[Cryptography] On the Impending Crypto Monoculture

Nemo nemo at self-evident.org
Sun Mar 27 20:42:54 EDT 2016


Andrew Donoho <awd at ddg.com> writes:

> 	Thank you for correcting me.

Thank you for being gracious even though I was not. I just get tired of
software engineers trying to design their own cryptography. How many
breaks do we have to endure because of this arrogance? The answer
appears to be "infinity".

> 	Your advice then would be to calculate the HMAC and then
> 	sign(h(m||hmac))? (Sign the SHA-256 hash of the encrypted
> 	AES-256-CBC message concatenated with the HMAC.) I can do that.

My advice is more fundamental, which is "leave the cryptography to the
cryptographers". I am not one of them. I am not even sure there are any
on this list.

If your cryptographic protocol does not come with a security proof, then
you are doing it wrong. Note that a "security proof" is not really a
proof of security, because there is no such thing. Rather, it is a
collection of provable statements of the form "if an attacker could do
Y, they could also do X", where X is something everyone agrees looks
hard, like "violate IND-CPA for AES".

If you are not comfortable reading and creating such proofs, then my
advice is to obtain your protocol (and preferably your code) from
someone who is.

Or, more briefly: The first rule of cryptography is to use someone
else's design. The second rule of cryptography is to use someone else's
implementation.

Unfortunately, in my experience, there are only two kinds of software
engineers in the world: Those who do not need to be told any of this,
and those who will not listen when told.

 - Nemo
   https://self-evident.org/
