On 2014-05-29 14:46, Mike Cramer wrote:
> You need to ask yourself a question: > > How well do you know coding and encryption handling to ensure that your > software doesn't have unintentional back doors and/or information > disclosure? This is a serious question because it requires serious answers > when you're dealing with cryptography. The weakest part of the security > system should not be the application. > > What libraries would you use for encryption? If any? I assume you would > leverage AES. Would the library you choose to use support AES-NI? Would you > use the Intel CPU-based PRNG? (http://en.wikipedia.org/wiki/RdRand) > > I think it's reasonable to assume that the "many eyes" approach to software > security doesn't really work. So simply saying you'll release it as GPL I > don't think should be considered "good enough" anymore when it comes to > encryption. The myriad of flaws in OpenSSL over the years both upstream and > in distributions should be a serious wake-up call on this one. > > My recommendation would be to use FileVault/Bitlocker/OS implementations > unless you can come up with a good reason why not to do so. Mike, Well aware of the Intel PRNG issues and others (http://twitter.com/ciurana -- I covered them when they happened and continue to address them). Ditto on the encryption: I know it well enough to come up with an initial implementation, and be conscious of the limitations of my coding. Part of this plan consists on establishing an auditing process from the get go, not unlike OpenBSD's, where security is built into the process, not only into the code and reviewed as an after thought. I want to have more than one block encryption algorithm built into it, different digests, and so on. Libraries, features selection, etc. are still in a preliminary stage. First I want to gauge level of interest. Would you like to help? :) Cheers! pr3d _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
