Why they say "Don't roll your own crypto."

Many of you have seen it at some point during your development career - you need to implement some security-related feature in an app and then you start ferociously searching the web for terms like "How to properly encrypt a password," "How to obfuscate a sensitive string," and so on...

You inevitably end up at a StackOverflow answer where somebody has asked how to do this and there are 65535 responses talking about how bad it is to "roll your own crypto" stating to "just leave it to libraries," "If you have to ask, you shouldn't be doing it," and so on...

I happened upon an extraordinarily thorough answer to this question recently on Security Stack Exchange . So extraordinary that I want to share it to as many curious folks as I can find. It offers a pretty insane level of detail which ends up answering the fundamental question of "Why shouldn't I roll my own crypto? What type of considerations are there that I may overlook?" It turns out, there are a ton of considerations which go down to the CPU microcode and electrical engineering levels, but it's nice to see code snippets of examples of how/why this is all the case.

Read the answer here for a ton of amazing insight

Since StackExchange is not a friendly area for extended discussion (it is not their goal), feel free to discuss your favorite parts of the post here, raise any questions or comments, etc...

No Comments Yet