Yes, adding padding to RSA is on our todo list. Perhaps we will just use 128 bit AES. If either of you feel like submitting a patch to address these issues it would be appreciated.
Ian.

On Sun, Mar 10, 2013 at 4:58 AM, Florent Daigniere <[email protected]> wrote:

> On Sat, Mar 09, 2013 at 08:19:26PM +0000, Matthew Toseland wrote:
> > On Saturday 09 Mar 2013 15:43:11 Ian Clarke wrote:
> > > We've been running into an IllegalKeySizeException with Tahrir, which
> > > requires that anyone outside the US download the Java Cryptography
> > > Extension - obviously this is unacceptable from a usability perspective.
> > >
> > > How does Freenet address this problem?
> >
> > I assume you are trying to use 256-bit AES?
> >
> > Options:
> >
> > 1. Just use 128-bit crypto. This is 30%-40% faster than 256-bit, and
> > should still provide adequate security, according to nextgens.
> >
> > 2. Use 256-bit crypto via the Bouncycastle lightweight API. This is not
> > subject to keylength restrictions. Obviously you'll need to ship the jar.
> > http://www.bouncycastle.org/documentation.html
> >
> > 3. Provide your own crypto libraries.
> > src/freenet/crypt/ciphers/Rijndael*.java
> >
> > Complications:
> >
> > First, be careful with the key size of the various components, the
> > limiting factor is usually not the symmetric crypto, see e.g.
> > http://www.keylength.com/en/3/
> >
> > Second, use AES, i.e. 128-bit block size. 256-bit block size is used in
> > Freenet at the moment and this complicates matters considerably; until
> > Eleriseth's recent changes it was dramatically slower than using the
> > standard 128-bit block size.
>
> Hi Ian,
>
> Let me translate: two choices:
> - Use 128bit crypto (no export restriction, faster and ok unless
>   you assume that the attacker has access to a quantum computer way more
>   powerful than anything publicly known)
> - Don't use JCA
>
> https://github.com/sanity/tahrir/blob/master/src/main/java/tahrir/io/crypto/TrSymKey.java
> https://github.com/sanity/tahrir/blob/master/src/main/java/tahrir/io/crypto/TrCrypto.java
>
> Glancing at Tahrir's crypto, you have much bigger problems than the
> key-size choice...
>
> 1) "RSA/None/NoPadding" is never okay. Padding is critical to RSA's
> security. You want OAEPSomething.
> (http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/)
>
> 2) Unauthenticated encryption is a bad idea... You really shouldn't use
> AES/CBC without integrity verification
> (http://meri-stuff.blogspot.com/2012/04/secure-encryption-in-java.html).
> If I were you I'd go for authenticated encryption AES/CTR/CCM or something
> like that.
>
> Really, if you want to keep it simple, use a higher level encryption
> library (Keyczar, cryptlib, NaCL, the bouncycastle's high-level stuff,
> apache shiro, ...).
>
> Regards,
> Florent
> _______________________________________________
> Devl mailing list
> [email protected]
> https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl

--
Ian Clarke
Personal blog: http://blog.locut.us/
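The two fixes listed in the thread (padded RSA, authenticated symmetric encryption) combined with the 128-bit AES option, as an added example; it is not code from Tahrir or Freenet. It assumes Java 8 or later and substitutes AES-GCM from the standard JCA for the CCM mode mentioned above; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// Added example (hypothetical names): RSA-OAEP key wrapping plus AES-128-GCM for the payload.
public class HybridCryptoExample {
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"; // replaces "RSA/None/NoPadding"
    static final String AES = "AES/GCM/NoPadding";                     // replaces unauthenticated AES/CBC

    // Returns { wrapped AES key, nonce, ciphertext with appended tag }.
    static byte[][] seal(PublicKey pub, byte[] plaintext) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);                         // 128-bit AES, as suggested in the thread
        SecretKey key = kg.generateKey();     // fresh key for every message
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = aes.doFinal(plaintext);
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.WRAP_MODE, pub);
        return new byte[][] { rsa.wrap(key), nonce, ct };
    }

    static byte[] open(PrivateKey priv, byte[][] msg) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.UNWRAP_MODE, priv);
        SecretKey key = (SecretKey) rsa.unwrap(msg[0], "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, msg[1]));
        return aes.doFinal(msg[2]);           // throws AEADBadTagException if the data was modified
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[][] msg = seal(kp.getPublic(), "constructed sample message".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(open(kp.getPrivate(), msg), StandardCharsets.UTF_8));
        msg[2][0] ^= 1;                       // simulate modification in transit
        try {
            open(kp.getPrivate(), msg);
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected, message rejected");
        }
    }
}
```

With AES/CBC and no integrity check, the modified ciphertext in `main` would decrypt to altered plaintext instead of being rejected.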
