DES Plugin Secure?


DES Plugin Secure?

Ron Teitelbaum

Chris,

I just tried to use your SecureRandom for my SSL implementation and found out I needed the DESPlugin.  I found it and everything worked fine, but I was reminded by your previous comment about there being a potential security issue for the communication between Smalltalk and the external black box (in this case the dll).  I also noticed the comments about how slow the processing would be if the code was implemented in Smalltalk.

So two questions,

1) Do you feel the same way about the DESPlugin being insecure?

2) Do you believe that a native implementation would be too slow?


Ron Teitelbaum


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

Re: DES Plugin Secure?

Chris Muller
Hi Ron,

I believe the plugin is only needed to seed a SecureRandom, otherwise
you can seed it yourself with SecureRandom class>>#key:.

> 1)       Do you feel the same way about the DESPlugin being insecure?

What do you mean by "insecure"?  The black-box comment was more
something regurgitated from Ferguson and Schneier's book; (going from
memory here, check your copy) that there is no really secure operating
system so, you have to be careful as your required infrastructure
spreads out of Squeak and into the bowels of the OS.  In the case of
DESPlugin I doubt it's much of a problem, but I honestly don't know..

> 2)       Do you believe that a native implementation would be too
> slow?

Too slow for what?  It looks like TripleDES is used just to seed the
SecureRandom so it depends on how often you need to re-seed it..

 - Chris

PS - I don't know that I would call it "my" SecureRandom, I just
improved the APIs to allow for other PRNG algorithms.  I'll be using
the Fortuna PRNG for my stuff..



RE: DES Plugin Secure?

Ron Teitelbaum
> From: Chris Muller
> Sent: Monday, July 17, 2006 10:56 AM
> Hi Ron,
>
> I believe the plugin is only needed to seed a SecureRandom, otherwise
> you can seed it yourself with SecureRandom class>>#key:.
>
Thanks.  I missed that.

>
> Too slow for what?  

Triple DES is one of the cipherSuites in SSL.

Ron


