That's not to say you're wrong, I think you have some valid points but in every other domain it appears there's a good enough level and when I at least encounter UK government crypto we're told it's the same. I see where you're coming from with it but to take your point I can pull keys out of a memory dump, who cares which process it comes from? In this case does it mean we should all wait for a perfect OS that scrubs memory on everything properly and encrypts swap? It's a matter of having something resilient enough for the use case not to matter. Don't make it harder to get found.

As someone who's done a lot of non-crypto side channel stuff (particularly around signal modulation for exfil) I'm of the view that side channel stuff happens and it's not exclusive to crypto. Think of it like being a little kid lost in a shopping mall. How could anyone have any kind of grip on the safety of a system that fundamentally changes its crypto constructions so often?

A lesson here: if you have to implement cryptography - and you and your users would be much better off if you didn't, and rather relied on a standard implementation like PGP - do one thing and stick with it.

I'm not sure I've ever seen a system as popular as this so quickly take a tour of so much of cryptography. The difference between symmetric-keyed password-based encryption, RSA, Diffie-Hellman and ECC (presuming ECDH?) isn't minor; it isn't a feature-level distinction. The hardest part of this to read for me isn't the vulnerability, but rather:

2011 Passwords: PBKDF2-HMAC-SHA1 with 1000 iterations
2011 Passwords: PBKDF2-HMAC-SHA1 with 600 iterations