Part 1: Why implementing cryptography isn’t trivial

2012-02-06 14:54

Correct (read: safe and secure) use of cryptographic functions in your own code isn’t trivial. As evidence, here is a short list of typical security issues we come across during code audits:

  • Use of insecure cryptographic functions or insecure random functions to initialize other crypto components
  • Incorrect placement and handling of cryptographic components within the application architecture
  • Insecure handling of sensitive data in plaintext (unencrypted) form
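
The first item in the list, shown as an added example that is not from the original post: a 128-bit key drawn from Python's `random` module seeded with a timestamp carries only as much entropy as the seed, so an audit can regenerate it from an approximate creation time, while a key from `secrets` cannot be regenerated that way. The function names and the timestamp are constructed for illustration.

```python
import random
import secrets

KEY_BYTES = 16  # 128-bit key


def weak_key(seed: int) -> bytes:
    """Anti-pattern: key material from a general-purpose PRNG seeded with a timestamp."""
    rng = random.Random(seed)  # Mersenne Twister: deterministic for a given seed, not a CSPRNG
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_key() -> bytes:
    """Corrected form: key material from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def seed_that_reproduces(key: bytes, start: int, end: int):
    """Audit check: return the seed in [start, end] that regenerates `key`, or None."""
    for seed in range(start, end + 1):
        if weak_key(seed) == key:
            return seed
    return None


if __name__ == "__main__":
    created = 1328536440  # constructed Unix timestamp standing in for "time the key was made"
    window = 3600         # assumption: creation time is known to within one hour

    key = weak_key(created)
    found = seed_that_reproduces(key, created - window, created + window)
    print("weak key:  ", key.hex(), "-> regenerated from seed", found)

    key = strong_key()
    found = seed_that_reproduces(key, created - window, created + window)
    print("strong key:", key.hex(), "-> regenerated from seed", found)
```

The weak key looks random and has the right length, which is why this class of issue passes functional testing and is found in code audits instead.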

One reason for these mistakes is a lack of the knowledge required to implement cryptosystems correctly, including a deep understanding of how a particular cryptosystem works. On the other hand, we often come across the idea that using the functions and libraries delivered with a given environment (a compiler, for example) guarantees security. While in most cases using those APIs is a better idea than trying to implement crypto code yourself, it still does not guarantee security, and it does not protect the programmer from using those functions incorrectly.

For those who still believe that designing and implementing cryptosystems is trivial, we suggest taking a look at the discussion of collisions in the Python hash function implementation: http://bugs.python.org/issue13703

In the second part we will provide some tips on how to avoid some of the problems mentioned.