Re: new developer volunteering: adding encryption to VNC

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

So here's our requirement list:
 - good secure hash function, preferably SHA1
  - reasonably strong cypher, probably blowfish, twofish or aes
   (note that for >64-bit key lengths, there may be more paperwork to
    file with the US government)
 - compatible java implementation for the java client
 - open enough license, wide availability

OpenSSL's 64-bit blowfish still looks like the winner so far. I
actually thought that BlowfishJ had a CFB implementation (converting
blowfish from a 64-bit block cypher into an 8-bit stream cypher),
which is what I planned on using, but it looks like I was mistaken
about that.

I'm also confused about Java's built in cryptography libraries. Has
anyone used the Java Cryptography Architecture? Is this built into all
JVM's? If I'm reading this right, then Sun's JVM's include some
cryptography, including Blowfish CFB, as of Java 1.4, but I don't know
if all other VM's do as well.

Here's an interesting (if dated) reference:
http://www.ibiblio.org/javafaq/slides/ukuug/future/Java_1.4_and_Beyond.html

Note that on every java release since 1.1, there's a bullet point:
  * security architecture changed completely

I'm going to be on a 6-hour flight tomorrow, so I've downloaded the
source to several cryptography libraries. Attention span and battery
life permitting, I'll try to look into other candidate libraries, and
play around with java encryption.

Ed

On 10/5/06, Bob Friesenhahn <bfr...@si...> wrote:
> On Thu, 5 Oct 2006, Ed Pizzi wrote:
>
> > On 10/5/06, Bob Friesenhahn <bfr...@si...> wrote:
> >> On Thu, 5 Oct 2006, Ed Pizzi wrote:
> >> >
> >> > Another consideration about using openssl - it's not strictly
> >> > GNU-compatible. The openssl license requires the following:
> >> >
> >> > * 3. All advertising materials mentioning features or use of this
> >> > *    software must display the following acknowledgment:
> >> >  *    "This product includes software developed by the OpenSSL Project
> >> >  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
> >> >
> >> > GNU projects build in exceptions to their licenses to allow them to be
> >> > built with OpenSSL library, even though it has a non-GNU compatible
> >> > license.
> >>
> >> GPL only covers/restricts the copying of programs, i.e. executable
> >> code.  It does not restrict advertising materials at all so I am not
> >> sure what your concern is.  As a matter of fact, GPL actually requires
> >> that programs falling under GPL license produce a copyright statement
> >> during normal operation, or via user request (e.g. via a --version
> >> option).
> >
> > I don't pretend to be an expert. Here's what I read:
> > http://en.wikipedia.org/wiki/Openssl#GPL_exception
>
> Interesting.  In my opinion "advertising materials" are not part of
> the GPL covered "program".  The GPL is subject to many differing
> interpretations.  The right granted by GPL is the right to distribute
> a binary version of the program as long as the source code is also
> distributed according to specified rules.  GPL is only about copying.
>
> Even the original BSD license has a clause which requires
> acknowledging the source in advertising literature.
>
> Bob
> ======================================
> Bob Friesenhahn
> bfr...@si..., http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
>
>