🟡 Update with information related to Crypto

[its-a-lisa-at-work]

This is a really good example from @mgwalker on an implementation he did for crypto https://github.com/CMSgov/eAPD/pull/1514/files#diff-fa6796d6a6e8c4c9fc59e6f2b82f1b6cdec0a58af443f16beb73ecb567e9af9a

I found it because I'm going through a similar experience where I'm examining some code's crypto https://gsa-tts.slack.com/archives/C02DYG8UK6E/p1634836139002600 and searching I saw another instance where bcrypt was mentioned https://gsa-tts.slack.com/archives/C8E5EJK9V/p1558377372059400 and reached out to Greg to chat about it and he let me know that the repo had moved Enterprise-CMCS/eAPD#1514 and pointed out the good example above!

User Story:
As a developer that is new to government engineering, I would like to know up front that bcrypt shouldn't be used and pbkdf2 should be used instead so that I can create code that is FIPS-140 compliant.

[echappen]

@its-a-lisa-at-work Thanks for bringing this up. It seems like this topic could warrant its own new page under the Security section called "Cryptography Approaches" (or something like that). Unless you see a current page in the guide that it could be added to.

As someone new to government engineering myself, I think a page like this could help me think through all the factors to consider when I'm faced with a need for a cryptographic solution. Like: what is FIPS-140? Why should I follow it? What other standards should I consider, if any? What would be must-haves vs nice-to-haves in a crypto solution in a government context? I'm sure there are other questions that could be answered here too that I'm not thinking of.

Would you or @mgwalker be able/willing to draft a page like that? And if not, could you point me in the direction of good people to ask?