>On Thu, 10 Aug 2000, Michael Paul Johnson wrote:
>> What would you like to see covered in a practical book on cryptography for 
>> programmers?

- Some fundamentals of groups and fields.
- Provide all your code examples on the web.

At 03:37 PM 8/10/00 -0400, dmolnar wrote:

>* Discussion of crypto libraries available (say an updated version of
>  Shostack's comparisons), with attention to licensing issues.
>  Discussion of multi-precision integer libraries available for
>  various languages.  Also their performance on various OS and 
>  chip combinations. 
>* What is and is not provided by a library. What should a programmer
>  expect to write? what should he or she certainly not try to write?

- A general discussion of ways of moving data through programs:
besides the standard "read N more bytes, call crypto function, output",
it's worth looking at Raph Levien's stream-oriented libraries,
as well as OpenSSL and other packages.

- Environments crypto applications will be used in - batch file applications,
real-time speech/video, file system drivers, browser plugins, TCP/UDP
daemons - differences in handling data flows and memory management, ways
to screw up.

- A discussion of parameter negotiation techniques - obviously different
for batch and interactive connections. 

- Threat scenarios for everything - the Photuris papers have some
good discussion on designing protocols to avoid resource-burning DoS attacks.

>* Practical details of encoding schemes which may come up in practice
>  (such as what ASN.1 is, how to use it, whether you need it, etc.).

- Not just ASN.1 and how to avoid it, but also portability,
representation of simple numbers and strings (e.g. the benefits of
PGP's ugly compressed number approaches and why you shouldn't use them :-),
stealthy vs. non-stealthy representations, etc.

>* Lots of examples of how to screw up in subtle ways. Either 
>  cryptographically (e.g. not verifying that a particular
>  element is a member of a subgroup or something else sneaky)
>  or with the language (buffer overflows). 
>  
>  Especially examples of tempting, but wrong, things to do.   

Some theoretical focus on snake oil - particularly material about combining
algorithms, and about combinations of LFSRs or other simple PRNG algorithms
not being any stronger than the basic algorithms, since this is a popular
snake oil approach.
                                Thanks! 
                                        Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
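An added example for the subgroup-membership point quoted above (this is not code from the thread or from any participant): a toy Diffie-Hellman group in which p - 1 = 2*q*R with a small cofactor R. If the responder uses a peer's public value without checking that it lies in the order-q subgroup, the peer can send an element of order R and read the responder's secret exponent mod R from the resulting key. The modulus construction, the cofactor R = 7*11*13 and the seeds are assumptions made for the example, and the sizes are far too small for real use.

```python
"""Added example, not code from the original thread: the "is this element in
the right subgroup?" check, shown on a toy Diffie-Hellman group.  If
p - 1 = 2*q*R with a small cofactor R and the responder accepts a peer value
without checking it has order q, the peer can send an element of order R and
learn the responder's secret exponent mod R from the resulting shared key (in
practice via a key-confirmation MAC).  All numbers here are constructed."""

import random

R = 7 * 11 * 13   # small cofactor of p-1, chosen for this example


def is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.3e24, ample for this toy."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for sp in bases:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(qbits=40, seed=1):
    """Find p = 2*q*R + 1 with q prime, and a generator g of the order-q subgroup."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        p = 2 * q * R + 1
        if is_prime(q) and is_prime(p):
            break
    for h in range(2, p):
        g = pow(h, 2 * R, p)     # order divides q, so g != 1 means order exactly q
        if g != 1:
            return p, q, g


def valid_public_value(y, p, q):
    """The check the book should teach: 1 < y < p-1 and y^q == 1 (mod p)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def order_R_element(p, q):
    """Attacker's bogus public value: h^(2q) has order dividing R; insist on
    order exactly R so every residue class of b mod R gives a distinct key."""
    for h in range(2, p):
        a = pow(h, 2 * q, p)
        if all(pow(a, R // f, p) != 1 for f in (7, 11, 13)):
            return a


def small_subgroup_attack(p, q, g, seed=2):
    """Return (recovered, b % R, B): what the attacker learns vs. the truth."""
    rng = random.Random(seed)
    b = rng.randrange(1, q)             # responder's secret exponent
    B = pow(g, b, p)                    # responder's honest public value
    a = order_R_element(p, q)
    K = pow(a, b, p)                    # key the responder derives if it skips the check
    table = {pow(a, k, p): k for k in range(R)}   # all R possible keys, known to attacker
    return table[K], b % R, B


if __name__ == "__main__":
    p, q, g = make_params()
    recovered, truth, B = small_subgroup_attack(p, q, g)
    print(f"p has {p.bit_length()} bits; attacker learned b mod {R} = {recovered} (truth {truth})")
    print("check rejects bogus value:", not valid_public_value(order_R_element(p, q), p, q))
    print("check accepts honest value:", valid_public_value(B, p, q))
```

The same check (1 < y < p-1 and y^q == 1 mod p) rejects the bogus value and accepts the honest one; with a real-sized p the attacker repeats the trick for each small factor of (p-1)/q and combines the residues by CRT, or simply uses a p chosen so that (p-1)/q is large and smooth.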
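An added example for the snake-oil point about combining LFSRs (again, not code from the thread): XORing two LFSRs gives a keystream whose linear complexity is at most the sum of the register lengths, so the Berlekamp-Massey algorithm recovers the combined recurrence from 2*L known keystream bits and predicts the rest. The tap positions and initial states are assumptions chosen for the example.

```python
"""Added example, not code from the original thread: XORing the outputs of
two LFSRs yields a sequence whose linear complexity is at most the sum of
the register lengths, so Berlekamp-Massey recovers the combined recurrence
from 2*L output bits and predicts every later bit.  The tap positions and
initial states below are chosen for illustration only."""


def lfsr(taps, state):
    """Fibonacci LFSR over GF(2).  `taps` are 1-based positions into `state`
    that are XORed to form the feedback bit; the last cell is the output.
    Yields one keystream bit per step, forever."""
    state = list(state)
    while True:
        yield state[-1]
        feedback = 0
        for t in taps:
            feedback ^= state[t - 1]
        state = [feedback] + state[:-1]


def combined_keystream(n_bits):
    """Snake-oil generator: XOR of a 5-bit and a 7-bit LFSR.  The recurrences
    are x^5+x^2+1 and x^7+x+1 (both primitive), so the XORed stream has
    period (2^5-1)(2^7-1) but linear complexity only 5 + 7 = 12."""
    a = lfsr([5, 3], [1, 0, 0, 1, 1])                # constructed state
    b = lfsr([7, 6], [1, 1, 0, 1, 0, 0, 1])          # constructed state
    return [next(a) ^ next(b) for _ in range(n_bits)]


def berlekamp_massey(bits):
    """Return (L, c): the length L of the shortest LFSR generating `bits` and
    its connection polynomial c, with bits[i] = XOR_{j=1..L} c[j]*bits[i-j]."""
    n = len(bits)
    c = [0] * n
    b = [0] * n
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L, c[: L + 1]


def predict(c, L, known, count):
    """Extend `known` by `count` bits using the recovered recurrence."""
    seq = list(known)
    for _ in range(count):
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= c[j] & seq[-j]
        seq.append(nxt)
    return seq[len(known):]


def break_combined_lfsr(observed=24, check=500):
    """Recover the recurrence from `observed` known-plaintext keystream bits
    and report (L, predictions_correct) for the next `check` bits."""
    ks = combined_keystream(observed + check)
    L, c = berlekamp_massey(ks[:observed])
    return L, predict(c, L, ks[:observed], check) == ks[observed:]


if __name__ == "__main__":
    L, ok = break_combined_lfsr()
    print(f"linear complexity {L}; next 500 bits predicted correctly: {ok}")
```

Twenty-four known bits are enough here because the combined complexity is exactly 12; the long period (3937) buys nothing against an attacker with a little known plaintext, which is the point about combinations of simple PRNGs not being stronger than their parts.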
