Approximately 10-15 years ago, NIST, an American organisation responsible for standardising technology standards, created a document describing how to correctly implement Elliptic Curve cryptography. This document became “the standard document” for others wanting to implement EC cryptography.
Some 5 years later, a really smart guy realised there was an “error” in the document. You see, NIST had proposed example values for G and P. These are two numbers required as you create your key pair. He did a lot of research, and quickly found out that if somebody knew the distance between P and G, they effectively had a backdoor allowing them to retrieve your private key, without too much effort. The thing was later revealed by Edward Snowden to be an infiltration job conspicuously executed by the NSA and the CIA in order to make people implement Elliptic Curve such that they could read whatever was encrypted using a public key.
This story tells us two things.
- Don’t (always) do what others tells you to do
- Elliptic Curve is a very, very, very strong form of crypto
The latter we know, since if this was executed by the CIA and the NSA, we must assume they had at the time no other means to decrypt your private communication, that had been encrypted using EC. Hence, if implemented correctly, EC encrypted messages was, at least at that time, impossible for the NSA and the CIA to decrypt.
If you Google for C# and AES today, the SERP of Google will show you some few examples of how to implement AES using C#. The problem is that they’re all rubbish! Some of the examples you find at StackOverflow is so easily brute forced, they could arguably be hacked by a 14 year old kid, with his father’s pocket calculator.
The first problem, is that they’re using Microsoft’s AES libraries, which makes it impossible to implement the correct padding of blocks, making an AES message easily brute forced by people with deep pockets.
The second problem, is that some of the code examples requires the user to give a 16 character long password, and simply does Encoding.UTF8.GetBytes to generate a “key”. This reduces the entropy of AES keys from 256 to the power of 16, 24 and 32 – Down to roughly 65 to the power of 16. 65 to the power of 16 can easily be brute forced in minutes by a modern computer. 256 by the power of 32 requires the same amount of energy that’s needed to boil all the water in our galaxy to brute force.
Now of course, both Microsoft and Google being American companies, have probably been coerced by NSA and the CIA to make sure everybody whom wants to implement cryptography, does it in such a way that the NSA and the CIA can easily decrypt it. The problem of course, which was explained by Edward Snowden, is that if the CIA and the NSA can read your messages, so can probably the FSB and Chinese intelligence – In addition to the Cosa Nostra and other criminal organisations.
Hence, if you want to identify the strongest cryptography algorithms in existence today, all you need to do, is to Google your algorithm, and find the algorithms with the most “rubbish examples”, reducing the strength of the original algorithm – And you’ve highly likely identified the algos that not even the NSA or the CIA can crack. This implies the algos having the most bogus example code at StackOverflow, while hiding its most serious implementations on “page 11.554” etc …
Just make sure you DO NOT implement the algo using the rubbish example code you find at SO once you’ve decided upon an algo.
When it comes to crypto, NEVER, EVER, EVER copy code from SO