Cryptography: just do not!

Software developers regularly attempt to create new encryption and hashing algorithms, usually to speed up things. There is only one answer one can give in this respect:

Here is a short summary of reasons why you should never meddle in cryptography.

1. Cryptography is mathematics, very advanced mathematics
2. There are only a few good cryptographers and cryptanalysts and even they get it wrong most of the time
3. If you are not one of them, never, ever, ever try to write your own cryptographic routines
4. Cryptography is a very delicate matter, worse than bomb defusing
5. Consequently you must know that most usual “cryptographic” functions are not
6. Even when it is good, cryptography is too easy to abuse without knowing it
7. Bad cryptography looks the same as good cryptography. You will not know whether cryptography is broken until it is too late

So, I hope you are sufficiently convinced not to create your own cryptographic algorithms and functions. But we still have to use the cryptographic functions and that is no picknick either. What can mere mortals do to keep themselves on the safe side?

• If you can get away without using cryptography, do so
• If you must use cryptography, use well-known implementations of well-known algorithms and
• Understand exactly what it claims to do and what – not and
• Follow the usage and user guidance precisely to the letter!
• There are usually many subtle points so whenever things are not completely straightforward do not be shy to seek advice about consequences
• And then, think how it will be abused… because it will be.

Additional information:

• faqs.org FAQ on cryptography
• OWASP guide to cryptography
• CWE for cryptography