Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Good and Bad Crypto



On Tue, Apr 22, 2014 at 11:40:58AM +0000, Edward Ned Harvey (blu) wrote:
> > From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> > bounces+blu=nedharvey.com at blu.org] On Behalf Of Tom Metro
> > 
> > Being open source [...]. It's
> > is merely a necessary precondition for determining that crypto is
> > trustworthy.
> 
> Sorry, but this statement is simply false.

Anything involving security or encryption is rarely simply anything.

> Tell me the difference between the AesManaged class library, when I
> run it under closed-source .NET, and when I run it under open-source
> mono?  There is literally no difference.  It's a standard,
> deterministic library with literally the exact same binary output
> given the same input.  Closed or open is irrelevant, because the
> behavior is standard, published, verifiable, deterministic.

Hogwash.  The difference is interested, qualified parties can't
inspect the implementation to see if, say, using a particular key
won't make the implementation upload logs of all your transactions to
a black hat site, or download kiddie porn to your hardrive, etc..
If you can't inspect it, you can't trust it.  Period.

> > Using a proprietary library that implements an open *standard* is way
> > better than one where the developer decided to roll his own crypto
> > algorithm.
> 
> Nobody rolls his own crypto algorithm.  And I mean nobody.
> 
> Everybody, and I mean everybody, uses a standard library implementation of an open standard.

This is also utter nonsense.  

http://books.google.com/books?id=GToEAAAAMBAJ&pg=RA1-PA117&lpg=RA1-PA117&dq=insecure+proprietary+encryption+algorithm&source=bl&ots=mu7p4S2lrF&sig=o-0RjkKNIiJW8zkc0koyxz9O3o0&hl=en&sa=X&ei=b4lWU6KuMo6-sQTRiIDYBg&ved=0CG4Q6AEwCQ#v=onepage&q=insecure%20proprietary%20encryption%20algorithm&f=false

It took me ~5s to prove that statement wrong.  

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.




BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org