REPOST: Re: TrueCrypt 4.0 Out

From: BRG (brg_at_nowhere.org)
Date: 11/03/05


Date: Thu, 03 Nov 2005 15:36:28 +0000

tomstdenis@gmail.com wrote:

> BRG wrote:
>> There are reasons for avoiding cryptographic libraries in some situations.
>>
>> Libraries are typically collections of basic algorithms combined with
>> higher level protocols and code structures in which the library designer
>> has imposed his or her views on both code and security design.
>
> That's a bit infantile. Libraries like OpenSSL allow you to have
> direct access to the crypto primitives. If you don't like the SSL
> protocol you don't have to use it. You can still use the crypto
> though.

That's your view but one I do not share. If you truly see this as
infantile, then you have a great deal to learn about information security.

>> Those who want to use their own higher level security and code design
>> philosophies (and are expert enough to do so) will hence often prefer to
>> bring together individual open source algorithm implementations in which
>> they have developed a lot of trust rather than rely on a library and
>> hence become subject to the prejudices of its author.
>
> I don't see the benefit. Different authors have different coding
> styles, interfaces, etc. Bringing dozens of random pieces of code
> together only means you have to work the source code so that they're
> uniform.

I would not expect you to see the benefit but the fact that you don't
see it doesn't mean that it doesn't exist.

Do you have any evidence to back your assertion that the TrueCrypt team
selected their algorithm implementations randomly? What leads you to
conclude that they did not make their selections with care?

If the right choices have been made, there will be no need to make
significant changes to the source code of imported algorithm
implementations.

> And really, if you can't trust a library author why can you
> trust a cipher implementation author?

This is not an issue that is determined in any major way by the choice
between the use of a library or non-library approach.

> Not every crypto library implements high level protocols like SSL, TLS
> or SSH or PGP, etc. libgcrypt for example is a general purpose crypto
> library. It presumably is trustworthy, is it not?
>
>> I am not suggesting libraries should be avoided but simply that you are
>> wrong to discount the alternative approach used by TrueCrypt. Neither of
>> these approaches is invariably better than the other.
>
> If you looked at the code for TrueCrypt you'd see the same horrors I
> did. But because your code was used you assume the development process
> was flawless?

No.

> No offense but since I know "better can be done" I have to disagree
> with the method they chose. It's sloppy and prone to mistake.

Of course it could be better. But not for the reasons you suggest.

   Brian Gladman

========= WAS CANCELLED BY =======:
Path: ...news-out.cwix.com!newsfeed.cwix.com!newscon02.news.prodigy.com!prodigy.net!news.glorb.com!hwmnpeer01.lga!hwmedia!hw-filter.lga!fe10.lga.POSTED!53ab2750!not-for-mail
From: BRG <brg@nowhere.org>
Control: cancel <436a2e69$0$1462$ed2619ec@ptn-nntp-reader01.plus.net>
Subject: Re: TrueCrypt 4.0 Out
Newsgroups: sci.crypt
Message-ID: <610e7a40%8%2205-ee3782dc@ptn-nntp-reader01.plus.net>
Lines: 2
Date: Fri, 3 Nov 2005 18:07:46 GMT
NNTP-Posting-Host: 68.198.254.63
X-Complaints-To: abuse@cv.net
X-Trace: fe10.lga 1131048274 68.198.254.63 (Thu, 03 Nov 2005 13:04:34 MST)
NNTP-Posting-Date: Thu, 03 Nov 2005 13:04:34 MST
Organization: Optimum Online


