gnu-crypto-discuss

Re: [GNU Crypto] Documentation


From: Casey Marshall
Subject: Re: [GNU Crypto] Documentation
Date: Tue, 27 May 2003 12:51:28 -0700
User-agent: Mutt/1.4i

On Tue, May 27, 2003 at 12:28:42PM +0200, Marcel Winandy wrote:

> > the issue is effectively whether to include in the makeKey(...) method
> > implementations checks for weak keys (and eventually other massaging
> > functions required by the algorithm) and bailing out with this new
> > exception if the key material is found to be in violation of certain
> > pre-conditions; e.g. weak key.  or, do not apply those checks relying
> > instead on the user alertness for ensuring the quality of the input key
> > material.
> >
> > i'd be also interested in hearing others' opinion on the subject.
> 
> The point is whether you want to provide a library with raw algorithms or to
> provide a secure cryptography library. In the former case it is up to the
> user to decide what is a weak key and how to deal with it. But in the latter
> case (and I hope that is what you want) the library has to assure that weak
> keys are rejected or at least the user is being warned.
> 

This sounds more like a documentation issue -- it should suffice to
mention weak keys and ways of testing them (such as DES.isWeak()).
Throwing an exception is probably not the best behavior in this case.

> The last thing is very important because there may be users who are not very
> familiar with cryptography and possibly don't know about weak keys or how
> they are defined and what consequences they will have.
> 

I'm of the opinion that if someone is using GNU Crypto to build a crypto
application they *should* know a thing or two about cryptography.

If they don't, then it's to their own peril.

> The whole thing is about responsibility: who shall make secure cryptography - 
> the application programmer or the crypto library? I suggest the name of 
> library gives us a hint to answer this question...
> 

Going to the lengths of explicitly disallowing weak keys from ever
entering the system goes too far; it limits the flexibility of the
library for something that will probably happen once in a million years.
If it ever happens that the probability of generating weak keys *is* a
significant risk, then it's more likely that the cipher is flawed.

This is also mostly academic since the cipher in GNU Crypto with the
most serious weak key issues is DES, and it should not be considered
secure today anyway.

My vote is to not check for weak keys. Any user-level applications we
eventually write for GNU Crypto most definitely *should* check for weak
keys when they are generated, but I don't think this belongs in the
library proper.

- -- 
Casey Marshall || address@hidden

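The application-level check argued for in the message above, as an added example that is not part of the original post and is not GNU Crypto code. It assumes the JDK's own `javax.crypto` classes (`DESKeySpec.isWeak`, the `DES/ECB/NoPadding` cipher); the class `WeakKeyPolicy` and its methods are hypothetical names. It also shows what a weak key costs: encrypting twice with it returns the plaintext.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class WeakKeyPolicy {
    // DES ignores the low (parity) bit of each key byte. Force odd parity so
    // that parity variants of a weak key compare equal to its table form.
    static byte[] withOddParity(byte[] key) {
        byte[] out = key.clone();
        for (int i = 0; i < out.length; i++) {
            int b = out[i] & 0xFE;
            out[i] = (byte) (b | ((Integer.bitCount(b) & 1) ^ 1));
        }
        return out;
    }

    // The check stays in the application: the caller decides what to do.
    static boolean isWeak(byte[] key) throws Exception {
        return DESKeySpec.isWeak(withOddParity(key), 0);
    }

    // Key generation that retries on a weak or semi-weak key.
    static byte[] generateKey(SecureRandom rng) throws Exception {
        byte[] key = new byte[8];
        do {
            rng.nextBytes(key);
        } while (isWeak(key));
        return withOddParity(key);
    }

    static byte[] encrypt(byte[] key, byte[] block) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "DES"));
        return c.doFinal(block);
    }

    public static void main(String[] args) throws Exception {
        byte[] block = "8 bytes!".getBytes("US-ASCII"); // constructed sample block
        byte[] weak = new byte[8]; // all zero: parity variant of the weak key 0101...01
        byte[] good = generateKey(new SecureRandom());
        // With a weak key, encrypting twice returns the plaintext.
        System.out.println("weak: flagged=" + isWeak(weak) + " involution="
                + Arrays.equals(block, encrypt(weak, encrypt(weak, block))));
        System.out.println("good: flagged=" + isWeak(good) + " involution="
                + Arrays.equals(block, encrypt(good, encrypt(good, block))));
    }
}
```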