Rolling your own crypto: Everything you need to build AES from scratch

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • githublog

    I'm sick of complex blogging solutions, so markdown files in a git repo it is

  • crypto-numbers

    Discontinued. DEPRECATED: use cryptonite instead. Cryptographic number-related functions and algorithms.

  • But you're approaching it from the wrong perspective: the idea isn't to use the crypto you implement yourself, the idea is to gain a better understanding of how the "magic" works. Of course my hand-rolled RSA/AES crypto is breakable; I know that because that's the default assumption.

    It's akin to saying, "you're not allowed to build your own smoke detector because it will be unsafe!". Of course I know that, I want to understand the differences between a photoelectric and ionization smoke detector, how they work in practice, because reading some PDF schematics just doesn't cut it for me.

    I honestly don't understand the line of reasoning of all this crypto gatekeeping.

    Fun fact: while I was doing my crypto deep dive in 2015, my language of choice being Haskell, I found issues in several libraries, specifically around entropy, and even one library with modulo bias [1]. They were acknowledged and addressed. It was a super fun learning exercise, and seeing all these comments how it's supposedly almost illegal to do this misses the point of people exploring and learning in their own ways.

    https://github.com/vincenthz/hs-crypto-numbers/commit/bceb54...

  • aes-playground

    My experiments in understanding AES, Whitebox AES, and related attacks

  • I also made a 1:1 implementation of the spec. The finite field math did cause a bit of head-scratching, but in the end I mostly made sense of things:

    https://github.com/DavidBuchanan314/aes-playground/blob/mast...

    (I left comments quoting the spec as much as possible, so it should be possible to map it back onto the spec, for anyone interested)
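An added example, not code from aes-playground or from the commenter above: the GF(2^8) arithmetic that SubBytes and MixColumns rest on, with each function tagged by the FIPS-197 section it implements so it can be mapped back onto the spec the same way. It is checked against values the spec itself gives ({57}•{83} = {c1}, the inverse of {53} is {ca}, S-box[53] = ed) and against the first MixColumns column of the round-1 state in FIPS-197 Appendix B (d4 bf 5d 30 → 04 66 81 e5).

```python
# Added example, not code from aes-playground: the finite-field pieces of AES
# written against the FIPS-197 section that defines each one.


def xtime(b: int) -> int:
    """Multiply by x = {02} in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (FIPS-197 4.2.1)."""
    b <<= 1
    if b & 0x100:            # a degree-8 term appeared: subtract m(x), i.e. XOR 0x11b
        b ^= 0x11B
    return b


def gmul(a: int, b: int) -> int:
    """General GF(2^8) product by shift-and-add over the bits of b (FIPS-197 4.2.1)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = xtime(a)
        b >>= 1
    return p


def gpow(a: int, e: int) -> int:
    """a^e in GF(2^8) by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gmul(r, a)
        a = gmul(a, a)
        e >>= 1
    return r


def ginv(a: int) -> int:
    """Multiplicative inverse: the nonzero elements form a group of order 255, so
    a^254 = a^-1; 0 maps to 0, which is what FIPS-197 5.1.1 defines for the S-box."""
    return gpow(a, 254)


def affine(b: int) -> int:
    """Affine map of FIPS-197 eq. 5.1:
    b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i (indices mod 8), c = {63}."""
    out = 0
    for i in range(8):
        bit = (0x63 >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        out |= bit << i
    return out


# The S-box is affine(inverse(x)) (FIPS-197 5.1.1): the table in the spec is derived, not primitive.
SBOX = [affine(ginv(x)) for x in range(256)]
INV_SBOX = [0] * 256
for x, y in enumerate(SBOX):
    INV_SBOX[y] = x


def mix_column(col):
    """One column of MixColumns (FIPS-197 5.1.3): multiplication by {03}x^3 + {01}x^2 + {01}x + {02}."""
    a0, a1, a2, a3 = col
    return (
        gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
        a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
        a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
        gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2),
    )


def inv_mix_column(col):
    """InvMixColumns (FIPS-197 5.3.3), coefficients {0e} {0b} {0d} {09} in circulant order."""
    a0, a1, a2, a3 = col
    return (
        gmul(a0, 14) ^ gmul(a1, 11) ^ gmul(a2, 13) ^ gmul(a3, 9),
        gmul(a0, 9) ^ gmul(a1, 14) ^ gmul(a2, 11) ^ gmul(a3, 13),
        gmul(a0, 13) ^ gmul(a1, 9) ^ gmul(a2, 14) ^ gmul(a3, 11),
        gmul(a0, 11) ^ gmul(a1, 13) ^ gmul(a2, 9) ^ gmul(a3, 14),
    )


if __name__ == "__main__":
    # Worked values from FIPS-197: 4.2.1 examples, 5.1.1 S-box entry, Appendix B round-1 column.
    print(hex(gmul(0x57, 0x83)), hex(ginv(0x53)), hex(SBOX[0x53]))
    print([hex(v) for v in mix_column((0xD4, 0xBF, 0x5D, 0x30))])
```

The check that usually catches a wrong reduction polynomial or a wrong affine constant is that the generated S-box must be a permutation (256 distinct values) and must contain S-box[00] = 63 and S-box[53] = ed; if either fails, the bug is in `xtime` or `affine`, not in the table.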

  • python-bitsliced-aes

    An experimental implementation of bitsliced aes in pure python. Quite possibly the fastest pure-python AES implementation on the planet.

  • Further, you can compute the whole block transform as a giant boolean circuit (aka bitslicing). This has various advantages, side-channel resistance being one, but surprisingly it outperforms a more traditional implementation in many circumstances (e.g. in pure-python implementations: https://github.com/DavidBuchanan314/python-bitsliced-aes )
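An added example, not code from python-bitsliced-aes or from the commenter: the MixColumns step of AES written as a bit-plane boolean circuit, so that one fixed sequence of shifts and XORs transforms every column held in the lanes at once. The lane layout is this example's own choice (one Python int per bit position, with bit j of each int belonging to column j); the test data is the round-1 state from FIPS-197 Appendix B plus two constructed columns.

```python
# Added example, not code from python-bitsliced-aes: MixColumns as a boolean
# circuit over bit-planes. planes[i][k] is a Python int whose bit j is bit k of
# byte i of column (lane) j, so each XOR on a plane advances every lane at once.


def to_planes(columns):
    """Transpose a list of 4-byte columns into 4 x 8 bit-planes."""
    planes = [[0] * 8 for _ in range(4)]
    for j, col in enumerate(columns):
        for i in range(4):
            for k in range(8):
                planes[i][k] |= ((col[i] >> k) & 1) << j
    return planes


def from_planes(planes, lanes):
    """Inverse transpose: rebuild `lanes` columns of four bytes from the planes."""
    columns = []
    for j in range(lanes):
        col = tuple(
            sum(((planes[i][k] >> j) & 1) << k for k in range(8)) for i in range(4)
        )
        columns.append(col)
    return columns


def xtime_planes(p):
    """Bitsliced multiply by {02} in GF(2^8): move every plane up one bit and fold
    the old bit-7 plane back into bits 0, 1, 3 and 4 (the 0x1b reduction).
    There is no table lookup and no data-dependent branch: the same four XORs
    run whatever the bytes are."""
    hi = p[7]
    q = [0] + p[:7]          # new bit k = old bit k-1; new bit 0 starts empty
    for k in (0, 1, 3, 4):
        q[k] ^= hi
    return q


def xor_planes(a, b):
    return [x ^ y for x, y in zip(a, b)]


def mix_columns_planes(planes):
    """MixColumns (FIPS-197 5.1.3) on every lane at once:
    r0 = 2a0 ^ 3a1 ^ a2 ^ a3, with the same circulant pattern rotated for r1..r3."""
    a = planes
    d = [xtime_planes(x) for x in a]                 # 2*a_i
    t = [xor_planes(d[i], a[i]) for i in range(4)]   # 3*a_i = 2*a_i ^ a_i
    out = []
    for r in range(4):
        acc = d[r]                                   # coefficient {02} on a_r
        acc = xor_planes(acc, t[(r + 1) % 4])        # coefficient {03} on a_(r+1)
        acc = xor_planes(acc, a[(r + 2) % 4])        # coefficient {01}
        acc = xor_planes(acc, a[(r + 3) % 4])        # coefficient {01}
        out.append(acc)
    return out


def mix_columns_many(columns):
    """Run MixColumns over any number of columns in one bitsliced pass."""
    return from_planes(mix_columns_planes(to_planes(columns)), len(columns))


# Constructed test input: the four columns of the round-1 state after ShiftRows in
# FIPS-197 Appendix B, plus an all-{01} column (a fixed point of MixColumns) and zero.
SAMPLE_COLUMNS = [
    (0xD4, 0xBF, 0x5D, 0x30), (0xE0, 0xB4, 0x52, 0xAE),
    (0xB8, 0x41, 0x11, 0xF1), (0x1E, 0x27, 0x98, 0xE5),
    (0x01, 0x01, 0x01, 0x01), (0x00, 0x00, 0x00, 0x00),
]

if __name__ == "__main__":
    for col, mixed in zip(SAMPLE_COLUMNS, mix_columns_many(SAMPLE_COLUMNS)):
        print(" ".join(f"{b:02x}" for b in col), "->", " ".join(f"{b:02x}" for b in mixed))
```

The circuit is a fixed 144 plane-wide XORs regardless of the data, and it costs the same whether the planes hold 6 lanes or 6,000, which is where the pure-Python speed comes from: the per-operation interpreter overhead is amortized over every lane. One caveat for the side-channel claim: Python's arbitrary-precision ints are not constant-time primitives, so what this buys in Python is structural (no secret-dependent table index or branch), not a timing guarantee; in C or assembly with fixed-width registers the same circuit is genuinely constant-time.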

  • skipjack.rs

    A straight-line implementation of the Skipjack cipher in Rust

  • I think you've misunderstood.

    There are at least two separate things at stake here: there's professional software engineering, and then there's hobbyist programming.

    Software engineering has been undergoing professionalization (in terms of processes and safety standards) for the last 70 years. It's one of the few ways in which software really is an engineering practice: our standards are written in blood (or fraud), just like every other engineering discipline. In this context, DRYAC and "don't write it in C" are excellent principles: we've successfully professionalized and compartmentalized beyond the need for the bad old ways, except in limited cases (corresponding to domain expertise or specific, legacy requirements).

    Then there's hobbyist programming, where you can do whatever you please. I write C for fun. I implement hilariously outdated block ciphers for fun[1]. I couldn't write a web app if my life depended on it. The key understanding with hobbyist programming is that it's (1) adequately disclaimed as not usable in professional contexts, or (2) adheres to the same standards as professional, potentially critical, software engineering.

    Open source started as case (1) above, and is slowly turning towards case (2) where it matters. And where it matters is cryptography and, increasingly, memory unsafe code.

    In other words: you're more than welcome to build a model train set (I do it), but it doesn't qualify either of us to run a railroad. What qualifies us is learning and performing everything else involved in the safe and normal operation of a modern railroad, including knowing not to build steam engines anymore.

    [1]: https://github.com/woodruffw/skipjack.rs
