[nycbug-talk] Re: Linux Cryptoloop

G. Rosamond george
Fri Mar 5 20:23:23 EST 2004

Roland said. . .

>They use hashalot to generate the key from a passphrase and it is
>just a simple hash or a salted hash rather than an industry standard
>passphrase->key algorithm such as PKCS#5 PBKDF2 (which I use in
>CGD.)  I do not understand exactly why everyone feels it is necessary
>to play amateur cryptographer when there are accepted ways to do
>these things that have been scrutinised by people who actually
>understand the issues involved.  This is actually a rather large
>pet peeve of mine, I mean if you presume that you know better than
>professional cryptographers how to turn a passphrase into a key
>then why don't you just write your own crypto algorithms, too? So,
>to make a long story short, the hashalot method is vulnerable to
>dictionary attack.

there's a real irony in what Roland's stating.  i agree with you very

i haven't thoroughly read their documents, even though i submitted the
link, but i do know that one area where free versus closed source is an
enormous debate is in cryptography.

(i'm not a cryptographer, have read a bit of Schneier, and maybe passed
two math classes in my life, but i think i can say a few basic things. .
. but it's all IMHO)

lots of vendors claim they have THE algorithm, but they can't reveal it,
as it would impede its security status.  but the only legitimate way to
qualify an encryption algorithm is to actually put it up to scrutiny.  i
know this has been tested time and time again.  hidden algorithms are
weak algorithms.

the same goes for standard practices in encryption.  amateurs are not in
a position to do ground-breaking work in cryptography.  there's no
recreating the wheel.  the true cryptographers of the world are a true
elite.  it would confuse me to think that a piece of linux software,
even one considered beta, would ignore the cryptography standard
practices.  more than most areas, cryptographers stand on their
predecessors' shoulders.  it is an area that improves over time.

it would seem to me the starting point for open source software
developers would be to look at the open source model of the cryptography


More information about the talk mailing list