[baby]

The original from tqbf: https://gist.github.com/tqbf/be58d2d39690c3b366ad

It's definitely completely relevant today. Find out what you want to do and check that list.

A few things I would update:

* password handling -> Scrypt or Argon2

* Client-server application security -> TLS or Noise

* Hashing/HMAC algorithm -> Blake2/prefix-MAC or KangarooTwelve/KMAC

* Fingerprint -> TupleHash

* key derivation -> HKDF or SHAKE or BLAKE2X

And of course for each of these items, if a NaCL/libsodium solution already exist, just use it.

[tptacek]

Why would you make those updates? I like Noise more than I like TLS, but if you look at the recommendation where it says "use TLS" and ask yourself "how would I as a Python application programmer actually use Noise", I don't see the applicability.

Similarly: I like Blake2 more than I like SHA-2, but SHA-2 is universally available and strong (in the context of those recommendations, I also didn't want to explain the difference between SHA-2's HMAC and Blake2's keyed hash MAC). And, of course, part of the point of recommending SHA-2 was to recommend against Keccak. :)

I don't think I actually made a key derivation or fingerprint recommendation. I like HKDF!

[baby]

> "how would I as a Python application programmer actually use Noise", I don't see the applicability.

Depending on who that list is for I could agree with you.

This recommendation comes from the fact that I'm seeing a LOT of companies who want to have their own secure protocol on top of whatever protocol and end up re-inventing the wheel to avoid the bloatness of TLS. Noise is a good advice for these custom made protocols. I wouldn't replace TLS in the advice, but add a note: "if you really do not want TLS, there is Noise, but that's it!

> Similarly: I like Blake2 more than I like SHA-2, but SHA-2 is universally available and strong

Agree, but if we want to move to nicer/stronger algorithms we must start recommending them at some point. I want to see a push for Argon2/Blake2/SHA-3 in general.

> part of the point of recommending SHA-2 was to recommend against Keccak

Ah well, Keccak is so interesting (not only for hashing) that I would be sad if it end up not being used in the next decades to come. If you're feeling this way because of the efficiency: that's why I recommended KangarooTwelve, if you're feeling this way because of the crappy spec: alright you win.

> I don't think I actually made a key derivation or fingerprint recommendation. I like HKDF!

What are you waiting for! :)

[tptacek]

There's more recommendations I could make; for instance, I talk about DH here but not about authenticated key exchanges. But at some point I'm no longer providing simple "right answers" and instead am writing a half-assed book on modern crypto that I'm not qualified to offer.

The more important bit here is that I was updating Colin Percival's recommendations, which didn't include a KDF or an AKE. :)