On Sat, Mar 09, 2013 at 08:19:26PM +0000, Matthew Toseland wrote:
> On Saturday 09 Mar 2013 15:43:11 Ian Clarke wrote:
> > We've been running into an IllegalKeySizeException with Tahrir, which
> > requires that anyone outside the US download the Java Cryptography
> > Extension - obviously this is unacceptable from a usability perspective.
> >
> > How does Freenet address this problem?
>
> I assume you are trying to use 256-bit AES?
>
> Options:
>
> 1. Just use 128-bit crypto. This is 30%-40% faster than 256-bit, and should
> still provide adequate security, according to nextgens.
>
> 2. Use 256-bit crypto via the Bouncycastle lightweight API. This is not
> subject to keylength restrictions. Obviously you'll need to ship the jar.
> http://www.bouncycastle.org/documentation.html
>
> 3. Provide your own crypto libraries. src/freenet/crypt/ciphers/Rijndael*.java
>
> Complications:
>
> First, be careful with the key size of the various components, the limiting
> factor is usually not the symmetric crypto, see e.g.
> http://www.keylength.com/en/3/
>
> Second, use AES, i.e. 128-bit block size. 256-bit block size is used in
> Freenet at the moment and this complicates matters considerably; until
> Eleriseth's recent changes it was dramatically slower than using the standard
> 128-bit block size.
Hi Ian,
Let me translate: two choices:
- Use 128-bit crypto (no export restriction, faster and ok unless you
assume that the attacker has access to a quantum computer way more powerful
than anything publicly known)
- Don't use JCA
https://github.com/sanity/tahrir/blob/master/src/main/java/tahrir/io/crypto/TrSymKey.java
https://github.com/sanity/tahrir/blob/master/src/main/java/tahrir/io/crypto/TrCrypto.java
Glancing at Tahrir's crypto, you have much bigger problems than the key-size
choice...
1) "RSA/None/NoPadding" is never okay. Padding is critical to RSA's security.
You want OAEPSomething.
(http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/)
2) Unauthenticated encryption is a bad idea... You really shouldn't use AES/CBC
without integrity verification
(http://meri-stuff.blogspot.com/2012/04/secure-encryption-in-java.html). If I
were you I'd go for authenticated encryption AES/CTR/CCM or something like
that.
Really, if you want to keep it simple, use a higher level encryption library
(Keyczar, cryptlib, NaCl, the bouncycastle's high-level stuff, apache shiro,
...).
Regards,
Florent
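The three points raised in this thread (pick a key size the installed JCE policy actually allows instead of crashing with IllegalKeySizeException, never use raw "RSA/None/NoPadding", and never use AES/CBC without integrity protection) can all be shown with the standard JCA. The following is an added example written for this reply; it is not Tahrir's or Freenet's code. It assumes a Java 7 or later runtime where "AES/GCM/NoPadding" and "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" are provided by SunJCE (CCM, which Florent mentions, is not in SunJCE and would need the Bouncy Castle provider). `Cipher.getMaxAllowedKeyLength` is the JCA call that reports the policy limit; the class and method names below are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.crypto.spec.SecretKeySpec;

public class HybridCryptoExample {

    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, the GCM recommended size
    private static final int GCM_TAG_BITS = 128;  // full-length authentication tag

    // Option 1 from the thread, done at runtime: use AES-256 only if the installed
    // JCE policy permits it, otherwise fall back to AES-128 rather than throwing
    // IllegalKeySizeException on machines without the unlimited-strength policy.
    static int chooseAesKeyBits() throws GeneralSecurityException {
        int max = Cipher.getMaxAllowedKeyLength("AES"); // Integer.MAX_VALUE when unrestricted
        return max >= 256 ? 256 : 128;
    }

    // OAEP parameters spelled out explicitly (SHA-256 for both the hash and MGF1),
    // because some providers default MGF1 to SHA-1 even for the SHA-256 transformation.
    private static OAEPParameterSpec oaepParams() {
        return new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256,
                PSource.PSpecified.DEFAULT);
    }

    // Point 1: wrap the symmetric key under RSA with OAEP padding, never "RSA/None/NoPadding".
    static byte[] wrapAesKey(SecretKey aesKey, KeyPair rsa) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, rsa.getPublic(), oaepParams());
        return c.doFinal(aesKey.getEncoded());
    }

    static SecretKey unwrapAesKey(byte[] wrapped, KeyPair rsa) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, rsa.getPrivate(), oaepParams());
        return new SecretKeySpec(c.doFinal(wrapped), "AES");
    }

    // Point 2: authenticated encryption. AES-GCM produces ciphertext plus a tag, so
    // any modification of IV, ciphertext or associated data is detected on decrypt.
    // Output layout: IV || ciphertext || tag.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext, byte[] aad, SecureRandom rng)
            throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        rng.nextBytes(iv);                       // fresh random nonce per message, never reused per key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(aad);                        // authenticated but not encrypted (e.g. a header)
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, GCM_IV_BYTES + ct.length);
        System.arraycopy(ct, 0, out, GCM_IV_BYTES, ct.length);
        return out;
    }

    static byte[] decryptGcm(SecretKey key, byte[] blob, byte[] aad) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
                new GCMParameterSpec(GCM_TAG_BITS, Arrays.copyOfRange(blob, 0, GCM_IV_BYTES)));
        c.updateAAD(aad);
        // doFinal throws AEADBadTagException if the tag does not verify; nothing is returned.
        return c.doFinal(Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length));
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, rng);               // RSA-2048 is the limiting factor, not the AES size
        KeyPair rsa = kpg.generateKeyPair();

        int bits = chooseAesKeyBits();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(bits, rng);
        SecretKey aesKey = kg.generateKey();
        System.out.println("Using AES-" + bits);

        SecretKey recovered = unwrapAesKey(wrapAesKey(aesKey, rsa), rsa);
        byte[] aad = "tahrir-msg-v1".getBytes(StandardCharsets.UTF_8); // constructed sample header
        byte[] msg = "hello from the example".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] blob = encryptGcm(aesKey, msg, aad, rng);
        System.out.println("round trip ok: " + Arrays.equals(msg, decryptGcm(recovered, blob, aad)));

        // Flip one ciphertext byte: with CBC this would silently decrypt to garbage,
        // with GCM the tag check rejects the whole message.
        byte[] tampered = blob.clone();
        tampered[GCM_IV_BYTES] ^= 0x01;
        try {
            decryptGcm(recovered, tampered, aad);
            System.out.println("tamper NOT detected (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected: " + e.getClass().getSimpleName());
        }
    }
}
```

Run it with `javac HybridCryptoExample.java && java HybridCryptoExample`; on a JVM without the unlimited-strength policy it prints `Using AES-128` instead of failing, and the final line shows the tampered message being rejected. A plain "RSA/None/NoPadding" transformation or "AES/CBC/PKCS5Padding" without a MAC would give no such rejection, which is the point of Florent's items 1 and 2.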
_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl