"Travis H." <[EMAIL PROTECTED]> writes:

>In Peter Gutmann's godzilla cryptography tutorial, he has some really good
>(though terse) advice on subtle gotchas in using DH/RSA/Elgamal. I learned a
>few no-nos, such as not sending the same message to 3 separate users in RSA
>(if using 3 as an encryption exponent).
I should point out that what's in the tutorial isn't an exhaustive list of
potential pitfalls, it simply contains examples of some of the
easiest-to-explain ones. The reason for adding that section was that I've
seen a number of cases of people using raw PKC ops (e.g. raw, unpadded RSA)
because their boss told them "Use RSA encryption" and their crypto toolkit
provides an rsaEncrypt() function, the result being that they encrypt a 10MB
file with RSA in ECB mode. Java is the main offender here, they make it
pretty trivial to do this even though it makes no sense, so people who are
told to "encrypt this with RSA" end up using the RSA-ECB that their tools
give them.

>My question is, what is the layperson supposed to do, if they must use crypto
>and can't use an off-the-shelf product? Is there any site tracking such
>gotchas as they show up in the literature?

I don't know if there's any site tracking this, but (as the tutorial says)
you can either go with PKCS #1 (the de facto standard, easy to implement and
widely used) or if you want to put in the effort of tracking things through
the literature to see which one is currently in fashion, take your pick of
OAEP, RSA-PSS, Simple RSA, and so on ad nauseam. The P1363 work tracks
progress in this area pretty closely, although you'll need some sort of
P1363-to-English phrasebook to figure out what they're saying.

>Are there APIs written specifically so that a crypto-naive programmer can
>safely use them?

Uhh, do you want a non-off-the-shelf product or an off-the-shelf product? If
off-the-shelf is OK, grab any crypto toolkit that handles this for you and
use that, you know that if it's used in any standard protocol and
interoperates with a pile of other software then there's a good chance
they've got it right.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]