Chris,
I just tried to use your SecureRandom for my SSL implementation and found out I needed the DESPlugin. I found it and everything worked fine, but I was reminded by your previous comment about there being a potential security issue for the communication between Smalltalk and the external black box (in this case the dll). I also noticed the comments about how slow the processing would be if the code was implemented in Smalltalk.
So two questions,
1) Do you feel the same way about the DESPlugin being insecure?
2) Do you believe that a native implementation would be too slow?
Ron Teitelbaum
Hi Ron,
I believe the plugin is only needed to seed a SecureRandom, otherwise you can seed it yourself with SecureRandom class>>#key:.
Do you feel the same way about the DESPlugin being insecure?
What do you mean by "insecure"? The black-box comment was more something regurgitated from Ferguson and Schneiers book; (going from memory here, check your copy) that there is no really secure operating system so, you have to be careful as your required infrastructure spreads out of Squeak and into the bowels of the OS. In the case of DESPlugin I doubt its much of a problem, but I honestly don't know..
Do you believe that a native implementation would be too
slow?
Too slow for what? It looks like TripleDES is used just to seed the SecureRandom so it depends on how often you need to re-seed it..
- Chris
PS - I don't know that I would call it "my" SecureRandom, I just improved the API's to allow for other PRNG algorithms. I'll be using the Fortuna PRNG for my stuff..
--- Ron Teitelbaum Ron@USMedRec.com wrote:
Chris,
I just tried to use your SecureRandom for my SSL implementation and found out I needed the DESPlugin. I found it and everything worked fine, but I was reminded by your previous comment about there being a potential security issue for the communication between Smalltalk and the external black box (in this case the dll). I also noticed the comments about how slow the processing would be if the code was implemented in Smalltalk.
So two questions,
Do you feel the same way about the DESPlugin being insecure?
Do you believe that a native implementation would be too
slow?
Ron Teitelbaum
From: Chris Muller Sent: Monday, July 17, 2006 10:56 AM Hi Ron,
I believe the plugin is only needed to seed a SecureRandom, otherwise you can seed it yourself with SecureRandom class>>#key:.
Thanks. I missed that.
Too slow for what?
Triple DES is one of the cipherSuites in SSL.
Ron
cryptography@lists.squeakfoundation.org