Re: The importance of IVs
Available news archives: comp.lang.tcl - comp.lang.python - comp.security.firewalls - sci.crypt - comp.lang.php - comp.lang.javascript
Google
 
Web news.hping.org


sci.crypt archive

Re: The importance of IVs

From: Regis <nobody@thisaddress.com>
Date: Sun Aug 28 2005 - 00:16:43 CEST



On 27 Aug 2005 13:15:34 -0700, "mobius30" <mobius30@hushmail.com>


wrote:



>Build a good solid TRUE Blowfish crypto app in VB.NET.  Nothing


>spectacular, just a simple plain-text app that is secure (i.e. doesn't


>write to swap



The best way to prevent any information leakage to a swap file is to


eliminate the swap file from the O/S altogether.  I never trust the


swap file because you have no idea what's being written to it or when.


I've done various experiments over the years with swap files on every


flavour of Windows, and my results have always brought me back to the


same conclusions -- if you need true security on any given PC, you


have to eliminate the swap file.  



Even if you write your application so that it performs no disk


reads/writes whatsoever, and all your processing is done strictly in


RAM, Windows will still find a way to dump some of your information


into its damn swap file.



With RAM prices as low as they are today, you can easily bring up your


workstation to 1 GB and turn off the swap file.  I've done precisely


that on my main Windows machine.  Been running swap-free with 1 GB for


nearly two years now and have been loving every minute of it.



> Almost every app I've found (freeware at least) uses C or C++.



Yeah...I know what you mean.  I've been there myself having to sift


through all the "C" crap.  I've never taken to C or any of its


variants for the simple reason that it's too messy.  There was a time


when if you wanted to do any serious programming, you had to know


C...but thankfully those days are long behind us.



>So, yes, your help would be greatly appreciated.  Do you know of any


>off-the-shelf free (or low-cost) apps that implement TRUE 16-round


>64-bit block Blowfish (you know, what Schneier actually intended a


>decade ago!)?  



Well, if you want off-the-shelf, you're going to have to trust the


original programmer and take his word for it, because 99% of the time


you won't have access to source code for non-freeware products.



There's definitely no shortage of crypto software out there.  Take a


stroll over to Tucows and search for "Blowfish".  I came up with 43


different results.



My personal recommedation for ready-made file/disk encryption would be


PGP Desktop -- hands down, no contest.  They even give you access to


the source code if you want to compile your own.  Plus it's got the


expertise and reputation of Phil Zimmerman and PGP behind it.



> Any in VB6 or .NET?  Source code for the either?  Any


>libraries that have the Blowfish functions (or classes) in VB6 or .NET


>(or can be called from a VB.NET app)? 



I don't do VB personally, but I know that there's plenty of crypto


algorithms that have been ported to VB.  I found a very good starting


point for you here:


http://www.di-mgt.com.au/crypto.html#BlowfishVB



One thing I'd like to mention though.  If you're looking at developing


something crypto-related, you might consider using Twofish (Blowfish's


bigger, stronger brother).  Or even still, go with AES (Rijndael).


Received on Thu Sep 29 21:51:13 2005