开发者

Home-Made Cryptography [closed]

开发者 https://www.devze.com 2023-01-15 12:49 出处:网络
Closed. This question is off-topic. It is not currently accepting answers. 开发者_如何学JAVA Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed. This question is off-topic. It is not currently accepting answers. 开发者_如何学JAVA

Want to improve this question? Update the question so it's on-topic for Stack Overflow.

Closed 12 years ago.

Improve this question

I know you should never make your own cryptography, whether it is a cipher or hashing algorithm or even a secure pseudo random number generator these things I developed over a long standardisation process. However what I'm looking for quotes or good point in order to quickly describe/argue this to the occasional developer that decides to write their own cryptographic algorithm.


You can tell this developer that existing algorithms such as AES have been analyzed by countless experts in cryptanalysis (which would certainly involve an advanced understanding of numbers and computer science) and tested in competitions, where there's a real incentive for creating secure algorithms.

You can also tell this developer that just because an algorithm is popular, it doesn't mean that it's insecure (if that was this developer's rationale). Just because lots of people know how door locks work doesn't make door locks insecure, nor is it a good justification for people to create their own door locks.

For a real world example, see this TDWTF article about Nintendo's bug in the Wii's security functions. Nintendo (a big, well-known company with plenty of programmers) tried to implement an existing algorithm and managed to screw that up. What makes this developer think that he/she has the l33t h4x0r skills to write a new, secure algorithm?


Anyone who thinks they have devised an unbreakable encryption scheme either is an incredibly rare genius or is naive and inexperienced. Unfortunately, I sometimes have to deal with would-be cryptographers who want to make "improvements" to PGP by adding encryption algorithms of their own design.

I remember a conversation in 1991 with Brian Snow, a highly placed senior cryptographer with the NSA. He said he would never trust an encryption algorithm designed by someone who had not "earned their bones" by first spending a lot of time cracking codes. That made a lot of sense. I observed that practically no one in the commercial world of cryptography qualifies under this criterion. "Yes," he said with a self-assured smile, "And that makes our job at NSA so much easier." A chilling thought. I didn't qualify either.

Philip Zimmermann, Beware of Snake Oil


Just tell them that unless they have several decades of experience in math, computer science and cryptography, and then a few years to design the algorithm, it is highly unlikely that they will be able to produce a better cryptographic encryption scheme than the ones that already are in widespread use, all of which have been worked on by a lot of people, many of which almost definitely have the background I described above.


Point the non-believer to these URL's:

Security Pitfalls in Cryptography By Bruce Schneier
Cryptography from princeton.edu
Homebrew Cryptography
Wikipedia Article on Cryptanalysis


As others have mentioned, you can use just about anything that Bruce Schneier says as a quote! He frequently mentions that anyone can create a cipher that he or she cannot break. He's expounded on this in detail but I can't find the article atm, but here's some essays of his that touch on this area:

  • Why the Worst Cryptography is in the Systems that Pass Initial Analysis
  • So, You Want to be a Cryptographer


yes thats true.. but all in all encryption is scrambling and substitution. so you can make your own cipher easily.. scramble your text using basic XOR and use a dictionary for substitute.

http://en.wikipedia.org/wiki/XOR_cipher

Hope this can help

Regards.

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号