Re: Safe password?
sci.crypt archive

From: John E. Hadstate <jh113355@hotmail.com>
Date: Fri Dec 30 2005 - 12:39:54 CET

"Unruh" <unruh-spam@physics.ubc.ca> wrote in message
news:douk14$fqv$2@nntp.itservices.ubc.ca...
> "giorgio.tani" <giorgio.tani@email.it> writes:
>
>>I would rather enforce the application's capability to exploit the AES
>>256 keyspace, in example AFAIK you have two ways:
>
> No it is idiotic. The application uses AES256 and then demands a key length
> of less than 16 characters. That is idiotic. It indicates that the designer
> knew nothing about cryptography or security. And you would trust anything
> to him/her?

It may seem idiotic to you, but the Sun JRE does essentially
the same thing. It allows the developer to develop a system
using strong cipher algorithms and then, at run time, based
on the presence and contents of a "policy file", limits the
key length. One can download "unlimited strength" policy
files from the Sun site, but the default is to use "strong"
(read "weakened") keys.

On a side note, this must have some interesting implications
for the portability and global interoperability of Java
applications created using Sun's cryptographic services.
Received on Tue Jan 3 03:41:48 2006
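
The run-time key-length limit described in the post can be checked from inside an application. The following is an added example, not part of the original post or of Sun's code: it asks the JCE what the installed jurisdiction policy allows and confirms the answer by initialising AES with constructed all-zero test keys. The class name `PolicyProbe` and the choice of algorithms to query are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;

// Added example (hypothetical class name): reports the key-length ceiling the
// installed JCE policy files impose and verifies it against a real cipher.
public class PolicyProbe {

    // Initialise AES with an all-zero key of the given size. The key is a
    // constructed test value and must never protect real data.
    // Returns true if the policy in force lets the cipher accept the key.
    static boolean aesKeyAccepted(int bits) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[bits / 8], "AES"));
            return true;
        } catch (InvalidKeyException e) {
            // A limited policy rejects the key at init time, even though the
            // algorithm and the provider both support that key size.
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // What the policy claims to allow, per algorithm.
        for (String alg : new String[] {"AES", "DESede", "Blowfish"}) {
            int max = Cipher.getMaxAllowedKeyLength(alg);
            System.out.printf("%-8s max key length: %s%n", alg,
                    max == Integer.MAX_VALUE ? "unlimited" : max + " bits");
        }
        // What actually happens when a key of each AES size is used.
        for (int bits : new int[] {128, 192, 256}) {
            System.out.printf("AES-%d init: %s%n", bits,
                    aesKeyAccepted(bits) ? "accepted" : "rejected by policy");
        }
        // Fail loudly at start-up instead of at the first encrypt call when
        // the deployment target cannot use the key size the design assumes.
        if (!aesKeyAccepted(256)) {
            System.err.println("AES-256 unavailable: limited-strength policy in force");
            System.exit(1);
        }
    }
}
```

Running the probe on each deployment target shows whether two installations can actually interoperate at the key size the application was designed for.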