lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 29 May 2014 14:57:39 -0700
From: "CIURANA EUGENE (pr3d4t0r - Full Disclosure)" <fulldisclosure@...e.net>
To: <fulldisclosure@...lists.org>
Subject: Re: [FD] Full disk encryption for OS X alternative to TrueCrypt

 

On 2014-05-29 14:46, Mike Cramer wrote: 

> You need to ask yourself
a question:
> 
> How well do you know coding and encryption handling to
ensure that your
> software doesn't have unintentional back doors and/or
information
> disclosure? This is a serious question because it requires
serious answers
> when you're dealing with cryptography. The weakest
part of the security
> system should not be the application.
> 
> What
libraries would you use for encryption? If any? I assume you would
>
leverage AES. Would the library you choose to use support AES-NI? Would
you
> use the Intel CPU-based PRNG?
(http://en.wikipedia.org/wiki/RdRand)
> 
> I think it's reasonable to
assume that the "many eyes" approach to software
> security doesn't
really work. So simply saying you'll release it as GPL I
> don't think
should be considered "good enough" anymore when it comes to
>
encryption. The myriad of flaws in OpenSSL over the years both upstream
and
> in distributions should be a serious wake-up call on this one.
>

> My recommendation would be to use FileVault/Bitlocker/OS
implementations
> unless you can come up with a good reason why not to
do so.

Mike, 

Well aware of the Intel PRNG issues and others
(http://twitter.com/ciurana -- I covered them when they happened and
continue to address them). 

Ditto on the encryption: I know it well
enough to come up with an initial implementation, and be conscious of
the limitations of my coding. Part of this plan consists on establishing
an auditing process from the get go, not unlike OpenBSD's, where
security is built into the process, not only into the code and reviewed
as an after thought. 

I want to have more than one block encryption
algorithm built into it, different digests, and so on. 

Libraries,
features selection, etc. are still in a preliminary stage. First I want
to gauge level of interest. 

Would you like to help? :) 

Cheers!


pr3d 

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ