Why You Don't Roll Your Own Crypto

The golden rule of encryption.

If you're going to make an app for encrypted chat, or perhaps your own computer program for communicating securely, there is one golden rule.

Don't roll your own crypto, bro.

In other words, don't try to write the encryption scheme used by your product to lock down files, conversations or anything else from the ground up, or even attempt to wildly customize an existing solution. Homemade cryptography is generally considered to be more prone to bugs, and likely hasn't been scrutinised by many other researchers or tested in the wild.

"Asking why you should not roll your own crypto is a bit like asking why you should not design your own aircraft engine," Runa Sandvik, a privacy and security researcher, told Motherboard in a Twitter message.

"The answer, in both cases, is that well-studied and secure options exist. Crypto is hard and I would rather rely on encryption schemes that have been studied and debated than schemes that are either secret or have yet to receive much, if any, attention."

Those established encryption solutions may include off-the-record messaging, which is perhaps most popularly used as a plug-in for chat clients such as Adium or Pidgin.

On Tuesday, researchers Jakob Jakobsen and Claudio Orlandi from Aarhus University, Denmark, published a paper summarising the findings of a Spring 2015 audit of the popular messaging app Telegram. The app uses "a unique custom data protocol," according to the company's website. A.k.a home-brewed encryption.

Telegram is available for iOS, Android, and desktops. The app has a 'Secret Chat' function, that enables end-to-end encryption for messages, meaning that only the intended recipients can read them. The researchers found that Telegram's encryption may be susceptible to attack.

"Our main discovery is that the symmetric encryption scheme used in Telegram—known as MTProto—is not IND-CCA secure, since it is possible to turn any ciphertext into a different ciphertext that decrypts to the same message," the researchers write. Although the attack was purely theoretical, "we see no reason why one should use a less secure encryption scheme when more secure (and at least as efficient) solutions exist."

Other examples of home-brewed crypto include Mojhadieen Secrets, an encryption program developed by jihadis, and which was highlighted by Al Qaeda in the Arabian Peninsula's quarterly magazine, Inspire.

Jihadis may get a propaganda boost from using their own encryption products, because some messages are plastered with the name of the tool. But, all things considered, Mojhadieen Secrets, and other programs like it, are perhaps less secure than systems that have been rigorously tested and used widely by the general public instead of a select few.

Even Phillip Zimmerman, the creator of Pretty Good Privacy—one of the most famous, albeit notoriously hard to use encryption programs—has had his own embarrassing run-ins with his crypto.

"When I was in college in the early 70s, I devised what I believed was a brilliant encryption scheme," he wrote in An Introduction to Cryptography. Years later, he found the scheme he had developed was "presented as a simple homework assignment on how to use elementary cryptanalytic techniques to trivially crack it. So much for my brilliant scheme."

When custom or esoteric forms of encryption are used, the company involved may think they're making a bold statement. Instead, they are more likely jeopardizing the security of their product and users.

"The take-home message (once again) is that well-studied, provably secure encryption schemes that achieve strong definitions of security (e.g., authenticated-encryption) are to be preferred to home-brewed encryption schemes," write Jakobsen and Orlandi.

So, even if you think you've come across the next best thing in cryptography, please, remember the golden rule.