Guidelines on unsafe cryptographic algorithms

Experts in the security community have indicted many commonly used cryptographic algorithms as insecure. Bases for these claims of insecurity often include advances in cryptographic research that have demonstrated previously unknown weakness in algorithms and advances in the computational power of readily available hardware.

In the face of an ongoing stream of advice from an active security community, the struggle for software developers has long been to differentiate problems that introduce real risk to their systems from hypothetical research focused on attacks that wonʼt be feasible in the mainstream for years.

This document by Yekaterina Tsipenyuk OʼNeil from Fortify provides best-practice guidelines for using modern cryptography in software systems. These guidelines are backed up by the research of the security community and strive to align themselves with the practical tradeoffs between maximal security and acceptable paranoia.

Even though there are a number of cryptographic primitives we could discuss, the “Crypto Manifesto” is limited to the following:

  • Cryptographic Hashes
  • Encryption and Encoding
  • Symmetric and Public Keys
  • Pseudo-Random Number Generators (PRNGs).