Indirectly at least, it is also concerned with human protocols for
using these techniques (e.g. "don't make your password less than X characters", "don't just
use letters in your password" etc).
When used appropriately, cryptography brings developers some very powerful tools,
allowing us to do things like transmit login information securely across an untrusted
Java is an excellent choice for building secure applications in that
it has various standard cryptographic functions built into the standard runtime
But just as the existence of the Swing library doesn't automatically give your application
a fantastic user interface, a cryptography library does not bring automatic security.
There are still various challenges that we need to address beyond the simple "how do I
perform such-and-such a function", for example:
- we need to understand which tool/algorithm we need when;
- where there's a choice, we need to assess the strengths and weaknesses of each;
- some algorithms have various parameters that we need to understand;
- using some algorithms correctly can be tricky and requires a little understanding
of what is going on (e.g. using "128-bit encryption" with a key generated
by java.util.Random doesn't give anything like 128 bits of security...);
- even issues such as "what data should we encrypt when" can be a problem;
- we need to take account of the security risks and needs, vs other needs, of
different parts of our application and system as a whole.
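To make the java.util.Random point above concrete, here is an added example (not code from the original page). The class name KeySourceDemo, the methods weakKey and strongKey, and the seed value are constructed for illustration. It shows that a 16-byte key filled from java.util.Random is fully determined by a 48-bit seed, alongside the KeyGenerator/SecureRandom form to use instead.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class KeySourceDemo {

    // Weak: every byte of the key is a deterministic function of the seed.
    // java.util.Random keeps only 48 bits of state, so at most 2^48 distinct
    // keys can ever come out of this method, whatever the key length.
    static SecretKey weakKey(long seed) {
        byte[] raw = new byte[16];            // 128 bits of key material
        new Random(seed).nextBytes(raw);
        return new SecretKeySpec(raw, "AES");
    }

    // Preferred: KeyGenerator draws the key from a SecureRandom (a CSPRNG).
    static SecretKey strongKey() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128, new SecureRandom());
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        long seed = 1234567890123L;           // constructed sample seed

        // The same seed always yields the same "128-bit" key.
        boolean sameSeedSameKey = Arrays.equals(
                weakKey(seed).getEncoded(), weakKey(seed).getEncoded());

        // Random scrambles the seed and keeps only the low 48 bits, so seeds
        // that differ only above bit 47 also produce the same key.
        boolean highBitsIgnored = Arrays.equals(
                weakKey(seed).getEncoded(),
                weakKey(seed + (1L << 48)).getEncoded());

        // Independently generated CSPRNG keys do not repeat in practice.
        boolean strongKeysDiffer = !Arrays.equals(
                strongKey().getEncoded(), strongKey().getEncoded());

        System.out.println("same seed -> same key:        " + sameSeedSameKey);
        System.out.println("seed + 2^48 -> same key:      " + highBitsIgnored);
        System.out.println("two KeyGenerator keys differ: " + strongKeysDiffer);
    }
}
```

The cipher and key length are identical in both methods; only the source of the key bytes changes, and that source sets the upper bound on the security actually obtained.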
On the following pages, we therefore discuss various topics: