Everybody knows making your own cipher really sucks.

Everybody also knows using existing cryptosystems, such as TLS, totally doesn't suck.

But when is the line drawn? For example, would I be rolling my own if I use established algorithms, but design my own TLS-like protocol? How about if I reimplement popular protocols?

ithisa
  • Creating your own protocols is risky. Even making modifications to existing protocols requires great care. Look at attacks like CRIME and BREACH, which were novel attacks against very well established protocols. Attackers don't follow the same rules as regular participants in a protocol, nor do they have the same goals. It's very hard to predict every mode of attack. – John Deters Oct 21 '13 at 03:22

1 Answer

For typical apps, you should use a library like TLS. These do a lot more than a cipher like AES. TLS takes care of the block cipher mode, padding, integrity, key scheduling, and more. All these considerations have significant subtleties and gotchas.

Now, if you're writing something like TrueCrypt or PGP then you have very particular needs and a library will not meet these. In this case, you would need expert cryptographers on the team to have credibility - and you should still use standard algorithms, and as far as possible, standard usage patterns.

paj28
  • I would be implementing an algorithm very similar to TLS but avoiding some of its known pitfalls (which cannot be changed mostly due to compatibility), such as its love of CBC, and MAC-then-encrypt. My usage case is also going to leave the PKI part of SSL unused. – ithisa Oct 20 '13 at 14:34
  • So you're actually writing a cryptographic library? In that case it's certainly acceptable to use the algorithms directly. But to be credible you will need to show significant crypto expertise on your team. A StackExchange post won't cut it :-) If you're not writing a library, and it's just for your own app, do not do this. You will introduce worse weaknesses than TLS already has. – paj28 Oct 20 '13 at 14:43
  • I am more "reimplementing TLS plus some breaking incompatibilities" than designing a system from scratch. The thing is that using TLS seems to be a pain to do correctly, considering many OS TLS libraries are seriously outdated, etc. – ithisa Oct 20 '13 at 14:44
  • I'd say that counts as creating your own crypto library. Although the changes may be minor, in crypto these can have major consequences. – paj28 Oct 20 '13 at 16:51
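To make the answer's list concrete (cipher mode, padding, integrity, key schedule, and the MAC-then-encrypt ordering the comments mention), here is an added illustration; it is not code from the question, the answer, or any TLS implementation. It builds a minimal authenticated record layer from nothing but HMAC-SHA256 in the Python standard library: one master secret is expanded into separate encryption and MAC keys, the record sequence number doubles as a never-reused nonce so that a counter-style keystream needs no padding and no CBC, and the tag is computed over nonce, header and ciphertext and verified in constant time before a single byte is decrypted (encrypt-then-MAC). Every function name here (`derive_keys`, `seal`, `open_record`, `demo`) is hypothetical, and the fixed master secret in `demo` is a constructed sample value.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output length
NONCE_LEN = 8  # 64-bit record sequence number


def derive_keys(master_secret, label):
    """Key schedule: expand one master secret into two independent keys.

    HMAC-based expansion in the spirit of HKDF-Expand (constructed here, not
    TLS's PRF).  Using one key for both encryption and MAC is a classic
    "roll your own" mistake; deriving them separately avoids it.
    """
    enc_key = hmac.new(master_secret, label + b"|enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_secret, label + b"|mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC(enc_key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key, mac_key, seq, plaintext, header=b""):
    """Encrypt-then-MAC one record.  seq must be unique per key."""
    nonce = struct.pack(">Q", seq)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # The tag covers everything the receiver will act on: nonce, header, ciphertext.
    tag = hmac.new(mac_key, nonce + header + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_record(enc_key, mac_key, expected_seq, record, header=b""):
    """Verify, then decrypt.  Raises ValueError on any tampering or replay."""
    if len(record) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    nonce = record[:NONCE_LEN]
    ciphertext = record[NONCE_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    # Replay / reordering check: the sequence number must be the one we expect.
    if struct.unpack(">Q", nonce)[0] != expected_seq:
        raise ValueError("unexpected sequence number")
    expected_tag = hmac.new(mac_key, nonce + header + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison, and no decryption before the MAC passes:
    # this ordering is what removes padding-oracle style leaks.
    if not hmac.compare_digest(expected_tag, tag):
        raise ValueError("integrity check failed")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def demo():
    """Round-trip, tampering and replay outcomes, returned for inspection."""
    master = bytes(range(32))  # constructed sample master secret
    enc_key, mac_key = derive_keys(master, b"example-session")
    header = b"app-data"
    record = seal(enc_key, mac_key, 0, b"hello record layer", header)

    results = {"roundtrip": open_record(enc_key, mac_key, 0, record, header)}

    flipped = bytearray(record)
    flipped[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    try:
        open_record(enc_key, mac_key, 0, bytes(flipped), header)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True

    try:
        open_record(enc_key, mac_key, 1, record, header)  # replayed old record
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True

    results["keys_differ"] = enc_key != mac_key
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Each branch of `demo` corresponds to one item on the answer's list: `keys_differ` is the key schedule, `roundtrip` with no padding is the mode choice, and `tamper_rejected` plus `replay_rejected` are the integrity checks that a raw call to a block cipher gives you none of.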