I know we've talked about our package structure before but..

As I work through this book, I have some fixes and additions to our Cryptography packages. Here is a list of things I plan to post in the coming days:

- addition of entropic sources for seed material
- addition of the CTR (counter) cipher mode
- addition of the "Fortuna" random generator
- fix for seriously broken MillerRabin algorithm preventing generation of proper-sized asymmetric keys (i.e., for Diffie-Hellman / ElGamal and maybe RSA too).

For the first one "entropic sources for seed material". It individually hashes unpredictable strings from the user's environment such as:

- current directory
- Time millisecondClockValue
- World imageForm bits compressToByteArray
- SmalltalkImage current vmStatisticsReportString
- Sensor mousePoint
- etc., etc.

and then finally SHA256 hashes the concatenation of all of those hashes. Slow, but totally unpredictable.

I've started by implementing SecureRandom class>>#entropicSourcesDo: which is used by SecureRandom class>>#randomSeed. But SecureRandom is in the "CryptographyBase" package, so I can't use SHA1 and SHA256.

It seems to me that many crypto primitives are built from other ones. Wouldn't it be easier to have everything back in one package? What are we trying to accomplish here by having them all in separate packages?

How should I proceed?

Thanks,
Chris

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
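The seed construction described in the message above, as an added Python sketch that is not part of the original post or of the Squeak Cryptography packages: each source is hashed on its own, then the digests are hashed together. The Python sources stand in for the Squeak ones, and `naive_seed`, `reachable_seeds` and `seed_with_os_entropy` are hypothetical helpers added for comparison.

```python
import hashlib
import os
import time


def environment_sources():
    """Constructed stand-ins for the Squeak sources named in the post."""
    return [
        os.getcwd().encode(),            # current directory
        str(time.time_ns()).encode(),    # clock value
        repr(os.times()).encode(),       # process statistics
        str(os.getpid()).encode(),       # another per-process value
    ]


def seed_from_sources(sources):
    """SHA-256 each source on its own, then SHA-256 the joined digests."""
    digests = [hashlib.sha256(s).digest() for s in sources]
    return hashlib.sha256(b"".join(digests)).digest()


def naive_seed(sources):
    """For comparison: hash the raw concatenation, losing source boundaries."""
    return hashlib.sha256(b"".join(sources)).digest()


def reachable_seeds(fixed_sources, varying_values):
    """Count distinct seeds when only one source varies over known values."""
    return len({seed_from_sources(fixed_sources + [v]) for v in varying_values})


def seed_with_os_entropy(sources):
    """Same construction with the OS CSPRNG added as one more source (assumption)."""
    return seed_from_sources(list(sources) + [os.urandom(32)])


if __name__ == "__main__":
    print(seed_from_sources(environment_sources()).hex())
    # Fixed-length digests keep source boundaries unambiguous.
    print(naive_seed([b"ab", b"c"]) == naive_seed([b"a", b"bc"]))
    print(seed_from_sources([b"ab", b"c"]) == seed_from_sources([b"a", b"bc"]))
    # A directory plus a millisecond clock within one second: 1000 seeds.
    clock = [str(ms).encode() for ms in range(1000)]
    print(reachable_seeds([b"/home/user"], clock))
```

The seed is a deterministic function of its inputs, so it is only as hard to guess as the sources are jointly; hashing changes their form, not their entropy.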
Chris,
The reason for the separate packages is to make it easier for people to find and load what they need. If I only need a cipher then I shouldn't have to load all the packages.

If I understand correctly SecureRandom relies on external packages, so either the external packages become part of base, or SecureRandom needs to come out of base, and should have SHA1 and SHA256 as a prerequisite. (I'm not sure how to define prerequisites in MC maybe Cees or someone can help there).

I would vote for pulling SecureRandom out of base.

I believe there are benefits to having multiple packages. I wouldn't want to see that removed, if anything having separate packages, having to stop and decipher what the package names mean, as a first place to start understanding cryptography is useful in itself.

What does everyone else think?

Ron Teitelbaum

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of
> Chris Muller
> Sent: Monday, February 13, 2006 4:10 PM
> To: [hidden email]
> Subject: [Cryptography Team] package structure
>
> I know we've talked about our package structure before
> but..
>
> As I work through this book, I have some fixes and
> additions to our Cryptography packages. Here is a list
> of things I plan to post in the coming days:
>
> - addition of entropic sources for seed material
> - addition of the CTR (counter) cipher mode
> - addition of the "Fortuna" random generator
> - fix for seriously broken MillerRabin algorithm
> preventing generation of proper-sized asymmetric keys
> (i.e., for Diffie-Hellman / ElGamal and maybe RSA
> too).
>
> For the first one "entropic sources for seed
> material". It individually hashes unpredictable
> strings from the user's environment such as:
>
> - current directory
> - Time millisecondClockValue
> - World imageForm bits compressToByteArray
> - SmalltalkImage current vmStatisticsReportString
> - Sensor mousePoint
> - etc., etc.
>
> and then finally SHA256 hashes the concatenation of
> all of those hashes. Slow, but totally unpredictable.
>
> I've started by implementing SecureRandom
> class>>#entropicSourcesDo: which is used by
> SecureRandom class>>#randomSeed. But SecureRandom is
> in the "CryptographyBase" package, so I can't use SHA1
> and SHA256.
>
> It seems to me that many crypto primitives are built
> from other ones. Wouldn't it be easier to have
> everything back in one package? What are we trying to
> accomplish here by having them all in separate
> packages?
>
> How should I proceed?
>
> Thanks,
> Chris
Hi Chris and all,
I think I agree with Ron, perhaps we should take SecureRandom (and RandomPool) out of the base.

About collecting randomness, do you think we need SecureRandom class>>#entropicSourcesDo:? Shouldn't we use a RandomPool?

Luciano

On 2/13/06, Chris Muller <[hidden email]> wrote:
> I know we've talked about our package structure before
> but..
>
> As I work through this book, I have some fixes and
> additions to our Cryptography packages. Here is a list
> of things I plan to post in the coming days:
>
> - addition of entropic sources for seed material
> - addition of the CTR (counter) cipher mode
> - addition of the "Fortuna" random generator
> - fix for seriously broken MillerRabin algorithm
> preventing generation of proper-sized asymmetric keys
> (i.e., for Diffie-Hellman / ElGamal and maybe RSA
> too).
>
> For the first one "entropic sources for seed
> material". It individually hashes unpredictable
> strings from the user's environment such as:
>
> - current directory
> - Time millisecondClockValue
> - World imageForm bits compressToByteArray
> - SmalltalkImage current vmStatisticsReportString
> - Sensor mousePoint
> - etc., etc.
>
> and then finally SHA256 hashes the concatenation of
> all of those hashes. Slow, but totally unpredictable.
>
> I've started by implementing SecureRandom
> class>>#entropicSourcesDo: which is used by
> SecureRandom class>>#randomSeed. But SecureRandom is
> in the "CryptographyBase" package, so I can't use SHA1
> and SHA256.
>
> It seems to me that many crypto primitives are built
> from other ones. Wouldn't it be easier to have
> everything back in one package? What are we trying to
> accomplish here by having them all in separate
> packages?
>
> How should I proceed?
>
> Thanks,
> Chris