
If I come to a point where I need to implement cryptography in some form, what should I do? I certainly don't have the money to hire someone who knows what they're doing. It seems strange that skills in other aspects of development (protection from SQL injection, UI design, etc.) can be cultivated in the wild with so much greater consistency than cryptography skills.


I'll be giving a talk at Yahoo Security Week in June entitled "When Crypto Attacks!" I hope to post slides afterward.

If you find yourself needing to implement crypto, it's likely you can avoid it by thinking about the situation differently. For example, many web developers get seduced into designing their own crypto as a way to push state to the client instead of managing it on the server. This opens up a much wider attack surface on the server application since now every part of that blob needs to be considered malicious. As the saying goes, "... now you have two problems."

The reason all this is so hard is that crypto is fundamentally unsafe. People hear that crypto is strong and confuse that with safe. Crypto can indeed be very strong but is extremely unsafe.

Have you ever tried to clean up from a root private key compromise? I wrote previously (http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-tha...) about how a one-line change in the PRNG had compromised every DSA private key used on Debian/Ubuntu. Not generated, used. The properties of DSA make it such that your private key is directly revealed to any attacker who knows some bits of your PRNG output. I hope that emphasizes how dangerous crypto is, because it is so sensitive to its prerequisites.


I shouldn't be the one answering your question. It's a tough one. If the stakes are low and you can follow standard practices and get somebody who knows what he is doing to just check your work, you might get away with it. If the stakes are high, hire a professional. I wish I knew why it is so hard.



