[openssl-users] Stand alone AES-CTR module
Lewis Rosenthal
lgrosenthal at 2rosenthals.com
Tue May 12 04:24:42 UTC 2015
Hi, all...
I think it wise to go back to the OP's stated objective, to create "an
independent to libraries source code for demonstration purposes for
AES-CTR mode." The operative prepositional phrase here being "for
demonstration purposes."
Thus, whether it is wise to implement one's own crypto
library/engine/etc. in *production*, I see no particular reason why
learning from creating one as a demonstration or proof of concept (and
even providing such code here or elsewhere for critique) is such a bad
thing.
This list is replete with experienced practitioners. If this isn't a
good place to critique such a demonstration or proof of concept, perhaps
someone here knows of a better list (one perhaps not focused on using
OpenSSL in particular, say crypto.stackexchange.com - and that is not an
endorsement, merely an example).
On 05/11/2015 11:59 PM, Mike Mohr wrote:
> If you don't know about list comprehension in Python, you can simply
> construct a list in a loop to get the job done. The end result is the
> same no matter which approach you take.
>
> The same is not true for cryptography. While Sec_Aficionado is quite
> eloquent and makes several valid points, I think his overall argument
> does not hold water. I have audited the crypto implementations in a
> number of open-source projects over the years and found wide variance in
> their quality. In one instance a popular piece of software included a
> feature which claimed to encrypt its data using AES-256. It turned
> out that the code copied the user's password directly into the key
> buffer, either padding with null bytes or truncating depending on the
> length. The data was then encrypted using AES-256 in ECB mode. The
> software's primary purpose was not cryptography, and it provided
> innovative and creative features otherwise. This type of bug is
> insidious, since it doesn't really protect the data in any meaningful
> way and lulls its users into a false sense of security.
>
> I am not advocating that the realm of information security be forever
> relegated to a select few. That is also dangerous, as Sec_Aficionado
> correctly pointed out. However, the study of cryptography should
> never be undertaken without the guidance of an experienced
> practitioner. I had the extraordinary opportunity to study
> information security at university under the guidance of an ex-NSA
> analyst. I recognize that I am extremely lucky to have had this
> chance, and that this kind of education is only available to a select
> set of people worldwide. I also don't have a solution to the problem
> of training the next generation of cryptographers. However, having yet
> another potentially compromised AES implementation written by a novice
> programmer is not something that I want to encourage.
>
> On Mon, May 11, 2015 at 6:12 AM, Sec_Aficionado
> <secaficionado at gmail.com> wrote:
>
> While implementing one's own security and/or cryptography is
> certainly not advisable for a novice (or even advanced
> programmers), creating cipher implementations from scratch is
> probably one of the best ways to learn and understand the
> intricacies of the problem at hand.
>
> Learning about the pitfalls and advantages of the algorithms is
> key for a future security expert. Moreover, denying someone access
> to help on an open source project is antithetical to the OSS
> philosophy. How can anyone hope to understand code that by its
> very nature is cryptic and complex if there's no one willing to
> help disentangle, at least at a high level, the routines and
> functions?
>
> InfoSec is a black art today, but it needs to get out of that
> mode. After the last few years it is clear that unless we open up
> the understanding of these disciplines, we will be at the mercy of
> experts with hidden agendas. Only educated users can hope to make
> correct use of cryptography, or be able to choose the best
> application for their needs. As we know, even a robust cipher is
> useless if utilized for the wrong purpose or poorly configured. We
> can't turn away those with a genuine interest in learning how to
> use cryptography without dooming ourselves to continue with the
> status quo.
>
> I appeal to those of you who routinely share your knowledge and
> try to make a difference here, that you provide some guidance and
> not turn away people with basic questions like this one. These are
> the users who may become one day contributors. They should be
> nurtured and not shunned.
>
> OK, I'll get off my soapbox now. Have a great week everyone.
>
> On May 10, 2015, at 5:58 PM, Mike Mohr <akihana at gmail.com> wrote:
>
>> The task of implementing AES should not be undertaken by a novice
>> programmer. Please save the world another heartbleed and pick
>> something more in line with your skill level.
>>
>> On May 10, 2015 11:48 AM, "konstantinos Alexiou"
>> <konstantinakos.a at gmail.com> wrote:
>>
>> Dear Sirs,
>>
>>
>> I am new to C programming and I am trying to create an
>> independent to libraries source code for demonstration
>> purposes for AES-CTR mode. Could I have some help on doing
>> that using the source code contained under crypto/aes.
>>
>>
>> Thank you very much in advance.
>>
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies see www.2rosenthals.com
-------------------------------------------------------------
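
The key-handling half of the bug described in the quoted message (password copied into the AES-256 key buffer, null-padded or truncated) is shown below as an added example; it is not code from the thread or from OpenSSL. It sets that scheme beside a salted, iterated derivation and adds a heuristic an auditor could run over a key buffer. PBKDF2-HMAC-SHA256, the function names, the iteration count and the sample passwords are assumptions of this example, and the ECB half of the bug is not covered.

```python
import hashlib
import os

KEY_LEN = 32  # AES-256 key size in bytes


def naive_key(password: str) -> bytes:
    """Flawed scheme from the anecdote: copy the password into the key
    buffer, truncating or padding with null bytes to KEY_LEN."""
    return password.encode("utf-8")[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def derived_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256, chosen for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def looks_like_raw_password(key: bytes) -> bool:
    """Audit heuristic: after dropping trailing NULs, is the key buffer
    nothing but printable ASCII? Misses non-ASCII passwords."""
    body = key.rstrip(b"\x00")
    return len(body) > 0 and all(0x20 <= b <= 0x7E for b in body)


if __name__ == "__main__":
    salt = os.urandom(16)  # stored alongside the ciphertext, not secret
    # Constructed sample passwords, not taken from the thread.
    for pw in ("hunter2", "A" * 32 + "-first", "A" * 32 + "-second"):
        nk, dk = naive_key(pw), derived_key(pw, salt)
        print(f"{pw!r}")
        print("  naive  :", nk.hex(), "raw-password?", looks_like_raw_password(nk))
        print("  pbkdf2 :", dk.hex(), "raw-password?", looks_like_raw_password(dk))
```

The two long sample passwords differ only after byte 32, so the naive scheme gives them the same key while the derived keys differ.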