[Cryptography] RSA is dead.
Bill Cox
waywardgeek at gmail.com
Sun Dec 22 16:59:43 EST 2013
Nonsense. Most other equally capable developers should be able to discover
a backdoor with far less effort to hide it. Reading other people's code is
a skill that some people never acquire, but it's generally easier to
understand someone else's code entirely than to have created it from
scratch.
If the code is so obscure that this is not the case, that code should not
be used in crypto. I'll just point out that gtksu falls exactly into this
category, yet we continue to use it... it really deserves to be retired.
Open source is *very* helpful, but if the people with the decision power
over what to include are far more ignorant than the coders... well then
just forget security.
On Sun, Dec 22, 2013 at 4:38 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz>wrote:
> Ralf Senderek <crypto at senderek.ie> writes:
>
> >Isn't the most obvious conclusion that no crypto tool can be secure if it
> is
> >not open source?
>
> That won't help things much: Any sufficiently capable developer of crypto
> software should be competent enought to backdoor their own source code in
> such
> a way that it can't be detected by an audit. If you're capable of dealing
> with exotic side-channel and timing attacks, countering weird obscure
> mathemtatical properties of cryptosystems to avoid leaking keys, and all
> manner of other tricks, then you had better be capable of backdooring your
> code as well.
>
> Availability of source code is not soy sauce for security.
>
> Peter.
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131222/db800048/attachment.html>
More information about the cryptography
mailing list