[Shish2k]

Slightly tangential, but can people please stop naming their software "salt"? This is like the 4th or 5th relatively high profile project I've seen with that name recently :/

More on topic - does anyone have any good reference guides for how to not suck at cryptography, preferably more "API guide for programmers in a hurry" than "maths textbook for people who want to learn the inner details of algorithms for their own sake"?

(I know that knowing the internals will make you a better programmer, but it seems there are a lot of people who don't know the internals or externals of cryptography, and having a step-by-step cookbook which can be followed blindly would make this situation slightly less bad. Sure it might give people a false sense of security - but they already have a false sense of security from rolling their own crypto, so a cookbook couldn't be worse :P)

[ams6110]

I think if you are a "programmer in a hurry" you should stay away from crypto.

[orclev]

The problem is really that doing crypto "right" has a lot of very subtle very complicated corner cases that are very easy to get wrong if you don't fully understand the internals. I'm not an expert on crypto, but I know enough to know I wouldn't ever dream of rolling my own. Your best bet is to get one of the well established (and well regarded) crypto libraries, pick a suitably large key length (if in doubt, go larger), and follow the documentation exactly.

Even using a good crypto library won't save you if you don't follow the docs or try to get creative with the API. For instance, using multiple passes of different encryption algorithms won't necessarily improve the strength of the encryption. Due to subtle mathematical interactions it can often lead to exploits that wouldn't have existed in the individual algorithms, but do exist in the combined algorithm. Similarly doing encryption quickly might seem like an important goal, but often consistency is more important lest you inadvertently create a potential timing attack.

TL;DR; Use a good crypto library, a large key size, a good source of entropy, and follow the documentation exactly, don't try to get creative with it.

[chrismsnz]

Short answer: Use PGP, TLS/SSL or KeyCzar.

[lukashed]

Maybe it's due to the name, but the "other" salt, saltstack, apparently had a serious problem with cryptography: https://github.com/saltstack/salt/commit/5dd304276ba5745ec21...