[Cryptography Team] Re: [squeak-dev] DigitalSignatureAlgorithm>>#initRandomNonInteractively is not randomChris Muller asqueaker at gmail.comThu Aug 26 23:02:13 UTC 2010
DigitalSignatureAlgorithm, SecureHashAlgorithm and ThirtyTwoBitRegister have been part of Squeak for a long time, there are legacy users, although I think they should migrate to using the counterparts in Cryptography. Folding Cryptography into Squeak would probably go against the political momentum toward smaller, more modular images. We don't need to do something that drastic just to solve this issue. I suggest instead that we merely move two utility methods from Cryptography: RandomGenerator class>>unpredictableStringsDo: aBlock RandomGenerator class>>generateKey to Random class in Squeak, and then employ them in DigitalSignatureAlgorithm for its #initRandomNonInteractively. #generateKey should be patched up from its dependence on Cryptography methods. This allows Squeak to purge the insecure approach of grabbing bits from a (silent or disconnected) SoundService, in favor of the robust one in Cryptography (except now moved to Squeak). - Chris On Mon, Aug 23, 2010 at 10:09 AM, Rob Withers <reefedjib at gmail.com> wrote: > Hi Chris, > > It works really well. The only issue now is the DigitalSignatureAlgorithm > is located in the core squeak image and the changes I made are in the > Cryptography package. It would be nice to fold Cryptography into the core > squeak image, or pull DigitalSignatureAlgorithm out into Cryptography. > > Rob > > -------------------------------------------------- > From: "Chris Muller" <asqueaker at gmail.com> > Sent: Sunday, August 22, 2010 5:35 PM > To: "The general-purpose Squeak developers list" > <squeak-dev at lists.squeakfoundation.org> > Cc: "Squeak Crypto" <cryptography at lists.squeakfoundation.org> > Subject: [Cryptography Team] Re: [squeak-dev] > DigitalSignatureAlgorithm>>#initRandomNonInteractively is not random > >> Good, SecureRandom employs its #generateKey method (on the class side) >> to initialize its 'picker' (class-instance var). This was intended to >> serve as a globally usable SecureRandom so that clients like >> DigitalSignatureAlgorithm would not have to define their own. >> >> On Sat, Aug 21, 2010 at 5:30 AM, Rob Withers <reefedjib at gmail.com> wrote: >>> >>> I found a problem with >>> DigitalSignatureAlgorithm>>#initRandomNonInteractively. It is grabbing >>> randomBits from the SoundSystem, but I may not have that installed. It >>> gave >>> me the same bits repeatedly. I modified >>> DigitalSignatureAlgorithm>>#initRandomNonInteractively to not rely on the >>> SoundSystem and instead use SecureRandom. This is published in the >>> Cryptography repository. >>> >>> Rob >>> >>> >> _______________________________________________ >> Cryptography mailing list >> Cryptography at lists.squeakfoundation.org >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography >> > _______________________________________________ > Cryptography mailing list > Cryptography at lists.squeakfoundation.org > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography >
More information about the Squeak-dev mailing list |