On 22/02/12 13:31 PM, Kevin W. Wall wrote:
So, let's bring this back to cryptography. I'm going to assume that virtually all of you are somewhat altruistic and are not in this game just to make a boatload of money by keeping all the crypto knowledge within the secret priesthood, thereby driving your own salaries up.
! idk, sounds like a challengeable assumption.
For starters, I would urge those of you who are not involved in the open source movement to step up and help out with things like OpenSSL, OpenSSH, cryptographic libraries (in languages *other* than C/C++), etc. Personally, I would *more* than welcome someone here stepping forward and volunteering to head up the crypto effort in OWASP ESAPI. Even though some people from the NSA have reviewed it, I'm paranoid enough to think that what they are NOT telling me is wrong is what is worrying me. I know many of you have already contributed (I won't attempt to name names because I'd probably unintentionally leave a few of you out and offend them), but not nearly enough. Most of you who regularly post to this mailing list have commented on how you've seen some of the same beginner crypto failures over and over, so how about starting with just a simple crypto HowTo FAQ, maybe an OWASP crypto cheat sheet.
I suspect most of the people here would prefer to be paid for this. I know I would.
(One of the reasons I never coded for Mozilla was that my company would have had a conflict in time. Helping them with their policies however was not seen as a conflict.)
Just personal observations.
1) They think that key size is the paramount thing; the bigger the better.
NIST are the current baddies here.
2) They have no clue as to what cipher modes are. It's ECB by default.
3) More importantly, they don't know how to choose a cipher mode (not surprising, given #2). They need to understand the trade-offs.
4) They have no idea about how to generate keys, derived keys, IVs.
5) They don't know what padding is, or when/why to use it.
6) They have a very naive concept of entropy... where/when to use it and from where and how to obtain it.
Yes, crypto seems to be in layers. Block algorithms. Modes, and implications. The rest. The game is to push more of it back down to "algorithms".
iang

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
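Kevin's points 2, 3 and 6 above (ECB by default, not knowing how to pick a mode, and where randomness should come from), shown as an added example that is not code from either poster: four identical plaintext blocks repeat verbatim under ECB but not under AES-GCM with a nonce drawn from the OS CSPRNG. The key and the input text are constructed for the demo; the duplicate-block count is the measurable difference between the two modes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt applies the cipher to each 16-byte block on its own, which is
// what "ECB by default" means. pt must already be padded to a block multiple.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i+16 <= len(pt); i += 16 {
		block.Encrypt(ct[i:], pt[i:])
	}
	return ct
}

// gcmSeal is the mode to choose instead: AES-GCM with a fresh 96-bit nonce
// from the OS CSPRNG, prepended to the output. No padding is needed and the
// ciphertext is authenticated, so tampering is detected on open.
func gcmSeal(block cipher.Block, pt []byte) []byte {
	gcm, _ := cipher.NewGCM(block) // cannot fail for a 128-bit block cipher
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail as of Go 1.24
	return gcm.Seal(nonce, nonce, pt, nil)
}

// duplicateBlocks counts 16-byte blocks equal to an earlier one: the structure
// ECB leaks and a properly chosen mode must hide.
func duplicateBlocks(ct []byte) int {
	distinct, n := map[string]bool{}, 0
	for i := 0; i+16 <= len(ct); i += 16 {
		distinct[string(ct[i:i+16])], n = true, n+1
	}
	return n - len(distinct)
}

// compareModes encrypts four identical blocks under a random AES-256 key both
// ways and returns the duplicate-block counts (ECB, GCM): expect 3 and 0.
func compareModes() (int, int) {
	key := make([]byte, 32)
	rand.Read(key)
	block, _ := aes.NewCipher(key) // only fails for a bad key length
	pt := bytes.Repeat([]byte("SAME 16-BYTE ROW"), 4) // constructed input
	return duplicateBlocks(ecbEncrypt(block, pt)), duplicateBlocks(gcmSeal(block, pt)[12:])
}
func main() { fmt.Println(compareModes()) }
```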