Hi, all...
I think it wise to go back to the OP's stated objective, to create "an
independent to libraries source code for demonstration purposes for
AES-CTR mode." The operative prepositional phrase here being "for
demonstration purposes."
Thus, whether it is wise to implement one's own crypto
library/engine/etc. in *production*, I see no particular reason why
learning from creating one as a demonstration or proof of concept (and
even providing such code here or elsewhere for critique) is such a bad
thing.
This list is replete with experienced practitioners. If this isn't a
good place to critique such a demonstration or proof of concept, perhaps
someone here knows of a better list (one perhaps not focused on using
OpenSSL in particular, say crypto.stackexchange.com - and that is not an
endorsement, merely an example).
On 05/11/2015 11:59 PM, Mike Mohr wrote:
If you don't know about list comprehension in Python, you can simply
construct a list in a loop to get the job done. The end result is the
same no matter which approach you take.
The same is not true for cryptography. While Sec_Aficionado is quite
eloquent and makes several valid points, I think his overall argument
does not hold water. I have audited the crypto implementations in a
number of open-source projects over the years and found wide variance in
their quality. In one instance a popular piece of software included a
feature which claimed to encrypt its data using AES-256. It turned
out that the code copied the user's password directly into the key
buffer, either padding with null bytes or truncating depending on the
length. The data was then encrypted using AES-256 in ECB mode. The
software's primary purpose was not cryptography, and it provided
innovative and creative features otherwise. This type of bug is
insidious, since it doesn't really protect the data in any meaningful
way and lulls its users into a false sense of security.
I am not advocating that the realm of information security be forever
relegated to a select few. That is also dangerous, as Sec_Aficionado
correctly pointed out. However, the study of cryptography should
never be undertaken without the guidance of an experienced
practitioner. I had the extraordinary opportunity to study
information security at university under the guidance of an ex-NSA
analyst. I recognize that I am extremely lucky to have had this
chance, and that this kind of education is only available to a select
set of people worldwide. I also don't have a solution to the problem
of training the next generation of cryptographers. However, having yet
another potentially compromised AES implementation written by a novice
programmer is not something that I want to encourage.
On Mon, May 11, 2015 at 6:12 AM, Sec_Aficionado
<secaficion...@gmail.com> wrote:
While implementing one's own security and/or cryptography is
certainly not advisable for a novice (or even advanced
programmers), creating cipher implementations from scratch is
probably one of the best ways to learn and understand the
intricacies of the problem at hand.
Learning about the pitfalls and advantages of the algorithms is
key for a future security expert. Moreover, denying someone access
to help on an open source project is antithetical to the OSS
philosophy. How can anyone hope to understand code that by its
very nature is cryptic and complex if there's no one willing to
help disentangle, at least at a high level, the routines and
functions?
InfoSec is a black art today, but it needs to get out of that
mode. After the last few years it is clear that unless we open up
the understanding of these disciplines, we will be at the mercy of
experts with hidden agendas. Only educated users can hope to make
correct use of cryptography, or be able to choose the best
application for their needs. As we know, even a robust cipher is
useless if utilized for the wrong purpose or poorly configured. We
can't turn away those with a genuine interest in learning how to
use cryptography without dooming ourselves to continue with the
status quo.
I appeal to those of you who routinely share your knowledge and
try to make a difference here, that you provide some guidance and
not turn away people with basic questions like this one. These are
the users who may become one day contributors. They should be
nurtured and not shunned.
OK, I'll get off my soapbox now. Have a great week everyone.
On May 10, 2015, at 5:58 PM, Mike Mohr <akih...@gmail.com> wrote:
The task of implementing AES should not be undertaken by a novice
programmer. Please save the world another heartbleed and pick
something more in line with your skill level.
On May 10, 2015 11:48 AM, "konstantinos Alexiou"
<konstantinako...@gmail.com> wrote:
Dear Sirs,
I am new to C programming and I am trying to create an
independent to libraries source code for demonstration
purposes for AES-CTR mode. Could I have some help on doing
that using the source code contained under crypto/aes?
Thank you very much in advance.
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies see www.2rosenthals.com
-------------------------------------------------------------
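
The key-setup flaw described in the quoted audit (password copied into the AES-256 key buffer, null-padded or truncated) can be reproduced and contrasted with a salted key-derivation function. The following is an added example, not code from this thread or from the audited software; the function names, sample passwords and iteration count are assumptions, and it covers only the key-setup half of the bug, not the ECB half.

```python
import hashlib
import os

KEY_LEN = 32  # AES-256 key size in bytes


def naive_key(password: str) -> bytes:
    """Flawed setup from the thread: password copied into the key buffer,
    null-padded when short, truncated when long."""
    raw = password.encode("utf-8")
    return raw[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def derived_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Hardened setup: PBKDF2-HMAC-SHA256 with a random per-file salt.
    The iteration count is an assumed work factor; tune it to your hardware."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def audit_key(key: bytes) -> list:
    """Heuristics a reviewer can apply to key material seen in a debugger."""
    findings = []
    stripped = key.rstrip(b"\x00")
    if len(stripped) < len(key):
        findings.append("trailing null padding")
    if stripped and all(0x20 <= b < 0x7F for b in stripped):
        findings.append("printable ASCII only")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real product.
    short = "hunter2"
    long_a = "A" * KEY_LEN + "first"
    long_b = "A" * KEY_LEN + "second"
    salt = os.urandom(16)

    print("naive short :", naive_key(short).hex(), audit_key(naive_key(short)))
    print("truncation collision:", naive_key(long_a) == naive_key(long_b))
    print("derived short:", derived_key(short, salt).hex())
    print("derived collision:", derived_key(long_a, salt) == derived_key(long_b, salt))
```

With the naive setup, any two passwords that share their first 32 bytes produce the same key, and a short password leaves most of the key as known zero bytes.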