[Cryptography] Looking for feedback on new Java crypto library

Bill Stewart bill.stewart at pobox.com
Tue Nov 12 23:03:53 EST 2013


At 09:11 AM 11/12/2013, James Yonan wrote:
>On 11/11/2013 16:14, Jerry Leichter wrote:
>>4.  There are multiple constant salts used in the algorithm.  They
>>are documented as having come from /dev/urandom.  But of course
>>there's absolutely no way for anyone to know where they came from.
>>While I doubt these values would provide any kind of back door, the
>>right way to pick such constants is to avoid any *possibility* that
>>they are "cooked" somehow - e.g., use values from pi *starting at the
>>first position*.
>
>But doesn't that lead to a salt monoculture?

If you don't like the salt monoculture from always using pi at the beginning,
you can pick e, or sqrt(2), or other popularly irrational numbers.
You could even get fancy and pick pi-offset-by-"your-version-number"-digits,
which is probably also obviously not cooked.
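
Added example, not part of the original message or of the library under discussion: one way to derive salt constants that a reviewer can regenerate independently, taking bytes from the fractional hexadecimal digits of pi, e, or sqrt(2), optionally skipping a number of leading digits such as a version number. The function names, the use of hex rather than decimal digits for the offset, and the choice of Machin's formula are assumptions made for this illustration.

```python
"""Derive 'nothing up my sleeve' salt bytes from the hex digits of a constant."""
from math import isqrt

GUARD_BITS = 64  # extra precision so truncation error never reaches the output

def _arccot(x, unity):
    """Approximate arctan(1/x) * unity with the alternating Taylor series."""
    total = term = unity // x
    n, sign = 3, -1
    while term:
        term //= x * x
        total += sign * (term // n)
        n, sign = n + 2, -sign
    return total

def _pi(unity):
    # Machin's formula: pi = 16*arctan(1/5) - 4*arctan(1/239)
    return 16 * _arccot(5, unity) - 4 * _arccot(239, unity)

def _e(unity):
    # e = sum over k >= 0 of 1/k!
    total, term, k = 0, unity, 0
    while term:
        total += term
        k += 1
        term //= k
    return total

def _sqrt2(unity):
    # floor(sqrt(2) * unity), exact by integer square root
    return isqrt(2 * unity * unity)

CONSTANTS = {"pi": _pi, "e": _e, "sqrt2": _sqrt2}

def derive_salt(length, constant="pi", offset=0):
    """Return `length` bytes from the fractional hex digits of `constant`,
    skipping the first `offset` hex digits (0 means the first position)."""
    digits = offset + 2 * length
    unity = 1 << (4 * digits + GUARD_BITS)
    scaled = CONSTANTS[constant](unity)
    # Drop the integer part, then the guard bits, leaving `digits` hex digits.
    frac = (scaled % unity) >> GUARD_BITS
    hexdigits = format(frac, "0{}x".format(digits))
    return bytes.fromhex(hexdigits[offset:])

if __name__ == "__main__":
    for name in CONSTANTS:
        print(name, derive_salt(16, name).hex())
    print("pi, offset 3:", derive_salt(16, "pi", offset=3).hex())
```

The values at offset 0 can be cross-checked against published constants: the pi output matches the start of the Blowfish P-array and the sqrt(2) output matches the first SHA-512 initial hash word.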



