On Sunday, 29 June 2014 at 17:45:41 UTC, Nick Sabalausky wrote:
The crypto algorithms are very well defined and documented. You
don't need to understand the theory behind them in order to
implement them. You just need to be able to:
- Read/follow the spec accurately
- NOT invent your own variants/algorithms
- Be pedantic about avoiding the normal sets of potential
software exploits (as you would with any software that handles
sensitive data).
- Write/use sufficiently pedantic tests
- Be up-to-date on what's algos are considered outdated and
questionably secure.
This is a standard "scientist vs engineer" issue. The crypto
experts are the scientists who figured it all out. We're the
engineers who take their information and use it.
Obviously being well-versed in crypto theory *in addition* to
everything above is even better still, but it isn't essential.
The five critica above are essential.
There's so much more to securely implementing cryptography than
what you listed. I highly recommend reading about side-channel
attacks:
https://en.wikipedia.org/wiki/Side-channel_attack
https://www.schneier.com/crypto-gram-9806.html#side
Proper cryptographic libraries are written in such a way to
mitigate these types of attacks. It's a complex field of study
and something best left to the experts.
