From: Ed P. <ed...@us...> - 2006-10-06 10:25:58
So here's our requirement list:

- good secure hash function, preferably SHA1
- reasonably strong cypher, probably blowfish, twofish or aes (note that for >64-bit key lengths, there may be more paperwork to file with the US government)
- compatible java implementation for the java client
- open enough license, wide availability

OpenSSL's 64-bit blowfish still looks like the winner so far.

I actually thought that BlowfishJ had a CFB implementation (converting blowfish from a 64-bit block cypher into an 8-bit stream cypher), which is what I planned on using, but it looks like I was mistaken about that.

I'm also confused about Java's built in cryptography libraries. Has anyone used the Java Cryptography Architecture? Is this built into all JVM's? If I'm reading this right, then Sun's JVM's include some cryptography, including Blowfish CFB, as of Java 1.4, but I don't know if all other VM's do as well.

Here's an interesting (if dated) reference:
http://www.ibiblio.org/javafaq/slides/ukuug/future/Java_1.4_and_Beyond.html

Note that on every java release since 1.1, there's a bullet point:

* security architecture changed completely

I'm going to be on a 6-hour flight tomorrow, so I've downloaded the source to several cryptography libraries. Attention span and battery life permitting, I'll try to look into other candidate libraries, and play around with java encryption.

Ed

On 10/5/06, Bob Friesenhahn <bfr...@si...> wrote:
> On Thu, 5 Oct 2006, Ed Pizzi wrote:
>
> > On 10/5/06, Bob Friesenhahn <bfr...@si...> wrote:
> >> On Thu, 5 Oct 2006, Ed Pizzi wrote:
> >> >
> >> > Another consideration about using openssl - it's not strictly
> >> > GNU-compatible. The openssl license requires the following:
> >> >
> >> > * 3. All advertising materials mentioning features or use of this
> >> > * software must display the following acknowledgment:
> >> > * "This product includes software developed by the OpenSSL Project
> >> > * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
> >> >
> >> > GNU projects build in exceptions to their licenses to allow them to be
> >> > built with OpenSSL library, even though it has a non-GNU compatible
> >> > license.
> >>
> >> GPL only covers/restricts the copying of programs, i.e. executable
> >> code. It does not restrict advertising materials at all so I am not
> >> sure what your concern is. As a matter of fact, GPL actually requires
> >> that programs falling under GPL license produce a copyright statement
> >> during normal operation, or via user request (e.g. via a --version
> >> option).
> >
> > I don't pretend to be an expert. Here's what I read:
> > http://en.wikipedia.org/wiki/Openssl#GPL_exception
>
> Interesting. In my opinion "advertising materials" are not part of
> the GPL covered "program". The GPL is subject to many differing
> interpretations. The right granted by GPL is the right to distribute
> a binary version of the program as long as the source code is also
> distributed according to specified rules. GPL is only about copying.
>
> Even the original BSD license has a clause which requires
> acknowledging the source in advertising literature.
>
> Bob
> ======================================
> Bob Friesenhahn
> bfr...@si..., http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
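
Added example, not part of the original message or of the project's code: a small Java probe for the JCA question raised in the message above. It asks the running JVM's installed providers for SHA-1 and for Blowfish in 8-bit CFB mode, then round-trips a constructed message one byte at a time. The class name `JcaProbe`, the random 64-bit key and the sample text are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class JcaProbe {  // hypothetical class name
    static final String TRANSFORMATION = "Blowfish/CFB8/NoPadding";

    public static void main(String[] args) {
        try {
            // getInstance() throws NoSuchAlgorithmException when no installed
            // provider implements the requested algorithm or mode.
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            Cipher enc = Cipher.getInstance(TRANSFORMATION);
            Cipher dec = Cipher.getInstance(TRANSFORMATION);
            System.out.println("SHA-1 from " + sha1.getProvider().getName());
            System.out.println(TRANSFORMATION + " from " + enc.getProvider().getName());

            SecureRandom rng = new SecureRandom();
            byte[] keyBytes = new byte[8]; // 64-bit key, the length discussed above
            byte[] iv = new byte[8];       // Blowfish block size is 64 bits
            rng.nextBytes(keyBytes);
            rng.nextBytes(iv);
            SecretKeySpec key = new SecretKeySpec(keyBytes, "Blowfish");
            enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
            dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
            byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
            ByteArrayOutputStream ct = new ByteArrayOutputStream();
            for (int i = 0; i < msg.length; i++) {
                byte[] part = enc.update(msg, i, 1); // feed one byte at a time
                if (part != null) ct.write(part, 0, part.length);
            }
            byte[] tail = enc.doFinal();
            ct.write(tail, 0, tail.length);
            byte[] pt = dec.doFinal(ct.toByteArray());
            System.out.println("plaintext bytes:  " + msg.length);
            System.out.println("ciphertext bytes: " + ct.size()); // same length: no padding
            System.out.println("round trip ok:    " + Arrays.equals(msg, pt));
        } catch (GeneralSecurityException e) {
            System.out.println("not available in this JVM: " + e);
        }
    }
}
```

Running the same class on each JVM the Java client has to support shows whether the algorithm and mode resolve there and which provider supplies them.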