I found a problem with DigitalSignatureAlgorithm>>#initRandomNonInteractively. It is grabbing randomBits from the SoundSystem, but I may not have that installed. It gave me the same bits repeatedly. I modified DigitalSignatureAlgorithm>>#initRandomNonInteractively to not rely on the SoundSystem and instead use SecureRandom. This is published in the Cryptography repository.
Rob
Good, SecureRandom employs its #generateKey method (on the class side) to initialize its 'picker' (class-instance var). This was intended to serve as a globally usable SecureRandom so that clients like DigitalSignatureAlgorithm would not have to define their own.
On Sat, Aug 21, 2010 at 5:30 AM, Rob Withers reefedjib@gmail.com wrote:
I found a problem with DigitalSignatureAlgorithm>>#initRandomNonInteractively. It is grabbing randomBits from the SoundSystem, but I may not have that installed. It gave me the same bits repeatedly. I modified DigitalSignatureAlgorithm>>#initRandomNonInteractively to not rely on the SoundSystem and instead use SecureRandom. This is published in the Cryptography repository.
Rob
Hi Chris,
It works really well. The only issue now is the DigitalSignatureAlgorithm is located in the core squeak image and the changes I made are in the Cryptography package. It would be nice to fold Cryptography into the core squeak image, or pull DigitalSignatureAlgorithm out into Cryptography.
Rob
-------------------------------------------------- From: "Chris Muller" asqueaker@gmail.com Sent: Sunday, August 22, 2010 5:35 PM To: "The general-purpose Squeak developers list" squeak-dev@lists.squeakfoundation.org Cc: "Squeak Crypto" cryptography@lists.squeakfoundation.org Subject: [Cryptography Team] Re: [squeak-dev] DigitalSignatureAlgorithm>>#initRandomNonInteractively is not random
Good, SecureRandom employs its #generateKey method (on the class side) to initialize its 'picker' (class-instance var). This was intended to serve as a globally usable SecureRandom so that clients like DigitalSignatureAlgorithm would not have to define their own.
On Sat, Aug 21, 2010 at 5:30 AM, Rob Withers reefedjib@gmail.com wrote:
I found a problem with DigitalSignatureAlgorithm>>#initRandomNonInteractively. It is grabbing randomBits from the SoundSystem, but I may not have that installed. It gave me the same bits repeatedly. I modified DigitalSignatureAlgorithm>>#initRandomNonInteractively to not rely on the SoundSystem and instead use SecureRandom. This is published in the Cryptography repository.
Rob
Cryptography mailing list Cryptography@lists.squeakfoundation.org http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
DigitalSignatureAlgorithm, SecureHashAlgorithm and ThirtyTwoBitRegister have been part of Squeak for a long time, there are legacy users, although I think they should migrate to using the counterparts in Cryptography.
Folding Cryptography into Squeak would probably go against the political momentum toward smaller, more modular images. We don't need to do something that drastic just to solve this issue.
I suggest instead that we merely move two utility methods from Cryptography:
RandomGenerator class>>unpredictableStringsDo: aBlock RandomGenerator class>>generateKey
to Random class in Squeak, and then employ them in DigitalSignatureAlgorithm for its #initRandomNonInteractively. #generateKey should be patched up from its dependence on Cryptography methods.
This allows Squeak to purge the insecure approach of grabbing bits from a (silent or disconnected) SoundService, in favor of the robust one in Cryptography (except now moved to Squeak).
- Chris
On Mon, Aug 23, 2010 at 10:09 AM, Rob Withers reefedjib@gmail.com wrote:
Hi Chris,
It works really well. The only issue now is the DigitalSignatureAlgorithm is located in the core squeak image and the changes I made are in the Cryptography package. It would be nice to fold Cryptography into the core squeak image, or pull DigitalSignatureAlgorithm out into Cryptography.
Rob
From: "Chris Muller" asqueaker@gmail.com Sent: Sunday, August 22, 2010 5:35 PM To: "The general-purpose Squeak developers list" squeak-dev@lists.squeakfoundation.org Cc: "Squeak Crypto" cryptography@lists.squeakfoundation.org Subject: [Cryptography Team] Re: [squeak-dev] DigitalSignatureAlgorithm>>#initRandomNonInteractively is not random
Good, SecureRandom employs its #generateKey method (on the class side) to initialize its 'picker' (class-instance var). This was intended to serve as a globally usable SecureRandom so that clients like DigitalSignatureAlgorithm would not have to define their own.
On Sat, Aug 21, 2010 at 5:30 AM, Rob Withers reefedjib@gmail.com wrote:
I found a problem with DigitalSignatureAlgorithm>>#initRandomNonInteractively. It is grabbing randomBits from the SoundSystem, but I may not have that installed. It gave me the same bits repeatedly. I modified DigitalSignatureAlgorithm>>#initRandomNonInteractively to not rely on the SoundSystem and instead use SecureRandom. This is published in the Cryptography repository.
Rob
Cryptography mailing list Cryptography@lists.squeakfoundation.org http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Cryptography mailing list Cryptography@lists.squeakfoundation.org http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
cryptography@lists.squeakfoundation.org