<p>Learning to properly use the <code>crypto</code> library is not an easy task despite its implementation being simple and concise.</p>
<p>Watching the talk entitled <a href="https://www.youtube.com/watch?v=2r_KMzXB74w">Go for Crypto Developers</a> made me realize how much good information we could help new Gophers (or just new to crypto, like me) if scattered out there that we could make more easily available.</p>
<p>Knowing crypto "stuff" is a requirement to use that library correctly, and that is outside of the scope of the official documentation of the package. But would it a good idea to add a page on the official Github Wiki to explain some essential things to use <code>crypto</code> effectively?</p>
<p>EDIT: The author of the mentioned talk wrote <a href="https://github.com/gtank/cryptopasta">this</a> as a guide to properly use the library for current use cases (not legacy). Could this be leveraged in any way?</p>
<hr/>**评论:**<br/><br/>roxven: <pre><p>Someone who doesn't understand crypto is not the audience for a low level crypto toolkit. If you looked up an nlp library it wouldn't have introductory documents on nlp, either.</p>
<p>If you want to learn crypto, you'll have to look elsewhere. If you're familiar with both Go and crypto, the library's use cases are self evident.</p></pre>gabesullice: <pre><p>I hear this sentiment all the time, but unfortunately it's never accompanied by any resources for learning crypto or references to higher level toolkits. </p>
<p>Nearly every developer eventually hits a point where they would like to explore crypto for themselves in a toy project or maybe just to validate a simple token in their "real" work. Whenever they look for guidance, they're always told "crypto is for real developers, now go play outside kids." Myself included.</p>
<p>If we as a community are serious about things like "security by default" and crypto everywhere, we should be evangelizing best practices and making crypto easy to use, not treating it like a dark art that only the initiated can use for themselves.</p>
<p>Edit: spelling</p></pre>roxven: <pre><p>I understand that is alienating and it is unfortunate that it turns people away, but it is a natural attitude to develop in a field where making a mistake can cost people lots of pride and money at best and their lives at worst.</p>
<p>Cryptography is not something you learn just by doing in the way that a lot of development can be learned. The victory conditions are very different. There are no guides on how to "do" it and there's no way to tell if it is "working". When people look for information like this, that's when cryptographers react with "No. Stop going in this direction."</p>
<p>Traditional intro to cryptography curriculums look something like this:</p>
<ol>
<li>Learn about a crypto concept used in the past</li>
<li>Break it</li>
<li>Understand why it was vulnerable</li>
<li>Come up with a solution to the vulnerability</li>
<li>Learn and compare against the solution used in real life</li>
<li>Repeat onward through history</li>
</ol>
<p>You can find course content and research papers from respectable universities online, and white papers from real life projects (such as the primitives you want to learn about, from the teams that developed them) to learn deeper.</p>
<p>And if you're seriously interested in being a cryptographer, you need to surround yourself with cryptographers. Get an apprenticeship, go to grad school and find a fitting advisor, etc.</p>
<p>If you plan to <em>touch</em> a crypto primitive (e.g. AES, bcrypt) in a project available to the public you need to understand that shit at every angle known to man.</p>
<p>If you're curious still, I recommend starting with Avi Kak's lecture content offered online from Purdue University. It's a great introduction to the math and history of cryptography if you are starting from zero.</p>
<p>Edit: mobile typo</p>
<p>Edit: Also for reference, libsodium and its bindings are pretty much the industry standard higher-level toolkit.</p></pre>cderwin15: <pre><blockquote>
<p>Whenever they look for guidance, they're always told "crypto is for real developers, now go play outside kids." Myself included.</p>
</blockquote>
<p>Here's the thing: crypto isn't for developers or software engineers <em>at all</em>. It's for security engineers and academic cryptographers, the vast majority of whom won't actually be implementing crypto, and certainly not from scratch.</p>
<p>I'm not a security engineer (though I am gong back to school with that intention), but a couple good resources are the <a href="https://cryptopals.com/" rel="nofollow">Matasano challenges</a> and <a href="http://overthewire.org/wargames/" rel="nofollow">Over the Wire</a>. If you really want to "play with crypto" I would strongly suggest attempting to break something rather than attempting to build something.</p></pre>alexwhoizzle: <pre><p>If you want to learn on your own time here's a few youtube playlists that teach crypto at a university level:</p>
<ol>
<li><a href="https://www.youtube.com/playlist?list=PL71FE85723FD414D7" rel="nofollow">Computer - Cryptography and Network Security</a></li>
<li><a href="https://www.youtube.com/channel/UC1usFRN4LCMcfIV7UjHNuQg/videos" rel="nofollow">Introduction to Cryptography by Christof Paar</a></li>
</ol>
<p>Christof Paar also has a <a href="http://www.crypto-textbook.com/" rel="nofollow">book</a> that you can purchase that is aimed at university students wanting to learn cryptography. </p></pre>cderwin15: <pre><p>On a related note, has there been a public audit of crypto/*?</p></pre>alexwhoizzle: <pre><p>The last I heard about an audit was from a talk by Brad Fitzpatrick where he said there hasn't been one (I'll have to hunt down the link) . But most of the crypto libraries were written/reviewed by <a href="https://www.imperialviolet.org/" rel="nofollow">Adam Langley</a> who is a security engineer for Google so there's that if it comforts you any :)</p>
<p>EDIT: link of Brad's talk <a href="https://youtu.be/rHBbqjWCGq8?t=3346" rel="nofollow">https://youtu.be/rHBbqjWCGq8?t=3346</a></p></pre>geodel: <pre><p>I think a Go crypto guide will be great. Java has something similar:</p>
<p><a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html" rel="nofollow">https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html</a></p></pre>
