[Discuss] Good and Bad Crypto

Derek Martin invalid at pizzashack.org
Tue Apr 22 11:36:09 EDT 2014


On Tue, Apr 22, 2014 at 11:40:58AM +0000, Edward Ned Harvey (blu) wrote:
> > From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> > bounces+blu=nedharvey.com at blu.org] On Behalf Of Tom Metro
> > 
> > Being open source [...]. It's
> > is merely a necessary precondition for determining that crypto is
> > trustworthy.
> 
> Sorry, but this statement is simply false.

Anything involving security or encryption is rarely simply anything.

> Tell me the difference between the AesManaged class library, when I
> run it under closed-source .NET, and when I run it under open-source
> mono?  There is literally no difference.  It's a standard,
> deterministic library with literally the exact same binary output
> given the same input.  Closed or open is irrelevant, because the
> behavior is standard, published, verifiable, deterministic.

Hogwash.  The difference is interested, qualified parties can't
inspect the implementation to see if, say, using a particular key
won't make the implementation upload logs of all your transactions to
a black hat site, or download kiddie porn to your hardrive, etc..
If you can't inspect it, you can't trust it.  Period.

> > Using a proprietary library that implements an open *standard* is way
> > better than one where the developer decided to roll his own crypto
> > algorithm.
> 
> Nobody rolls his own crypto algorithm.  And I mean nobody.
> 
> Everybody, and I mean everybody, uses a standard library implementation of an open standard.

This is also utter nonsense.  

http://books.google.com/books?id=GToEAAAAMBAJ&pg=RA1-PA117&lpg=RA1-PA117&dq=insecure+proprietary+encryption+algorithm&source=bl&ots=mu7p4S2lrF&sig=o-0RjkKNIiJW8zkc0koyxz9O3o0&hl=en&sa=X&ei=b4lWU6KuMo6-sQTRiIDYBg&ved=0CG4Q6AEwCQ#v=onepage&q=insecure%20proprietary%20encryption%20algorithm&f=false

It took me ~5s to prove that statement wrong.  

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.



More information about the Discuss mailing list