Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
This post is the justification for the Cryptography Practice Question. The recommended answer is A: “Task a development team member to develop the application code utilizing a standard cipher that is openly reviewed and certified.”
Developing a cryptographic module in-house, or using one that has not been publicly reviewed and certified, is a proprietary cryptographic solution. It amounts to “security through obscurity,” which does not follow Kerckhoffs’s principle or Shannon’s maxim.
Kerckhoffs’s principle and Shannon’s maxim are widely embraced by cryptographers, as an openly reviewed design is held to be a more effective and more secure approach than “security through obscurity.”
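As an added illustration (example code written for this post, not from the original or from any standard body): a constructed stand-in for an unreviewed in-house cipher beside AES-GCM from Go’s standard library, showing one property that public review and certification check for, namely whether tampering with ciphertext is detected. The key and message are constructed test values.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// homebrewXOR stands in for an unreviewed in-house cipher (constructed for this
// example): a repeating-key XOR with no integrity protection at all.
func homebrewXOR(key, data []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}
// homebrewIsMalleable: one flipped ciphertext bit flips the matching plaintext
// bit, and nothing detects it. Public review catches this kind of flaw.
func homebrewIsMalleable(key, msg []byte) bool {
	ct := homebrewXOR(key, msg)
	ct[0] ^= 0x01
	pt := homebrewXOR(key, ct)
	return pt[0] == msg[0]^0x01 && bytes.Equal(pt[1:], msg[1:])
}
// gcmRejectsTampering seals msg with AES-GCM from Go's standard library (random
// nonce prepended, tag appended), applies the same flip and reports whether Open refuses it.
func gcmRejectsTampering(key, msg []byte) (bool, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	sealed := aead.Seal(nonce, nonce, msg, nil)
	sealed[len(nonce)] ^= 0x01 // first ciphertext byte, now covered by the tag
	_, err = aead.Open(nil, sealed[:len(nonce)], sealed[len(nonce):], nil)
	return err != nil, nil
}
func main() {
	key, msg := bytes.Repeat([]byte{0x42}, 32), []byte("pay 100 to account 7") // constructed test values
	ok, err := gcmRejectsTampering(key, msg)
	fmt.Println("homebrew malleable:", homebrewIsMalleable(key, msg), "| AES-GCM rejects tampering:", ok, err)
}
```

The homebrew cipher accepts the altered message silently, while the reviewed AEAD refuses it; that is the difference between an algorithm that has been examined publicly and one that merely looks secret.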
FIPS 140-2, Federal Information Processing Standard (FIPS) Publication 140-2, is a U.S. government computer security standard used to approve cryptographic modules. It specifies the security requirements that a cryptographic module must satisfy and defines four levels of security, simply named “Level 1” to “Level 4”. It does not specify in detail what level of security is required by any particular application.
- Kerckhoffs’s principle
- Claude Shannon
- Security through obscurity
- FIPS 140-2
- OWASP Guide to Cryptography
  - “Proprietary encryption algorithms are not to be trusted as they typically rely on ‘security through obscurity’ and not sound mathematics. These algorithms should be avoided if possible.”
- Just Say No To Proprietary Cryptographic Algorithms
- The (in)security of proprietary cryptography