Cryptography is a complex topic that is frequently misunderstood and is an area of significant debate. The specifics mentioned in this guide are likely to change as the state of the art continues to advance.
In general, you should follow some simple rules for using cryptography:
Cryptography should be used to solve a specific problem or mitigate a specific threat, such as ensuring the confidentiality of data in transit over an untrusted network connection. Both the cryptographic algorithm and the key strength should be appropriate for the threat you are trying to mitigate with the encryption, and the limitations of the cryptography should be understood.
For example, if encryption is applied to a network link, it will not protect the data while it is processed or stored at either end of that link. When deploying cryptography, the impact on system performance and availability must also be considered.
The Python cryptography libraries currently in OpenStack global requirements include:
Use of the following cryptographic elements is encouraged:
While for some use cases it may seem appropriate to use a weaker cryptographic element, the options listed above are generally advised.
Usage of the following is strongly discouraged:
Weak cryptographic elements may be vulnerable to various types of attack, ultimately putting the confidentiality and integrity of the associated system or dataset at risk.