Update 12-cryptography.livemd

Ready for review

Author: hvalkerie19

modules/12-cryptography.livemd

@@ -8,7 +8,7 @@ Like many concepts/technologies in security, cryptography is not new.  Centuries
 known and trusted senders/receivers while making those messages unreadable for enemies or anyone else for whom the message is not intended.
 Secret codes, etc. 
 
-Cryptography, like speaking or writing in code, is used whenever there something that needs to be kept secret in an environment where there are multiple other parties who could see or hear the secret but are not the intentended receiptient.  The sender and receiver agree upon a code to exchange messages.  Additionally,  written notes can be stored and unless a reader has the code, won't know what the actual message is.
+Cryptography, like speaking or writing in code, is used whenever there something that needs to be kept secret in an environment where there are multiple other parties who could see or hear the secret but are not the intended recipient.  The sender and receiver agree upon a code to exchange messages.  Additionally,  written notes can be stored and unless a reader has the code, won't know what the actual message is.
 
 Cryptography is used throughout applications to protect sensitive information that while is needed for the operation of the application and it's components, is not intended to be openly shared.  This module highlights how cryptography is applied  
 
@@ -23,7 +23,7 @@ Cryptography is used throughout applications to protect sensitive information th
 
 ### Description
 
-There are two categories of cryptography, symmetric and asymmetric and within these categories, there are a variety of algorthims that are distinguished by 
+There are two categories of cryptography, symmetric and asymmetric and within these categories, there are a variety of algorithms that are distinguished by: 
 -how data gets chopped up to be encrypted
 -how many keys are involved in the encryption/decryption process 
 -how the keys get generated/used (symmetric/asymmetric)
@@ -32,7 +32,7 @@ There are two categories of cryptography, symmetric and asymmetric and within th
 
 In symmetric encryption, which is also called secret key encryption, a single key used for both encryption and decryption.  Symmetric cryptography is bested used when performance and efficiency are important to the application component using/accessing the data to be secured.
 
-In asymmetric encryption, which is also called public-key cryptography, two related but separte keys are generated and then one is used for encrypting while the other for decrpyting.  The keys include one that is meant to be shared (pubic key) and one that must always be kept secret(private) but in this public key infrastructure (PKI) system, both keys work to secure client-server interactions, secure VPN connectsion, certificates, digital signatures, and help ensure the technology and data in the system is only accessible by authenticated, and authorized entities with keys. 
+In asymmetric encryption, which is also called public-key cryptography, two related but separate keys are generated and then one is used for encrypting while the other for decrpyting.  The keys include one that is meant to be shared (pubic key) and one that must always be kept secret(private) but in this public key infrastructure (PKI) system, both keys work to secure client-server interactions, secure VPN connectsion, certificates, digital signatures, and help ensure the technology and data in the system is only accessible by authenticated, and authorized entities with keys. 
 
 When selecting an algorithm, best practice is to never build your own, and to always use established and proven algorithms, vetted and recommended by industry experts like NIST.  
 
@@ -41,35 +41,20 @@ When selecting an algorithm, best practice is to never build your own, and to al
 ### <span style="color:blue;">Example</span> / <span style="color:red;">Quiz</span>
 
 
-*TODO: Make Example or Quiz Question*
-
-```
-Older ciphers/algorithms have been proven to be insecure usually due to the weakness of the mathematics invovled in the algorithm or due to the key lenght.  Both of these can make it trivial for a malicious actor to decrypt information/data meant to be kept secret.  
-
-Newer (Resilient/proven secure by industry)
-AES - symmetric;  CBC and GCM modes most secure
-
-Diffie-Hellman key exchange
-RSA
-
-```
-
 ## Implementation in Modern Applications
 
 ### Description
 Modern applications have many components that store, process, transmit a variety of information and data. Often that information/data consists of "secrets" or is otherwise sensitive.  This includes things like personal information on customers, user credentials, of anything else application developers would like to keep secret. 
 
-API keys, tokens, passwords and other credentials to access privileged components and features, senstivitve data (PII, healthcare), private keys, signing certificates, are all examples of information that should not be available for every users and indeed, kept internal to the organization. 
-
-Much of this information is not static, however, and need sto be transmitted between client and server, stored in databases, used in source code and thus to secure this data, look to implement cryptography both at rest and in transit.   
-
-Using. cryptography to protect this information wherever it is in the application, sent between services, stored in databases, used in source code is the best way to ensure it's security and confidentiality.
+API keys, database credentials, tokens, admin passwords and other credentials to access privileged components and features, senstivitve data (PII, healthcare), private keys, signing certificates, are all examples of information that should not be available for every users and indeed, kept internal to the organization. 
 
-In-transit, dnsure all requests/responses are sent using the secure version of the HTTP protocol, HTTPS.  HTTP over TLS.  Additionally, For remote access into development environments, SSH, VPN - for access to sensitive development environment internal to an organization/remote accessover a network. 
+To secure this data, look to implement cryptography both at rest and in transit.   
 
-In elixir, https (enabled) 
+In-transit, ensure all requests/responses are sent using the secure version of the HTTP protocol, HTTPS.  HTTP over TLS.  Additionally, For remote access into development environments, SSH, VPN - for access to sensitive development environment internal to an organization/remote accessover a network. 
 
 
+### <span style="color:blue;">Example (Draft)</span> 
+```
 For elixir, ExCrypto module[ExCrypto](https://hexdocs.pm/ex_crypto/ExCrypto.html)
 
 Consider what needs to be encrypted - sensitive data or any other data that 
@@ -82,56 +67,33 @@ use HTTPS which implements encrpytion over a channel. Diffie-Hellman
 [Serving over HTTPS
 ](https://hexdocs.pm/plug/https.html)
 
-### <span style="color:blue;">Example</span> / <span style="color:red;">Quiz</span>
-
-*TODO: Make Example or Quiz Question*
-[
-](https://hexdocs.pm/plug/https.html)
 [Erlang crypto module](https://elixir-lang.org/getting-started/erlang-libraries.html#the-crypto-module) 
-```elixir
 
 ```
 
 ## Related Concepts
 
 ### Description
 
-Hash - Sometimes implemented alongside encryption but has a different purpose;
-Cryptography used for confidentiality; keeping information secret except for intended recipient/audience.  Hashes are used to ensure the 
-integrity of the data, meaning ensuring from it's creation/generation to it's final state, it remains unmodified and untampered with.  
-Hashes also used as a substitute for storing data in it's original form.  A one way function that - compare starting hash from known good data, to end hash which will indicate changes.  Hashing passwords is a common application.  Comparing hashes to determine if correct password entered.
-Hash Algorithms - SHA1, SHA2, MD5 (obsolete) - follow recommendations from 
-
-NIST [Approved Hash Algorithms](https://csrc.nist.gov/Projects/Hash-Functions)
-
-### <span style="color:blue;">Example</span> / <span style="color:red;">Quiz</span>
-
-*TODO: Make Example or Quiz Question*
-
-```elixir
+Hashing is sometimes implemented alongside encryption but has a different purpose.  Cryptography used for confidentiality; keeping information secret except for intended recipient/audience.  
 
-```
+Hashes are used to ensure the integrity of the data, meaning ensuring from it's creation/generation to it's final state, it remains unmodified and untampered with. Hash algorithms are one way functions that - compare starting hash from known good data, to end hash which will indicate changes.  Hashing passwords is a common application.  Comparing hashes to determine if correct password entered.
+Hash Algorithms - SHA1, SHA2, MD5 (obsolete) - follow recommendations from  NIST [Approved Hash Algorithms](https://csrc.nist.gov/Projects/Hash-Functions)
 
 ## Security Concerns
 
-Cryptographic Failures are the number two most common issue on the OWASP Top 10
-A02:2021 – Cryptographic Failures
-
-Related weaknesses include
-Notable Common Weakness Enumerations (CWEs) include CWE-327: Broken or Risky Crypto Algorithm, and CWE-331 Insufficient Entropy.
+Cryptographic Failures are the number two most common issue on the OWASP Top 10 A02:2021 – Cryptographic Failures
 
-All amount to data being inadvertently being sent in cleartext, sensitive data, the use of old, weak or custom cryptographic algorithms or protocols that are ineffective against attacker efforts to uncover keys,  .  Best practics is to never build your own crypto mechanisms.  Use proven and secure:
-Secure Hashes:  SHA-1 has been deprecated as of 2011 with a transition plan released in 2022.  Recommenation to move towards orther families SHA256
-Secure Encryption Algorithms; AES is the current standard;  secure modes must be emplemented
-AES-GCM, AES-CTR, AES-CBC, AESCCM (128, 192, 256-bit keys)
-For authentication/TLS RSA, DSA, and ECDSA with 128-bit
-security strength (for example, RSA with
-3072-bit or larger key)
+Related weaknesses  include CWE-327: Broken or Risky Crypto Algorithm, and CWE-331 Insufficient Entropy.
 
-Beware of hardcoding keys, private keys, in source code where they can be discovered by malicious actors. Avoid building your own crytographic mechanisms or using outdated protocols. 
+Most of the concerns around cytography amount to data being inadvertently being sent in cleartext, sensitive data, the use of old, weak or custom cryptographic algorithms or protocols that are ineffective against attacker efforts to uncover keys,  .  Best practics is to never build your own crypto mechanisms.  Use proven and secure methods like the following:
+-Secure Hashes:  SHA-1 has been deprecated as of 2011 with a transition plan released in 2022.  Recommenation to move towards orther families SHA256
+-Secure Encryption Algorithms; AES is the current standard;  secure modes must be emplemented
 
 Follow NIST Recommendations for configuring the most secure algorithms when building your applications and securing secrets and data.
 
+Beware of hardcoding keys, private keys, in source code where they can be discovered by malicious actors. Avoid building your own crytographic mechanisms or using outdated protocols. 
+
 [Recommended algorithms
 ](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf)[
 NIST](https://www.nist.gov/cryptography)
@@ -142,10 +104,14 @@ https://csrc.nist.gov/Projects/Hash-Functions
 [Use TLS](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html)
 ### <span style="color:blue;">Example</span> / <span style="color:red;">Quiz</span>
 
-*TODO: Make Example or Quiz Question*
+**(True or False) You should build your own encryption from scratch.**
+*Uncomment the line with your answer
 
-```elixir
+```
+# answer = True
+# answer = False
 
+IO.puts(answer)
 ```
 
 [**<- Previous Module: Secure SDLC Concepts**](./3-ssdlc.livemd) || [**Next Module: Elixir Security ->**](./5-elixir.livemd)