On 22/02/12 13:31 PM, Kevin W. Wall wrote:

So, let's bring this back to cryptography. I'm going to assume that
virtually all of you are somewhat altruistic and are not in this game just
to make a boatload of money by keeping all the crypto knowledge
within the secret priesthood thereby driving your own salaries up.


! idk, sounds like a challengeable assumption.

For starters, I would urge those of you who are not involved in
the open source movement to step up and help out with things
like OpenSSL, OpenSSH, cryptographic libraries (in languages
*other* than C/C++), etc. Personally, I would *more* than welcome
someone here stepping forward and volunteering to head up
the crypto effort in OWASP ESAPI. Even though some
people from the NSA have reviewed it, I'm paranoid enough to
think that it's what they are NOT telling me that is wrong is what is
worrying me.

I know many of you have already contributed (I won't attempt to name
names because I'd probably unintentionally leave a few of you out and
offend them), but not nearly enough. Most of you who regularly post to
this mailing list have commented on how you've seen some of the same
beginner crypto failures over and over, so how about starting with just
a simple crypto HowTo FAQ, maybe an OWASP crypto cheat sheet.

I suspect most of the people here would prefer to be paid for this. I know I would.

(One of the reasons I never coded for Mozilla was that my company would have had a conflict in time. Helping them with their policies however was not seen as a conflict.)

Just personal observations.


1) They think that key size is the paramount thing; the bigger the better.

NIST are the current baddies here.

2) They have no clue as to what cipher modes are. It's ECB by default.
3) More importantly, they don't know how to choose a cipher mode (not
     surprising, given #2). They need to understand the trade-offs.
4) They have no idea about how to generate keys, derived keys, IVs,
5) They don't know what padding is, or when/why to use it.
6) They have a very naive concept of entropy...where/when to use it and
     from where and how to obtain it.

Yes, crypto seems to be in layers. Block algorithms. Modes, and implications. The rest. The game is to push more of it back down to "algorithms".



iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
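
Added illustration of items 2 and 3 in the list above (not part of the original thread or of any project named in it): the same repetitive plaintext encrypted with AES in ECB and in GCM, with a check a reviewer can run over ciphertext to spot the ECB pattern. The function names, the all-zero key and the sample plaintext are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptECB encrypts each 16-byte block on its own; a trailing partial block is dropped (no padding shown).
func encryptECB(blk cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt)-len(pt)%aes.BlockSize)
	for i := 0; i < len(ct); i += aes.BlockSize {
		blk.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// encryptGCM uses an authenticated mode with a fresh random nonce, prepended to the output.
func encryptGCM(blk cipher.Block, pt []byte) ([]byte, error) {
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

// repeatedBlocks returns how many full ciphertext blocks duplicate an earlier block.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(ct)/aes.BlockSize - len(seen)
}

func main() {
	blk, _ := aes.NewCipher(make([]byte, 32))         // constructed all-zero demo key, never for real use
	pt := bytes.Repeat([]byte("ACCOUNT=0000001;"), 4) // constructed sample plaintext: four identical blocks
	gcm, _ := encryptGCM(blk, pt)
	fmt.Println("ECB repeats:", repeatedBlocks(encryptECB(blk, pt)), "GCM repeats:", repeatedBlocks(gcm))
}
```

Identical plaintext blocks produce identical ciphertext blocks under ECB, so the repeat count is non-zero there and zero for the nonce-based mode.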
