
Indeed. If you're not a cryptographer then you shouldn't be rolling your own crypto. That includes selecting low level libraries, etc. You want a whole crypto system that's made by experts. Preferably one that's open to auditing.

This exactly. I wish the original article had this conclusion instead of trying to tell people how to "do it right", especially when the problem is people not understanding cryptography to a sufficient level in the first place.

How does one become a cryptographer then?

Do the people who perpetuate this meme with no basis not realise the clear and present danger it presents to humanity?

Yes certainly don't use homerolled crypto in production.

More importantly do not dissuade human beings with talent to roll their own, play with others codebases, and in general have a good fucking time with cryptography.

Straight out of the counter-intel handbook is how it looks when people repeat this bullshit ad nauseam.

Everyone on Earth should roll their own crypto. Don't listen to this nonsense, the real world needs you.

> Everyone on Earth should roll their own crypto. Don't listen to this nonsense, the real world needs you.

This is an interesting exercise to help understand cryptography, but if you think cryptography is subtle or magical, you haven’t started looking at cryptanalysis. There are nearly countless possible side channel attacks. This is why we don’t roll our own practically speaking. It can take advanced degrees in mathematics to merely give ourselves some sense of assurance that our home rolled system is safe.

A friend of mine did roll his own security. A decade ago he invented a new homomorphic encryption algorithm (a type of encryption that allows meaningful operations on ciphertext without revealing secrets). His first step? Getting advanced degrees in mathematics and at least a year of peer review to test against possible attacks. Only years later did he found a company on it. Unfortunately, while the system was believed secure, a zero-trust system took too long and too much battery to generate keys on phones.

I'm using the phrase in the sense of create or implement your own, play with it, not actually using it for critical applications.

The world badly needs more cryptographers and their eyes on code, whether from a purely academic background or a digital tinkerer background. People should be encouraged everywhere to frolic in the ciphers.

Is there a link to the paper? As far as I'm aware, there is no practical FHE scheme in existence.

Any reference to their work?

> > If you're not a cryptographer then you shouldn't be rolling your own crypto.

> How does one become a cryptographer then?

> Yes certainly don't use homerolled crypto in production.

That is the point. When the glib phrase is repeated it is to people who are working on production, or something that might be in danger of one day soon being in production (we've all seen things go from proof of concept to production with insufficient reworking, it happens far too often). In that context it is correct to be constantly restated.

If you are explicitly trying to understand cryptography, then hopefully you are aware of the higher level dangers while you are poking around the lower level details, and until you are ready for prime-time you are able to keep your exploratory code from going anywhere near production, at least not without proper scrutiny.

It is like the first two rules of optimisation:

Rule 1: Don't.

Rule 2 (for advanced programmers only): Don't yet.

> How does one become a cryptographer then?

Basically: studying it in depth (especially the mathematics part). Focus on cryptanalysis for a while, and find some flaws in existing implementations.

The moment you really start to fix those flaws, you probably know enough to implement a cryptosystem in a reasonably safe manner.

Even then, there likely will be many flaws in your implementation. So, you need other cryptographers to review it, several sets of eyes looking for flaws. Oh, and don't forget to make sure someone reviews for side channel attacks. (and some other things that I am probably forgetting right now)

In the end, the cryptographers that implement cryptosystems are a rare breed. These generally include people that are good at both the hard mathematics involved and the low-level programming knowledge that it requires to prevent timing attacks and the like, and even some hardware knowledge.

Who am I to say this? I have studied information security with some focus on crypto, including cryptanalysis and implementation of cryptosystems. I followed some MSc-level courses on implementation specifically, and would not touch implementing a cryptosystem myself for production.

Quality reply, thank you.

> So, you need other cryptographers to review it, several sets of eyes looking for flaws.

That's a real problem with no easy solution: for every "new" cryptographer trying to implement a cryptosystem you need a dozen half-capable eyes on what they are doing. For anything used widely you need hundreds.

Creating more half-capable eyes is a good thing.

> How does one become a cryptographer then?

Get an advanced maths degree. Minor in cryptosystems. Spend a few years looking at old cryptosystems. Understand how they were designed, what their weaknesses were, and how new systems are designed. Read a lot of papers. Try to write your own system and ask peers to point out the glaringly obvious holes you didn't notice.

> More importantly do not dissuade human beings with talent to roll their own, play with others codebases, and in general have a good fucking time with cryptography.

The consequences of lots of people using shit crypto is that a lot of people become less secure, and won't have any idea about it. At the same time, us saying "don't roll your own" won't actually stop anyone who has a burning desire to play with crypto. So we're definitely going to keep dissuading people from rolling their own.

While I want to commend this comment, it all seems to have lit a bonfire of programmer-tier anger, so I will still retaliate:

People aren't using shit crypto, virtually no one is using anything other than what is highly vetted or otherwise google/apple/ms/etc is telling them to.

What is the actual argument here? That some $randompeople play around with new cryptosystems and then share them with friends? The sheer derision that my original comment has directed at it is astounding, let the kids play with cryptography, who the fuck cares, I hope they roll all of the crypto themselves, the world will be a better place, who exactly is saying it should replace current elliptical curves decided so wholesomely for us all by NIST?

The simple clear fact is that Western countries do not like and are actively campaigning against modern cryptography. Let's pretend we have some dignity left please as human beings. The West used to represent something, now it feels like we are taking notes from oppressive regimes and playing catch-up.

> People aren't using shit crypto

From Why You Should Stop Using Telegram Right Now (2016) (https://gizmodo.com/why-you-should-stop-using-telegram-right...):

  According to interviews with leading encryption and security experts,
  Telegram has a wide range of security issues and doesn’t live up to its
  proclamations as a safe and secure messaging application. [...] 

  Telegram did what’s known as “rolling their own encryption,” which is
  widely considered to be a fatal flaw when developing encrypted messaging apps.

Every time there's debate over Telegram's encryption the shill argument "it hasn't been broken in the wild now has it" pops up. This is fundamentally flawed thinking. The end-to-end encryption is most likely reasonably safe (no glaring holes were pointed out by experts except the IND-CCA problem). The real problem is Telegram uses their secret chats as a poor excuse for justifying the lack of E2EE for practically everything: "Just use secret chats if you need end-to-end encryption."

1. Telegram's E2EE is not on by default, therefore 99% of users don't use it.

2. Telegram's E2EE is not advertising authentication, therefore ~90% of the people using it don't check for MITM attacks, therefore the majority of E2EE is useless against active attackers.

3. Telegram's E2EE does not work across devices, therefore the majority of people who use secret chats also use non-secret chats, because the desktop client doesn't support it.

4. 100% of Telegram's group conversations can be eavesdropped by the server, because Telegram doesn't have E2EE for group chats.

Complaining about possible cribs in how Telegram implemented the protocol from cryptographic primitives is an insignificant problem compared to the fact the entire protocol is fundamentally FUBAR, how it's so glaringly obvious you can't even fill out a CVE form.

If Signal had a vulnerability where 100% of group conversations were not properly end-to-end encrypted, every newspaper in the world would publish something about it. However, with Telegram it has been spun as a "feature".

Another big problem is Telegram has been mentioned by hundreds of publications as "Secure apps like Signal, WhatsApp and Telegram".

To experts it's like hearing news spout "Great writers like Leo Tolstoy, Paulo Coelho, and Stephenie Meyer", or "Great bunker materials like reinforced concrete, steel, and MDF".

Repeatedly claimed, anyone would make mental associations between the three, but when you actually find out what they're about you can't believe your ears.

Additionally, Telegram uses MTProto instead of TLS. What they should be doing is MTProto in addition to TLS. But, no.

Actually lots of people _are_ using shit crypto. The reason the message keeps being repeated is that it hasn't been effective enough yet. Believe me, all of us have enough better things to do with our time to stop saying this if it was all actually fixed.

My previous employer was encrypting customer data (in a project I didn't work on) with RSA. Yes, they were actually using RSA itself to encrypt the user data. If you're thinking "Oh, and that's bad because RSA right?" then "No", that's not actually why - again, I direct you to our main thesis: Stop hand-rolling crypto, this is dangerous and you are going to hurt yourself.

But even if we restrict "people" to just my mother and sister, ordinary users with common hardware and software then that's often still people using shit crypto.

Popular libraries like OpenSSL are full of garbage fire shit crypto. Lots of it is "optional" but did you turn off that option? Does my sister know where the option is? No. Some of it is because people are trying to do very hard things and there's no margin for error, but as this article suggests you can solve that by not doing the very hard things any more. Doing RSA Key Ex with TLS _safely_ is very, very hard. Not doing it at all is easy. So just don't do it.

Cryptography is not like folk dancing or pottery, where it's OK to be fairly bad at it so long as you had a good time.

This is like heart surgery. We don't encourage everybody to "have a go" at heart surgery and hope maybe some of them will do a good job, that would be crazy. People spend years acquiring enough skills to even _find out_ whether they'd actually be any good as a heart surgeon, and some don't make the cut.

What does that look like? Cryptanalysis. Probably starting with a Mathematics degree, but it is possible to get there from another numerate background and a LOT of study.

That's where anybody at all serious - certainly this century and arguably going back to the middle of the twentieth century - starts. They analyse existing crypto systems and they find new problems. They start out a bit shy, hey, did anybody notice that X is actually a member of a Boze-Lechstein inverted group here? Doesn't that mean we could use the Stross-Baxter formula to find X in O(n) time? And after a few successes (and maybe one or two setbacks where they made an embarrassing mistake) they get a reputation so that others in the field show them exciting new things. Hey, you're the guy who first saw Stross-Baxter-Watts, take a look at our SHA-4 contender which relies on a related approach, see any problems?

After you've got a few years in cryptanalysis, maybe, if you feel up to it, you can start to propose new ideas. Your colleagues will respect you enough to take a look, and the first few will definitely get shot down. Ha, you forgot that the Benford-Barnes hypothesis doesn't apply to correlated members, so your new cipher has vast swathes of hard-to-detect weak keys. Not good, better luck next time. But maybe, if you're good, you will eventually make something good enough that people remember it when it doesn't make the cut for a competition. You are now "famous".

Notice how none of this was just some random guy in his bedroom having an idea and inventing a brand new cryptosystem? That's because that doesn't work. It did two centuries ago. If your adversaries are from the late 18th century, you should definitely go try that approach. But the adversaries got a lot better.
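The "don't do RSA key exchange at all, it's easy" advice from the comment above, written out as an added example (mine, not code from the thread or from any library named in it) using Python's ssl module: the weak cipher string lets OpenSSL offer static RSA key exchange, the hardened one never offers it, and a check reports any offered suite that would still use it. The cipher strings and function names are assumptions of this example.

```python
import ssl

# Constructed cipher strings (not from the thread): the first lets OpenSSL
# offer every suite it knows, including static RSA key exchange (no forward
# secrecy); the second only ever offers ephemeral ECDH key exchange.
WEAK_CIPHERS = "ALL"
SAFE_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!kRSA"


def make_context(cipher_string: str) -> ssl.SSLContext:
    """Client context with TLS 1.2+ and the given OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx


def rsa_kex_suites(ctx: ssl.SSLContext) -> list:
    """Names of offered suites whose key exchange is static RSA (Kx=RSA).

    TLS 1.3 suites report 'kx-any' and never use static RSA, so they pass.
    Both the structured 'kea' field and OpenSSL's text description are checked.
    """
    return sorted(
        c["name"]
        for c in ctx.get_ciphers()
        if c["kea"] == "kx-rsa" or "Kx=RSA" in c["description"]
    )


def forward_secret_only(ctx: ssl.SSLContext) -> bool:
    """True when every offered suite uses an ephemeral (ECDHE/DHE) or TLS 1.3 exchange."""
    ephemeral = {"kx-ecdhe", "kx-dhe", "kx-any"}
    ciphers = ctx.get_ciphers()
    return bool(ciphers) and all(c["kea"] in ephemeral for c in ciphers)


def hardened_context() -> ssl.SSLContext:
    """The easy option: a context that simply never offers RSA key exchange."""
    ctx = make_context(SAFE_CIPHERS)
    if rsa_kex_suites(ctx):  # belt and braces: refuse to hand out a context that regressed
        raise RuntimeError("RSA key exchange still offered")
    return ctx


if __name__ == "__main__":
    for label, cipher_string in (("weak", WEAK_CIPHERS), ("hardened", SAFE_CIPHERS)):
        ctx = make_context(cipher_string)
        print(label, "RSA-kex suites:", rsa_kex_suites(ctx) or "none",
              "| forward secrecy only:", forward_secret_only(ctx))
```

Which suites the weak context actually lists depends on the OpenSSL build and its security level; the hardened context is the same everywhere because it never asks for RSA key exchange in the first place.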

The answer is the same as when this always comes up: mentally append "for realsies". The advice is meant to suggest that people not publish code or run services with incompetent crypto.

Nobody is saying not to learn and play. They're saying don't set off a rocket while staring down the engine. The reason why it has to be said is that the consequences of doing so when writing crypto are not so impressively immediate or dramatic, but just as devastating to the outcome (and maybe cryptographer, depending on adversary).

> Straight out of the CIA handbook is how you look when you repeat this bullshit ad nauseam.

The CIA does not care if you play with libsodium.

> The CIA does not care if you play with libsodium.

Cryptographers are easy meat for lions.

Care to place a long-standing bet on that? 20yrs or so? We can find a solid reasonable middleman here surely?

They very much do care. I'm willing to bet on it becoming public knowledge within that timeframe. Keen?

How is the CIA going to stop you from downloading libsodium and doing whatever you want with it?

That was most certainly not the point made here.

Go contribute to libsodium, go contribute to any reasonably well used crypto library, you've now got a big red dot on your back from an assortment of governments in perpetual conflict.

I truly worry for anyone participating in these open source codebases and not being aware of how much they are targets.

Take care of yourselves friends. Please.

> I truly worry for anyone participating in these open source codebases and not being aware of how much they are targets.

So when you extorted people to play with other's crypto codebases in the previous post, were you trying to make them into targets?

Exhorted, you probably meant!

Yeah, thanks.

This reminds me of Niemöller's poem. IIRC it went something like

First they came for the A2017U1s, or they would have, except he never opposed the wrongdoing.


Nobody is telling you that you can’t play around with crypto in your personal projects; you’re attacking a strawman. What they mean is this:

> Yes certainly don't use homerolled crypto in production.

Even don't prototype with homerolled encryption.

You should know how easy prototypes enter production!

No, either you want to become a cryptographer and you'll need to learn, implement toy algorithms, toy with libraries, etc. But you'll need some level of proficiency before putting anything into production.

The real code contributions of cryptographers anyway tend to add some very specific details to libraries (like adding their latest invention).

Now the general advice is that if you want to skip the 15 years it takes to become a cryptographer and you want to send a message, there are ways.

I think the track record of novel cryptography created by people inexperienced in the field indicates it’s something intelligence services would like people to do more of if possible. Are you sure you’re not working for the CIA?

First, start with a site that will teach you some surprising things about crypto that you may have not thought possible: http://cryptopals.com/. That is a good start.
