@ryzokuken
Created October 8, 2018 09:00
Outline for the talk - State of Crypto in Node.js
  • Goals of the crypto module
  • "Why do I need crypto? I am already using TLS!"
    • Password encryption
    • User data encryption (with authentication)
    • Signing data
    • Using cryptographically-safe hashes
    • Crypto-safe random number generation
    • Interoperate with other crypto systems → WebCrypto
    • Maybe some one-slide examples
  • "Why crypto isn't simple" (Plug for simple-crypto / crypt)
    • Sometimes, easy isn't what you're aiming for :P
    • Target audience of the crypto module (don't touch it if you don't know what you're playing with) [CAUTION]
    • Side-channel attacks (?)
    • safe vs. secure
    • safe vs. feature-complete (?)
  • "Don't roll your own crypto" (The beauty and pragmatism behind OpenSSL)
  • Recent security fixes in the crypto and tls modules.
  • What did we change? How did we make the crypto module better?
    • add scrypt support
    • AEAD: GCM, CCM, OCB
    • RSASSA-PSS
    • createCipheriv can be used instead of createCipher... always
    • Recent work on error queues.
    • (Planned for Node 11:) Rework error handling across the crypto module (still no proper error codes)
    • (Planned:) Key pair generation
  • "crypto in the wild" (Interesting stuff people make using crypto)
    • Unconventional applications
    • Super popular applications (so that people know that stuff they've used all along is actually implemented using/achieved with crypto)
  • Interesting case studies (?)