Crypto Craft Knowledge
James Hughes
hughejp at mac.com
Tue Feb 17 10:27:27 EST 2009
On Feb 14, 2009, at 12:54 PM, David Molnar wrote:
> Ben Laurie wrote:
>
> [snip discussion of bad crypto implementation practices]
>> Because he is steeped in the craft knowledge around crypto. But most
>> developers aren't. Most developers don't even have the right mindset
>> for secure coding, let alone correct cryptographic coding. So, why on
>> Earth do we expect them to follow our unwritten rules, many of which
>> are far from obvious even if you understand the crypto?
>
> Yes, there's a need for a "crypto practices FAQ" to which one can refer.
> In addition to individual education, it'd be helpful to have something
> when pointing out common mistakes.
[snip specific discussion]
I find this conversation off the point. Consider other trades like
woodworking. There is no FAQ that can be created that would be
applicable to building a picture frame, dining room table or a covered
bridge. A FAQ for creating a picture frame would be possible, but this
is not the FAQ that is being discussed.
Crypto protocol failures are not trivial. The recent CBC attack on SSH
shows that this is the case.
http://secunia.com/Advisories/32760/
What FAQ would prescribe how not to make this mistake?
There are PhD programs related to this subject. I would argue (and
actually dovetailing with another thread) that, if one creates a FAQ,
that it point to well-vetted implementations of information delivery
protocols like SSL and SSH, and that any FAQ regarding the use of
crypto libraries be that this is dangerous and should only be
attempted with proper oversight and/or training.
Crypto protocols are not trivial, and suggesting a FAQ would be able
to take the uninitiated to secure coding is more dangerous than good.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com