What's the usual best practice around crypto in Squeak? Usually rolling one's own crypto is a ridonculously bad idea so... do folks usually pipe things to and from the cryptography of the underlying OS using OSProcess?
On Mon, 29 Mar 2010, Casey Ransberger wrote:
What's the usual best practice around crypto in Squeak? Usually rolling one's own crypto is a ridonculously bad idea so... do folks usually pipe things to and from the cryptography of the underlying OS using OSProcess?
There was a Cryptography team a few years ago with a few devs and big plans, but the team disappeared somehow... Anyway we have some usable code and a lot of half baked stuff here: http://www.squeaksource.com/Cryptography.html Start with Cryptography-cmm.11.mcz if you're interested.
People are usually looking for three things:
- hashes (MD5, SHA1, etc). These work pretty well. I think MD5 should be added to Squeak in the future.
- SSL. It's somewhat broken (has issues with certificates IIRC) and really slow if used without the DESPlugin. The Cobalt developers forked the Cryptography package and fixed lots of stuff about SSL. But if you just want to fetch a few web pages, you'd better try curl first.
- SSH. That's pre-alpha. :)
Levente
I think that we also need some industry algorithms such as DES, TripleDES, Blowfish, AES.
I never had the time to help the Crypto team, and did a product using encryption on Dolphin, but should try to implement some things here... as always... when time permits :(
On Tue, 30 Mar 2010, Germán Arduino wrote:
I think that we also need some industry algorithms such as DES, TripleDES, Blowfish, AES.
I'm unsure about Blowfish, but the other algorithms are implemented. DES (and therefore TripleDES) even has a plugin to make it useable. I started to write a plugin for AES but it's half baked.
Levente
I never had the time to help the Crypto team, and did a product using encryption on Dolphin, but should try to implement some things here... as always... when time permits :(
--
Germán S. Arduino <gsa @ arsol.net> Twitter: garduino Arduino Software & Web Hosting http://www.arduinosoftware.com PasswordsPro http://www.passwordspro.com
2010/3/30 Levente Uzonyi leves@elte.hu:
I'm unsure about Blowfish, but the other algorithms are implemented. DES (and therefore TripleDES) even has a plugin to make it useable. I started to write a plugin for AES but it's half baked.
I saw them (when I tried some time ago) but could never get them to work properly... Maybe it's my own fault in how I deal with these plugins... Do you know of a tutorial or so?
On Tue, 30 Mar 2010, Germán Arduino wrote:
I saw them (when I tried some time ago) but could never get them to work properly... Maybe it's my own fault in how I deal with these plugins... Do you know of a tutorial or so?
These algorithms work without plugins, they are written in Smalltalk. I don't think there are tutorials, but there are lots of tests. Those can serve as examples.
Levente
2010/3/30 Levente Uzonyi leves@elte.hu:
These algorithms work without plugins, they are written in Smalltalk. I don't think there are tutorials, but there are lots of tests. Those can serve as examples.
Ahh, OK, no problem with the Smalltalk code.
My fault is when plugins are needed.
Cheers. Germán.
There is no "usual best practice around crypto" in Squeak or any other technology. "Crypto" is just one primitive tool of several needed for digital security, and depending on what the security requirements are..
Squeak's Cryptography package works and includes test-cases demonstrating its various capabilities.
On Mon, Mar 29, 2010 at 8:16 PM, Casey Ransberger casey.obrien.r@gmail.com wrote:
What's the usual best practice around crypto in Squeak? Usually rolling one's own crypto is a ridonculously bad idea so... do folks usually pipe things to and from the cryptography of the underlying OS using OSProcess?
If it is not absolutely crucial to be 100% secure, then using lower-level may suffice. IMO, ultimately, the end-to-end argument cannot be denied, which is why we protect our sensitive bits at the core (e.g., the domain objects themselves)..
squeak-dev@lists.squeakfoundation.org