RE: [Algorithms] Message signature in token ring
Brought to you by:
vexxed72
Menu
▾
▴
RE: [Algorithms] Message signature in token ring
|
From: Casey M. <gd...@fu...> - 2003-04-17 00:58:33
|
> >1) You can't proof or verify code you have only in binary form, > > No offense, but given that you are not a security expert, you probably > couldn't prove/verify code you saw in source form. Neither could I. I > mean, you could give it a general skim, but that's not really the same > thing. PROOF... not "prove". As in, a respectable security algorithm is going to have been _proven_ by mutliple math professors. But it is a good idea to _proof_ the code you are using for security. If I was going to use something for security, I would want to be able to inspect the source code and verify that it implements that algorithm correctly, and that nothing dangerous is going on. > >2) You can't port or ensure interoperability between platforms if you have > >to rely on the encryption native to each platform, > > There are implementations of standard algorithms, they should be compatible. Compatible with what? If I have a PS2 game that's supposed to talk to a Windows server, and I use the Windows crypto API, there's no code for the other end - so there's nothing to be "compatible" with. Do you see what I'm getting at here? You want to have the code, so you can port it to any machine. If you have to write a version for the PS2 but not for Windows, that's no good, because you have to do the work for PS2 anyway, and so you might as well just have used that on both platforms. > If it makes you feel warm and fluffy to have the source code, then use > some thoroughly peer-reviewed open source library. Sure, that's a fine idea. Your suggestion was to use the code in the OS, which I think is a bad idea, for the reasons I mentioned, which as far as I can see still apply 100%. - Casey |
