Why You Should Totally Roll Your Own AES Crypto

Software developers are usually told to “never write their own crypto,” and there are certainly enough examples over the past few decades where DIY crypto routines have done real damage. That is also how [Francis Stokes'] article on deploying your own encryption system opens. Even if you understand the math behind a cryptosystem like AES (symmetric encryption), the assumptions made by your code, along with side-channel attacks and many other types of attacks, can negate your efforts.

So why write an article about doing exactly what you're told not to do? The answer lies in the oft-forgotten addendum to "don't roll your own crypto", which is "for anything that matters". [Francis's] tutorial on how to implement AES is incredibly informative as an introduction to symmetric key cryptography for software developers, and demonstrates a number of obvious weaknesses that users of an AES library may not be aware of.

This shows why any developer who uses crypto in any way for anything should absolutely roll their own crypto: to take a peek inside what is usually the black box of a library, and to better understand how the mathematical principles behind AES are translated into a real-world system. Plus, it can be very instructive if your goal is to become a security researcher whose daily job is to find flaws in these systems.

Basically: Definitely try this at home, just keep your DIY crypto away from production servers :)

