[JDEV] Continued Improvement of Security Concerns

Max Horn max at quendi.de
Wed Nov 15 08:17:01 CST 2000


At 14:53 Uhr -0800 14.11.2000, Rolle, Ted wrote:
>Yee Haw!!!  We got us a rumble goin!!!
>
>I'd suggest making the encryption the default communications mode, with
>plaintext an alternative to assist in debugging.
>
>Also, they would be most useful as a pluggable module with Rijndael as the
>default, but able to change to, say, Twofish, or another system as needs and
>wills require.
>
>I'll help write the code if you wish.

The problem is not at all the crypto algorithm. The problem is 
"trusting" a remote partner, and making sure a remote partner is 
"valid".


This is a complicated topic, I wrote several mails to the JDEV ML 
about this topic, and also have talked in the past (and will talk in 
the future) with the Jabber core team about this.


I suggest to everyone who wants to talk about security with us to 
read "Intro to Crypto" by Philip Zimmerman (the inventor of PGP) 
which is available as text/html/pdf for free on the net.


Of course, this is not a problem if both sides of the communication 
"know" each other and have a shared key. But in 99% of time this is 
not the case. Thus, you have to relay on CAs (Certification Agencies) 
that you trust and that help you validate your "partner" with whom 
you want to communicate.


Again, read "Intro to Crypto" to understand better the problems of 
cryptography (and let me asure you one thing: it's simple to write a 
program using Rijndael/DES/RSA/TwoFish/Blowfish/IDEA/whatever that is 
perfectly *unsecure*!)



Max
-- 
-----------------------------------------------
Max Horn
International C/C++/Internet Development

email: <mailto:max at quendi.de>
   web: <http://www.quendi.de>
phone: (+49) 6151-494890




More information about the JDev mailing list