Rolling your own crypto
Published 11:40, 05 March 10
I have been advising clients for many years on the use of cryptography to protect sensitive information. From keeping highly sensitive personal data secure to ensuring the integrity of financial transactions, cryptography plays a vital and central role as part of an overall solution to these problems.
Well-designed cryptography provides protection against eavesdropping, tampering, impersonation and similar attacks that rests on well-studied mathematical problems believed to be computationally intractable: breaking it by brute force or by any known analysis is infeasible in practice, not merely difficult.
However, this can only happen when tried and tested algorithms are used and key management is implemented properly. Let’s explore the first point in a bit more detail:
“Tried and tested” sounds like an obvious requirement, but it is routinely ignored. I have come across numerous organisations whose “most senior security analyst in the company” has designed an in-house algorithm instead.
This is almost never a good idea! The amount of academic and industrial research that goes into developing a new algorithm is very significant. Also, any new algorithms must withstand the test of time and extensive peer review in order to confirm they are effective.
The algorithms themselves are never secret (this is Kerckhoffs’s principle, the opposite of security through obscurity) because they must be open to extensive scrutiny and review. The secret is the key and the way the key is managed; it is almost never the algorithm.
Many ad hoc algorithm designs rely on keeping the algorithm secret. I believe this is a non-starter from a security perspective: as soon as the algorithm has to be used across a number of different applications or systems it must be distributed to each of them, and at that point it is no longer secret.
These kinds of “secret” algorithms expose themselves to reverse engineering, code walkthrough analysis, black box testing and other cryptanalytic techniques that can eventually break them. Another fallacy is offering the algorithm up for analysis without divulging its design or source code: the design is precisely what needs scrutiny, and a compiled implementation can be reverse engineered anyway.
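To make the black-box point concrete, here is an added example (written for this post, not code from any organisation mentioned in it) of a typical homebrew “proprietary” cipher, a repeating-key XOR, attacked without ever reading its source. The attacker is assumed to know a single plaintext and its ciphertext, for instance a fixed record header, which is a realistic situation for any format with predictable structure. All keys and messages below are constructed for the demonstration.

```python
"""Added example: a 'secret' homebrew cipher broken purely black-box.

Illustrative code written for this post. The cipher is a deliberately weak
repeating-key XOR standing in for an in-house design whose only real
protection is that nobody outside the company has seen it.
"""
from itertools import cycle


def homebrew_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """The 'proprietary' algorithm: XOR the plaintext with the key, repeated.
    Because XOR is its own inverse, the same function also decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key)))


def keystream_period(plaintext: bytes, ciphertext: bytes) -> int:
    """Recover the keystream (pt XOR ct) from one known plaintext/ciphertext
    pair and return its shortest repeating period. The known plaintext must
    be longer than the key for the period to be detectable."""
    stream = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    for period in range(1, len(stream)):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return period
    return len(stream)


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """One known pair is enough to read the key straight out of the keystream."""
    period = keystream_period(plaintext, ciphertext)
    return bytes(p ^ c for p, c in zip(plaintext[:period], ciphertext[:period]))


def is_deterministic(oracle, sample: bytes) -> bool:
    """Black-box probe: encrypting the same message twice gives the same
    ciphertext, so equal records leak equality even before the key is known."""
    return oracle(sample) == oracle(sample)


SECRET_KEY = b"s3cr3tK"  # constructed; never seen by the attacker


def attack_demo():
    """Attacker knows one record's plaintext (a fixed header with a blank
    account field) and intercepts two ciphertexts. Returns the recovered key
    and the decrypted second record."""
    known_pt = b"BEGIN-RECORD-v1;account=0000000000;"            # constructed
    known_ct = homebrew_encrypt(SECRET_KEY, known_pt)
    target_ct = homebrew_encrypt(SECRET_KEY, b"BEGIN-RECORD-v1;account=1234567890123456;")
    key = recover_key(known_pt, known_ct)
    return key, homebrew_encrypt(key, target_ct)


if __name__ == "__main__":
    key, plaintext = attack_demo()
    print("recovered key:", key)
    print("decrypted record:", plaintext)
```

Nothing in the attack depends on knowing how the cipher was built; it treats the implementation as an oracle and works from inputs and outputs alone, which is exactly what reverse engineers and black-box testers do to a distributed binary.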
You often see crypto challenges offering a “million dollar prize” for breaking the code. These are seldom taken seriously and therefore do not attract the level of attention and scrutiny required. Just because no one has tried to break it doesn’t mean that it can’t be broken!
It is never recommended to roll your own crypto algorithms. Use tried and tested algorithms developed by people who do this professionally. Look for industry or government certification of the algorithms (for example NIST FIPS validation) and, where possible, use established crypto libraries whose implementations have been independently reviewed and tested. Use published test vectors to verify that the implementation you deploy produces the expected results, and ensure that key management is implemented properly.
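The test-vector check is the part most teams skip, so here is an added example (not code from the original post) of a small known-answer test harness. It checks an implementation against published vectors: the SHA-256 examples from FIPS 180-4 and HMAC-SHA-256 test cases 1 and 2 from RFC 4231. It also runs a plausible-looking homebrew “keyed hash”, H(key || message), through the same vectors to show how quickly a wrong construction is caught; that broken function is constructed for the demonstration.

```python
"""Added example: verifying a crypto implementation against published test vectors.

Written for this post. The vectors are public known-answer tests; the
'broken' function is a constructed example of a homebrew MAC.
"""
import hashlib
import hmac
from typing import Callable, List, Sequence, Tuple

# FIPS 180-4 SHA-256 examples: (message, expected hex digest)
SHA256_VECTORS: Sequence[Tuple[bytes, str]] = [
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
]

# RFC 4231 HMAC-SHA-256 test cases 1 and 2: (key, message, expected hex MAC)
HMAC_SHA256_VECTORS: Sequence[Tuple[bytes, bytes, str]] = [
    (bytes([0x0B]) * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    (b"Jefe", b"what do ya want for nothing?",
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]


def sha256_hex(msg: bytes) -> str:
    """Implementation under test: the standard library's SHA-256."""
    return hashlib.sha256(msg).hexdigest()


def hmac_sha256_hex(key: bytes, msg: bytes) -> str:
    """Implementation under test: the standard library's HMAC-SHA-256."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def broken_hmac_sha256_hex(key: bytes, msg: bytes) -> str:
    """Constructed homebrew 'MAC': SHA-256(key || msg). It looks keyed, but it
    is not HMAC and is vulnerable to length extension. The vectors reject it."""
    return hashlib.sha256(key + msg).hexdigest()


def run_known_answer_tests(impl: Callable[..., str], vectors) -> List[str]:
    """Run every vector through impl; return a list of human-readable failures.
    An empty list means the implementation matched every published answer."""
    failures = []
    for vec in vectors:
        *inputs, expected = vec
        got = impl(*inputs)
        if got != expected:
            failures.append(
                f"{impl.__name__}: inputs={inputs!r} expected={expected} got={got}"
            )
    return failures


if __name__ == "__main__":
    for impl, vectors in [
        (sha256_hex, SHA256_VECTORS),
        (hmac_sha256_hex, HMAC_SHA256_VECTORS),
        (broken_hmac_sha256_hex, HMAC_SHA256_VECTORS),
    ]:
        failures = run_known_answer_tests(impl, vectors)
        print(f"{impl.__name__}: {'OK' if not failures else 'FAILED'}")
        for line in failures:
            print("  ", line)
```

Wire a check like this into the build so that a library upgrade, a compiler change or a “harmless” optimisation that alters the output is caught before deployment; a vector mismatch is a hard failure, never a warning.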
To all those that I have crossed paths with and have developed their own crypto (you know who you are), you are commended for taking an active interest in cryptography, but please leave this to the professionals! Channel your energies into ensuring the algorithms have been implemented and deployed correctly instead of developing your own.