If you're working for a startup, or you're writing line-of-business software, and you find yourself writing your own cryptography code, you're probably making a fatal mistake. You've probably heard "don't roll your own crypto code" before (if not, let me know and I'll explain why it's a bad idea). So I'm going to give you the benefit of the doubt and assume you have a valid use case for writing your own cryptography code in addition to using TLS.
Public key cryptography is hard enough without all the landmines RSA lays for you. Let's look at some examples:
- Programmers love to write code vulnerable to Bleichenbacher's 1998 RSA padding oracle attack:
  - This painful mistake made by SaltStack years ago.
  - How many of you can say with confidence that you'd never make a similar mistake?
Even if you use the correct padding mode (RSAES-OAEP for encrypting, RSASSA-PSS for signing), the second you use one key for both purposes, you've just invalidated their security proofs.
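As an added example (not code from the original post), here is one way to make that rule hard to break in Go using only the standard library: two distinct types, each wrapping its own freshly generated key pair, one that can only do RSAES-OAEP and one that can only do RSASSA-PSS. The decryption side also returns a single fixed error for every failure, so a padding check never leaks through the error value. The type and function names are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptionKey is used only with RSAES-OAEP; SigningKey only with RSASSA-PSS.
// They are distinct types with no conversion between them, so one key pair
// cannot be pressed into both roles.
type EncryptionKey struct{ priv *rsa.PrivateKey }
type SigningKey struct{ priv *rsa.PrivateKey }

// NewKeys generates two independent key pairs: one that only ever encrypts
// and one that only ever signs.
func NewKeys(bits int) (*EncryptionKey, *SigningKey, error) {
	ek, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	sk, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	return &EncryptionKey{ek}, &SigningKey{sk}, nil
}

// Encrypt uses OAEP with SHA-256 under the encryption key's public half.
func (e *EncryptionKey) Encrypt(msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &e.priv.PublicKey, msg, nil)
}

// Decrypt reports one fixed error for every failure, so a caller (or anything
// it echoes to the network) cannot tell bad padding from other malformed input.
func (e *EncryptionKey) Decrypt(ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, e.priv, ct, nil)
	if err != nil {
		return nil, rsa.ErrDecryption
	}
	return pt, nil
}

// Sign produces a PSS signature over the SHA-256 digest of msg.
func (s *SigningKey) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, h[:], nil)
}

// Verify checks a PSS signature and returns true only when it is valid.
func (s *SigningKey) Verify(msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(&s.priv.PublicKey, crypto.SHA256, h[:], sig, nil) == nil
}
```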
Even if you avoid those attacks, integer factorization advancements will ensure your key sizes get longer, your crypto gets slower, and your users less safe.
See this gist by Thomas for prescriptive advice.
If you're writing PHP: start here.
If you're writing Java: start here.