There are a few rules every developer should follow when applying encryption:
- don't invent your own algorithm
Cryptography is a difficult topic, best left to the experts. Implementing encryption algorithms is difficult, and there are many traps waiting. Many times you can get away with a broken custom algorithm, but only because nobody challenges the implementation. If you are happy coding unimportant websites nobody needs, then your time is probably cheap enough that you don't mind wasting a few hours implementing your own broken algorithm.
It is best to stick with standard algorithms. Currently, AES (Advanced Encryption Standard) is the standard encryption algorithm. The advantage of using a standard like AES is that you will find support in various programming languages, and future support is likely as well.
- use the strongest algorithm you can find
Cryptography is a constant battle against the ever-increasing ability to break encryption. Not only do researchers use better and better hardware to brute-force encryption keys, but they also come up with more efficient algorithms to search for the key.
It is important to "over design" encryption. The goal should not be to find a "sufficient" algorithm, but the best you can find/afford. It is very hard to predict how deciphering techniques will evolve in the next 5 or 10 years.
Even if you use a strong encryption algorithm, you still need to understand the details of how that particular algorithm is meant to be used. Whenever encryption is implemented, read any instructions that accompany the related libraries.
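The two points above (stick with a standard algorithm such as AES, and follow the library's instructions when using it) can be made concrete. The following is an added example and not code from the original article: it uses Go's standard library AES-GCM, generating a fresh random nonce for every message as the `cipher.AEAD` documentation requires, and contrasts it with a constructed "homebrew" cipher (XOR with a repeating key) of the kind the article warns against. The keys and messages are constructed sample values; the function names `homebrewEncrypt`, `sealAESGCM` and `openAESGCM` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// homebrewEncrypt is a constructed stand-in for a "custom algorithm": XOR with a
// repeating key. It is here only to show what such schemes leak to a defender
// reviewing them: equal plaintext at equal positions gives equal ciphertext, and
// XORing two ciphertexts cancels the key entirely.
func homebrewEncrypt(key, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	for i, b := range plaintext {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// xorBytes returns a XOR b for two equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// sealAESGCM encrypts with AES-GCM (the standard algorithm in an authenticated
// mode). The key must be 16, 24 or 32 bytes; aes.NewCipher rejects anything else.
// A fresh random nonce is drawn per message and prepended to the ciphertext, so
// the same plaintext never produces the same output twice.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends nonce||ciphertext||tag to the nonce slice.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM and fails on any modified byte, because GCM
// authenticates the ciphertext before releasing plaintext.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	// Constructed sample key and messages.
	toyKey := []byte("k3y!")
	p1 := []byte("ATTACK AT DAWN")
	p2 := []byte("ATTACK AT DUSK")
	c1, c2 := homebrewEncrypt(toyKey, p1), homebrewEncrypt(toyKey, p2)
	fmt.Println("homebrew: identical 10-byte prefix?", bytes.Equal(c1[:10], c2[:10]))
	fmt.Println("homebrew: c1^c2 == p1^p2 (key cancels)?", bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2)))

	key := make([]byte, 32) // constructed all-zero AES-256 key; use a random key in practice
	s1, _ := sealAESGCM(key, p1)
	s2, _ := sealAESGCM(key, p1)
	fmt.Println("AES-GCM: same plaintext, same output?", bytes.Equal(s1, s2))
	s1[len(s1)-1] ^= 1
	_, err := openAESGCM(key, s1)
	fmt.Println("AES-GCM: tampered ciphertext rejected?", err != nil)
}
```

The homebrew scheme passes a casual "it scrambles the bytes" test yet leaks plaintext structure to anyone holding two messages, which is exactly the failure mode the article describes as going unnoticed until someone challenges it. The AES-GCM half shows the kind of library rule the last paragraph refers to: the nonce must be unique per message under a given key, and the code draws it from `crypto/rand` rather than counting on the caller to remember.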