security-cheatsheets/cryptography/crypto-reference.md
2025-04-15 00:13:39 -06:00

Cryptography Cheatsheet

| Category | Algorithm/Method | Description | Example Usage | Security Level |
|---|---|---|---|---|
| **Symmetric Encryption** | | | | |
| Block Ciphers | AES-256 | Advanced Encryption Standard | `openssl enc -aes-256-cbc -in plain.txt -out encrypted.bin` | Strong (Recommended) |
| | AES-128 | AES with 128-bit key | `openssl enc -aes-128-cbc -in plain.txt -out encrypted.bin` | Adequate |
| | 3DES | Triple Data Encryption Standard | `openssl enc -des3 -in plain.txt -out encrypted.bin` | Legacy (Avoid) |
| Stream Ciphers | ChaCha20 | Modern stream cipher | `openssl enc -chacha20 -in plain.txt -out encrypted.bin` | Strong |
| | RC4 | Rivest Cipher 4 | `openssl enc -rc4 -in plain.txt -out encrypted.bin` | Broken (Avoid) |
| Operation Modes | GCM | Galois/Counter Mode (authenticated) | Used via library APIs (`openssl enc` does not support AEAD modes) | Strong (Recommended) |
| | CBC | Cipher Block Chaining | `openssl enc -aes-256-cbc -in plain.txt -out encrypted.bin` | Adequate with proper IV |
| | ECB | Electronic Codebook | `openssl enc -aes-256-ecb -in plain.txt -out encrypted.bin` | Weak (Avoid) |
| | CTR | Counter Mode | `openssl enc -aes-256-ctr -in plain.txt -out encrypted.bin` | Strong with unique nonce |
| **Asymmetric Encryption** | | | | |
| Key Exchange | RSA-2048+ | Rivest-Shamir-Adleman | `openssl genrsa -out private.pem 4096` | Strong (≥2048 bits) |
| | ECC (P-256) | Elliptic Curve Cryptography | `openssl ecparam -genkey -name prime256v1 -out ecc.key` | Strong (≥256 bits) |
| | DH | Diffie-Hellman | `openssl dhparam -out dhparams.pem 2048` | Strong (≥2048 bits) |
| | ECDH | Elliptic Curve Diffie-Hellman | Used in TLS handshakes | Strong |
| Modern Standards | X25519 | Curve25519 for key exchange | Used in Signal Protocol | Very Strong |
| | Ed25519 | Edwards-curve for signatures | `ssh-keygen -t ed25519` | Very Strong |
| **Hashing Algorithms** | | | | |
| Modern | SHA-256 | Secure Hash Algorithm 256-bit | `openssl dgst -sha256 file.txt` | Strong |
| | SHA-3 | Secure Hash Algorithm 3 | `openssl dgst -sha3-256 file.txt` | Very Strong |
| | BLAKE2 | Fast secure hash function | `b2sum file.txt` | Very Strong |
| Legacy | SHA-1 | Secure Hash Algorithm 1 | `openssl dgst -sha1 file.txt` | Broken (Avoid) |
| | MD5 | Message Digest 5 | `openssl dgst -md5 file.txt` | Broken (Avoid) |
| Password Hashing | Argon2id | Memory-hard function | `echo -n "password" \| argon2 somesalt -id -t 3 -m 16 -p 4` | Strongest (Recommended) |
| | bcrypt | Blowfish-based hash | `htpasswd -B -C 12 passfile user` | Strong |
| | PBKDF2 | Key derivation function | `openssl kdf -keylen 32 -kdfopt digest:SHA256 -kdfopt pass:password -kdfopt salt:salt -kdfopt iter:600000 PBKDF2` | Adequate (high iterations) |
| | Scrypt | Memory-hard function | `openssl kdf -keylen 32 -kdfopt pass:password -kdfopt salt:salt -kdfopt n:16384 -kdfopt r:8 -kdfopt p:1 SCRYPT` | Strong |
| **Message Authentication** | | | | |
| HMAC | HMAC-SHA256 | Hash-based Message Authentication | `openssl dgst -sha256 -hmac "key" file.txt` | Strong |
| Authenticated Encryption | AES-GCM | Encryption with built-in auth | Used via library APIs (`openssl enc` does not support AEAD modes) | Strong (Recommended) |
| | ChaCha20-Poly1305 | Authenticated stream cipher | Used in TLS 1.3 | Strong (Recommended) |
| **Digital Signatures** | | | | |
| RSA-based | RSA-PSS | Probabilistic Signature Scheme | `openssl dgst -sha256 -sign key.pem -sigopt rsa_padding_mode:pss file` | Strong |
| | PKCS#1 v1.5 | Traditional RSA signature | `openssl dgst -sha256 -sign key.pem file` | Adequate |
| EC-based | ECDSA | Elliptic Curve Digital Signature | `openssl dgst -sha256 -sign ec.key file` | Strong |
| | Ed25519 | Edwards-curve Digital Signature | `openssl dgst -sign ed.key file` | Very Strong (Recommended) |
| **Key Derivation** | | | | |
| Password-based | PBKDF2 | Password-Based Key Derivation | `openssl kdf -keylen 32 -kdfopt digest:SHA256 -kdfopt pass:password -kdfopt salt:salt -kdfopt iter:600000 PBKDF2` | Adequate (≥10k iterations) |
| | Argon2 | Memory-hard KDF | `echo -n "password" \| argon2 somesalt -id -t 3 -m 16 -p 4` | Strong (Recommended) |
| | scrypt | Memory-hard KDF | `openssl kdf -keylen 32 -kdfopt pass:password -kdfopt salt:salt -kdfopt n:16384 -kdfopt r:8 -kdfopt p:1 SCRYPT` | Strong |
| Key-based | HKDF | HMAC-based Extract-and-Expand | `openssl kdf -keylen 32 -binary -out output.key -kdfopt digest:SHA256 -kdfopt key:key -kdfopt salt:salt HKDF` | Strong |
| **Random Number Generation** | | | | |
| Cryptographic PRNGs | `/dev/urandom` | OS random source (Unix) | `dd if=/dev/urandom of=rand bs=32 count=1` | Strong |
| | CryptGenRandom | Windows API | Used via programming languages | Strong |
| | RDRAND | CPU instruction | Used in newer CPUs | Strong when combined |
| **Protocols & Standards** | | | | |
| TLS | TLS 1.3 | Transport Layer Security | `openssl s_client -tls1_3 -connect example.com:443` | Strong (Recommended) |
| | TLS 1.2 | Transport Layer Security | `openssl s_client -tls1_2 -connect example.com:443` | Adequate |
| | SSL 3.0, TLS 1.0/1.1 | Legacy protocols | Disable in configurations | Weak (Avoid) |
| SSH | SSH-2 | Secure Shell v2 | `ssh -o "Protocol 2" user@host` | Strong |
| | SSH-1 | Legacy Secure Shell | Disable in configurations | Broken (Avoid) |
| PGP/GPG | GPG | GNU Privacy Guard | `gpg --encrypt --recipient user@example.com file` | Strong |

Common Cryptographic Operations

| Operation | OpenSSL Command | Example |
|---|---|---|
| Generate RSA key pair | `openssl genrsa` | `openssl genrsa -out private.pem 4096` |
| Extract public key | `openssl rsa` | `openssl rsa -in private.pem -pubout -out public.pem` |
| Generate ECC key | `openssl ecparam` | `openssl ecparam -genkey -name prime256v1 -out ec.key` |
| Create CSR | `openssl req` | `openssl req -new -key private.pem -out cert.csr` |
| Sign file | `openssl dgst` | `openssl dgst -sha256 -sign private.pem -out sig.bin file.txt` |
| Verify signature | `openssl dgst` | `openssl dgst -sha256 -verify public.pem -signature sig.bin file.txt` |
| Encrypt file (symmetric) | `openssl enc` | `openssl enc -aes-256-cbc -pbkdf2 -salt -in file.txt -out file.enc` (unauthenticated; `openssl enc` does not support GCM) |
| Decrypt file | `openssl enc` | `openssl enc -d -aes-256-cbc -pbkdf2 -in file.enc -out file.txt` |
| Generate random bytes | `openssl rand` | `openssl rand -base64 32` |

Key Length Recommendations (2023+)

| Algorithm Type | Minimum Secure Length | Recommended Length | Notes |
|---|---|---|---|
| AES | 128 bits | 256 bits | No known practical attacks |
| RSA | 2048 bits | 4096 bits | Increases computational cost |
| ECC | 256 bits | 384 bits | NIST P-256 or Curve25519 |
| Hash functions | 256 bits | 384+ bits | SHA-256 or stronger |
| HMAC | 256 bits | 384+ bits | Based on the underlying hash |
| Symmetric key | 128 bits | 256 bits | For long-term security |

Common Vulnerabilities & Mitigations

| Vulnerability | Description | Mitigation |
|---|---|---|
| Padding Oracle | Leaks info about padding validity | Use authenticated encryption (GCM, ChaCha20-Poly1305) |
| Key Reuse | Same key for multiple messages | Use unique keys/IVs for each encryption |
| Weak RNG | Predictable random numbers | Use cryptographically secure RNGs (`/dev/urandom`, CryptGenRandom) |
| Side-Channel Attacks | Timing, power analysis | Use constant-time implementations |
| Downgrade Attacks | Force use of weaker protocols | Disable legacy protocols, use strict configurations |
| Known Plaintext | Predictable plaintext locations | Add randomization where possible |
| Insufficient Key Size | Too small keys are brute-forceable | Follow key length recommendations above |
| Certificate Issues | Invalid/expired certificates | Automate certificate management, use HSTS |
| Hash Collisions | Finding two inputs with same hash | Use collision-resistant algorithms (SHA-256+) |
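
An added example, not part of the original cheatsheet, for the Padding Oracle and Key Reuse mitigations: `openssl enc` does not accept AEAD modes such as GCM, so this sketch gets authenticated file encryption from the CLI by combining AES-256-CTR under a fresh random IV with an HMAC-SHA256 tag over IV and ciphertext, checked before any decryption. The function names `mac_hex`, `seal` and `unseal` and the three-part file layout are assumptions of the example.

```sh
#!/bin/sh
# Added example (constructed): encrypt-then-MAC file sealing with the openssl CLI.
# Assumed file layout: line 1 = IV (hex), line 2 = HMAC tag (hex),
# remaining lines = base64 AES-256-CTR ciphertext.
# Keys are passed on argv for brevity; on shared hosts argv is visible in ps.
#
# Usage (constructed file names):
#   ek=$(openssl rand -hex 32); mk=$(openssl rand -hex 32)
#   seal plain.txt plain.sealed "$ek" "$mk"
#   unseal plain.sealed out.txt "$ek" "$mk"

# mac_hex <mac_key_hex>: HMAC-SHA256 of stdin, printed as hex
mac_hex() {
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}'
}

# seal <infile> <outfile> <enc_key_hex> <mac_key_hex>
seal() (
    iv=$(openssl rand -hex 16) || exit 1    # fresh random IV for every message
    body=$(openssl enc -aes-256-ctr -a -K "$3" -iv "$iv" -in "$1") || exit 1
    # The tag covers IV and ciphertext, so neither can change unnoticed.
    tag=$(printf '%s\n%s\n' "$iv" "$body" | mac_hex "$4")
    [ -n "$tag" ] || exit 1
    printf '%s\n%s\n%s\n' "$iv" "$tag" "$body" > "$2"
)

# unseal <infile> <outfile> <enc_key_hex> <mac_key_hex>
# Returns 2 and writes nothing unless the tag verifies.
unseal() (
    iv=$(sed -n 1p "$1"); tag=$(sed -n 2p "$1"); body=$(tail -n +3 "$1")
    expect=$(printf '%s\n%s\n' "$iv" "$body" | mac_hex "$4")
    if [ -z "$expect" ] || [ "$tag" != "$expect" ]; then
        echo "unseal: authentication failed, refusing to decrypt" >&2
        exit 2
    fi
    printf '%s\n' "$body" | openssl enc -d -aes-256-ctr -a -K "$3" -iv "$iv" -out "$2"
)
```

The encryption key and the MAC key are independent 32-byte values; reusing one key for both roles is outside what this sketch covers.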