On 18/05/14 12:06, Matthew Toseland wrote: > On 16/05/14 06:34, Charles wrote: >> Hi all, >> This summer I'm going to be working on creating a High-Level crypto >> API for Freenet. My mentor is Florent Daigniere. I will be >> benchmarking JCA and BouncyCastle against Freenet's current crypto >> implementation to find out which is better in terms of performance and >> security for each algorithm. Then I will use the benchmarks to create >> a high-level crypto API. I'll also create a benchmark that will run >> when Freenet starts to decide if native code is faster vs the java >> implementation on that architecture and adjust the API to use the >> faster one. Once the API is finished I will help merge it into the >> code base. >> If you have any questions or suggestions please let me know. >> I am unixninja92 on IRC. >> -Charles Teese > Actually we already do the benchmark-and-choice-on-startup for many > algorithms, thanks to Eleriseth's patches. > > However, a coherent crypto API at an appropriate level is definitely a > good thing. > > I thought nextgens was in favour of using some form of TLS though? Note > that using TLS correctly is nontrivial (e.g. the defaults don't have PFS > and so are far less secure than our current code on at least one > measure), although there are UDP versions we could use... He's also in > favour of using "consistent" keylengths, i.e. reducing the key length > for symmetric crypto because the keys generated aren't large enough to > justify it anyway, and there may be difficulties with making connection > setup generate bigger keys... > > More generally, is the plan to keep the existing protocols and key > lengths, but refactor to make them clearer and less risky, or will you > be changing any algorithms or parameters? The other problem is some of the algorithms we rely on may be going away in the newer versions of Bouncycastle. I mentioned this earlier. You and nextgens should look into this. Backwards compatibility for content is crucial; backwards compatibility for connections only needs to be maintained for 6 months or so.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Devl mailing list [email protected] https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
