> In Peter Gutmann's godzilla cryptography tutorial, he has some really
> good (though terse) advice on subtle gotchas in using DH/RSA/Elgamal.
> I learned a few no-nos, such as not sending the same message to 3
> separate users in RSA (if using 3 as an encryption exponent).
> My question is, what is the layperson supposed to do, if they must use
> crypto and can't use an off-the-shelf product?

Check the standards. The RSA PKCS#1 standard, which is free, describes how to do RSA securely and summarizes known security results: http://www.rsasecurity.com/rsalabs/node.asp?id=2124. Don't use PKCS#3-style Diffie-Hellman; it's been superseded by the versions in ASC X9.42 and IEEE Std 1363-2000.

The Standards for Efficient Cryptography Group (www.secg.org) publishes SEC1, which describes how to do elliptic curve algorithms securely. The standard is free to download, but note that some techniques in it have licensing requirements.

NIST, in its series of FIPS standards and Special Publications, has defined federal standards for digital signatures and modes of operation for symmetric ciphers, and is moving towards standardizing key exchange mechanisms based on public key algorithms. Those standards are also free, though they sometimes reference non-free standards.

Other standards groups, such as the IEEE P1363 Working Group (which I chair -- http://grouper.ieee.org/groups/1363/) and the ASC X9F1 working group for cryptographic techniques for the financial services industry, publish (for purchase) standards for secure use of other public-key algorithms. 1363 is currently working on

- Lattice-based cryptography, such as NTRU (who I work for)
- Password-based public key techniques such as SPEKE, SRP, etc.
- A revision of the 1363-2000 standard.

A lot of the documents relevant to these projects are available for free off the site. X9 is working on a wider range of projects, but your company has to be an X9 member for you to access them.

> Is there any site
> tracking such gotchas as they show up in the literature?

Rather than tracking gotchas minute-by-minute it's probably best to use existing standards.
Cheers,
William

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
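An added example, not part of the post above and not code from RSA Security or the PKCS#1 document: it contrasts textbook RSA with public exponent 3 (the gotcha the question mentions) against RSA with the EME-PKCS1-v1_5 encoding that PKCS#1 specifies. The key generation is a toy Miller-Rabin routine, the recipients, key size and message are constructed for illustration, and the encoding/decoding follows RFC 3447 section 7.2 (a real deployment would use a vetted library rather than this code).

```python
"""Textbook RSA (e = 3) versus RSA with EME-PKCS1-v1_5 padding.
Added example with constructed keys and message; toy key generation."""
import os
import random
import secrets
from math import gcd


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test (toy helper for key generation)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_key(bits=512, e=3):
    """Toy RSA key (n, e, d) with gcd(e, p-1) = gcd(e, q-1) = 1."""
    def prime():
        while True:
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if gcd(e, c - 1) == 1 and is_probable_prime(c):
                return c
    p = prime()
    q = prime()
    while q == p:
        q = prime()
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d


def eme_pkcs1_v15_encode(message, k):
    """EME-PKCS1-v1_5 (RFC 3447 7.2.1): 0x00 || 0x02 || PS || 0x00 || M, where PS
    is at least 8 random NON-ZERO bytes.  The random PS is what makes two
    encryptions of the same message unrelated."""
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < k - len(message) - 3:
        ps += os.urandom(1).replace(b"\x00", b"")
    return b"\x00\x02" + ps + b"\x00" + message


def eme_pkcs1_v15_decode(em):
    """Reverse of the encoding; every malformed block gets the same generic error."""
    sep = em.find(b"\x00", 2)
    if len(em) < 11 or em[0] != 0 or em[1] != 2 or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]


def encrypt_textbook(m_int, n, e):
    """Textbook RSA: no padding, deterministic."""
    return pow(m_int, e, n)


def encrypt_pkcs1(message, n, e):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(eme_pkcs1_v15_encode(message, k), "big"), e, n)


def decrypt_pkcs1(c, n, d):
    k = (n.bit_length() + 7) // 8
    return eme_pkcs1_v15_decode(pow(c, d, n).to_bytes(k, "big"))


def demo(message=b"meeting at noon"):
    """Encrypt one short message to three constructed recipients, with and
    without padding, and report the properties the post warns about."""
    keys = [gen_key() for _ in range(3)]
    m_int = int.from_bytes(message, "big")
    n0, e0, d0 = keys[0]
    textbook = [encrypt_textbook(m_int, n, e) for n, e, _ in keys]
    padded = [encrypt_pkcs1(message, n, e) for n, e, _ in keys]
    return {
        # same message, same key -> same ciphertext, so a guess can be confirmed
        "textbook_deterministic": encrypt_textbook(m_int, n0, e0) == textbook[0],
        # m**3 is far below every n, so no modular reduction ever happened:
        # each recipient holds the plain integer m**3 (the low-exponent hazard)
        "textbook_no_wrap": all(c == m_int ** 3 for c in textbook),
        # random PS makes repeated encryption under one key unrelated
        "padded_randomized": encrypt_pkcs1(message, n0, e0) != padded[0],
        "roundtrip": all(decrypt_pkcs1(c, n, d) == message
                         for c, (n, _, d) in zip(padded, keys)),
    }


if __name__ == "__main__":
    print(demo())
```

The decoder deliberately reports one generic "decryption error" for every malformed block; RFC 3447 requires this so that the verifier does not learn which check failed, which is the mitigation for the padding-oracle attacks on PKCS#1 v1.5 that the later revisions of the standard discuss.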