A Roadmap For Safer Cryptographic Code

Presented at THOTCON 0xB (2021) Rescheduled, Oct. 9, 2021, noon (50 minutes)

The world keeps making the same decades-old cryptographic mistakes over and over again, from small one-person dev teams to software giants. While developers have mostly learned not to invent their own encryption algorithms, most of the mistakes being made have nothing to do with the choice of algorithm. By now, shouldn't we have figured out how to eliminate these problems? Why is it so hard to get it right? There's a series of problems that make it hard for developers (even security-conscious ones) to avoid even basic, well-known mistakes when writing cryptographic code. It's currently so hard that cryptographers' main advice to developers is to avoid touching cryptography at all. However, sometimes developers really do need to handle cryptography, and when they do, they need more substantial guidance than "Just Say No To Cryptography". In this talk I will discuss a number of factors that make it hard for developers to write strong cryptographic code today and give a number of suggestions for what academics, educators, security practitioners, and library maintainers can do to make things better for the future.


Presenters:

  • Daniel "unicornFurnace" Crowley
    Daniel directs research at X-Force Red, has been working in infosec since 2004, makes his own beer, and is a baron in Sealand.
