Research

The number one best practice in cryptography is to avoid rolling your own. Trying to follow that rule, developers should instead use cryptography functions from the standard library of their programming language or from a well-established and trusted cryptography library. When a function has not been designed with misuse resistance in mind, it’s easy for well-intentioned developers to miss a detail hidden in an overwhelming amount of documentation.

With any function, misuse can be catastrophic, and this is especially true when dealing with cryptography. OpenSSL is used, among other things, by various programming languages to expose cryptographic functions. Many of these languages (i.e. Ruby, PHP, Node.js, Rust, Erlang, and possibly others) expose one of these functions, used to handle AEAD decryption, in an easy-to-misuse way.