[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Good and Bad Crypto
- Subject: [Discuss] Good and Bad Crypto
- From: invalid at pizzashack.org (Derek Martin)
- Date: Tue, 22 Apr 2014 10:36:09 -0500
- In-reply-to: <f134eeeef944486ca75cd35da6f930e7@CO2PR04MB684.namprd04.prod.outlook.com>
- References: <14b5446b65314ece8402914040d7efb6@CO2PR04MB684.namprd04.prod.outlook.com> <5355DA7B.email@example.com> <f134eeeef944486ca75cd35da6f930e7@CO2PR04MB684.namprd04.prod.outlook.com>
On Tue, Apr 22, 2014 at 11:40:58AM +0000, Edward Ned Harvey (blu) wrote: > > From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss- > > bounces+blu=nedharvey.com at blu.org] On Behalf Of Tom Metro > > > > Being open source [...]. It's > > is merely a necessary precondition for determining that crypto is > > trustworthy. > > Sorry, but this statement is simply false. Anything involving security or encryption is rarely simply anything. > Tell me the difference between the AesManaged class library, when I > run it under closed-source .NET, and when I run it under open-source > mono? There is literally no difference. It's a standard, > deterministic library with literally the exact same binary output > given the same input. Closed or open is irrelevant, because the > behavior is standard, published, verifiable, deterministic. Hogwash. The difference is interested, qualified parties can't inspect the implementation to see if, say, using a particular key won't make the implementation upload logs of all your transactions to a black hat site, or download kiddie porn to your hardrive, etc.. If you can't inspect it, you can't trust it. Period. > > Using a proprietary library that implements an open *standard* is way > > better than one where the developer decided to roll his own crypto > > algorithm. > > Nobody rolls his own crypto algorithm. And I mean nobody. > > Everybody, and I mean everybody, uses a standard library implementation of an open standard. This is also utter nonsense. http://books.google.com/books?id=GToEAAAAMBAJ&pg=RA1-PA117&lpg=RA1-PA117&dq=insecure+proprietary+encryption+algorithm&source=bl&ots=mu7p4S2lrF&sig=o-0RjkKNIiJW8zkc0koyxz9O3o0&hl=en&sa=X&ei=b4lWU6KuMo6-sQTRiIDYBg&ved=0CG4Q6AEwCQ#v=onepage&q=insecure%20proprietary%20encryption%20algorithm&f=false It took me ~5s to prove that statement wrong. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02 -=-=-=-=- This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.