[JDEV] Continued Improvement of Security Concerns
Max Horn
max at quendi.de
Wed Nov 15 08:17:01 CST 2000
At 14:53 Uhr -0800 14.11.2000, Rolle, Ted wrote:
>Yee Haw!!! We got us a rumble goin!!!
>
>I'd suggest making the encryption the default communications mode, with
>plaintext an alternative to assist in debugging.
>
>Also, they would be most useful as a pluggable module with Rijndael as the
>default, but able to change to, say, Twofish, or another system as needs and
>wills require.
>
>I'll help write the code if you wish.
The problem is not at all the crypto algorithm. The problem is
"trusting" a remote partner, and making sure a remote partner is
"valid".
This is a complicated topic, I wrote several mails to the JDEV ML
about this topic, and also have talked in the past (and will talk in
the future) with the Jabber core team about this.
I suggest to everyone who wants to talk about security with us to
read "Intro to Crypto" by Philip Zimmerman (the inventor of PGP)
which is available as text/html/pdf for free on the net.
Of course, this is not a problem if both sides of the communication
"know" each other and have a shared key. But in 99% of time this is
not the case. Thus, you have to relay on CAs (Certification Agencies)
that you trust and that help you validate your "partner" with whom
you want to communicate.
Again, read "Intro to Crypto" to understand better the problems of
cryptography (and let me asure you one thing: it's simple to write a
program using Rijndael/DES/RSA/TwoFish/Blowfish/IDEA/whatever that is
perfectly *unsecure*!)
Max
--
-----------------------------------------------
Max Horn
International C/C++/Internet Development
email: <mailto:max at quendi.de>
web: <http://www.quendi.de>
phone: (+49) 6151-494890
More information about the JDev
mailing list