I think this article is more about rolling your own algorithms, but some people say you shouldn’t even try to implement proven algorithms on your own. The Go people rolled their own crypto. A lot of the Go stuff in the go-lang packages is in go. Like gpg, TLS, etc:
Seems to be OK. Does anyone think that stuff is insecure? Rust devs have said they wouldn’t implement any crypto code, they would use proven C
The Erlang team implemented their own SSL in the last few releases. Obviously the number of bugs in the erlang-bugs mailing list related to SSL went up. That isn’t to say that it’s different than any other new feature in terms of finding bugs. The problem I see with a lot of encryption is that it can take years to find a mistake. Which might be ok, assuming nobody figured it out significantly earlier than the good guys. But still, I’m always very skeptical of homerolled encryption. Go might be the best off since it’s so popular it probably has the yes of some respectful people on it. But meh, I dunno….
Is anyone doing anything to replace OpenSSL in C? The OpenSSL code, AFAIK, works out of brute force, not out of being done well. A new core layer would probably be appreciated, but it’s a ton of work.
The primary author on Go’s crypto/* packages is Adam Langley, who is a world-class cryptographic engineer.
Even the Go people don’t roll their own algorithms. There’s a significant level of risk in implementing standard cryptographic primitives, but you can test them extensively against other implementations, be careful about timing attacks, study the literature, and manage that risk. It’s something to worry about, but it’s not a sign you should run away screaming.
Rolling your own algorithms, though, leaves you deep in uncharted territory, and is something you probably should not do without hiring a large group of experienced, well established cryptographers to try to break your system. Even then, you should be considering running away screaming.
It seems that a lot of these articles on crypto are prefaced by the standard “I’m not an expert” or “I don’t really understand all of this” disclaimer.
Who is an expert on crypto? Not hypothetically - I guess I’m asking, who are some of the respected figures / organizations in cryptography, and where are their writings?
Take a look at So, You Want To
a pretty solid list of resources / people on the subject.