Home-Made Cryptography


Problem description

I know you should never make your own cryptography, whether it is a cipher, a hashing algorithm or even a secure pseudo-random number generator; these things are developed over a long standardisation process. However, what I'm looking for is quotes or good points in order to quickly describe/argue this to the occasional developer that decides to write their own cryptographic algorithm.

Solution

You can tell this developer that existing algorithms such as AES have been analyzed by countless experts in cryptanalysis (which would certainly involve an advanced understanding of numbers and computer science) and tested in competitions, where there's a real incentive for creating secure algorithms.

You can also tell this developer that just because an algorithm is popular, it doesn't mean that it's insecure (if that was this developer's rationale). Just because lots of people know how door locks work doesn't make door locks insecure, nor is it a good justification for people to create their own door locks.

For a real-world example, see this TDWTF article about Nintendo's bug in the Wii's security functions. Nintendo (a big, well-known company with plenty of programmers) tried to implement an existing algorithm and managed to screw that up. What makes this developer think that he/she has the l33t h4x0r skills to write a new, secure algorithm?
