One of my friends was talking to me:
Hey you see that guy? He is a very good programmer and he knows a lot of stuff.
I asked him whether he knew anything about this encryption algorithm. He told me that he knows a lot about encryption algorithms. In fact he writes his own encryption algorithms. He told me that it is always better to write your own algorithms.
Yeah.
Now I know how knowledgeable he is.
I have a small request to make to all of the self-proclaimed cryptographic experts out there:
Cryptography is hard. It is hard because there are always smarter people out there who can break your home-made super-duper encryption algorithm. If you are so confident in your abilities, use your own encryption algorithms in your own applications. Please don’t give it to the public. If you are sharing your application with us, specify that you are using your own encryption algorithm so that we’ll understand how awesome you are and how awesome your products will be (and probably avoid using your awful application).
I know what you will be thinking right now:
But, nobody ever cracked my encryption algorithm!
That is because nobody cares. People have their own work to do rather than trying to crack your pet algorithm. If you really want to test the strength of your algorithm, try announcing a million dollar prize for the guy who breaks it.
And please don’t spread messages like “it is always better to write our own algorithms” among us mortals. Maybe you can do good security on your own; we can’t.
Hey, that is true, if the guy is a beginner then it is difficult to write the secure encryption code. But there are people (human only) out there who write encryption algos for the best of all the tools and services that we use. So there can be one doing it for the very first time and who could be better than all, who knows!
Tejaswini,
It is true that there are people who are capable of writing good algorithms, but they too can make mistakes. So what do you do to make a new encryption algorithm?
Publish the details of the algorithm and let the mathematicians and cryptographers around the world analyze your algorithm and try to find flaws in it. If they fail to do so, you can say your algorithm is a good one.
Read the Advanced Encryption Standard process to know how they took 3 years to select a winner for the AES process!!! For those 3 full years the cryptographers in the whole world were trying to break the algorithms. If you stand that test, then you know that you have a pretty good algorithm.
Ha… this guy’s smoking crack. You don’t just “become” a good encryption algorithm writer, it takes years of training. And that training would initiate with some fairly sophisticated mathematics. I’ve taken encryption courses in graduate school and I can tell you that the most sophisticated encryption algorithms are based on number theory and advanced mathematics. It’s not just in rearranging letters!
If the guy in question were truly writing innovative stuff he would have been scooped up by the NSA years ago…
Globe,
Yup.
If he is a good programmer, then he probably meant he implements encryption algorithms on his own. I just can’t imagine anyone with common sense saying that it is a good idea to design a brand new encryption algorithm.
There is a forgotten point here. It is much easier (compute hours + man hours) to attack something that is made with a well known encryption algorithm than it is to attack a black box.
The often repeated line is “you need to stick with the major algorithms because they’ve been proven.” Most have accepted it.
An untested encryption method could easily have a simple flaw that allows for a quick solution. The downside is the number of human hours required to analyze and find the flaw to exploit.
Want a tough compute hour + man hour encryption? Layer them.
Forgotten,
It has been shown that layering encryption algorithms does not always lead to better security, and sometimes it even leads to worse security than any of the individual algorithms.
“…layering encryption algorithms does not lead to better security… and sometimes even leads to worse security”
I don’t understand how that’s possible- Can you explain or provide a link? I’m curious to see how that would work-
I know that other algorithms are like this- For instance, if you shuffle a deck of cards enough times, the ordering can become predictable. Not sure why that would be the case with encryption, though.
Alex,
Instead of double encryption, it is always better to use one algorithm with double the key length.
Here are some links on the topic:
double encryption
Double Encryption Is Not A Good Idea
What is Multiple Encryption
Double encryption(Blowfish->Rijndael) Stronger? Or dumb?
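An added illustration of the double-encryption point in the reply above (not code from the post or from any commenter): the textbook meet-in-the-middle search, run against a toy cipher applied twice with two independent keys. The 16-bit-key Feistel cipher, the keys, the sample plaintexts and all function names are constructed for this example, and the search assumes the attacker holds a few known plaintext/ciphertext pairs. It recovers both keys in about 2^17 cipher operations plus a 2^16-entry table, where a single cipher with a 32-bit key would force a 2^32 search.

```python
# Toy cipher constructed for this example: 32-bit block, 16-bit key. Not a real cipher.
KEY_BITS = 16
MASK = 0xFFFF

def _round(half, key, rnd):
    x = (half + key * (rnd + 1) + 0x9E37) & MASK
    x = (x * 0x2545 + 1) & MASK
    return x ^ (x >> 7)

def toy_encrypt(block, key):
    left, right = block >> 16, block & MASK
    for rnd in range(4):
        left, right = right, left ^ _round(right, key, rnd)
    return (left << 16) | right

def toy_decrypt(block, key):
    left, right = block >> 16, block & MASK
    for rnd in reversed(range(4)):
        left, right = right ^ _round(left, key, rnd), left
    return (left << 16) | right

def double_encrypt(block, k1, k2):
    return toy_encrypt(toy_encrypt(block, k1), k2)

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Returns (candidate key pairs, number of single-cipher operations used)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}                                   # E_k1(p0) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(toy_encrypt(p0, k1), []).append(k1)
    found, work = [], 1 << KEY_BITS
    for k2 in range(1 << KEY_BITS):               # D_k2(c0) must hit the table
        work += 1
        for k1 in middle.get(toy_decrypt(c0, k2), ()):
            # a single pair leaves chance matches; the other pairs filter them
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found, work

def demo():
    k1, k2 = 0xBEEF, 0x1234                       # constructed secret keys
    plaintexts = [0x00000001, 0xDEADBEEF, 0x0BADF00D]   # constructed samples
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    found, work = meet_in_the_middle(pairs)
    return (k1, k2) in found, work, 1 << (2 * KEY_BITS)

if __name__ == "__main__":
    print(demo())
```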
Alex and Forgotten, here’s your link:
http://www.amazon.com/Introduction-Cryptography-Discrete-Mathematical-Applications/dp/1584881275/ref=sr_11_1?ie=UTF8&qid=1234372088&sr=11-1
It’s a really solid introductory text and will answer your questions and (in the case of Mr. Forgotten) clear up your terrible misconceptions about encryption.
Y’know, Cory Doctorow talks about this in quite some detail in Little Brother, and it’s actually somewhat to do with the plot.
Make your algorithms public and safeguard your encryption keys. Security by obscurity is not security at all.
Even if you had the necessary math background as a programmer/developer, one doesn’t have enough time to come up with a good algorithm that will stand the test of time. That said, there are a few algorithms that were thought to be secure but are no longer secure with today’s increased processing power.
GB
> And please don’t spread messages like “it is always better to write our own algorithms” among us mortals.
You are so WRONG about this. I don’t know about your guy, but what I know is that if people I admire contented themselves with existing algorithms (Dijkstra, Wirth, Hoare just to name a few), there wouldn’t be any progress at all.
Victor,
If you know the rules, you can break them.
Theoretically, yes. Real-world, I just don’t buy it, Al. Say you’re the first human being who just made up ROT13. Layering that around an encrypted session does not actually reduce the strength of the encryption within.
Hey, if you want to keep on using vanilla implementations of standard published crypto methods to secure your data, be my guest. Your encryption will be easily identified for the type it is, and then easily broken, either through mathematical flaws or brute force.
If you don’t want to add human engineering hours to the cost of decrypting your data, hey, you’re doing someone a big favor. Keep everything standard, willyah?
Hey, hey, hey. HEY!
I’ll have you know that I have authored several forward-only encryption systems that perform their function with great expediency and efficiency.
Sadly, my boss didn’t really approve since I was supposedly writing a “billing system” for “the accounting department”.
No-one appreciates my work.
Once you’ve mastered writing your own encryption algorithms, key distribution is a piece of cake. PIECE OF CAKE!
-PaladinZ06
>Your encryption will be easily identified for the type it is, and then easily broken,
>either through mathematical flaws or brute force.
Easily? Only if by “brute force” you mean “kick ass of man who encrypted data with until he decrypts everything”.
s/with unti/< favorite encryption method >
Instead of double encryption, it is always better to use one algorithm with double the key length.
No one’s ever broken my double ROT13 encryption
It actually _is_ better to have custom encryption algorithms. But nobody with a gram of brainmatter would hand the matter to anyone other than a cryptologist.