Hi, all...

I think it wise to go back to the OP's stated objective, to create "an
independent to libraries source code for demonstration purposes for
AES-CTR mode." The operative prepositional phrase here being "for
demonstration purposes."

Thus, whether it is wise to implement one's own crypto
library/engine/etc. in *production*, I see no particular reason why
learning from creating one as a demonstration or proof of concept (and
even providing such code here or elsewhere for critique) is such a bad
thing.

This list is replete with experienced practitioners. If this isn't a
good place to critique such a demonstration or proof of concept, perhaps
someone here knows of a better list (one perhaps not focused on using
OpenSSL in particular, say crypto.stackexchange.com - and that is not an
endorsement, merely an example).

On 05/11/2015 11:59 PM, Mike Mohr wrote:
> If you don't know about list comprehension in Python, you can simply
> construct a list in a loop to get the job done. The end result is the
> same no matter which approach you take.
>
> The same is not true for cryptography. While Sec_Aficionado is quite
> eloquent and makes several valid points, I think his overall argument
> does not hold water. I have audited the crypto implementations in a
> number of open-source projects over the years and found wide variance in
> their quality. In one instance a popular piece of software included a
> feature which claimed to encrypt its data using AES-256. It turned
> out that the code copied the user's password directly into the key
> buffer, either padding with null bytes or truncating depending on the
> length. The data was then encrypted using AES-256 in ECB mode. The
> software's primary purpose was not cryptography, and it provided
> innovative and creative features otherwise. This type of bug is
> insidious, since it doesn't really protect the data in any meaningful
> way and lulls its users into a false sense of security.
>
> I am not advocating that the realm of information security be forever
> relegated to a select few. That is also dangerous, as Sec_Aficionado
> correctly pointed out. However, the study of cryptography should
> never be undertaken without the guidance of an experienced
> practitioner. I had the extraordinary opportunity to study
> information security at university under the guidance of an ex-NSA
> analyst. I recognize that I am extremely lucky to have had this
> chance, and that this kind of education is only available to a select
> set of people worldwide. I also don't have a solution to the problem
> of training the next generation of cryptographers. However, having yet
> another potentially compromised AES implementation written by a novice
> programmer is not something that I want to encourage.
>
> On Mon, May 11, 2015 at 6:12 AM, Sec_Aficionado
> <secaficionado at gmail.com> wrote:
>
>     While implementing one's own security and/or cryptography is
>     certainly not advisable for a novice (or even advanced
>     programmers), creating cipher implementations from scratch is
>     probably one of the best ways to learn and understand the
>     intricacies of the problem at hand.
>
>     Learning about the pitfalls and advantages of the algorithms is
>     key for a future security expert. Moreover, denying someone access
>     to help on an open source project is antithetical to the OSS
>     philosophy. How can anyone hope to understand code that by its
>     very nature is cryptic and complex if there's no one willing to
>     help disentangle, at least at a high level, the routines and
>     functions?
>
>     InfoSec is a black art today, but it needs to get out of that
>     mode. After the last few years it is clear that unless we open up
>     the understanding of these disciplines, we will be at the mercy of
>     experts with hidden agendas. Only educated users can hope to make
>     correct use of cryptography, or be able to choose the best
>     application for their needs.
>     As we know, even a robust cipher is
>     useless if utilized for the wrong purpose or poorly configured. We
>     can't turn away those with a genuine interest in learning how to
>     use cryptography without dooming ourselves to continue with the
>     status quo.
>
>     I appeal to those of you who routinely share your knowledge and
>     try to make a difference here, that you provide some guidance and
>     not turn away people with basic questions like this one. These are
>     the users who may become one day contributors. They should be
>     nurtured and not shunned.
>
>     OK, I'll get off my soapbox now. Have a great week everyone.
>
>     On May 10, 2015, at 5:58 PM, Mike Mohr <akihana at gmail.com>
>     wrote:
>
>>     The task of implementing AES should not be undertaken by a novice
>>     programmer. Please save the world another heartbleed and pick
>>     something more in line with your skill level.
>>
>>     On May 10, 2015 11:48 AM, "konstantinos Alexiou"
>>     <konstantinakos.a at gmail.com> wrote:
>>
>>         Dear Sirs,
>>
>>         I am new to C programming and I am trying to create an
>>         independent to libraries source code for demonstration
>>         purposes for AES-CTR mode. Could I have some help on doing
>>         that using the source code contained under crypto/aes?
>>
>>         Thank you very much in advance.
>>

-- 
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC                www.2rosenthals.com
visit my IT blog                www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies   see www.2rosenthals.com
-------------------------------------------------------------
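
The key-handling flaw recounted in the quoted audit anecdote (password copied into the AES-256 key buffer, null-padded or truncated) can be contrasted with a salted password-based derivation. This is an added example, not part of the thread and not code from the audited software; the function names, the iteration count and the sample passwords are assumptions made here, and the ECB half of the anecdote is not covered.

```python
import hashlib
import os

KEY_LEN = 32  # AES-256 key size in bytes


def naive_key(password: str) -> bytes:
    """Flawed scheme from the anecdote: copy the password into the key
    buffer, null-padding short passwords and truncating long ones."""
    raw = password.encode("utf-8")
    return raw[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def derived_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-file random salt. The iteration
    count is an assumption; tune it to the deployment's hardware."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def trailing_nulls(key: bytes) -> int:
    """Number of key bytes that are fixed padding rather than secret."""
    return len(key) - len(key.rstrip(b"\x00"))


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    short = "hunter2"
    long_a = "a" * KEY_LEN + "-first-tail"
    long_b = "a" * KEY_LEN + "-second-tail"

    k = naive_key(short)
    print("naive key      :", k.hex())
    print("padding bytes  :", trailing_nulls(k), "of", KEY_LEN)
    # Anything past byte 32 is silently ignored, so distinct passwords collide.
    print("long collide   :", naive_key(long_a) == naive_key(long_b))

    salt = os.urandom(16)  # stored alongside the ciphertext, not secret
    print("pbkdf2 key     :", derived_key(short, salt).hex())
    print("long collide   :",
          derived_key(long_a, salt) == derived_key(long_b, salt))
    # A fresh salt yields a different key for the same password.
    print("salt-dependent :",
          derived_key(short, salt) != derived_key(short, os.urandom(16)))
```
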