The purpose of cryptography is to keep information private, and the purpose of open-source is to make code public... So we shouldn't we open source our cryptography algorithms right? I've been asked this several times by multiple people so I figured it is a subject worth addressing. Many developers seem to be under the impression that crypto and security systems (the application-specific implementation of cryptosystems) are more secure if their details are kept private. This can't be further from the truth. According to Kerckhoffs's principle, also known as Shannon's maxim: The enemy knows the system. One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them. #security #opensource #privacy There are several reasons as to why this is a good rule to live by, let's examine each one. 1. Obfuscation Isn't Encryption If a developer is operating under the assumption that attackers won't know about the details of their code, they may be tempted to try to build in security that is dependent on that. For example, they may encode data in a confusing way instead of encrypting it, assuming that the enemy will think it is encrypted, or not be able to guess HOW it was encoded. BAD. When something needs to be kept secret, always encrypt. 2. You Probably Suck If you roll your own crypto, you are likely to overlook vulnerabilities that have been accounted for in open-source versions. By the way, I don't mean that you specifically suck at writing crypto, I mean that no one person (or organization) can reasonably be responsible for vetting all possible attack vectors. Open-source allows the worldwide developer community to help expose problems with the code. Not only are you likely to have problems in underlying mathematics and algorithms, but it is likely that your application-level implementation will also have vulnerabilities. There are no industry standard best practices to follow for your custom algorithms. 3. Get New Updates By using popular crypto libraries that are regularly updated, your code won't be vulnerable to the recently discovered attacks on the algorithms you are using. Take advantage of the community, and give back by contributing when you can! Golang:  https://golang.org/pkg/crypto/ Node:  https://nodejs.org/api/crypto.html Python:  https://pypi.org/project/cryptography/ Thanks For Reading Lane on Twitter: @wagslaneLane on Dev.to: wagslaneSubscribe to Qvault: https://qvault.io The purpose of cryptography is to keep information private, and the purpose of open-source is to make code public... So we shouldn't we open source our cryptography algorithms right? I've been asked this several times by multiple people so I figured it is a subject worth addressing. Many developers seem to be under the impression that crypto and security systems (the application-specific implementation of cryptosystems) are more secure if their details are kept private. This can't be further from the truth. This can't be further from the truth. According to Kerckhoffs's principle , also known as Shannon's maxim: Kerckhoffs's principle The enemy knows the system. One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them. #security #opensource #privacy There are several reasons as to why this is a good rule to live by, let's examine each one. 1. Obfuscation Isn't Encryption 1. Obfuscation Isn't Encryption If a developer is operating under the assumption that attackers won't know about the details of their code, they may be tempted to try to build in security that is dependent on that. For example, they may encode data in a confusing way instead of encrypting it , assuming that the enemy will think it is encrypted, or not be able to guess HOW it was encoded. encode data in a confusing way instead of encrypting it BAD. BAD. When something needs to be kept secret, always encrypt. 2. You Probably Suck 2. You Probably Suck If you roll your own crypto, you are likely to overlook vulnerabilities that have been accounted for in open-source versions. By the way, I don't mean that you specifically suck at writing crypto , I mean that no one person (or organization) can reasonably be responsible for vetting all possible attack vectors. Open-source allows the worldwide developer community to help expose problems with the code. I don't mean that you specifically suck at writing crypto Not only are you likely to have problems in underlying mathematics and algorithms, but it is likely that your application-level implementation will also have vulnerabilities. There are no industry standard best practices to follow for your custom algorithms. 3. Get New Updates By using popular crypto libraries that are regularly updated, your code won't be vulnerable to the recently discovered attacks on the algorithms you are using. Take advantage of the community, and give back by contributing when you can! Golang:  https://golang.org/pkg/crypto/ Node:  https://nodejs.org/api/crypto.html Python:  https://pypi.org/project/cryptography/ Golang: https://golang.org/pkg/crypto/ https://golang.org/pkg/crypto/ Node: https://nodejs.org/api/crypto.html https://nodejs.org/api/crypto.html Python: https://pypi.org/project/cryptography/ https://pypi.org/project/cryptography/ Thanks For Reading Lane on Twitter: @wagslane Lane on Dev.to: wagslane Subscribe to Qvault: https://qvault.io Lane on Twitter: @wagslane @wagslane Lane on Dev.to: wagslane wagslane Subscribe to Qvault: https://qvault.io https://qvault.io

Twitter

How To Cache Images in an Expo Managed React Native App 

WTF is Entropy In Cryptography?

Learn to code on Boot.dev

Nominated for 2022 - HackerNoon Contributor of the Year - Algorithms

Nominated for 2022 - HackerNoon Contributor of the Year - Mathematics

Nominated for 2022 - HackerNoon Contributor of the Year - Cryptography

Nominated for Coding Guru of 2022

Nominated for 2022 - HackerNoon Contributor of the Year - Github

Nominated for 2022 - HackerNoon Contributor of the Year - Online Education

Nominated for 2022 - HackerNoon Contributor of the Year - Job Hunting

Nominated for Super Career Strategist of 2022

Too Long; Didn't Read

Make resilience your competitive advantage

Three Reasons Why Open Source Cryptography Is More Secure

Three Reasons Why Open Source Cryptography Is More Secure

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

A Complete Overview of Cryptography

$1B Capitalization: Meme Token Launch Strategy Under the Microscope

(1/100) Crypto Countdown: Golem

06/09/2018: Biggest Stories in the Cryptosphere

07/09/2018: Biggest Stories in the Cryptosphere

A Complete Overview of Cryptography

$1B Capitalization: Meme Token Launch Strategy Under the Microscope

(1/100) Crypto Countdown: Golem

06/09/2018: Biggest Stories in the Cryptosphere

07/09/2018: Biggest Stories in the Cryptosphere

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps