Learn cryptographic engineering by example (opens in new tab)

This is more of a quick tour of the basic API for libsodium than a workshop for learning cryptographic engineering. Many of the exercises have no cryptographic component at all; the remainder basically exercise the most basic libsodium sign/verify/secretbox functionality. None of the exercises explain the rationale behind any of the libsodium constructions, and (because libsodium) nonce-based authenticated encryption is used without explaining any of the details of what a nonce is and what the requirements are for generating and handling them. Finally, the service model for the crypto involved doesn't make a whole lot of sense; most of the exercises build a "tamper proof log" from a simple chained hash function, and ultimately encrypts that log using a key exposed to the server anyways.

Respectfully, I don't think this is how you should learn cryptography (certainly: you shouldn't call this kind of work "cryptographic engineering").

I'm talking my own book here a little (but just a little, since it's not like I make a dime from this) when I say that the better way to learn and understand cryptography is stuff like the Matasano Cryptopals challenges:

   https://cryptopals.com/

These exercises will try to teach you crypto engineering by breaking cryptography, and without wasting much time structuring a trivial JSON interface. You'll understand what a nonce is by the end of set 3 because you'll have written exploits for otherwise sane cryptosystems that mishandle nonces. By the end of set 8 you'll have implemented invalid curve attacks and built and broken short-tag GCM AEAD encryption and, hopefully, be a little nauseous any time someone asks you to use crypto again --- which is the way it should be.

Even after you've undergone our cryptogaphic Ludovico Process, you still won't be a "cryptographic engineer". I've been testing and building exploits for random cryptosystems for over a decade and I'm nowhere close. The simple, blunt reality of it is that if you're going to build anything close to new with cryptography, you really do have to understand the math, and anyone who claims you can get to "securing a banking interface" without a detour through abstract algebra is, I think, doing you a disservice.

Another good resource for this stuff is LVH's Crypto 101: https://www.crypto101.io/

I would like more description in the main readme. Tell me a little about what kind of skills and knowledge will be gained by going through the exercises.

As I write, this article is above another on the front page titled "A security vulnerability in Git that can lead to arbitrary code execution "

Makes me wonder if the "example" is getting pwned by a Git repo and the lesson I'll learn is to keep my system updated.

That said, browsing the repo online, it looks like a pretty useful tutorial.

It would be good to have also examples of crypto over SOAP, a protocol which is vastly ignored in the wild (REST is preferred for its simplicity) but massively used in enterprise applications.