crypto for the average programmer

Travis H. solinym at gmail.com
Mon Dec 12 01:41:13 EST 2005


In Peter Gutmann's Godzilla cryptography tutorial, he has some really
good (though terse) advice on subtle gotchas in using DH/RSA/ElGamal.
I learned a few no-nos, such as not sending the same message to 3
separate users in RSA (if using 3 as an encryption exponent).

My question is, what is the layperson supposed to do, if they must use
crypto and can't use an off-the-shelf product?  Is there any site
tracking such gotchas as they show up in the literature?  Are there
APIs written specifically so that a crypto-naive programmer can safely
use them?

This reminds me a bit of Schneier's advice in Practical Cryptography
to use a crypto hash on every user-supplied input to a crypto
algorithm; doing so makes it very difficult for them to control the
input in a way that breaks the system.  But plain SHA-1 is not enough
for him; he has a few constructions that prevent length-extension
attacks, and I presume it should include some random padding as well.

Additionally, I was thinking of providing some compression and crypto
libraries that return their output in two parts: one the predictable
portion, the other unpredictable.  One thing I've noticed is that many
libraries and programs don't distinguish between the two, and so you
risk giving the attacker known plaintext when post-processing them
(and you don't know exactly how much unless you dive into file format
specifics).  Would it be useful enough to merit the effort?
--
http://www.lightconsulting.com/~travis/  -><- P=NP if (P=0 or N=1)
"My love for mathematics is unto 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
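An added example, not from this post nor from Gutmann's or Schneier's material, of the first gotcha above from the defender's side: textbook RSA with e = 3 is deterministic and, for a short message, m**3 does not even wrap modulo n, which is the precondition for the "same message to three recipients" problem, while randomised padding removes it. The Miller-Rabin routine, the 512-bit demo key size and the PKCS#1 v1.5 block layout are my own simplified choices to keep it self-contained (Python 3.8+); real code should use a library's OAEP rather than this.

```python
import secrets
from math import gcd

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; n is assumed large (demo keys); needs Python 3.8+."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19)):
        return False
    r = ((n - 1) & (1 - n)).bit_length() - 1  # trailing zero bits of n - 1
    d = (n - 1) >> r                          # n - 1 == d * 2**r with d odd
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        if all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False  # no square reached -1: n is composite
    return True

def gen_prime(bits, e):  # random prime with gcd(p - 1, e) == 1 so e is usable
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if gcd(p - 1, e) == 1 and is_probable_prime(p):
            return p

def keygen(bits=512, e=3):  # demonstration size only; far too small for real use
    p, q = gen_prime(bits // 2, e), gen_prime(bits // 2, e)
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)

def encrypt_raw(pub, msg):  # textbook RSA: deterministic, and short msg**3 < n
    n, e = pub
    return pow(int.from_bytes(msg, "big"), e, n)

def pad(msg, k):  # PKCS#1 v1.5 type-2 layout: 00 02 <random nonzero bytes> 00 <msg>
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg

def encrypt_padded(pub, msg):
    n, e = pub
    return pow(int.from_bytes(pad(msg, (n.bit_length() + 7) // 8), "big"), e, n)

def decrypt_padded(priv, c):
    n, d = priv
    block = pow(c, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    assert block[:2] == b"\x00\x02", "bad padding"
    return block[block.index(b"\x00", 2) + 1:]

def is_deterministic(encrypt, pub, msg=b"same message to every recipient"):
    return encrypt(pub, msg) == encrypt(pub, msg)  # equal: leaks message equality
```

`is_deterministic` is the check worth running against any encryption routine you are handed: if the same plaintext gives the same ciphertext twice, the scheme leaks message equality regardless of the exponent.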

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com