Crypto Craft Knowledge

James Hughes hughejp at mac.com
Tue Feb 17 10:27:27 EST 2009


On Feb 14, 2009, at 12:54 PM, David Molnar wrote:

> Ben Laurie wrote:
>
> [snip discussion of bad crypto implementation practices]
>> Because he is steeped in the craft
>> knowledge around crypto. But most developers aren't. Most developers
>> don't even have the right mindset for secure coding, let alone  
>> correct
>> cryptographic coding. So, why on Earth do we expect them to follow  
>> our
>> unwritten rules, many of which are far from obvious even if you
>> understand the crypto?
>
> Yes, there's a need for a "crypto practices FAQ" to which one can  
> refer.
> In addition to individual education, it'd be helpful to have something
> when pointing out common mistakes.
[snip specific discussion]

I find this conversation off the point. Consider other trades like  
woodworking. There is no FAQ that can be created that would be  
applicable to building a picture frame, dining room table or a covered  
bridge. A FAQ for creating a picture frame would be possible, but this  
is not the FAQ that is being discussed.

Crypto protocol failures are not trivial. The recent CBC attack on SSH  
shows that this is the case.
	http://secunia.com/Advisories/32760/
What FAQ would prescribe how not to make this mistake?

There are PhD programs related to this subject. I would argue (and  
actually dovetailing with another thread) that, if one creates a FAQ,  
that it point to well vetted implementations of information delivery  
protocols like SSL and SSH, and that any FAQ regarding the use of  
crypto libraries be that this is dangerous and should only be  
attempted with proper oversight and/or training.

Crypto protocols are not trivial, and suggesting a FAQ would be able  
to take the uninitiated to secure coding is more dangerous than good.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list