Keyczar

[Ben Laurie]

http://www.links.org/?p=374

When I joined Google over two years ago I was asked to find a small 
project to get used to the way development is done there. The project I 
chose was one that some colleagues had been thinking about, a key 
management library. I soon realised that unless the library also handled 
the crypto it was punting on the hard problem, so I extended it to do 
crypto and to handle key rotation and algorithm changes transparently to 
the user of the library.


About nine months later I handed over my starter project to Steve 
Weis, who has worked on it ever since. For a long time we've talked 
about releasing an open source version, and I'm pleased to say that 
Steve and intern Arkajit Dey did just that, earlier this week: Keyczar[1].


Keyczar is an open source cryptographic toolkit designed to make 
it easier and safer for developers to use cryptography in their 
applications. Keyczar supports authentication and encryption with both 
symmetric and asymmetric keys. Some features of Keyczar include:


* A simple API
* Key rotation and versioning
* Safe default algorithms, modes, and key lengths
* Automated generation of initialization vectors and ciphertext 
signatures


When we say simple, by the way, the code for loading a keyset and 
encrypting some plaintext is just two lines. Likewise for decryption. 
And the user doesn't need to know anything about algorithms or modes.


Great work, guys! I look forward to the real version (C++, of course!).

[1] http://www.keyczar.org/

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Security by restraining order

[Matt Blaze]

The EFF yesterday filed a letter from a number of academic security  
researchers
urging the judge in the MIT Charlie Card case to reverse the  
restraining

order.  It can be found on the EFF's case page, at
   http://www.eff.org/cases/mbta-v-anderson/

As a security researcher (and one of the signers of the letter to the  
judge), I was
particularly struck by the ironic -- and very unfortunate -- message  
that the court
order sends to our community:  it's safer to irresponsibly blindside  
users and vendors
by publishing about vulnerabilities without warning them first (thus  
denying them

the opportunity to seek a pre-publication gag order).

Surely that's not what that the court or the MBTA seek to encourage  
here.


I blog a bit more about this at
  http://www.crypto.com/blog/security_through_restraining_orders/

-matt





On Aug 13, 2008, at 3:58, David Farber wrote:


clipped from Steve Bellovin blog --
The MBTA versus (Student) Security Researchers
12 August 2008

As I'm sure many of you have heard, the MBTA (Massachusetts Bay  
Transportation Authority) has a very insecure fare payment system.  
Some students at MIT, working under the supervision of Ron Rivest —  
yes, that Ron Rivest, the R in RSA — found many flaws and planned  
a presentation at DEFCON on it. The MBTA sought and received an  
injunction barring the presentation, but not only were the slides  
already distributed, the MBTA's court filing included a confidential  
report prepared by the students with more details than were in the  
talk...


The Electronic Frontier Foundation is appealing the judge's order,  
and rightly so. Not only is this sort of prior restraint blatantly  
unconstitutional, it's bad public policy: we need this sort of  
security research to help us build better systems. I and a number of  
other computer scientists have signed a letter supporting the  
appeal. You can find the complete EFF web page on the case here.


djf --- Here's the letter:

http://www.eff.org/files/filenode/MBTA_v_Anderson/letter081208.pdf

The rest of the case files are here:
http://www.eff.org/cases/mbta-v-anderson


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]