1 hour ago · Tech

Among computer programmers, and especially among those who work on security-sensitive systems, there is a well-known maxim: Don't roll your own crypto. Of course, you can roll your own crypto for learning purposes. But if you are going to use cryptography in software or services that serve others, you must never implement the cryptographic primitives yourself, or, worse, develop your own cryptographic algorithms and use them in your software. I have seen several flawed home-grown RC4 implementations early in my career, with issues like improper initialisation vectors, predictable keystreams and partial leakage of plaintext into ciphertext, putting users' sensitive data at risk. If you are considering cryptography for software with actual users, the advice 'don't roll your own crypto' is sound. You must always use an established, vetted software package or tool to do the cryptography for you. Fortunately, most of the industry does take the 'don't roll your own crypto' advice quite…
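One of the failure classes named above, a stream cipher wrapped without a per-message IV, shown as an added example that is not code from the original post. The `homegrown_encrypt` wrapper, the key and the two messages are constructed for illustration; the RC4 core follows the published algorithm.

```python
"""Constructed demo: hand-rolled RC4 with no per-message IV reuses its keystream."""


def rc4_keystream(key: bytes, n: int) -> bytes:
    # Key-scheduling algorithm (KSA): permute S under the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): emit n keystream bytes.
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def homegrown_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Hypothetical flawed wrapper: no IV or nonce is mixed in, so the
    # keystream depends on the key alone and repeats for every message.
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


def demo():
    key = b"constructed-demo-key"            # constructed sample key
    p1 = b"amount=0000100;to=alice"          # constructed sample messages
    p2 = b"amount=9999999;to=bobby"
    c1, c2 = homegrown_encrypt(key, p1), homegrown_encrypt(key, p2)
    # The keystream cancels: c1 XOR c2 equals p1 XOR p2, with no key involved.
    cancels = xor(c1, c2) == xor(p1, p2)
    # So anyone who knows one plaintext can read the other from the ciphertexts.
    recovered = xor(xor(c1, c2), p1)
    return cancels, recovered == p2


if __name__ == "__main__":
    print(demo())
```

The RC4 core here is correct; the flaw is entirely in how it is used, which is the kind of mistake a vetted library's API is designed to rule out.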
