Hi David, I just want to tell you that security is not toy for my amusement. I have absolutely no security background and I am trying the best I can to secure a software in a school project.
I like security domain and this is why I decided to start studying it. Unfourtunatly, I dont have years (not even a year!) of experience in this domain. However, I have great skills in other domain and when I can, I try the best I can to help others. It is not just about you but about many people that have skills in security, but I have this feeling that those people likes to bash on newbies, thinking that they are stupid. Anyway, I appreciated some of your pertinent points/suggestions. David Schwartz wrote: > > > BiGNoRm6969: > >> Never heard about binary specification of the RSA* private key. >> Can you give >> more more information about that please. > > Okay, think about this logically. You want to take the SHA256 hash of an > RSA > private key and get the same result every time. But the SHA256 hash > function > takes in arbitrary binary data. So you need to feed it the same arbitrary > binary data every time to gt the same hash result. > > Are you with me so far? > > That means that you need some kind of specification for converting an RSA > private key (which is just a notional thing, it's some numbers) into a > binary representation. And you need one and only one true way, because > while > "3", "3.0" and "03" are the same number, if fed as binary input to a > SHA256 > hash, you will get a different result. > > So your algorithm cannot possibly work unless it specifies one and only > one > precise way to convert an RSA key (a notional thing, some numbers) into > binary data suitable for SHA256 hashing. > > The fact that you didn't even realize that this had to be done proves that > you are not even remotely competent to devise a security protocol. If you > can't even understand the logical conceptual requirements, the odds of you > getting the security right are near zero. I'm sorry to be so blunt, but > for > your own safety and those of anyone who might use any code you might have > an > influence on, please don't do what you're doing. > > Using an established and tested algorithm for its intended purpose. Or, > employ someone who is qualified to write security software. > > If this is anything other than a toy for your own amusement, you're > heading > towards creating another worthless security product that provides no > actual > security. > > DS > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org > > -- View this message in context: http://www.nabble.com/Question-about-SHA256-on-a-RSA*-key-tp21093222p21134992.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
