From 89f93d0f6f4f86b1150c33b99e1d69d4b586a7ab Mon Sep 17 00:00:00 2001 From: rpriven <74690648+rpriven@users.noreply.github.com> Date: Tue, 15 Apr 2025 00:13:39 -0600 Subject: [PATCH] Create crypto-reference.md --- cryptography/crypto-reference.md | 95 ++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 cryptography/crypto-reference.md diff --git a/cryptography/crypto-reference.md b/cryptography/crypto-reference.md new file mode 100644 index 0000000..4d27806 --- /dev/null +++ b/cryptography/crypto-reference.md 
@@ -0,0 +1,95 @@ +# Cryptography Cheatsheet + +| Category | Algorithm/Method | Description | Example Usage | Security Level | +|----------|------------------|-------------|--------------|----------------| +| **Symmetric Encryption** ||||| +| Block Ciphers | AES-256 | Advanced Encryption Standard | `openssl enc -aes-256-cbc -in plain.txt -out encrypted.bin` | Strong (Recommended) | +| | AES-128 | AES with 128-bit key | `openssl enc -aes-128-cbc -in plain.txt -out encrypted.bin` | Adequate | +| | 3DES | Triple Data Encryption Standard | `openssl enc -des3 -in plain.txt -out encrypted.bin` | Legacy (Avoid) | +| Stream Ciphers | ChaCha20 | Modern stream cipher | `openssl enc -chacha20 -in plain.txt -out encrypted.bin` | Strong | +| | RC4 | Rivest Cipher 4 | `openssl enc -rc4 -in plain.txt -out encrypted.bin` | Broken (Avoid) | +| Operation Modes | GCM | Galois/Counter Mode (authenticated) | `openssl enc -aes-256-gcm -in plain.txt -out encrypted.bin` | Strong (Recommended) | +| | CBC | Cipher Block Chaining | `openssl enc -aes-256-cbc -in plain.txt -out encrypted.bin` | Adequate with proper IV | +| | ECB | Electronic Codebook | `openssl enc -aes-256-ecb -in plain.txt -out encrypted.bin` | Weak (Avoid) | +| | CTR | Counter Mode | `openssl enc -aes-256-ctr -in plain.txt -out encrypted.bin` | Strong with unique nonce | +| **Asymmetric Encryption** ||||| +| Key Exchange | RSA-2048+ | Rivest-Shamir-Adleman | `openssl genrsa -out private.pem 4096` | Strong (≥2048 bits) | +| | ECC (P-256) | Elliptic Curve Cryptography | `openssl ecparam -genkey -name prime256v1 -out ecc.key` | Strong (≥256 bits) | +| | DH | Diffie-Hellman | `openssl dhparam -out dhparams.pem 2048` | Strong (≥2048 bits) | +| | ECDH | Elliptic Curve Diffie-Hellman | Used in TLS handshakes | Strong | +| Modern Standards | X25519 | Curve25519 for key exchange | Used in Signal Protocol | Very Strong | +| | Ed25519 | Edwards-curve for signatures | `ssh-keygen -t ed25519` | Very Strong | +| **Hashing Algorithms** 
||||| +| Modern | SHA-256 | Secure Hash Algorithm 256-bit | `openssl dgst -sha256 file.txt` | Strong | +| | SHA-3 | Secure Hash Algorithm 3 | `openssl dgst -sha3-256 file.txt` | Very Strong | +| | BLAKE2 | Fast secure hash function | `b2sum file.txt` | Very Strong | +| Legacy | SHA-1 | Secure Hash Algorithm 1 | `openssl dgst -sha1 file.txt` | Broken (Avoid) | +| | MD5 | Message Digest 5 | `openssl dgst -md5 file.txt` | Broken (Avoid) | +| Password Hashing | Argon2id | Memory-hard function | `argon2 password -id -t 3 -m 16 -p 4` | Strongest (Recommended) | +| | bcrypt | Blowfish-based hash | `htpasswd -B -C 12 passfile user` | Strong | +| | PBKDF2 | Key derivation function | `openssl pkeyutl -kdf PBKDF2` | Adequate (high iterations) | +| | Scrypt | Memory-hard function | `scrypt password salt 16384 8 1 32` | Strong | +| **Message Authentication** ||||| +| HMAC | HMAC-SHA256 | Hash-based Message Authentication | `openssl dgst -sha256 -hmac "key" file.txt` | Strong | +| Authenticated Encryption | AES-GCM | Encryption with built-in auth | `openssl enc -aes-256-gcm -in file.txt` | Strong (Recommended) | +| | ChaCha20-Poly1305 | Authenticated stream cipher | Used in TLS 1.3 | Strong (Recommended) | +| **Digital Signatures** ||||| +| RSA-based | RSA-PSS | Probabilistic Signature Scheme | `openssl dgst -sha256 -sign key.pem -sigopt rsa_padding_mode:pss file` | Strong | +| | PKCS#1 v1.5 | Traditional RSA signature | `openssl dgst -sha256 -sign key.pem file` | Adequate | +| EC-based | ECDSA | Elliptic Curve Digital Signature | `openssl dgst -sha256 -sign ec.key file` | Strong | +| | Ed25519 | Edwards-curve Digital Signature | `openssl dgst -sign ed.key file` | Very Strong (Recommended) | +| **Key Derivation** ||||| +| Password-based | PBKDF2 | Password-Based Key Derivation | `openssl pkeyutl -kdf PBKDF2 -kdflen 32` | Adequate (≥10k iterations) | +| | Argon2 | Memory-hard KDF | `argon2 password -id -t 3 -m 16 -p 4` | Strong (Recommended) | +| | scrypt | Memory-hard KDF | 
`openssl kdf -kdf scrypt -password pass -key-length 32` | Strong | +| Key-based | HKDF | HMAC-based Extract-and-Expand | `openssl kdf -kdf hkdf -salt salt -key key -out output.key` | Strong | +| **Random Number Generation** ||||| +| Cryptographic PRNGs | /dev/urandom | OS random source (Unix) | `dd if=/dev/urandom of=rand bs=32 count=1` | Strong | +| | CryptGenRandom | Windows API | Used via programming languages | Strong | +| | RDRAND | CPU instruction | Used in newer CPUs | Strong when combined | +| **Protocols & Standards** ||||| +| TLS | TLS 1.3 | Transport Layer Security | `openssl s_client -tls1_3 -connect example.com:443` | Strong (Recommended) | +| | TLS 1.2 | Transport Layer Security | `openssl s_client -tls1_2 -connect example.com:443` | Adequate | +| | SSL 3.0, TLS 1.0/1.1 | Legacy protocols | Disable in configurations | Weak (Avoid) | +| SSH | SSH-2 | Secure Shell v2 | `ssh -o "Protocol 2" user@host` | Strong | +| | SSH-1 | Legacy Secure Shell | Disable in configurations | Broken (Avoid) | +| PGP/GPG | GPG | GNU Privacy Guard | `gpg --encrypt --recipient user@example.com file` | Strong | + +## Common Cryptographic Operations + +| Operation | OpenSSL Command | Example | +|-----------|-----------------|---------| +| Generate RSA key pair | `openssl genrsa` | `openssl genrsa -out private.pem 4096` | +| Extract public key | `openssl rsa` | `openssl rsa -in private.pem -pubout -out public.pem` | +| Generate ECC key | `openssl ecparam` | `openssl ecparam -genkey -name prime256v1 -out ec.key` | +| Create CSR | `openssl req` | `openssl req -new -key private.pem -out cert.csr` | +| Sign file | `openssl dgst` | `openssl dgst -sha256 -sign private.pem -out sig.bin file.txt` | +| Verify signature | `openssl dgst` | `openssl dgst -sha256 -verify public.pem -signature sig.bin file.txt` | +| Encrypt file (symmetric) | `openssl enc` | `openssl enc -aes-256-gcm -salt -in file.txt -out file.enc` | +| Decrypt file | `openssl enc` | `openssl enc -d -aes-256-gcm -in 
file.enc -out file.txt` | +| Generate random bytes | `openssl rand` | `openssl rand -base64 32` | + +## Key Length Recommendations (2023+) + +| Algorithm Type | Minimum Secure Length | Recommended Length | Notes | +|----------------|------------------------|-------------------|-------| +| AES | 128 bits | 256 bits | No known practical attacks | +| RSA | 2048 bits | 4096 bits | Increases computational cost | +| ECC | 256 bits | 384 bits | NIST P-256 or Curve25519 | +| Hash functions | 256 bits | 384+ bits | SHA-256 or stronger | +| HMAC | 256 bits | 384+ bits | Based on the underlying hash | +| Symmetric key | 128 bits | 256 bits | For long-term security | + +## Common Vulnerabilities & Mitigations + +| Vulnerability | Description | Mitigation | +|---------------|-------------|------------| +| Padding Oracle | Leaks info about padding validity | Use authenticated encryption (GCM, ChaCha20-Poly1305) | +| Key Reuse | Same key for multiple messages | Use unique keys/IVs for each encryption | +| Weak RNG | Predictable random numbers | Use cryptographically secure RNGs (/dev/urandom, CryptGenRandom) | +| Side-Channel Attacks | Timing, power analysis | Use constant-time implementations | +| Downgrade Attacks | Force use of weaker protocols | Disable legacy protocols, use strict configurations | +| Known Plaintext | Predictable plaintext locations | Add randomization where possible | +| Insufficient Key Size | Too small keys are brute-forceable | Follow key length recommendations above | +| Certificate Issues | Invalid/expired certificates | Automate certificate management, use HSTS | +| Hash Collisions | Finding two inputs with same hash | Use collision-resistant algorithms (SHA-256+) |
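Review bot: The `openssl enc -aes-256-gcm` examples in the Operation Modes row for GCM, the Authenticated Encryption row for AES-GCM, and the "Encrypt file (symmetric)" and "Decrypt file" rows will not run as written, because the `openssl enc` utility does not support AEAD modes such as GCM, and these are the rows rated "Strong (Recommended)" that readers are most likely to copy. Either describe them as library-level usage with no CLI example, the way the ChaCha20-Poly1305 row does with "Used in TLS 1.3", or point to a tool that stores and verifies the authentication tag. The other `openssl enc` examples take a passphrase without `-pbkdf2` and `-iter`, so they fall back to the legacy key derivation; add both flags to the CBC and CTR rows. Two further points in the same hunk: `argon2 password -id -t 3 -m 16 -p 4` puts the password in the position where the `argon2` CLI expects the salt (the password is read from stdin), and the two PBKDF2 rows disagree on guidance ("Adequate (high iterations)" versus "Adequate (≥10k iterations)"), so state one iteration figure and use it in both tables.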