Note: This page is part of the archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact if you have any questions about the US-CERT website archive.

Use Well-Known Cryptography Appropriately and Correctly

Author(s): William L. Fithen Maturity Levels and Audience Indicators: L4  / D/P  SDLC Life Cycles: Implementation  Copyright: Copyright © Carnegie Mellon University 2005-2012.


Failing to use, or inventing your own, cryptography can introduce vulnerability.


The following are frequent misuses of cryptography:

  • Poor source of random numbers for a cryptographic algorithm.

  • Not managing key material safely.

  • Attempting to hide cryptographic credentials in client software or on client systems.

  • Use of homegrown cryptographic algorithms.

  • Use of homegrown implementation of well-known cryptographic algorithms.


CitationBibliographic Entry
[Anderson 93]Ross Anderson. Why Cryptosystems Fail. (1993).
[McArdle 01]

Lorah McArdle. Beyond Encryption. (2001).

[Menezes 96]

Menezes, Alfred J.; Van Oorschot, Paul C.; & Vanstone, Scott A. Handbook of Applied Cryptography. CRC Press, 1996.

[Morar 00]

Morar, John F. & Chess, David M. Can Cryptography Prevent Computer Viruses? (2000).

[Schneier 96]

Schneier, Bruce. Why Cryptography Is Harder Than It Looks. (1996).

[Schneier 98]

Schneier, Bruce. "Cryptographic Design Vulnerabilities." Computer 31, 9 (1998): 29-33.