ECB, CTR ("Counter"), EAX and GGM are all modes of operation for block ciphers. This wikipedia page
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
provides a good overview of the different modes, and why ECB is a bad choice.
Ok, yes, KryptOn 1.0 is using ECB mode. This is very easily changed, though; the method is BlockCipher>>#makoEncrypt:.
(I was particularly struck by the spectacular failure of ECB mode to encrypt the sample image!)
That surprised me too, but then thinking about it makes sense, because all the background pixels are the same color and therefore they encrypt to the same bits. So the background color changes, but the "disturbed" pixels (other than the background color) are causing the original shape of the original image to show through.
With specific reference to a Mako signed-sealed envelope, probably the best thing to do is to perform the public-key signing operation on the original data, and then encrypt-and-MAC the signed data as a separate step. The thing to do is to change the way envelopes are sealed (the signing process can be left alone) to be an encrypt-and-MAC operation rather than a simple encrypt-only operation with no integrity protection. For instance, Rijndael in EAX or GGM mode would do nicely for the enciphering step.
Ok, if this is the right thing to do then I will try to make these changes.
Another thing to watch out for is the key-exchange protocol, which can be really sensitive.
Ok, if you have any suggestions please let me know here on the cryptography list.
Regards, Chris
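The two points in this exchange, the ECB leak on the sample image and the switch to an encrypt-and-MAC mode for sealing, as an added Go example (not KryptOn or Mako code; the key, nonce and 16-block "image" are constructed, and AES-GCM stands in for EAX because Go's standard library has no EAX):

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// DistinctBlocks counts the different 16-byte blocks in data; ECB preserves this count.
func DistinctBlocks(data []byte) int {
	seen := map[string]bool{}
	for i := 0; i+16 <= len(data); i += 16 {
		seen[string(data[i:i+16])] = true
	}
	return len(seen)
}

// SampleImage is a constructed stand-in: 15 identical background blocks, one "shape" block.
var SampleImage = append(append(bytes.Repeat([]byte{0xff}, 7*16),
	"shape pixels go "...), bytes.Repeat([]byte{0xff}, 8*16)...)

func mustAES(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	return blk
}

// EcbEncrypt encrypts each block independently, as KryptOn 1.0's makoEncrypt: does.
func EcbEncrypt(key, pt []byte) []byte {
	blk, ct := mustAES(key), make([]byte, len(pt)) // len(pt) must be a multiple of 16
	for i := 0; i+16 <= len(pt); i += 16 {
		blk.Encrypt(ct[i:i+16], pt[i:i+16])
	}
	return ct
}

// GcmSeal encrypts and MACs in one authenticated mode; the 12-byte nonce must never repeat.
func GcmSeal(key, nonce, pt []byte) []byte {
	g, _ := cipher.NewGCM(mustAES(key)) // NewGCM only fails for a non-16-byte block size
	return g.Seal(nil, nonce, pt, nil)
}

// GcmOpen verifies the tag before decrypting: a modified ct yields ok == false.
func GcmOpen(key, nonce, ct []byte) ([]byte, bool) {
	g, _ := cipher.NewGCM(mustAES(key))
	pt, err := g.Open(nil, nonce, ct, nil)
	return pt, err == nil
}
```

Under ECB the ciphertext has exactly as many distinct blocks as the plaintext (two), which is why the picture shows through; the GCM output has no repeated blocks and refuses to open once any byte is changed.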
With specific reference to a Mako signed-sealed envelope, probably the best thing to do is to perform the public-key signing operation on the original data,
Err... recalling vaguely from memory - wasn't signing plaintext a big no-no? There were some attacks on RSA that were based on feeding a signer plaintexts (or is my memory leaving me here?)...
I always sign hashes...
Cees De Groot wrote:
Err... recalling vaguely from memory - wasn't signing plaintext a big no-no? There were some attacks on RSA that were based on feeding a signer plaintexts (or is my memory leaving me here?)...
Are you perhaps thinking of the need for something like RSA-PSS?
At the very least hash-then-sign, but RSA-PSS looks like the latest-and-greatest insight from the crypto community, so I wouldn't ignore it :)
On 1/11/06, Tony Garnock-Jones tonyg@lshift.net wrote:
Cees De Groot wrote:
Err... recalling vaguely from memory - wasn't signing plaintext a big no-no? There were some attacks on RSA that were based on feeding a signer plaintexts (or is my memory leaving me here?)...
Are you perhaps thinking of the need for something like RSA-PSS?
Cryptography mailing list Cryptography@lists.squeakfoundation.org http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Chris Muller wrote:
Ok, if you have any suggestions please let me know here on the cryptography list.
I've been thinking about whether there might be any existing standards for this kind of thing we could simply implement, thereby removing the need for designing our own protocols.
Would it make sense, for instance, to have a Smalltalk implementation of OpenPGP (http://www.ietf.org/rfc/rfc2440.txt)? It's good for encrypting and signing messages, all the design's been done, it's widely implemented, and it has already been *extensively* analysed. Could KryptOn become an OpenPGP?
Cheers, Tony