
Ask HN: Is the “don't roll your own crypto” culture making us crypto ignorants? - gioscarab
Sometimes I ask myself if this generalized crypto mono-culture is something
being implanted in our brain to spare NSA money.

I would see how much effort intelligence agencies would need to handle the
proliferation of many privately developed ciphers by the open-source community.

What do you think?
======
dsacco
_> Sometimes I ask myself if this generalized crypto mono-culture is something
being implanted in our brain to spare NSA money._

I’m in the industry - I work on cryptography research and I review
cryptographic protocols for security and correctness. I can tell you when I
warn people not to roll their own crypto it’s not because I’m shilling for the
NSA.

It’s really very simple. Cryptography is an extremely complex discipline that
requires specialized training. For the most part, engaging in complex
disciplines without the requisite training results in errors somewhere. Unlike
software from many other such complex disciplines, cryptosystems are 1) safety
critical, and 2) compromised by extremely minute errors in design or
implementation.

Speaking frankly, I don’t think it’s wise for you to try and develop your own
machine learning software for a production system without training, either.
But at least if you do that you’re not (likely) compromising your users. We
admonish untrained engineers for doing the same with cryptography because it
requires either great ignorance or great hubris to believe you can pull it off
without disastrous errors along the way.

------
viraptor
They'd spend much less, because most private efforts would fail. For a real
world example, consider how many crypto locker malware examples have been
found broken in a way you can recover your files without paying. There is a
proliferation of privately developed apps just using standard ciphers, not
even creating new ones. They mostly fail at using the most basic form of
symmetric encryption.

~~~
gioscarab
Looking at the specialization of knowledge, it's easy to see how much society
and experts are more and more unable to make something new by themselves and/or
study something they don't know at all, but most importantly blindly taking
for granted the crap they use every day.

Look at the recent Intel Spectre failure, you can see how extremely
complicated systems were flawed at their very bottom and a few young enlightened
minds were able to shake our world.

~~~
detaro
> _Looking at the specialization of knowledge, it's easy to see how much society
> and experts are more and more unable to make something new by themselves
> and/or study something they don't know at all, but most importantly blindly
> taking for granted the crap they use every day._

Do you really think if there were no widespread recommendations of crypto
systems considered good people would suddenly start becoming expert
cryptographers (and companies would suddenly pay for them doing that)? History
suggests that they'd rather grab something random off GitHub/Stack Overflow or
make up their own without understanding it properly. Every security conference
is providing you with tons of examples of people getting it horribly wrong
_despite_ there being good free resources available providing them with the
tools to avoid their failures.

~~~
gioscarab
Not at all, what I am saying is that the "Don't roll your own crypto" mono-culture
makes it impossible for people to grasp the basics of crypto. I do not see many
forums experimenting in new ways to encrypt or analyze methods proposed by
others, I do see a higher number of threads discussing pseudo-scientifically
that it is stupid to even try to learn something in this field.

So I am not saying that a newbie will do a better job than experienced experts.
I am saying that we will not have many experienced experts without seeing
today's newbies making mistakes.

To me it seems not a complicated concept.

~~~
dsacco
_> Not at all, what I am saying is that the "Don't roll your own crypto" mono-
culture makes it impossible for people to grasp the basics of crypto._

To be brutally frank with you: most people are not qualified to implement
their own cryptography, and you _cannot_ become qualified if you skip the
significant prerequisites. Much like computer science in general, cryptography
is not comparable to software engineering or programming.

You can learn e.g. web development in a piecemeal, circuitous fashion. You
cannot learn cryptography that way - you’d first need to understand advanced
mathematics (abstract algebra, number theory, probability theory, maybe some
game semantics) and computational complexity. Then you need to thoroughly
understand the existing algorithms before you figure out how they can be
(safely) improved.

Attempting to develop novel cryptosystems (“roll your own crypto”) without
this background is irresponsible. It’s not that it’s impossible to grasp the
basics, rather it’s that you need to be willing to work through a significant
amount of material before you can even understand what your “unknown unknowns”
might be.

To put it very succinctly, would you attempt to publish new research in
computer science or mathematics without significant training in either?

------
ecesena
I may be biased because I studied crypto for about 9 years. My focus was using
geometric properties of elliptic curves to speed up the computation, and I was
writing hand-optimized code to prove my results.

I can certainly tell you that you can make tons of mistakes at every layer.
Protocol, primitives, composition of primitives, how you implement them in
sw or hw, how you optimize them.

As an example you can see what happened to TLS1.2, looking after the fact
basically everything was wrong with it.

Today I work for a large Internet company. I would be absolutely terrified if
I had to see custom crypto implementations. There simply isn’t enough time to
validate all that needs to be validated.

Back to your point, though, I’m not against the “build your own crypto”,
provided that you have proven expertise. Typically, if you are really an
expert, you want to consult with other experts and create a solid team that
can verify your implementation.

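viraptor's point that most broken home-grown schemes fail at the most basic form of symmetric encryption, and ecesena's list of layers where mistakes creep in (primitives, their composition, the implementation), are illustrated by the following added example. It is not code from this thread or from any of the posters. It uses a constructed HMAC-SHA256 counter keystream purely so that it runs on the Python standard library; that keystream stands in for a real stream cipher such as AES-CTR or ChaCha20 and is an assumption of the example, as are the message lengths and key constants. The "naive" functions reproduce the two classic composition errors (fixed nonce, no authentication); the "etm" functions show the corrected encrypt-then-MAC composition, and two review-style checks make the difference observable.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream derived from HMAC-SHA256. Constructed for this
    # example only; it stands in for a real stream cipher (AES-CTR, ChaCha20).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_naive(key: bytes, plaintext: bytes) -> bytes:
    """The home-grown pattern: a fixed nonce and nothing authenticating the ciphertext."""
    nonce = bytes(NONCE_LEN)  # all-zero, so every message reuses the same keystream
    return _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_naive(key: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so "decryption" silently accepts any modified bytes.
    return encrypt_naive(key, ciphertext)


def encrypt_etm(key_enc: bytes, key_mac: bytes, plaintext: bytes) -> bytes:
    """Corrected composition: fresh random nonce, then encrypt-then-MAC over nonce||ct."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(key_enc, nonce, len(plaintext)))
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_etm(key_enc: bytes, key_mac: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    # Verify the tag in constant time before touching the ciphertext at all.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext modified or wrong key")
    return _xor(ct, _keystream(key_enc, nonce, len(ct)))


def leaks_plaintext_relation(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """Review check for keystream reuse: if c1 ^ c2 == p1 ^ p2, the keystream cancelled
    out, i.e. the scheme leaks the relation between plaintexts to anyone holding both
    ciphertexts. A correct scheme with fresh nonces returns False here."""
    return _xor(c1, c2) == _xor(p1, p2)


def tamper_is_detected(key_enc: bytes, key_mac: bytes, blob: bytes) -> bool:
    """Flip one bit of the ciphertext body and report whether decryption refuses it."""
    i = NONCE_LEN  # first byte of the ciphertext body
    tampered = blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
    try:
        decrypt_etm(key_enc, key_mac, tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed demo keys and messages.
    key = hashlib.sha256(b"constructed demo key").digest()
    key_enc = hashlib.sha256(b"constructed enc key").digest()
    key_mac = hashlib.sha256(b"constructed mac key").digest()
    p1, p2 = b"invoice total: 100", b"invoice total: 999"

    c1, c2 = encrypt_naive(key, p1), encrypt_naive(key, p2)
    print("naive scheme leaks p1^p2:", leaks_plaintext_relation(c1, c2, p1, p2))
    flipped = c1[:-1] + bytes([c1[-1] ^ 0x08])
    print("naive scheme accepts a flipped byte:", decrypt_naive(key, flipped))

    b1, b2 = encrypt_etm(key_enc, key_mac, p1), encrypt_etm(key_enc, key_mac, p2)
    body = lambda b: b[NONCE_LEN:-TAG_LEN]
    print("etm scheme leaks p1^p2:", leaks_plaintext_relation(body(b1), body(b2), p1, p2))
    print("etm scheme rejects tampering:", tamper_is_detected(key_enc, key_mac, b1))
```

The two checks are the kind of thing a reviewer runs against a custom scheme before looking at anything cleverer: does encrypting two messages under one key ever reuse a keystream, and does the decryptor reject a single flipped bit. A scheme that fails either test fails at exactly the "most basic form of symmetric encryption" layer, regardless of how strong the underlying primitive is.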
------
Finnucane
Isn't that how it works for most complex systems? It can be hard enough to
learn a complex system well enough just to use it properly, let alone try to
recreate one from scratch. So, for the most part we don't.

------
detaro
That I don't believe that many of those experts spreading this message are
paid off by the NSA or similar orgs.

And that being crypto-ignorant is not connected to only using known tools for
real systems. In many cases, self-made crypto is done from an uninformed
perspective, which is why it often is so bad. Just as using well-known crypto
doesn't mean you haven't spent the time trying to understand _why_ it is
recommended and how it works internally, why alternatives are bad, or having
made your own crypto and learned from that.

~~~
gioscarab
I am not sure I agree with you, especially considering that the mainstream
algorithms now in use are generally suggested by intelligence agencies
themselves. And looking at the recent history it's easy to see how much serious
useless crap we have used for decades.

~~~
dsacco
_> I am not sure I agree with you, especially considering that the mainstream
algorithms now in use are generally suggested by intelligence agencies
themselves._

What you’re now suggesting is very close to conspiracy territory. Most
cryptosystems are developed outside the government. Moreover, if you look at
the authors of many of the most prominent cryptographic primitives, they
aren’t exactly fans of the NSA.

Do you think that the NSA has backdoored the algorithms to the extent that the
entirety of academia is in on it? That’s what it would take for what you’re
suggesting to be true, because there’s a _huge_ incentive to catch this if
it’s occurring.

------
oldsklgdfth
If anything the "roll your own crypto" culture might be something being
implanted in our brain to spare the NSA money - and provide them with more
attack vectors. Crypto astroturfing anyone?

I studied crypto in college on the mathematical side. RSA and ECC are based on
very sound maths.

