<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Oh, The Bad Crypto You&#8217;ll See (an open letter)</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Thu, 03 Aug 2006 00:13:55 -0000</lastBuildDate><item><title>Re: Oh, The Bad Crypto You&#8217;ll See (an open letter)</title><link>http://www.matasano.com/log/384/oh-the-bad-crypto-youll-see-an-open-letter/#comment-2320028</link><description>ISVs should assume they are doing something wrong the moment they start contemplating "interesting" cryptography. Like Nate says, if you're encrypting files, use PGP. If you're encrypting traffic, use TLS. In both cases, they should actively tend to the most popular implementations (OpenSSL, GPG), because those are the ones that receive scrutiny.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 03 Aug 2006 00:13:55 -0000</pubDate></item><item><title>Re: Oh, The Bad Crypto You&#8217;ll See (an open letter)</title><link>http://www.matasano.com/log/384/oh-the-bad-crypto-youll-see-an-open-letter/#comment-2320027</link><description>Sure, it's easy to rant; you've made all good points. Now would you like to recommend any companies or schools where ISVs can hire people to fix these problems? The issue here is twofold: 1) ISVs can't do crypto properly themselves; 2) they don't know where to go to get it done properly when they acknowledge the need.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ErikC</dc:creator><pubDate>Wed, 02 Aug 2006 08:40:48 -0000</pubDate></item><item><title>Re: Oh, The Bad Crypto You&#8217;ll See (an open letter)</title><link>http://www.matasano.com/log/384/oh-the-bad-crypto-youll-see-an-open-letter/#comment-2320026</link><description>A very good post indeed, highlighting the problems faced by teams implementing their own cryptography. 
&lt;br&gt;&lt;br&gt;'you are going to use TLS, with a peer-reviewed library, meaning, the same one everyone else uses.'&lt;br&gt;&lt;br&gt;That's most definitely a key point to get across, which in most cases gets brushed under the carpet, and as Nate posts above, there's only a small fraction of people who shouldn't be doing this; the reality, however, is unsurprisingly common.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kal</dc:creator><pubDate>Thu, 27 Jul 2006 03:50:27 -0000</pubDate></item><item><title>Re: Oh, The Bad Crypto You&#8217;ll See (an open letter)</title><link>http://www.matasano.com/log/384/oh-the-bad-crypto-youll-see-an-open-letter/#comment-2320025</link><description>Excellent post.  A key point that I think should be emphasized is that there are only 2 categories of manufacturers.&lt;br&gt;&lt;br&gt;You're Not Special (98%):&lt;br&gt;Separate your marketing department's claims about your product's &lt;b&gt;external&lt;/b&gt; view from the &lt;b&gt;internal&lt;/b&gt; design.  Nearly all problems boil down to ones already solved by existing protocols and libraries.  Encrypting a file?  GPG.  Sending anything over the wire?  TLS/SSL.  Your special sauce is in how you glue all these things together to make some product.  Don't reimplement these, and still get review of how you've glued them together.&lt;br&gt;&lt;br&gt;You Are Special (2%):&lt;br&gt;You are &lt;a href="http://www.voltage.com/" rel="nofollow"&gt;Voltage&lt;/a&gt; and you were founded by Dan Boneh.  Or your business is cryptanalyzing products in concert with Adi Shamir.  Note the most important part here -- if you're special, you are willing to plunk down $400/hour for a full-time cryptographer for at least 6 months.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Nate</dc:creator><pubDate>Wed, 26 Jul 2006 02:48:00 -0000</pubDate></item></channel></rss>