[Cryptography Team] Crypto for Squeak! Yea! (and msh-crypto)
Matthew S. Hamrick
mhamrick at cryptonomicon.net
Thu Oct 27 06:35:35 CEST 2005
Hey Everybody!
I'm glad to hear there's interest for a 100% Smalltalk version of
crypto primitives. A long while ago I started work on the "Mobile
Security for Handhelds" Crypto package. Originally intended to be the
crypto layer for a squeak port to PalmOS, I eventually just decided
to work on it as a generic crypto package for Smalltalk.
You can find a changeset and a project file at
http://www.cryptonomicon.net/msh/squeak/ .
I've implemented a message digest infrastructure (including MD2, MD4,
MD5, SHA1, SHA256, and somewhere I have a SHA384, SHA512 and SHA1024
implementation.) I started a SymmetricStreamCipher abstract class and
a concrete implementation of ARC4. Somewhere I have a DES
implementation, but quite frankly it hasn't been at the top of my
mind lately.
Security and flexibility were at the top of the list of design
features, so I included the #clearSensitiveData method in the design
to ensure that sensitive bits get obliterated before they're GC'd. Of
course it's up to the developer to properly call these methods, but
they're there for when you need to call them.
I've talked to James about the CinCom implementation a couple of
times. One thing that's a little disturbing is that he tells me that
they haven't alerted BIS (formerly BXA) as to the existence of the
package. The current rules for US open source crypto developers are
that you have to alert the BIS (Bureau of Industry and Security)
before you export (i.e., upload to an ftp site, post to a newsgroup,
or include in an email distribution that goes overseas); you're
supposed to send an email message to them telling them where they can
find a copy. I think this is to ensure that it's really open source
and to provide them with a working copy should they find bad guys are
using your source. (saves them from having to reverse engineer the
code.) I could be wrong about this, but you probably want to
double-check with them...
It's probably worth noting that the msh-crypto package, while
incomplete, is distributed under a BSD style license that allows
commercial and non-commercial uses and derivative works.
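
The calling discipline the message describes for #clearSensitiveData, as an added example that is not part of the original post or of msh-crypto: a Squeak workspace snippet in which the wipe runs from an ensure: block, so it still happens when the code using the key fails. ExampleSecretKey, #setBytes: and #on:do: are hypothetical names; only the selector #clearSensitiveData comes from the message.

```smalltalk
"Added example. ExampleSecretKey and every selector except
 #clearSensitiveData are hypothetical, not msh-crypto classes."
| raw keyClass |
Object subclass: #ExampleSecretKey
    instanceVariableNames: 'bytes'
    classVariableNames: ''
    poolDictionaries: ''
    category: 'Example-Crypto'.
keyClass := Smalltalk at: #ExampleSecretKey.

"Hold the caller's ByteArray itself (no copy), so there is one buffer to wipe."
keyClass
    compile: 'setBytes: aByteArray
    bytes := aByteArray'
    classified: 'private'.

"Overwrite in place, then drop the reference. Assigning nil alone would
 leave the key bytes readable in object memory until the space is reused."
keyClass
    compile: 'clearSensitiveData
    bytes ifNotNil: [bytes atAllPut: 0].
    bytes := nil'
    classified: 'security'.

"ensure: runs the wipe on normal return, when an error unwinds the stack,
 and on a non-local return out of aBlock."
keyClass class
    compile: 'on: aByteArray do: aBlock
    | key |
    key := self new.
    key setBytes: aByteArray.
    ^ [aBlock value: key] ensure: [key clearSensitiveData]'
    classified: 'instance creation'.

"Constructed key material, for demonstration only."
raw := ByteArray new: 16 withAll: 16rA5.

"Simulate a failure in the code that uses the key."
[keyClass on: raw do: [:key | Error new signal: 'cipher failed']]
    on: Error
    do: [:e | e return: nil].

"The buffer was wiped even though the block never finished."
self assert: (raw occurrencesOf: 0) = raw size.
```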