Paul Crowley ([personal profile] ciphergoth) wrote2006-09-04 06:41 am

Go choke on a bucket of cocks

I've posted before about the generally dreadful nature of cryptographic products. Yesterday I got into an argument on bloody Slashdot with a developer about whether he should try to use good crypto or not. Now, unlike [livejournal.com profile] jwz I can see that he's not the only one with attitude in this thread, but the result still gets me down.

http://slashdot.org/comments.pl?sid=195651&cid=16032881

Next time you use something that uses crypto, bear in mind that it was probably written by the likes of this guy.

[identity profile] brad.livejournal.com 2006-09-04 05:56 am (UTC)(link)
You don't know my system and I like it that way. Nobody but me should know my system! Explaining it's just too hard.

defensive shields up!

[identity profile] trythil.livejournal.com 2006-09-04 08:52 am (UTC)(link)
That exchange was awesome.

In a sad way.

[personal profile] calum 2006-09-04 09:14 am (UTC)(link)
Doing encryption well in an embedded system is not hard. It's just a case of choosing the right approach for the CPU/memory requirements you have. And he's got a hardware accelerator! Sheesh!

There is a certain amount of that sort of attitude among embedded system programmers I have known - very much a "I have to code in less space and fewer cycles than you, therefore don't try to question how I do things".

There's very much an "it's not possible to do X in an embedded system" attitude floating around, which usually turns out to be false. I had the same argument about writing object-oriented code for embedded systems. Everyone said "you can't do that. It doesn't work in embedded systems. It'll be too slow". Turns out the answer is... "Not if you do it right".

[identity profile] ciphergoth.livejournal.com 2006-09-04 09:48 am (UTC)(link)
Yes. If this guy has enough cycles to do CBC mode, he has enough cycles for something better.

[identity profile] altamira16.livejournal.com 2006-09-04 11:23 am (UTC)(link)
Mistake #1: Reading slashdot comments

[identity profile] ciphergoth.livejournal.com 2006-09-04 11:33 am (UTC)(link)
You've left out

Mistake #2: Replying to them.

and of course

Mistake #0: Reading Slashdot.

(Anonymous) 2006-09-05 09:36 am (UTC)(link)
never argue with an idiot... they bring you down to their level then beat you with experience

[identity profile] sjmurdoch.livejournal.com 2006-09-04 01:40 pm (UTC)(link)
Amusing thread :-)

Perhaps I am missing something, but is there a need for unpredictable IVs? They should be unique, but wouldn't a counter be adequate, assuming you had sufficient locking to ensure no repetition?

On single pass encryption and authentication, I recently was reading about IGE mode, implemented in OpenSSL. It only needs an extra xor over CBC so looks pretty good.

[identity profile] ciphergoth.livejournal.com 2006-09-04 01:57 pm (UTC)(link)
What you say is true about CTR mode. However in CBC mode there's an attack in which the attacker chooses the first block of the plaintext based on the IV, so the proofs of security only work if the IVs are random and unpredictable.

IGE mode has been proposed several times with different names over the years; I proposed it about nine years ago and called it SBC, then discovered that Michael Brown at Dublin University had proposed it about eighteen months earlier and called it X-CBC. ABC seems to be an interesting extension. However, many similar attempts to build one-pass authenticated-encryption modes of operation have been broken, and as a result these days people tend to demand a proof of security. All the modes I'm advocating, as well as other patent-encumbered modes such as OCB, come with such a proof. I think it would be foolhardy to opt for a mode that does not have such a proof. The extra cost of GGM over CBC is pretty small - a single multiply in GF(2^128). And unlike CBC, GGM is parallelizable.
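The exchange above (a counter would be a fine IV for CTR mode, but CBC needs an unpredictable IV because an attacker can choose the next plaintext block as a function of the IV) can be made concrete. The following is an added illustration, not code from the post or from any of the commenters. It uses a stand-in 128-bit block cipher (a four-round Feistel network with an HMAC-SHA256 round function) so that it runs offline without a crypto library; the point being demonstrated is the CBC chaining, not the cipher. The fixed key, the sample plaintext, the `CounterIvSender` and `RandomIvSender` classes and the `guess_confirmed` check are all constructed for this example. With a counter IV the sender leaks whether an earlier first block equals a guess; with a random IV the same check fails.

```python
"""Why CBC needs unpredictable IVs: a counter IV lets a chosen-plaintext
query confirm a guess about an earlier message's first block."""
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, as for AES


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 keyed by the cipher key and round index,
    # truncated to the 8-byte half-block width.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (4-round balanced Feistel, Luby-Rackoff style).
    This is NOT AES; it is only here so the CBC demonstration runs offline."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        # (L, R) -> (R, L xor F(R)); a bijection on 16-byte blocks
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C_i = E(P_i xor C_{i-1}), with C_0 = IV. No padding, so
    the plaintext must be a whole number of blocks."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class CounterIvSender:
    """Weak: the IV is a message counter, so the attacker knows the next one."""
    def __init__(self, key: bytes):
        self.key, self.n = key, 0

    def send(self, plaintext: bytes):
        iv = self.n.to_bytes(BLOCK, "big")
        self.n += 1
        return iv, cbc_encrypt(self.key, iv, plaintext)


class RandomIvSender:
    """What the CBC security proof assumes: a fresh unpredictable IV per message."""
    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes):
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.key, iv, plaintext)


def guess_confirmed(sender, iv1: bytes, c1: bytes, guess: bytes, iv_pred: bytes) -> bool:
    """Having observed (iv1, c1) for an unknown first block P1, submit the chosen
    block G xor iv1 xor iv_pred. If iv_pred is right, the cipher input is
    G xor iv1, which equals the earlier input P1 xor iv1 exactly when G == P1,
    so the first ciphertext block repeats exactly when the guess is right."""
    chosen = xor(xor(guess, iv1), iv_pred)
    _, c2 = sender.send(chosen)
    return c2[:BLOCK] == c1[:BLOCK]


def demo(sender_cls, secret: bytes, guess: bytes) -> bool:
    """Returns True when the observer can confirm `guess` == `secret`."""
    key = b"\x01" * BLOCK  # constructed fixed key for the demonstration
    sender = sender_cls(key)
    iv1, c1 = sender.send(secret)
    # The observer models the sender as using a counter: after one message the
    # next IV would be 1. Against RandomIvSender this prediction is worthless.
    iv_pred = (1).to_bytes(BLOCK, "big")
    return guess_confirmed(sender, iv1, c1, guess, iv_pred)


if __name__ == "__main__":
    secret = b"attack at dawn!!"  # constructed 16-byte sample plaintext
    print("counter IV, right guess:", demo(CounterIvSender, secret, secret))
    print("counter IV, wrong guess:", demo(CounterIvSender, secret, b"attack at dusk!!"))
    print("random IV, right guess: ", demo(RandomIvSender, secret, secret))
```

Because the block cipher is a bijection, a wrong guess can never collide, so the counter-IV sender answers the equality question with certainty; against the random-IV sender the check succeeds only if the attacker's predicted IV happens to equal the real one, which is a 2^-128 event. Note that this is exactly the property CTR mode does not have: there the counter is a nonce that only needs to be unique, not unpredictable, which is why a counter is fine for CTR and not for CBC.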

Oh no they aren't!

(Anonymous) 2006-09-06 10:45 am (UTC)(link)
You should try reading the paper a little more carefully. It assumes fixed IVs, which is patently dumb.

Re: Oh no they aren't!

[identity profile] ciphergoth.livejournal.com 2006-09-06 09:41 pm (UTC)(link)
Heh - you can tell how carefully I read the paper by the timestamps on my replies. Thanks. I still wouldn't recommend it though; I'd like to see a security reduction first.

Incidentally, I don't usually unscreen anonymous comments; please at least sign with a nom. Thanks!

[identity profile] ciphergoth.livejournal.com 2006-09-04 11:29 pm (UTC)(link)
By the way, just saw your temperature/clock skew result on Light Blue Touchpaper. That is just incredibly cool and scary.