1. 16

  2. 19

    I always get pushback when I encourage people to try their hand at crypto for fun and to learn how it works. Just don’t deploy it into production, make sure you pass the massive test vector lists available for everything, and always assume you are leaking side-channel information, and everything’s fine. Elliptic curves are really fun to work with when you have 512-bit integer types available, and ChaCha20 is very simple in practice.

    Daniel J. Bernstein started out not knowing a thing about cryptography either. Imagine if he’d listened to everyone’s advice.

    1. 5

      “Don’t roll your own” has become one of those memes that people repeat without qualification or context :(

      1. 3

        I mean, sure you could qualify it with “unless it is never actually used” or “unless you are an expert and know how to deal with your mistakes” but the first is sort of implicit in a tree-in-the-forest kind of way and the second applies only to very few people. I think it’s a good meme.

    2. 11

      I think it will be more constructive if you go do the Matasano crypto challenges. I only skimmed your post, but if memory serves the cipher you came up with looks quite a bit like the one you build and break in set 1 there.

      It will likely be more fun and educational than having people critique what you wrote. And it will definitely be more fun than the lack of substantive response you’ll most probably see.

      1. 1

        It seems pretty much similar to SHACAL-2 in CFB mode but with SHA-512 instead of SHA-256. So I assume that all security considerations of that cipher will work there as well.

        1. 1

          Yeah, I was about to remark on the same thing; we just learned about symmetric encryption schemes in my undergraduate cryptography course. The weakness I’m seeing here is that password-based encryption is deterministic, while the strength of block cipher modes of operation like CBC/CFB is that they’re randomized. I suspect that making some guesses about the header would enable you to recover the hash of the key (since the author’s given an encrypted Netpbm image), which you could then brute-force with i.e. John.