LibTomNet [v0.01]

Steven M. Bellovin smb at
Tue Jul 8 21:24:27 EDT 2003

[Moderator's note: I've been choking back the LibTomNet argument but I
 thought Steve's specific references here are interesting, even if the
 point has already been made. --Perry]

In message <20030707230743.64482.qmail at>, tom st denis writes:

>The RFC looks like it was written by a member of the ACLU and done at
>an hourly rate of some sort.  It contains no test vectors, no sample
>source code and generally is not enough information to code a compliant
>SSL protocol.

What does the ACLU have to do with it?  "Be liberal in what you accept?"

>Not only is my code way smaller than a compliant SSL library but it is
>also simpler.  There are only eight functions in LibTomNet and of
>LibTomCrypt you only need a half dozen at most [setup the prng, RSA key
>gen, export/import].  In other words my code is [should be] very easy to
>work with since there is a minimum of clutter to get in the way.

Tom, I don't know you, and I don't know what your background in crypto 
protocol design is.  It's an *exceedingly* subtle art.

A few months ago, I went back and reread the original Needham-Schroeder 
paper, from December 1978.  It is, as far as I know, the first paper in 
the open literature on cryptographic protocols.  In it, the authors 
warn that they think that this is a very difficult area, and that 
subtle flaws will occur.  That's one of the more amazing instances of 
prescience I've seen.

Let me briefly review the history of that protocol.  As I said, it was 
published in December, 1978.  It had symmetric and asymmetric versions 
of the protocol.  The latter -- taking into account certificates, which 
had not yet been invented -- was only three lines long.  In August 1981,
Denning and Sacco published a paper describing a comparatively subtle 
flaw in the protocol; they also proposed a fix.  In 1994, Abadi and 
Needham described a flaw in the Denning/Sacco replacement.  (That flaw 
might have been described in 1987, but I'm traveling and don't have my 
library with me...)  In 1996, a new flaw was found in the original 
Needham-Schroeder asymmetric variant -- a flaw that was blindingly 
obvious once pointed out.

Tell me -- why should anyone trust your new protocol, given the history 
of one of the most-studied protocols in the field?  SSLv3 has had a lot 
of scrutiny.  Has yours?

>At any rate LibTomNet is not an SSL replacement.  It's a library for
>developers who need simple to work with secure sockets.

That's what SSL is.

		--Steve Bellovin, (me) (2nd edition of "Firewalls" book)
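[Editor's added example, not part of Bellovin's message or of LibTomNet.] The 1996 flaw Bellovin mentions in the asymmetric Needham-Schroeder protocol is Lowe's man-in-the-middle attack: the post does not name it, so that attribution is mine. The script below models the three-message protocol with symbolic encryption (a ciphertext "to X" can only be opened by the principal named X; no real crypto) and runs the attack, in which Alice innocently starts a session with Mallory and Mallory replays it to Bob, so that Bob ends up believing he shares the nonces with Alice while Mallory holds Nb. Passing fixed=True applies Lowe's fix (the responder's name inside message 2), which makes Alice abort. The principal names and nonce labels are my own.

```python
"""Needham-Schroeder public-key protocol (1978) and Lowe's man-in-the-middle
attack, modelled with symbolic encryption.

  1. A -> B: {Na, A}_B
  2. B -> A: {Na, Nb}_A        (Lowe's fix: {Na, Nb, B}_A)
  3. A -> B: {Nb}_B

Encryption is symbolic: Enc(to, fields) can be opened only by the principal
named `to`.  The point is the message flow, not the arithmetic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """Ciphertext under the public key of `to`, carrying `fields`."""
    to: str
    fields: tuple


def enc(to, *fields):
    return Enc(to, tuple(fields))


def dec(who, ct):
    """Only the holder of `to`'s private key can open the ciphertext."""
    if ct.to != who:
        raise PermissionError(f"{who} lacks the private key of {ct.to}")
    return ct.fields


class Initiator:
    def __init__(self, name, nonce):
        self.name, self.nonce, self.peer = name, nonce, None

    def msg1(self, peer):
        self.peer = peer
        return enc(peer, self.nonce, self.name)          # {Na, A}_B

    def msg3(self, m2, fixed):
        fields = dec(self.name, m2)
        if fixed:
            na, nb, responder = fields                   # {Na, Nb, B}_A
            if responder != self.peer:
                raise ValueError(
                    f"{self.name}: message 2 names {responder}, expected {self.peer}")
        else:
            na, nb = fields                              # {Na, Nb}_A
        if na != self.nonce:
            raise ValueError(f"{self.name}: Na mismatch")
        return enc(self.peer, nb)                        # {Nb}_B


class Responder:
    def __init__(self, name, nonce):
        self.name, self.nonce, self.claimed_peer = name, nonce, None

    def msg2(self, m1, fixed):
        na, a = dec(self.name, m1)
        self.claimed_peer = a                            # whoever message 1 names
        if fixed:
            return enc(a, na, self.nonce, self.name)     # {Na, Nb, B}_A
        return enc(a, na, self.nonce)                    # {Na, Nb}_A

    def finish(self, m3):
        (nb,) = dec(self.name, m3)
        if nb != self.nonce:
            raise ValueError(f"{self.name}: Nb mismatch")
        return self.claimed_peer   # B now believes Na, Nb are shared with this principal


def lowe_attack(fixed):
    """Alice opens a session with Mallory; Mallory replays it to Bob.

    Returns (who Bob believes he authenticated, whether Mallory learnt Nb).
    With fixed=True Alice raises ValueError at message 2 and the attack stops.
    Names and nonce labels are constructed for the example.
    """
    alice = Initiator("Alice", "Na")
    bob = Responder("Bob", "Nb")
    mallory = "Mallory"

    m1 = alice.msg1(mallory)                   # Alice -> Mallory: {Na, Alice}_Mallory
    na, a = dec(mallory, m1)                   # Mallory opens it with his own key...
    m1_to_bob = enc("Bob", na, a)              # ...and re-encrypts it for Bob, as "Alice"
    m2 = bob.msg2(m1_to_bob, fixed)            # Bob -> "Alice": {Na, Nb}_Alice
    m3 = alice.msg3(m2, fixed)                 # Mallory just forwards; Alice answers {Nb}_Mallory
    (nb,) = dec(mallory, m3)                   # Mallory now holds Nb
    bob_peer = bob.finish(enc("Bob", nb))      # Mallory completes Bob's run as "Alice"
    return bob_peer, nb == bob.nonce


if __name__ == "__main__":
    print("original protocol:", lowe_attack(fixed=False))
    try:
        lowe_attack(fixed=True)
    except ValueError as e:
        print("with Lowe's fix:", e)
```

Bob's view of the unfixed run is indistinguishable from an honest one: every message he sends or receives is well-formed and correctly encrypted, which is why the flaw survived from 1978 until it was pointed out. The fix costs one extra field.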

The Cryptography Mailing List