Crypto in Practice & Common Mistakes¶

Most cryptographic failures aren't broken algorithms — they're misuse. Here are the mistakes you'll actually encounter.

Top Cryptographic Mistakes¶

1. Rolling Your Own¶

Custom encryption schemes are nearly always broken. Use vetted libraries.

2. Hardcoded / Committed Secrets¶

API keys and private keys in source code or Git history are a leading breach cause.

bash

3 lines

1# Scan your repo and history for secrets
2git log -p | grep -i "api_key\|secret\|password"   # quick smell test
3# Better: use automated scanners (gitleaks, trufflehog) in CI

If a secret is ever committed, rotate it — removing it from history isn't enough; assume it's compromised.

3. Weak Randomness¶

Using Math.random() or a predictable seed for keys, tokens, or IVs. Always use a cryptographically secure RNG (crypto.randomBytes, /dev/urandom, secrets module).

4. Reusing IVs / Nonces¶

In modes like AES-GCM, reusing a nonce with the same key is catastrophic — it can leak the key stream. Generate a fresh random nonce per message.

5. ECB Mode¶

Encrypts identical plaintext blocks to identical ciphertext — patterns leak. Use authenticated modes (GCM, ChaCha20-Poly1305).

6. Not Authenticating Ciphertext¶

Encryption alone doesn't prevent tampering. Use authenticated encryption (AEAD) so modified ciphertext is rejected.

Data States — Encrypt All Three¶

State	Protection
In transit	TLS 1.3
At rest	Disk/database encryption (AES-256), KMS-managed keys
In use	Hardest; emerging confidential-computing / enclaves

Key Management Is Everything¶

The hardest part of crypto isn't encrypting — it's managing keys:

Store keys in a KMS or HSM, never next to the data they protect.
Enforce least privilege on key access and log every use.
Rotate keys on a schedule and after any suspected exposure.
Separate key-encryption keys from data-encryption keys (envelope encryption).

Practical Checklist¶

TLS 1.3 in transit, AES-256 at rest.
Passwords hashed with Argon2id/bcrypt + unique salt.
Secrets in a vault/KMS, never in code.
CSPRNG for all keys, tokens, IVs.
Authenticated encryption (AEAD) everywhere.
Automated cert renewal and secret scanning in CI.

Top Cryptographic Mistakes¶

1. Rolling Your Own¶

Custom encryption schemes are nearly always broken. Use vetted libraries.

2. Hardcoded / Committed Secrets¶

API keys and private keys in source code or Git history are a leading breach cause.

bash

3 lines

1# Scan your repo and history for secrets
2git log -p | grep -i "api_key\|secret\|password"   # quick smell test
3# Better: use automated scanners (gitleaks, trufflehog) in CI

If a secret is ever committed, rotate it — removing it from history isn't enough; assume it's compromised.

3. Weak Randomness¶

Using Math.random() or a predictable seed for keys, tokens, or IVs. Always use a cryptographically secure RNG (crypto.randomBytes, /dev/urandom, secrets module).

4. Reusing IVs / Nonces¶

In modes like AES-GCM, reusing a nonce with the same key is catastrophic — it can leak the key stream. Generate a fresh random nonce per message.

5. ECB Mode¶

Encrypts identical plaintext blocks to identical ciphertext — patterns leak. Use authenticated modes (GCM, ChaCha20-Poly1305).

6. Not Authenticating Ciphertext¶

Encryption alone doesn't prevent tampering. Use authenticated encryption (AEAD) so modified ciphertext is rejected.

State

Protection

In transit

TLS 1.3

At rest

Disk/database encryption (AES-256), KMS-managed keys

In use

Hardest; emerging confidential-computing / enclaves

Key Management Is Everything¶

The hardest part of crypto isn't encrypting — it's managing keys:

Store keys in a KMS or HSM, never next to the data they protect.

Enforce least privilege on key access and log every use.

Rotate keys on a schedule and after any suspected exposure.

Separate key-encryption keys from data-encryption keys (envelope encryption).