Java

[GAJSS] Crytpography for Programmers

I had a good bit on this talk, but JRoller’s habit of eating a post when you “Save as Draft” but the session has expired killed it. Stuart Halloway gave a fairly good overview of key cryptography concepts. Not enough to write your own algorithm, just enough to be dangerous, and probably enough to effectively use existing alogrithms in your application, which is really all most of us need anyhow. He alleges, based on the advice of several colleagues, that the JKS Java keystore implementation is NOT secure, and should not be used. Another nugget is that when generating random numbers for security-sensitive purposes, use SecureRandom, not the basic math package Random implementation. Past that, it’s mostly been an overview of key crypto concepts, keys, symmetric and asymmetric encryption, hashes, stuff like that.

Probably the most compelling point is that when evaluating the security of a crypto algorithm, the standard metrics that are spewed – key length, block size, etc. aren’t really relevant. What IS relevant is that number of steps required to break the crypto. And let me reiterate what should be obvious – unless you are an encryption expert, you are best off using the known, time-tested algorithms without known exploits, rather than attempting to write your own.

Advertisements