I'm making a C++ back end for an application that'll heavily rely on AES-256 a
Question
I'm making a C++ back end for an application that'll heavily rely on AES-256 and DH. Should I trust third party libraries, or spend (lots of) time to learn about cryptographic implementation and write my own? Is there any reliable authority that can audit the security of a library (like Crypto++ in this case)? I hope this question doesn't come off as opinion based, but it's quite hard to find reputable data on this. I have no idea where to even start.
TL;DR: What's worse: risking vulnerabilities in a third party library, or risking novice mistakes in a custom implementation?
Explanation / Answer
Rather risk the vulnerabilities of a third-party library than implement your own. If you feel like a novice in this field, only implement cryptography yourself as a learning exercise.
Why:
Mistakes, lack of know-how and maintenance.
It is very easy to make novice mistakes in a custom implementation of cryptography. Even battle-scarred veterans of the field make mistakes now and then. The amount of software quality assurance (including testing, reviews, ...) needed to ensure the quality of a cryptographic library is very significant.
When vulnerabilities are found, third-party cryptographic libraries are (often) updated. The user of the software may be able to update the library to a newer version and (assuming API compatibility) fix the issue. If cryptographic functionality is built inside the program, all vulnerabilities always require fixes to the program itself.
Cryptographic libraries have to protect themselves against attacks almost no other software needs to (like timing attacks, and pretty recently, sound). New attacks are found now and then.
Even when no new attacks are found, cryptographic practices develop (towards safer ones). For instance, NIST considers a 1024-bit RSA modulus fairly safe to use now, but on 1.1.2014, the minimum NIST accepts will be 2048 bits. Similarly, other parties "upgrade" minimum key length requirements from time to time.
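To make the timing-attack point concrete, here is an added example (not part of the original answer and not taken from Crypto++ or any other library) of a typical novice mistake: comparing a secret tag with an early-exit loop. It counts loop iterations instead of measuring time so the data-dependent behaviour is visible deterministically; `kTag`, the function names and the tag bytes are constructed for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
using Tag = std::array<uint8_t, 16>;

// Constructed sample value standing in for a secret MAC tag.
static const Tag kTag = {0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x66,
                         0x10, 0xf3, 0x2b, 0x9e, 0x75, 0xc4, 0x08, 0xd1};

// Novice version: stops at the first mismatch, so the work done depends on
// how many leading bytes of the guess are correct. `steps` counts iterations.
bool naive_equal(const Tag& a, const Tag& b, size_t& steps) {
    steps = 0;
    for (size_t i = 0; i < a.size(); ++i) {
        ++steps;
        if (a[i] != b[i]) return false;
    }
    return true;
}

// Fixed-work version: always visits every byte and folds differences together.
// Vetted libraries also guard against the compiler reintroducing a shortcut.
bool fixed_work_equal(const Tag& a, const Tag& b, size_t& steps) {
    steps = 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < a.size(); ++i) {
        ++steps;
        diff = static_cast<uint8_t>(diff | (a[i] ^ b[i]));
    }
    return diff == 0;
}

// Build a guess whose first k bytes match kTag and whose remaining bytes differ.
Tag guess_with_prefix(size_t k) {
    Tag g{};
    for (size_t i = 0; i < g.size(); ++i)
        g[i] = i < k ? kTag[i] : static_cast<uint8_t>(kTag[i] ^ 0xFF);
    return g;
}
size_t naive_steps(size_t k) { size_t s; naive_equal(kTag, guess_with_prefix(k), s); return s; }
size_t fixed_steps(size_t k) { size_t s; fixed_work_equal(kTag, guess_with_prefix(k), s); return s; }

int main() {
    const size_t ks[] = {0, 4, 8, 16};
    for (size_t k : ks)
        std::printf("correct prefix %2zu: naive=%2zu fixed=%2zu\n", k, naive_steps(k), fixed_steps(k));
}
```

The naive loop's work grows with the number of correct leading bytes, while the fixed-work loop does the same amount of work for every input; this is one of many details a maintained library already handles.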