[squeak-dev] Re: [Pharo-dev] FFI blowfish for encrypting / decrypting [WAS] Re: How to encrypt a password?

Ron Teitelbaum ron at usmedrec.com
Tue Feb 18 15:02:45 UTC 2014


 

On Tue, Feb 18, 2014 at 12:35 AM, <mkobetic at gmail.com> wrote:

 

With stream ciphers (or block cipher in modes that emulate a stream cipher,
e.g. OFB, CTR) you absolutely must not reuse the same key to encrypt
different data ( <http://en.wikipedia.org/wiki/Stream_cipher_attack>
http://en.wikipedia.org/wiki/Stream_cipher_attack). You could try to devise
a way to avoid re-using the exact same key, e.g. generate the encryption key
by mixing in a unique id of the field that you're encrypting along with the
password, but unless you really know what you're doing, it's quite easy to
make a fatal mistake in your design. Best way to do this is to stick with
standard solutions. You're trying to use passwords for encryption, so your
standard options would be PKCS#5, bcrypt or scrypt.

 

Martin had a fantastic presentation a few years ago at StS (or was it ESUG)
where he started off showing slides based on a stock yellow-on-blue
Powerpoint template. It was about how to use VisualWorks encryption
packages; interesting from a technical point of view, but visually pretty
dull. Then he starts demonstrating by selecting regions of his slides and
encrypting them on the spot. The encrypted areas were just rectangular holes
in the slide filled with noise. Then he selected two regions of the slide,
encrypted them with the same key, and xored them together. Despite the
overlap of the two regions, you could easily make out the content of the
slide. It was the best demonstration of a mathematical concept I've ever
seen.

 

Colin

 

That's very cool!

 

Ron

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.squeakfoundation.org/pipermail/squeak-dev/attachments/20140218/99567fcc/attachment.htm


More information about the Squeak-dev mailing list