In the context of putting crypto into applications, in a secure manner, could it
Question
In the context of putting crypto into applications, in a secure manner, could it be argued that to achieve this (securely implementing a crypto system) you would require a thorough and rigorous understanding of the mathematics behind the crypto system?
Or, could it be said that this is more a matter of understanding how to code securely, as the cryptographic primitives themselves can already be securely implemented via libraries such as NaCl?
Edit: I realized the obvious, and in fact necessary, extension to this question. Reversing the goal, what level of mathematics would be required to break a crypto-system? On the one hand, Heartbleed seemed to be a break in a crypto-system but was in fact entirely based in (poor) code. On the other, the BREACH and CRIME compression side-channel attacks were very much discovered in the literature first. Am I answering my own question there?
Explanation / Answer
I would say there are three general areas of necessary expertise for most crypto-related jobs:
+ Knowledge of primitives and their use cases.
+ Knowledge of protocols and understanding how to reason about their security.
+ Deep and abiding understanding of how incredibly stupid people are, including oneself.
The most that knowing the math is going to do for you practically, unless you are in academia/the NSA designing algorithms, is tell you "time to stop using RSA" on the day that you hear that there is a polynomial time factoring algorithm.
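The question's remark that Heartbleed was a code bug rather than a cryptographic break, and the answer's first and third points (knowing how primitives are used, and how easily people get it wrong), are worth seeing concretely. The following is an added example, not code from the post or from OpenSSL: it models the RFC 6520 heartbeat layout (type, 16-bit big-endian payload length, payload, at least 16 bytes of padding) and the missing length check that was Heartbleed. The record sits in a constructed arena that stands in for the process heap, so the over-read stays inside memory the example owns. The function names, the `SECRET` string and the `ping` payload are the example's own and were chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not OpenSSL code. Layout after RFC 6520:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_MIN_PADDING = 16, HB_HDR = 3 };

/* Vulnerable handler: trusts the length field inside the message. The only
 * check protects our own output buffer, so it copies payload bytes from
 * beyond the end of the record that was actually received. */
int heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_MIN_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);  /* over-read when payload > rec_len - 3 */
    memset(out + HB_HDR + payload, 0, HB_MIN_PADDING);
    return (int)(HB_HDR + payload + HB_MIN_PADDING);
}

/* Fixed handler: the claimed payload, plus header and minimum padding, must
 * fit inside the record we actually received; otherwise drop it silently. */
int heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_MIN_PADDING > rec_len) return -1;  /* the missing bounds check */
    if (HB_HDR + payload + HB_MIN_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_MIN_PADDING);
    return (int)(HB_HDR + payload + HB_MIN_PADDING);
}

#define ARENA_SIZE 256
static const char SECRET[] = "session=constructed-secret-cookie"; /* constructed adjacent data */
static const char PAYLOAD[] = "ping";                               /* the 4 real payload bytes */

/* Arena layout: [record: header, 4-byte payload, 16 zero padding bytes][SECRET].
 * claimed_len is whatever the attacker puts in the length field.
 * Returns the record's true length, 3 + 4 + 16 = 23. */
static size_t build_arena(uint8_t *arena, uint16_t claimed_len)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HDR, PAYLOAD, 4);
    size_t rec_len = HB_HDR + 4 + HB_MIN_PADDING;
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

static int contains(const uint8_t *hay, size_t hay_len, const char *needle, size_t nlen)
{
    for (size_t i = 0; i + nlen <= hay_len; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* 1 if a record claiming 128 payload bytes (but carrying 4) makes the
 * vulnerable handler echo the secret that lives after the record. */
int vulnerable_leaks_adjacent_memory(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 0x0080);
    int n = heartbeat_reply_vulnerable(arena, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET, sizeof SECRET - 1);
}

/* 1 if the fixed handler drops the same lying record. */
int fixed_rejects_oversized_length(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 0x0080);
    return heartbeat_reply_fixed(arena, rec_len, out, sizeof out) == -1;
}

/* 1 if the fixed handler still answers an honest 4-byte request correctly. */
int fixed_echoes_honest_request(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 0x0004);
    int n = heartbeat_reply_fixed(arena, rec_len, out, sizeof out);
    return n == 23 && out[0] == HB_RESPONSE && memcmp(out + HB_HDR, PAYLOAD, 4) == 0
        && !contains(out, (size_t)n, SECRET, sizeof SECRET - 1);
}

int main(void)
{
    printf("vulnerable handler leaks adjacent memory: %d\n", vulnerable_leaks_adjacent_memory());
    printf("fixed handler rejects oversized length:  %d\n", fixed_rejects_oversized_length());
    printf("fixed handler echoes honest request:     %d\n", fixed_echoes_honest_request());
    return 0;
}
```

Nothing in the vulnerable handler touches a cipher, a key or a number larger than 65535; the entire break is one comparison between a length the peer chose and a length the code observed. That is the kind of defect the third item in the list above is about, and no amount of understanding the underlying mathematics would have found it.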