crypto for the average programmer

Whyte, William WWhyte at ntru.com
Mon Dec 12 10:47:44 EST 2005 

> In Peter Gutmann's godzilla cryptography tutorial, he has some really
> good (though terse) advice on subtle gotchas in using DH/RSA/Elgamal. 
> I learned a few no-nos, such as not sending the same message to 3
> seperate users in RSA (if using 3 as an encryption exponent).

> My question is, what is the layperson supposed to do, if they must use
> crypto and can't use an off-the-shelf product? 

Check the standards.

The RSA PKCS#1 standard, which are free, describe 
how to do RSA securely and summarize known security results. 
http://www.rsasecurity.com/rsalabs/node.asp?id=2124. Don't use
PKCS#3-style Diffie Hellman; it's been superseded by the 
versions in ASC X9.42 and IEEE Std 1363-2000.

The Standards for Efficient Cryptography Group (www.secg.org)
publishes SEC1, which describes how to do Elliptic curve algorithms
securely. The standard is free to download, but note that some 
techniques in it have licensing requirements.

NIST, in its series of FIPS standards and Special Publications, has defined 
federal standards for digital signatures and modes of operation for symmetric 
ciphers, and is moving towards standardizing key exchange mechanisms based
on public key algorithms. Those standards are also free, though they
sometimes reference non-free standards.

Other standards groups, such as the IEEE P1363 Working Group (which I chair
-- http://grouper.ieee.org/groups/1363/) and the ASC X9F1 working group 
for cryptographic techniques for the financial services industry, publish 
(for purchase) standards for secure use of other public-key algorithms. 
1363 is currently working on 
- Lattice-based cryptography, such as NTRU (who I work for)
- Password-based public key techniques such as SPEKE, SRP, etc
- A revision of the 1363-2000 standard.
A lot of the documents relevant to these projects are available for
free off the site. X9 is working on a wider range of projects, but
your company has to be an X9 member for you to access them.

> Is there any site
> tracking such gotchas as they show up in the literature?

Rather than tracking gotchas minute-by-minute it's probably best
to use existing standards.

Cheers,

William

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list