Hacker News new | past | comments | ask | show | jobs | submit login

"If you find yourself typing the letters A-E-S into your code, you're doing it wrong". Obviously moreso if you're typing D-E-S.

We give our clients a very simple recommendation when it comes to encrypting things:

* If you're encrypting data in motion, rely on SSL.

* If you're encrypting data at rest, rely on PGP/GPG.

There are plenty of libraries that will GPG a blob for you, and you can assume GPG got all the details right. That would have been the right call here (as opposed to figuring out CBC and --- importantly, for someone who is still fetishizing "salts" in 2009 --- how to safely set an IV).




That just isn't true.

As an obvious counter example, asymmetric encryption (gpg,et. al) is very slow. Which means that if I need to encrypt a lot of data at rest it sometimes makes sense to use a symmetric cipher.

Security (even just the subdomain of encryption) isn't that easy - there is no one-size-fits all solution.


GPG is a program. It isn't an algorithm. Consider reading it before you propose alternatives, which are likely to be broken.

Like I posted upthread, there's a laundry list of things that program is going to give you besides picking a better algorithm than "Triple DES" and a better block cipher mode. But listing them is just begging for a bunch of people to propose wack-ass alternative solutions that other people will feel obliged to waste time knocking down.


The tiny exception to tptacek's rule is

* you know specifically why SSL/GPG falls short of your requirements

* you realize that algorithms are only a single part of crypto system design

* you know the exact security ramifications of the details (not just "ecb is bad")

* the encryption capabilities are the critical aspect of your whole system (like freenet)

AND

* you accept that your implementation will be broken (at least) several times

But indeed if you know these things, you know that "use SSL/GPG" is good canonical advice.


gpg can do symmetric encryption:

http://www.gnupg.org/documentation/manuals/gnupg/Operational...

There are a few algorithms to choose from.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: