In Peter Gutmann's godzilla cryptography tutorial, he has some really good (though terse) advice on subtle gotchas in using DH/RSA/Elgamal. I learned a few no-nos, such as not sending the same message to 3 separate users in RSA (if using 3 as an encryption exponent).
My question is, what is the layperson supposed to do, if they must use crypto and can't use an off-the-shelf product? Is there any site tracking such gotchas as they show up in the literature? Are there APIs written specifically so that a crypto-naive programmer can safely use them?

This reminds me a bit of Schneier's advice in Practical Cryptography to use a crypto hash on every user-supplied input to a crypto algorithm; doing so makes it very difficult for them to control the input in a way that breaks the system. But plain SHA-1 is not enough for him; he has a few constructions that prevent length-extension attacks, and I presume it should include some random padding as well.

Additionally, I was thinking of providing some compression and crypto libraries that return their output in two parts; one the predictable portion, the other unpredictable. One thing I've noticed is that many libraries and programs don't distinguish between the two, and so you risk giving the attacker known plaintext when post-processing them (and you don't know exactly how much unless you dive into file format specifics). Would it be useful enough to merit the effort?

-- 
http://www.lightconsulting.com/~travis/ -><- P=NP if (P=0 or N=1)
"My love for mathematics is unto 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
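As an added illustration of the predictable/unpredictable split proposed in the post (example code, not from the post's author or any library he mentions), the following takes zlib as the compression library and separates its output into the header fixed by the settings, the input-dependent body, and the Adler-32 trailer; the function and variable names are the example's own.

```python
import zlib
from typing import Tuple

# RFC 1950 zlib framing: byte 0 is CMF (method/window), byte 1 is FLG
# (check bits, preset-dictionary flag, compression level). Both depend
# only on the compressor settings, so anyone who knows the data was
# zlib-compressed knows the first two plaintext bytes before encryption.
HEADER_LEN = 2
TRAILER_LEN = 4  # big-endian Adler-32 of the *uncompressed* input


def split_zlib_output(data: bytes,
                      level: int = zlib.Z_DEFAULT_COMPRESSION) -> Tuple[bytes, bytes, bytes]:
    """Compress `data` and return (predictable_header, variable_body, trailer).

    The header is fully determined by `level`; the body depends on the input;
    the trailer is a checksum of the input and is only as unpredictable as
    the input itself (it is guessable whenever the plaintext is).
    """
    blob = zlib.compress(data, level)
    return blob[:HEADER_LEN], blob[HEADER_LEN:-TRAILER_LEN], blob[-TRAILER_LEN:]


def predictable_prefix_len(level: int = zlib.Z_DEFAULT_COMPRESSION) -> int:
    """Bytes an attacker can predict without seeing the input.

    Measured empirically: compress two unrelated constructed inputs and count
    the bytes they share at the start. This is at least the 2-byte header;
    the first DEFLATE block byte may also match, since it carries the
    BFINAL/BTYPE bits and only five bits of the first literal's Huffman code.
    """
    a = zlib.compress(b"AAAA first constructed sample", level)
    b = zlib.compress(b"zzzz completely different text \x00\xff", level)
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n


def reassemble(header: bytes, body: bytes, trailer: bytes) -> bytes:
    """Inverse of split_zlib_output: rejoin the parts and decompress."""
    return zlib.decompress(header + body + trailer)
```

A library following the post's idea would hand the caller `header` separately so the encryption layer can treat it as known plaintext (or drop it entirely and re-add it on decompression).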