On Wed, Aug 25, 2004 at 03:17:15PM +0100, Ben Laurie wrote:
> lrk wrote:
>
> >My examination of RSAREF and OpenSSL code was more toward understanding how
> >they handled big numbers. It appears both generate prime numbers which are
> >half the length of the required N and with both of the two most
Hello,
I've had a look at the code; the main problems I see are side-channel
attacks. The implementation is pretty standard, strong primes, proper
fields, etc.; however, no salt!
Key generation, or more so the process of key generation, should be
unique every time regardless of how unique the parameter
lrk wrote:
On Thu, Aug 12, 2004 at 03:27:07PM -0700, Jon Callas wrote:
On 10 Aug 2004, at 5:16 AM, John Kelsey wrote:
So, how many people on this list have actually looked at the PGP key
generation code in any depth? Open source makes it possible for
people to look for security holes, but it su
On Thu, Aug 12, 2004 at 03:27:07PM -0700, Jon Callas wrote:
> On 10 Aug 2004, at 5:16 AM, John Kelsey wrote:
>
> >So, how many people on this list have actually looked at the PGP key
> >generation code in any depth? Open source makes it possible for
> >people to look for security holes, but it
On 10 Aug 2004, at 5:16 AM, John Kelsey wrote:
So, how many people on this list have actually looked at the PGP key
generation code in any depth? Open source makes it possible for
people to look for security holes, but it sure doesn't guarantee that
anyone will do so, especially anyone who's at
> From: lrk <[EMAIL PROTECTED]>
> Sent: Aug 6, 2004 1:04 PM
> To: "R. A. Hettinga" <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Cryptography and the Open Source Security Debate
...
> More dangerous is a key generator which deliberately pro
>
> Contributed by: Daniel R. Miessler
> :: Open Content
>
> If you follow technology trends, you're probably aware of the two schools
> of thought with regard to security and/or cryptography. Do cryptography
> and security solutions become more secure as the number of eyes poring
> over its
There doesn't appear to be a discussion forum related to the Web post, so
I'll reply here.
We've gone through a similar thought process at my company. We have a
commercial security product (MatrixSSL), but provide an open source version
for many of the good points Daniel makes. There are a few a