates, digital signatures, and help ensure the technology and data in the system is only accessible by authenticated, and authorized entities with keys.
When selecting an algorithm, best practice is to never build your own, and to always use established and proven algorithms, vetted and recommended by industry experts like NIST.
@@ -41,35 +41,20 @@ When selecting an algorithm, best practice is to never build your own, and to al
### Example / Quiz
-*TODO: Make Example or Quiz Question*
-
-```
-Older ciphers/algorithms have been proven to be insecure usually due to the weakness of the mathematics invovled in the algorithm or due to the key lenght. Both of these can make it trivial for a malicious actor to decrypt information/data meant to be kept secret.
-
-Newer (Resilient/proven secure by industry)
-AES - symmetric; CBC and GCM modes most secure
-
-Diffie-Hellman key exchange
-RSA
-
-```
-
## Implementation in Modern Applications
### Description
Modern applications have many components that store, process, transmit a variety of information and data. Often that information/data consists of "secrets" or is otherwise sensitive. This includes things like personal information on customers, user credentials, of anything else application developers would like to keep secret.
-API keys, tokens, passwords and other credentials to access privileged components and features, senstivitve data (PII, healthcare), private keys, signing certificates, are all examples of information that should not be available for every users and indeed, kept internal to the organization.
-
-Much of this information is not static, however, and need sto be transmitted between client and server, stored in databases, used in source code and thus to secure this data, look to implement cryptography both at rest and in transit.
-
-Using. cryptography to protect this information wherever it is in the application, sent between services, stored in databases, used in source code is the best way to ensure it's security and confidentiality.
+API keys, database credentials, tokens, admin passwords and other credentials to access privileged components and features, senstivitve data (PII, healthcare), private keys, signing certificates, are all examples of information that should not be available for every users and indeed, kept internal to the organization.
-In-transit, dnsure all requests/responses are sent using the secure version of the HTTP protocol, HTTPS. HTTP over TLS. Additionally, For remote access into development environments, SSH, VPN - for access to sensitive development environment internal to an organization/remote accessover a network.
+To secure this data, look to implement cryptography both at rest and in transit.
-In elixir, https (enabled)
+In-transit, ensure all requests/responses are sent using the secure version of the HTTP protocol, HTTPS. HTTP over TLS. Additionally, For remote access into development environments, SSH, VPN - for access to sensitive development environment internal to an organization/remote accessover a network.
+### Example (Draft)
+```
For elixir, ExCrypto module[ExCrypto](https://hexdocs.pm/ex_crypto/ExCrypto.html)
Consider what needs to be encrypted - sensitive data or any other data that
@@ -82,13 +67,7 @@ use HTTPS which implements encrpytion over a channel. Diffie-Hellman
[Serving over HTTPS
](https://hexdocs.pm/plug/https.html)
-### Example / Quiz
-
-*TODO: Make Example or Quiz Question*
-[
-](https://hexdocs.pm/plug/https.html)
[Erlang crypto module](https://elixir-lang.org/getting-started/erlang-libraries.html#the-crypto-module)
-```elixir
```
@@ -96,42 +75,25 @@ use HTTPS which implements encrpytion over a channel. Diffie-Hellman
### Description
-Hash - Sometimes implemented alongside encryption but has a different purpose;
-Cryptography used for confidentiality; keeping information secret except for intended recipient/audience. Hashes are used to ensure the
-integrity of the data, meaning ensuring from it's creation/generation to it's final state, it remains unmodified and untampered with.
-Hashes also used as a substitute for storing data in it's original form. A one way function that - compare starting hash from known good data, to end hash which will indicate changes. Hashing passwords is a common application. Comparing hashes to determine if correct password entered.
-Hash Algorithms - SHA1, SHA2, MD5 (obsolete) - follow recommendations from
-
-NIST [Approved Hash Algorithms](https://csrc.nist.gov/Projects/Hash-Functions)
-
-### Example / Quiz
-
-*TODO: Make Example or Quiz Question*
-
-```elixir
+Hashing is sometimes implemented alongside encryption but has a different purpose. Cryptography used for confidentiality; keeping information secret except for intended recipient/audience.
-```
+Hashes are used to ensure the integrity of the data, meaning ensuring from it's creation/generation to it's final state, it remains unmodified and untampered with. Hash algorithms are one way functions that - compare starting hash from known good data, to end hash which will indicate changes. Hashing passwords is a common application. Comparing hashes to determine if correct password entered.
+Hash Algorithms - SHA1, SHA2, MD5 (obsolete) - follow recommendations from NIST [Approved Hash Algorithms](https://csrc.nist.gov/Projects/Hash-Functions)
## Security Concerns
-Cryptographic Failures are the number two most common issue on the OWASP Top 10
-A02:2021 – Cryptographic Failures
-
-Related weaknesses include
-Notable Common Weakness Enumerations (CWEs) include CWE-327: Broken or Risky Crypto Algorithm, and CWE-331 Insufficient Entropy.
+Cryptographic Failures are the number two most common issue on the OWASP Top 10 A02:2021 – Cryptographic Failures
-All amount to data being inadvertently being sent in cleartext, sensitive data, the use of old, weak or custom cryptographic algorithms or protocols that are ineffective against attacker efforts to uncover keys, . Best practics is to never build your own crypto mechanisms. Use proven and secure:
-Secure Hashes: SHA-1 has been deprecated as of 2011 with a transition plan released in 2022. Recommenation to move towards orther families SHA256
-Secure Encryption Algorithms; AES is the current standard; secure modes must be emplemented
-AES-GCM, AES-CTR, AES-CBC, AESCCM (128, 192, 256-bit keys)
-For authentication/TLS RSA, DSA, and ECDSA with 128-bit
-security strength (for example, RSA with
-3072-bit or larger key)
+Related weaknesses include CWE-327: Broken or Risky Crypto Algorithm, and CWE-331 Insufficient Entropy.
-Beware of hardcoding keys, private keys, in source code where they can be discovered by malicious actors. Avoid building your own crytographic mechanisms or using outdated protocols.
+Most of the concerns around cytography amount to data being inadvertently being sent in cleartext, sensitive data, the use of old, weak or custom cryptographic algorithms or protocols that are ineffective against attacker efforts to uncover keys, . Best practics is to never build your own crypto mechanisms. Use proven and secure methods like the following:
+-Secure Hashes: SHA-1 has been deprecated as of 2011 with a transition plan released in 2022. Recommenation to move towards orther families SHA256
+-Secure Encryption Algorithms; AES is the current standard; secure modes must be emplemented
Follow NIST Recommendations for configuring the most secure algorithms when building your applications and securing secrets and data.
+Beware of hardcoding keys, private keys, in source code where they can be discovered by malicious actors. Avoid building your own crytographic mechanisms or using outdated protocols.
+
[Recommended algorithms
](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf)[
NIST](https://www.nist.gov/cryptography)
@@ -142,10 +104,14 @@ https://csrc.nist.gov/Projects/Hash-Functions
[Use TLS](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html)
### Example / Quiz
-*TODO: Make Example or Quiz Question*
+**(True or False) You should build your own encryption from scratch.**
+*Uncomment the line with your answer
-```elixir
+```
+# answer = True
+# answer = False
+IO.puts(answer)
```
[**<- Previous Module: Secure SDLC Concepts**](./3-ssdlc.livemd) || [**Next Module: Elixir Security ->**](./5-elixir.livemd)