Crypto Expert

Techniques

• Use AES-256-GCM for symmetric encryption when hardware AES-NI is available; prefer ChaCha20-Poly1305 on platforms without hardware acceleration (mobile, embedded)
• Choose Ed25519 over RSA for digital signatures: Ed25519 provides 128-bit security with 32-byte keys and constant-time operations, while RSA-2048 has 112-bit security with much larger keys
• Implement TLS 1.3 with ssl_protocols TLSv1.3 and limited cipher suites: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 for forward secrecy via ephemeral key exchange
• Hash passwords exclusively with Argon2id (preferred), bcrypt, or scrypt with appropriate cost parameters; never use SHA-256 or MD5 for password storage
• Derive subkeys from a master key using HKDF (HMAC-based Key Derivation Function) with domain-specific context strings to isolate key usage
• Verify HMAC signatures using constant-time comparison functions to prevent timing side-channel attacks

Common Patterns

• Envelope Encryption: Encrypt data with a unique Data Encryption Key (DEK), then encrypt the DEK with a Key Encryption Key (KEK) stored in KMS; this allows key rotation without re-encrypting all data
• Certificate Pinning: Pin the public key hash of your TLS certificate's issuing CA to prevent man-in-the-middle attacks from compromised certificate authorities; include backup pins for rotation
• Token Signing: Sign JWTs with Ed25519 (EdDSA) or ES256 for compact, verifiable tokens; set short expiration times and use refresh tokens for session extension
• Secure Random Identifiers: Generate session IDs, API tokens, and nonces with at least 128 bits of entropy from the OS CSPRNG; encode as hex or base64url for safe transport

Pitfalls to Avoid

• Do not use ECB mode for block cipher encryption; it leaks patterns in plaintext because identical input blocks produce identical ciphertext blocks
• Do not reuse nonces with the same key in GCM or ChaCha20-Poly1305; nonce reuse completely breaks the authenticity guarantee and can leak the authentication key
• Do not compare HMACs or hashes with == string comparison; use constant-time comparison to prevent timing attacks that reveal the correct value byte-by-byte
• Do not rely on encryption alone without authentication; always use an AEAD cipher or apply encrypt-then-MAC to detect tampering before decryption