Comments on: NaCl: DJB’s new crypto library http://rdist.root.org/2009/07/14/nacl-djbs-new-crypto-library/ Embedded security, crypto, software protection Sat, 13 Mar 2010 14:29:16 +0000 http://wordpress.com/ hourly 1 By: Nate Lawson http://rdist.root.org/2009/07/14/nacl-djbs-new-crypto-library/#comment-5181 Nate Lawson Mon, 20 Jul 2009 17:06:56 +0000 http://rdist.root.org/?p=395#comment-5181 kme, absolutely a good point. You don't want to allow the developer to build a protocol that says "use crypto_box_foo() or crypto_box_bar()", based on an unprotected field. kme, absolutely a good point. You don’t want to allow the developer to build a protocol that says “use crypto_box_foo() or crypto_box_bar()”, based on an unprotected field.

]]> By: kme http://rdist.root.org/2009/07/14/nacl-djbs-new-crypto-library/#comment-5180 kme Mon, 20 Jul 2009 11:41:01 +0000 http://rdist.root.org/?p=395#comment-5180 I was thinking more in terms of bespoke applications using some homegrown non-SSL protocol (which seems to be more what NaCL is aimed at). These high level libraries will help developers get the crypto right, which is great, but if they're still writing their own cipher suite negotiation, then half the time it'll be vulnerable to a version-downgrade attack. I was thinking more in terms of bespoke applications using some homegrown non-SSL protocol (which seems to be more what NaCL is aimed at). These high level libraries will help developers get the crypto right, which is great, but if they’re still writing their own cipher suite negotiation, then half the time it’ll be vulnerable to a version-downgrade attack.

]]> By: Nate Lawson http://rdist.root.org/2009/07/14/nacl-djbs-new-crypto-library/#comment-5177 Nate Lawson Sat, 18 Jul 2009 18:55:35 +0000 http://rdist.root.org/?p=395#comment-5177 kme, yes, migration is an issue both in terms of rolling keys and ciphers (as you mention). I don't think most people need better cipher suite negotiation though. It's more of a policy thing. The whole business of SSL certs is "pay $ to get the warning to go away". So what if sites that still used MD5 certs generated a warning in IE 8+? You have financially-assisted cipher-suite upgrades. :-) kme, yes, migration is an issue both in terms of rolling keys and ciphers (as you mention). I don’t think most people need better cipher suite negotiation though. It’s more of a policy thing. The whole business of SSL certs is “pay $ to get the warning to go away”. So what if sites that still used MD5 certs generated a warning in IE 8+? You have financially-assisted cipher-suite upgrades. :-)

]]> By: kme http://rdist.root.org/2009/07/14/nacl-djbs-new-crypto-library/#comment-5172 kme Fri, 17 Jul 2009 10:32:15 +0000 http://rdist.root.org/?p=395#comment-5172 Another thing often missing from these high level libraries is an implementation of cipher-set negotiation. This will become important 5 or 10 years down the track when we decide we want to phase out an old, broken algorithm from our app - if there's no cipher-set negotiation then we have no choice but to have a flag day when we upgrade every client and server together. In many cases that would be enough to put the whole thing into the too-hard basket, which would not be good for security. Another thing often missing from these high level libraries is an implementation of cipher-set negotiation. This will become important 5 or 10 years down the track when we decide we want to phase out an old, broken algorithm from our app – if there’s no cipher-set negotiation then we have no choice but to have a flag day when we upgrade every client and server together. In many cases that would be enough to put the whole thing into the too-hard basket, which would not be good for security.

]]> By: Nate Lawson http://rdist.root.org/2009/07/14/nacl-djbs-new-crypto-library/#comment-5166 Nate Lawson Wed, 15 Jul 2009 16:15:40 +0000 http://rdist.root.org/?p=395#comment-5166 Steve, thanks for commenting. I do think it needs more review. Hopefully it gets more eyes and becomes more robust. I still like Keyczar and its approach, I just needed to emphasize it's not a mature implementation yet. Steve, thanks for commenting. I do think it needs more review. Hopefully it gets more eyes and becomes more robust. I still like Keyczar and its approach, I just needed to emphasize it’s not a mature implementation yet.

]]> By: Steve Weis http://rdist.root.org/2009/07/14/nacl-djbs-new-crypto-library/#comment-5164 Steve Weis Wed, 15 Jul 2009 10:39:53 +0000 http://rdist.root.org/?p=395#comment-5164 I'd like to encourage more external review of Keyczar from the community at large. The DSA bug was avoidable and something I missed when reviewing the Python implementation. More eyes on the code would have probably caught it. Most of Keyczar had to be rewritten from scratch in order to open source it, and now there is a C++ implementation that was written by an external contributor. So there is a lot of new code that needs more scrutiny. I'm interested in checking out DJB's library. I've always been impressed with his high-performance implementations. I’d like to encourage more external review of Keyczar from the community at large. The DSA bug was avoidable and something I missed when reviewing the Python implementation. More eyes on the code would have probably caught it. Most of Keyczar had to be rewritten from scratch in order to open source it, and now there is a C++ implementation that was written by an external contributor. So there is a lot of new code that needs more scrutiny.

I’m interested in checking out DJB’s library. I’ve always been impressed with his high-performance implementations.

]]>