
Note: This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.


Use Well-Known Cryptography Appropriately and Correctly

Published: October 03, 2005 | Last revised: June 21, 2013

Author(s): William L. Fithen
Maturity Levels and Audience Indicators: L4 / D/P
SDLC Life Cycles: Implementation
Copyright: Copyright © Carnegie Mellon University 2005-2012.


Failing to use cryptography, or inventing your own, can introduce vulnerabilities.


The following are frequent misuses of cryptography:

  • Poor source of random numbers for a cryptographic algorithm.

  • Not managing key material safely.

  • Attempting to hide cryptographic credentials in client software or on client systems.

  • Use of homegrown cryptographic algorithms.

  • Use of homegrown implementations of well-known cryptographic algorithms.
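The first and last items in the list above, shown as an added example that is not part of the original page: a key drawn from a seeded general-purpose PRNG beside one drawn from the operating system's CSPRNG, and message authentication done with the standard library's HMAC rather than a hand-written routine. The function names and the sample seed and message are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import math
import random
import secrets

KEY_LEN = 32  # bytes (256-bit key)


def weak_key(seed: int) -> bytes:
    """Misuse: key from a non-cryptographic PRNG with a guessable seed."""
    rng = random.Random(seed)  # Mersenne Twister, fully determined by the seed
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_key() -> bytes:
    """Correct: key from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def seed_space_bits(window_seconds: int) -> float:
    """Upper bound on the entropy of a key seeded with a one-second-resolution
    timestamp known to fall within window_seconds."""
    return math.log2(window_seconds)


def tag(key: bytes, message: bytes) -> bytes:
    """Well-known MAC (HMAC-SHA-256) from the standard library."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received: bytes) -> bool:
    """Library constant-time comparison instead of a hand-written one."""
    return hmac.compare_digest(tag(key, message), received)


if __name__ == "__main__":
    seed = 1_700_000_000  # constructed sample value standing in for time.time()
    print("weak key reproducible:", weak_key(seed) == weak_key(seed))
    print("weak key entropy (1-day window): %.1f bits" % seed_space_bits(86_400))
    print("strong key entropy: %d bits" % (KEY_LEN * 8))
    key = strong_key()
    msg = b"constructed sample message"
    print("tag verifies:", verify(key, msg, tag(key, msg)))
```

A 256-bit key whose only secret input is a timestamp inside a one-day window carries at most about 16 bits of entropy, regardless of the strength of the algorithm it is used with.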

