Home-Made Cryptography

Question

I know you should never make your own cryptography, whether it is a cipher or hashing algorithm or even a secure pseudo random number generator these things I developed over a long standardisation process. However what I'm looking for quotes or good point in order to quickly describe/argue this to the occasional developer that decides to write their own cryptographic algorithm.

Answer 1

yes thats true.. but all in all encryption is scrambling and substitution. so you can make your own cipher easily.. scramble your text using basic XOR and use a dictionary for substitute.

http://en.wikipedia.org/wiki/XOR_cipher

Hope this can help

Regards.

Answer 2

Just tell them that unless they have several decades of experience in math, computer science and cryptography, and then a few years to design the algorithm, it is highly unlikely that they will be able to produce a better cryptographic encryption scheme than the ones that already are in widespread use, all of which have been worked on by a lot of people, many of which almost definitely have the background I described above.

Answer 3

Bruce Schneier might have had something to say. Maybe a link to some PDFs that describe how to break various protocols, MD5 etc. Google it!

Answer 4

You can tell this developer that existing algorithms such as AES have been analyzed by countless experts in cryptanalysis (which would certainly involve an advanced understanding of numbers and computer science) and tested in competitions, where there's a real incentive for creating secure algorithms.

You can also tell this developer that just because an algorithm is popular, it doesn't mean that it's insecure (if that was this developer's rationale). Just because lots of people know how door locks work doesn't make door locks insecure, nor is it a good justification for people to create their own door locks.

For a real world example, see this TDWTF article about Nintendo's bug in the Wii's security functions. Nintendo (a big, well-known company with plenty of programmers) tried to implement an existing algorithm and managed to screw that up. What makes this developer think that he/she has the l33t h4x0r skills to write a new, secure algorithm?

Answer 5

I don't have it in front of me, but I'm sure you can find something good in the introduction to Applied Cryptography by Bruce Schneier.

Answer 6

Point the non-believer to these URL's:

Security Pitfalls in Cryptography By Bruce Schneier
Cryptography from princeton.edu
Homebrew Cryptography
Wikipedia Article on Cryptanalysis

Answer 7

As others have mentioned, you can use just about anything that Bruce Schneier says as a quote! He frequently mentions that anyone can create a cipher that he or she cannot break. He's expounded on this in detail but I can't find the article atm, but here's some essays of his that touch on this area:

• Why the Worst Cryptography is in the Systems that Pass Initial Analysis
• So, You Want to be a Cryptographer

Answer 8

Anyone who thinks they have devised an unbreakable encryption scheme either is an incredibly rare genius or is naive and inexperienced. Unfortunately, I sometimes have to deal with would-be cryptographers who want to make "improvements" to PGP by adding encryption algorithms of their own design.

I remember a conversation in 1991 with Brian Snow, a highly placed senior cryptographer with the NSA. He said he would never trust an encryption algorithm designed by someone who had not "earned their bones" by first spending a lot of time cracking codes. That made a lot of sense. I observed that practically no one in the commercial world of cryptography qualifies under this criterion. "Yes," he said with a self-assured smile, "And that makes our job at NSA so much easier." A chilling thought. I didn't qualify either.

Philip Zimmermann, Beware of Snake Oil