Gribouillis dans les marges

Encryption tools are too critical to be coded without solid knowledge

A useful reminder, given in the conclusion of an article about a weakness in a module that lets users of a piece of consumer software encrypt their data:

Quote(s) taken from «  » by Hanno Böck

When people without a strong cryptographic background create ad-hoc designs of cryptographic protocols it will almost always go wrong. It is widely known that designing your own crypto algorithms is a bad idea and that you should use standardized and well tested algorithms like AES. But using secure algorithms doesn’t automatically create a secure protocol. One has to know the interactions and limitations of crypto primitives and this is far from trivial. There is a worrying trend – especially since the Snowden revelations – that new crypto products that never saw any professional review get developed and advertised in masses. A lot of these products are probably extremely insecure and shouldn’t be trusted at all. If you do crypto you should either do it right (which may mean paying someone to review your design or to create it in the first place) or you better don’t do it at all. People trust your crypto, and if that trust isn’t justified you shouldn’t ship a product that creates the impression it contains secure cryptography.