This math blog has begun a series of articles on cryptography. While that blog had some good articles on mathematics, it was pretty clear the cryptography series would have some issues. Whenever I read articles about engineers picking up cryptography, warning sirens go off in my head.
When the first article on block ciphers stated incorrectly that the DES initial/final permutations were to prevent brute force attacks, I posted a correction. I also noted that if he’s going to write about how to do cryptography, it would be good to provide a disclaimer.
I like your blog overall, but this series on crypto is a bit dangerous for amateurs. The devil is in the details, and it’s very easy to make a critical mistake. So while it’s good to give people an intro, I suggest a big warning letting them know that there are some dangerous assumptions lurking below the surface, and that they should always use well-reviewed implementations and protocols (i.e. SSL) rather than rolling their own for pure ego reasons.
The next article on modes of operation for block ciphers had a completely incorrect description of counter mode. John Kelsey pointed out other issues with this article. I again requested that Mark use this as a good example of how hard it is to get crypto right.
I am not picking on Mark. He’s a smart person. However, it’s important that we pay attention to how hard it is to get cryptography right. I write about crypto here as well, often getting friends to review articles to be sure there aren’t issues with my description. I hope my articles have never given the idea that crypto is easy. When someone focuses on the primitives, like block ciphers, even a correct description can give the reader the false impression that using block ciphers is straightforward. The book Applied Cryptography, with its nice but simple descriptions, created a generation of engineers with this misconception.
The articles and comments on them are vaguely reminiscent of the “rainbow tables” fiasco. Even a well-written, detailed description of password hashing with a big disclaimer attached still resulted in dozens of engineers proposing flawed solutions of their own. When will we learn?