Re: My own e-mail encryption solution

"Anonymous" <nobody@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:5a1d3b7c39144f355fc52c3c6a657b3c@xxxxxxxxxxxxxxxxxxxxxxxxx
I'm thinking of devising my own e-mail encryption solution, which would be similar to S/MIME
and OpenPGP but use different algorithms. I'm not a crypto expert, but I'm planning on using well-
tested C++ libraries such as LibTomCrypt, CryptLib and /or Crypto++. Would it be safe to do so
using these libraries without having intricate knowledge of their internal working or the mathematics
involved?


With cryptography the devil is very much in the details. A seemingly innocent thing like making sure the RAM is initialized, Debian learned this the hard way with their OpenSSL. A single bit out of place can mean catastrophic failure as happened with SSL v1. Minor misunderstandings of the exact nature of the security can lead to catastrophic security failures as happened in SSL v2. Compatability efforts can compromise the security, this has happened repeatedly and is the reason for TLS because SSL v3 was subject to this. Slight misunderstanding of the keying process can be catastrophic to security, several implementations of SSH learned this the hard way. The point being that many of the failures are tiny mistakes that seem meaningless.

I would never discourage anyone from writing a piece of software, but I have to advice you not to release the software.
Joe

.

Relevant Pages

  • Re: Anyone looked at Mithra ?
    ... professional programmers who understand security in general, ... security in general and crypto in particular ... without all of this, SSL is slow DH. ...
    (sci.crypt)
  • Re: Still Looking for that One, BRAVE, NASA and/or NAA Employee Re: Apollo One
    ... >>disagree with cryptological security by obscurity. ... Except that in a properly designed crypto system, ... Again, however, if the keys themselves are encrypted with a high-order ...
    (sci.space.history)
  • Re: 8 bit white noise algorithm
    ... Key the cipher with the key of your choice (since security is not a concern, key management is not a concern). ... and then there are crypto-quality PRNGs. ... Most crypto algorithms only achieve high security when used in a rolling mode, initially seeded with something truly random. ...
    (comp.dsp)
  • Re: File encryption software?
    ... I agree with John except for the "fail dangerous" part. ... I'd bet there are more failures safe as people suck out thumb drives without dismounting or have some combination of programs, ... Encryption is one of those areas where what you don't know really will hurt you. ... of such details - and have been verified by expert crypto people. ...
    (rec.outdoors.rv-travel)
  • Newbie Salt and Pass Phrase Question.
    ... I'm using LibTomCrypt for my first crypto enabled app. ... It's a Database app, so communication security issues, ... like PKI, aren't problems. ...
    (sci.crypt)