Do-it-yourself crypto. NO!

In the first article of our #BSidesMunich2025 NEINth edition, we explore the idea of do-it-yourself crypto.

Let’s face it. Encryption is pretty easy to understand… Does that mean we should build it ourselves? (Security veterans are reading this now and rolling their eyes and silently screaming… NO! NO! NO!)

What could go wrong?

Let’s start with the algorithm(s). Reliable, modern algorithms are based on a deep understanding of mathematics, reviewed and improved by experts and challenged by the cleverest security testers. Even after they are accepted, weaknesses can be identified that make them no longer fit for use. Understanding an algorithm can be relatively easy… making a safe algorithm is extremely hard. This, coupled with the fact that our algorithms now need to be resistant to quantum computers, should be enough for most humans to avoid do-it-yourself.

Let’s move on to the cryptographic protocols. Cryptographic protocols define how to use and exchange cryptographic keys, which algorithms to use (encryption, hashing, etc.) and often the recommended cryptographic key strength. Common examples include TLS and IPsec. As with encryption algorithms, cryptographic protocols tend to be easy to understand, but difficult to design. Common, trustworthy algorithms have been reviewed and tested over time. In some cases, they have been completely replaced by new and improved algorithms.

Let’s move on to cryptographic implementations. Implementing cryptographic protocols and algorithms in code may seem straightforward, but it is more challenging than expected. First and foremost, writing secure code, code that in itself is not exploitable, is not trivial. After this, the implementation must be resistant to side-channel attacks. Trusted implementations use standard algorithms and protocols, and they have been reviewed, tested and refined over time by security professionals.
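The side-channel point above, as an added example (not code from the original article): a hand-rolled tag comparison that exits at the first wrong byte, next to the standard library's `hmac.compare_digest`. The key, the message and the `bytes_compared` counter (a deterministic stand-in for running time) are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key for this example


def make_tag(message):
    """HMAC-SHA256 tag from the standard library (the vetted primitive)."""
    return hmac.new(KEY, message, hashlib.sha256).digest()


def diy_verify(message, tag):
    """Hand-rolled check that stops at the first wrong byte.

    Returns (ok, bytes_compared). bytes_compared is a deterministic stand-in
    for running time: it grows with how much of the tag was correct, which is
    exactly the information a timing side channel gives away.
    """
    expected = make_tag(message)
    if len(tag) != len(expected):
        return False, 0
    compared = 0
    for a, b in zip(expected, tag):
        compared += 1
        if a != b:
            return False, compared
    return True, compared


def library_verify(message, tag):
    """Same check via hmac.compare_digest, built to avoid that dependence."""
    return hmac.compare_digest(make_tag(message), tag)


def leak_profile(message):
    """Work done by diy_verify for tags wrong in the first vs. the last byte."""
    good = make_tag(message)
    wrong_first = bytes([good[0] ^ 1]) + good[1:]
    wrong_last = good[:-1] + bytes([good[-1] ^ 1])
    return diy_verify(message, wrong_first)[1], diy_verify(message, wrong_last)[1]


if __name__ == "__main__":
    msg = b"amount=100&to=alice"  # constructed sample message
    print("DIY bytes compared (first wrong, last wrong):", leak_profile(msg))
    print("library accepts good tag:", library_verify(msg, make_tag(msg)))
```

Both functions return the same accept/reject answer; the difference is only in how much work the rejection path does, which is why functional tests alone do not catch this class of flaw.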

At this point, we have only looked at three different dimensions of cryptography and what could go wrong. If you need encryption for a specific purpose, DO NOT MAKE YOUR OWN. DO use standard, accepted protocols that are fit for the purpose with implementations that have been established and tested.

Example of an algorithm weakness:
https://pentesterlab.com/exercises/padding-oracle

Example of a protocol weakness:
https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf

