> Date: Thu, 2 Nov 2017 22:07:05 -0700
> From: "Arthur A. Gleckler" <[email protected]>
>
> I like the idea, but isn't it generally accepted that writing one's own
> crypto is risky?
Merely _using_ MD5 or Blowfish in a protocol is risky!

That said, I am pretty well acquainted with what goes into crypto implementation. MD5 is about as easy as it gets, short of something like Salsa20 or ChaCha. Bugs in simple implementations of functions like this are extraordinarily unlikely to pass even a single test vector, because by design any flipped bits in the computation get propagated all over the place. There's no temptation to put in timing side channels because everything is built out of 32-bit + & | ^ <<N >>N, for constant N.

Blowfish invites implementations with obvious timing side channel attacks, because nobody really worried about them at the time it was designed and everyone casually accepted secret-dependent array indices. It's unlikely that there are any constant-time software implementations of Blowfish anyway -- I expect probably OpenSSL and definitely mcrypt to be vulnerable to such attacks. So if I copied code from somewhere else or wrote my own, that wouldn't make things worse than they already are.

Things are much harder for, e.g., RSA, of which I'm aware of only one plausible candidate software implementation that is not vulnerable to timing side channel attacks -- and it is unlikely to be very fast. (That's in BearSSL. OpenSSL's looked like it had obvious timing side channel attacks last time I looked; a year or so later, someone published a paper on exploiting them. Maybe it's improved since then, but I doubt it. And, indeed, yesterday's OpenSSL advisory would affect RSA computations.) But RSA is not relevant here.

_______________________________________________
MIT-Scheme-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/mit-scheme-devel
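As an added example (not code from the post, nor from MIT Scheme), here is the kind of MD5 implementation the reply describes, in C: every operation is a 32-bit add, and, or, xor or constant-distance rotate, every array index is a public loop counter rather than secret data, and the result is checked against the RFC 1321 test vectors, which a single flipped bit anywhere in the computation would fail.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static const uint32_t K[64] = { /* round constants from RFC 1321: floor(|sin(i+1)| * 2^32) */
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391
};
static const int S[4][4] = {{7,12,17,22},{5,9,14,20},{4,11,16,23},{6,10,15,21}}; /* constant rotate distances */
static uint32_t rotl(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }
/* One 64-byte block. Every branch and index depends only on the loop counter, never on message bits. */
static void md5_block(uint32_t h[4], const uint8_t blk[64]) {
    uint32_t m[16] = {0}, a = h[0], b = h[1], c = h[2], d = h[3];
    for (int i = 0; i < 64; i++) m[i/4] |= (uint32_t)blk[i] << (8*(i%4)); /* little-endian words */
    for (int i = 0; i < 64; i++) { int r = i / 16, g; uint32_t f;
        if (r == 0)      { f = (b & c) | (~b & d); g = i; }
        else if (r == 1) { f = (d & b) | (~d & c); g = (5*i + 1) % 16; }
        else if (r == 2) { f = b ^ c ^ d;          g = (3*i + 5) % 16; }
        else             { f = c ^ (b | ~d);       g = (7*i) % 16; }
        uint32_t t = d; d = c; c = b;
        b += rotl(a + f + K[i] + m[g], S[r][i % 4]);
        a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d;
}
/* Digest msg[0..len) into out[16]: pad with 0x80, zeros, then the 64-bit bit length (little-endian). */
void md5(const uint8_t *msg, size_t len, uint8_t out[16]) {
    uint32_t h[4] = {0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476};
    uint8_t buf[128] = {0}; size_t i = 0;
    for (; i + 64 <= len; i += 64) md5_block(h, msg + i);
    size_t rem = len - i, pad = rem < 56 ? 64 : 128; /* second block needed if no room for 9 bytes */
    memcpy(buf, msg + i, rem); buf[rem] = 0x80;
    for (int j = 0; j < 8; j++) buf[pad - 8 + j] = (uint8_t)(((uint64_t)len * 8) >> (8*j));
    md5_block(h, buf);
    if (pad == 128) md5_block(h, buf + 64);
    for (int j = 0; j < 16; j++) out[j] = (uint8_t)(h[j/4] >> (8*(j%4)));
}
/* Compare the digest of a C string against a published hex test vector; returns 1 on match. */
int md5_matches(const char *msg, const char *expected_hex) {
    uint8_t d[16]; char hex[33]; md5((const uint8_t *)msg, strlen(msg), d);
    for (int j = 0; j < 16; j++) sprintf(hex + 2*j, "%02x", d[j]);
    return strcmp(hex, expected_hex) == 0;
}
```

The 80-byte RFC 1321 vector exercises the two-block padding path, the one place a compact implementation is most likely to get wrong.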
