European Union Agency for Network and Information Security (ENISA) has published the cryptographic guidelines “Algorithms, key size and parameters” 2014 as an update to the 2013 report. This year, the report has been extended to include a section on hardware and software side-channels, random number generation, and key life cycle management. The part of the previous report concerning protocols has been extended and converted to a separate report “Study on cryptographic protocols“.
The reports together provide a wealth of information and clear recommendations for any organization that uses cryptography. Plenty of references are served and the document is a great starting point for both design and analysis.
An excellent article by Sven Tuerpe argues that we pay excessive attention to the problems of encryption and insufficient – to the problems of system security. I wholeheartedly agree with that statement. Read the original article: Crypto Wars 2.0: Let the Trolling Commence (and don’t trust your phone).
Security cannot be based solely on the encryption and encryption only. The system must be built to withstand attacks from outside and from within to be secure. There is a lot of expertise in building secure devices and creating secure software but none of that is used at all in the mobile devices of today. Whether those smartphones and tablets provide encryption or not is simply besides the point in most attack scenarios and for most kinds of usage. We have to get the devices secured in the first place before the discussion of encryption on them would begin to make sense.
Software developers regularly attempt to create new encryption and hashing algorithms, usually to speed up things. There is only one answer one can give in this respect:
Here is a short summary of reasons why you should never meddle in cryptography.
- Cryptography is mathematics, very advanced mathematics
- There are only a few good cryptographers and cryptanalysts and even they get it wrong most of the time
- If you are not one of them, never, ever, ever try to write your own cryptographic routines
- Cryptography is a very delicate matter, worse than bomb defusing
- Consequently you must know that most usual “cryptographic” functions are not
- Even when it is good, cryptography is too easy to abuse without knowing it
- Bad cryptography looks the same as good cryptography. You will not know whether cryptography is broken until it is too late
So, I hope you are sufficiently convinced not to create your own cryptographic algorithms and functions. But we still have to use the cryptographic functions and that is no picknick either. What can mere mortals do to keep themselves on the safe side?