LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

messing with crypto

messing with crypto

Posted Oct 2, 2009 15:24 UTC (Fri) by pflugstad (subscriber, #224)
In reply to: BruCON: Can we trust cryptography? by AndreE
Parent article: BruCON: Can we trust cryptography?

One only needs to look at the Debian random number generator fiasco to see the danger in messing with crypto code without a very thorough understanding of what's going on.

(Log in to post comments)

messing with crypto

Posted Oct 3, 2009 20:40 UTC (Sat) by gmaxwell (subscriber, #30048) [Link]

EhÂ… thats more an example of ignorantly modifying code to silence tool warnings, not really much of an example of the tricky implications of cryptography. At most you can say about the debian openssh example is that it shows that security is often an invisible property, but that isn't a crypto specific point... and you can argue that crypto should be left to the cryptonauts but security really must be every developers problem.

The mention of RC4 in WEP in the article makes a better example of the special challenges posed by cryptography, or perhaps the old watermarking attacks against pure CBC dmcrypt volumes prior to the introduction of ESSIV and LRW... the point that you can use the primitives correctly but still produce something insecure because of non-obvious (and sometimes highly mathematical) properties of the cryptographic components.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds