Difficulties in choosing a crypto library

Incorrect choice of cryptographic primitives

Poor usage of cryptographic primitives

Insufficient design and analysis leads to security holes.

Worldwide shortage of suitably qualified cryptographers

Financially costly and time consuming to develop and maintain systems that properly implement cryptography.

Libraries built into the user's OS may be old and contain vulnerabilities. Software updates can introduce bugs and new vulnerabilities.

Libraries on different platforms (including mobiles) implement primitives differently, making consistency in security difficult.

Using primitives that are no longer considered secure. Generally no notice is provided in the documentation of crypto libraries.

Using primitives that are not future-proof, such as those vulnerable to attack by quantum computers.

Incorrect usage of secure primitives will result in insecure systems. Numerous examples exist, including:

- Failing to securely derive encryption keys from passwords.

- Encrypting too much data with a single key.

- Encrypting data without using MACs on untrusted storage media.

- Failing to salt hashes, seed random number generators, etc.

Implementing encryption without proper consideration as to the requirements for confidentiality and integrity can lead to information leakage, security holes and exploits that compromise the effectiveness of the system.

Due to the limited availability of experts, many crypto systems are implemented by developers who lack the required specialist crypto expertise, leading to vulnerabilities that are exceptionally difficult to detect and expensive to fix.

Insufficient budget is given to cryptography. Encryption is most often a non-revenue generating requirement of a software project, not core functionality for customers. Thus, it is often allocated little budget, resulting in poor implementation that is easily attacked.

Conversely, if cryptography were allocated the appropriate amount of budget for proper implementation, it would cost so much it would compromise the profitability of software development projects.

Compile a modern, trusted and well reviewed crypto library into your application to ensure the same crypto library is used on all deployments.

This is the approach taken in the development of ScramFS.

Use modern primitives such as those chosen in ScramFS. Ensure only the primitives offering the highest security are used. Use only primitives that are resistant to attack from quantum computers.

This is the approach taken in the development of ScramFS.

Using the right primitives in the wrong way will result in a system that is easily compromised.

Design your encryption system using the right primitives in the right way, and with careful consideration as to the overall design. This requires world class expertise in the field.

Ensure that cryptographic designs are peer reviewed by other world experts.

These are the approaches taken in the development of ScramFS.

Perform careful security analysis of the system design and attack model to ensure the design is resilient to all attacks in the chosen application.

Peer review the design and security analysis.

These are the approaches taken in the development of ScramFS.

Find an existing reliable and complete cryptographic data storage system such as ScramFS to enable non-crypto developers to implement secure encrypted storage without writing crypto code.

Avoid developing your own encryption and data security systems.

Instead, license an existing system like ScramFS.

Scram has already invested hundreds of thousands of dollars and years of time in developing solutions like ScramFS.

Scram also provides ongoing support, maintenance and development of ScramFS, saving developers time and money now and in the future.