In Crypto, Always Run That Validation Test

In fact, do this for all your programs

One thing that is important in teaching cryptography is the point that you always run your validation test, before you get to any sort of evaluation. One slip-up in the conversion of bytes into characters could be costly in terms in the security of the system. So I always turn to the original research paper or the RFC to get a test vector, and check my program against that.

The testing is especially important as we often convert between bytes, strings and hexademical values, and thing might seem to work, but there’s a flaw in these conversions. For example, a hexademical value could be seen as a user string, and appear valid. The conversion between Python 2.7 and 3.8 can also be a tricky process, and where we need to watch our string conversions.

So let’s take an example of HKDF (HMAC Key Derivation Function), and where we take a password, some salt, and a hashing method, and generate an encryption key of a certain length. The great thing is that we can swap in whatever hashing method we need, and it will do the key derivation for us. Typically hashing methods are SHA-1, SHA-256 and SHA-512.

If we take an example: