As a developers, you’ve decided to encrypt your data, either because it’s a requirement that’s come down from management and customers, or just because it’s the right thing to do. If you’re like many developers, you’ve done some preliminary research into the encryption tools available for your language or platform and realized that the APIs are vague, the terminology is opaque, the RFPs are overly specific, and that stack overflow has a lot of really bad advice. That’s why we wrote this guide to encryption for developers.
Jump to an Article:
- Why Encrypt Data in an Application? Save money in a data breach
- Cryptographic Access Control for True Policy Enforcement
- Encryption is Hard for Developers to Get Right
- Encryption Core Concepts: Adding Crypto to your System
- Strong attackers: Planning for the Adversary
- End-to-end encryption is the gold standard: Why HTTPS is not enough
- Key Management Should Be Designed First Not Last
This guide aims to be a light in the darkness. It won’t necessarily tell you whether you’re headed in the right direction; only your specific requirements and security goals can tell you that. But at least it can illuminate the path a bit so you can see where you’re going. No matter your requirements, security goals, or compliance needs, this is an essential guide to encryption for developers.
This series covers the following areas, with more to come soon:
- Why should you use encryption in the first place? Believe it or not, this is one of the most common questions we get asked. In short, it will save you money and it will protect your users. Read more.
- We’ll discuss the challenges you’ll face when developing an encryption system, why cryptography is different and harder than a lot of other application areas, and what’s behind the well-worn admonition to “never build it yourself”? Read More.
- A strong attacker model is critical for having the right mindset when building cryptographic systems. In this article, we discuss how developers should imagine their attacker, and how access control figures into all this. Read More.
- Then we’ll move on to the core concepts of cryptography that every developer should know. Symmetric, Asymmetric, RSA, ECC, AES, and many the other Three Letter Acronyms (TLAs) that you’ll encounter. Read More.
- Why end-to-end encryption is the gold standard for security, and what challenges are you likely to encounter when you build it into your system. This is a focus area for Tozny’s work, so we’ll cover it in detail. Read More.
- Key Management is as hard or harder to get right than the core algorithms and approaches. How can we use hardware and good processes to protect our keys? Read More.
- Web browsers raise particular considerations, both for correct HTTPS implementations and how to appropriately do browser-based encryption. In this section, we’ll also cover how standard web vulnerabilities like CSRF can undermine good cryptography.
- Let’s not forget about the users. Cryptographic systems can impact the user experience in good ways, bad ways, and potentially catastrophic ways. In this section, we explore the trade-off between confidentiality and availability.
- Secure computation, whether using homomorphic methods, hardware enclaves, or encryption plus isolation.
- Using Encryption for Privacy, not just security.