Date: Fri, 10 Dec 2004 12:52:43 -0500
From: David Schultz <das@FreeBSD.ORG>
To: Colin Percival <colin.percival@wadham.ox.ac.uk>
Cc: freebsd-arch@FreeBSD.ORG
Subject: Re: Adding standalone RSA code
Message-ID: <20041210175243.GA28803@VARK.MIT.EDU>
In-Reply-To: <41B92CF3.2090302@wadham.ox.ac.uk>
References: <41B92CF3.2090302@wadham.ox.ac.uk>
On Thu, Dec 09, 2004, Colin Percival wrote:
> I'd like to add a new library for lightweight barebones RSA
> computations, and associated commandline rsa-makekey, rsa-sign,
> and rsa-verify utilities.
>
> To a certain extent, this duplicates existing functionality
> (openssl), but I think my code has important advantages which
> justify the duplication:
> 1. It is lightweight (around 2% of the size of openssl), which
> may allow it to be used in memory-limited environments,
> 2. It is far more auditable, due to its smaller size, and
> 3. It is designed for security rather than performance; I made
> certain design decisions which result in my code being rather
> slower than openssl as a result of a desire to avoid potential
> attack vectors.
>
> My reason for wanting to add this code is that I'm using it
> in FreeBSD Update (and recently portsnap as well) and this is
> the first step towards migrating that into the base system.

I'm not sure I agree with your point (2). My concern is that just because a library is small and open source doesn't mean it's secure. Consider, for instance, that Kerberos version 4 had design-level vulnerabilities that were unnoticed for well over a decade. The OpenSSL library has an advantage over yours in that it has been vetted by numerous cryptographers, owing to its popularity. Textbook descriptions of RSA are often deceptively simple, but turn out to have subtle flaws without the appropriate padding (e.g. OAEP) and careful key generation. Besides that, the OpenSSL developers have already been forced to address even more obscure problems such as timing analysis attacks. I don't mean to suggest that you're not aware of these issues, but this stuff can be tricky, and I've seen home-brewed cryptography (e.g. iterated hash construction) done wrong before.

Moreover, your point (1) doesn't seem particularly relevant for FreeBSD. We don't target systems that lack sufficient memory for OpenSSL, and there are existing RSA implementations that are designed for embedded systems.
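The padding point David raises above is easy to see concretely. The following pure-Python script is an added example, not code from this thread, from OpenSSL, or from the library Colin describes: it contrasts unpadded "textbook" RSA (deterministic and multiplicatively malleable) with RSA-OAEP as specified in RFC 8017 (randomized, and any ciphertext manipulation is rejected on decryption). The toy key size (two 512-bit primes), SHA-256 as the OAEP hash, the empty label, and all function names are assumptions made for the demonstration; the Miller-Rabin key generator is deliberately minimal and stands in for the "careful key generation" a real library must do.

```python
"""Why textbook RSA needs padding such as OAEP (RFC 8017): a constructed pure-Python
demonstration, not code from the thread, OpenSSL or Colin's library. Toy-size key."""
import hashlib
import secrets

HLEN = hashlib.sha256().digest_size  # 32 bytes; the OAEP label is empty throughout

def is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a demonstration key (candidates are >= 2**511)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_key(bits=1024, e=65537):
    """Return (n, e, d). Minimal on purpose; a production generator checks far more."""
    def random_prime(b):
        while True:
            cand = secrets.randbits(b) | (1 << (b - 1)) | 1  # force top bit, make odd
            if is_probable_prime(cand):
                return cand
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def textbook_encrypt(n, e, m):
    return pow(m, e, n)  # no padding: deterministic and multiplicatively malleable

def textbook_decrypt(n, d, c):
    return pow(c, d, n)

def mgf1(seed, length):
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(-(-length // HLEN)))  # ceil(length / HLEN) blocks
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(message, k):
    """EME-OAEP encoding (RFC 8017 section 7.1.1) with a fresh random seed."""
    if len(message) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    lhash = hashlib.sha256(b"").digest()
    db = lhash + b"\x00" * (k - len(message) - 2 * HLEN - 2) + b"\x01" + message
    seed = secrets.token_bytes(HLEN)
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k):
    """EME-OAEP decoding: one combined check, one error (a real one is constant-time)."""
    lhash = hashlib.sha256(b"").digest()
    y, masked_seed, masked_db = em[0], em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    idx = db.find(b"\x01", HLEN)  # first 0x01 after lHash; bytes before it must be 0
    if not (y == 0 and db[:HLEN] == lhash and idx != -1 and not any(db[HLEN:idx])):
        raise ValueError("decryption error")
    return db[idx + 1:]

def oaep_encrypt(n, e, message):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(oaep_encode(message, k), "big"), e, n)

def oaep_decrypt(n, d, c):
    k = (n.bit_length() + 7) // 8
    return oaep_decode(pow(c, d, n).to_bytes(k, "big"), k)

def demonstrate():
    """Contrast the two schemes on a fresh key; returns a dict of findings."""
    n, e, d = generate_key()
    m1, m2 = 42, 1000
    c1, c2 = textbook_encrypt(n, e, m1), textbook_encrypt(n, e, m2)
    msg = b"constructed sample plaintext"
    o1, o2 = oaep_encrypt(n, e, msg), oaep_encrypt(n, e, msg)
    try:
        oaep_decrypt(n, d, o1 * o2 % n)  # product of two valid OAEP ciphertexts
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "textbook_deterministic": c1 == textbook_encrypt(n, e, m1),
        "textbook_malleable": textbook_decrypt(n, d, c1 * c2 % n) == m1 * m2 % n,
        "oaep_randomized": o1 != o2,
        "oaep_rejects_tampering": tamper_rejected,
        "oaep_roundtrip": oaep_decrypt(n, d, o1) == msg,
    }
```

Running `demonstrate()` reports that the textbook ciphertext of 42 is identical every time and that the product of two textbook ciphertexts decrypts to 42 × 1000, while two OAEP encryptions of the same message differ and their product fails decoding. The single folded check in `oaep_decode` is the part a reviewer should look at hardest: it is where an implementation that reports which check failed, or takes a different amount of time to fail, hands information to an attacker, which is the timing-analysis class of problem David mentions OpenSSL already had to address.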