AW: [Issue 4145] Master passphrase and encrypted credentials cache
From: Markus Schaber <m.schaber_at_3s-software.com>
Date: Tue, 27 Mar 2012 14:04:06 +0000
Von: Greg Stein [mailto:gstein_at_gmail.com]
> On Mon, Mar 26, 2012 at 11:45, Greg Hudson <ghudson_at_mit.edu> wrote:
I hope that expert really is an expert.
Playing with crypto on your own is never a good idea. And choosing the right algorithm is the least important thing to think about when using cryptography. In most cases, using a crypto algorithm directly plainly is the wrong thing to do.
In one of my former jobs, we tried to design our own crypto protocol (some kind of "lightweight" SSL for UDP and SMS), and it was more than one year of tweaking of a group of roughly a dozen bright people, and in addition several semi-public reviews in some crypto discussion groups until we were sure that we'd shaken out most of the problems.
Some nice writeup for that subject I found some months ago:
"If You're Typing The Letters A-E-S Into Your Code, You're Doing It Wrong"
So we really should have good reasons to do it on our own, and then try very hard to make sure that we do it "right". :-)
> > you do need to decide whether you want to be cipher-agile. Basically,
We could use some marker-tag or header naming the algorithm, so upgrades can be done in a future-proof way, but actually implementing one single algorithm should be enough.
> > If you don't use CTR mode, you'll need to pick a reversible padding
Padding with NUL characters opens a known plaintext window at the end of the passphrase. Maybe it's better to pad with random characters.
Hmm, I remember someone saying it's not easy to get crypto right, right? :-)
If there is no existing, well-known and trusted solution we can use (copy), we should at least try to get some review from some crypto experts for the design and the implementation.
-- ___________________________ We software Automation. 3S-Smart Software Solutions GmbH Markus Schaber | Developer Memminger Str. 151 | 87439 Kempten | Germany | Tel. +49-831-54031-0 | Fax +49-831-54031-50 Email: firstname.lastname@example.org | Web: http://www.3s-software.com CoDeSys internet forum: http://forum.3s-software.com Download CoDeSys sample projects: http://www.3s-software.com/index.shtml?sample_projects Managing Directors: Dipl.Inf. Dieter Hess, Dipl.Inf. Manfred Werner | Trade register: Kempten HRB 6186 | Tax ID No.: DE 167014915Received on 2012-03-27 16:11:15 CEST
This is an archived mail posted to the Subversion Dev mailing list.