top | item 4780098

(no title)

0xABADC0DA | 13 years ago

The real problem is the software libraries are just as hard.

Take OpenSSL for example... it's almost easier to learn the crypto than to figure out the API. Here's a good one: an SSL read/write operation can fail with more than one error, and if you don't clear or loop through all the errors then the next operation will fail because of the previous errors -- even if it succeeded. Or just try getting it to work with non-blocking sockets, you finally believe it is working and surprise it fails only once the network gets saturated. Or hours later when it renegotiates the crypto.

And you still have to know all the crypt terms to use it. What's a PEM? A BIO? PKCS? DHparams? What's "ASCII armor"? X509? Did SSL_library_init() add weak algorithms? Why do I have to know this just to create a secure connection?

Most of blame for crypto problems belongs to the libraries not the developers using them.

discuss

tptacek|13 years ago

Don't use OpenSSL, don't use Crypto++, don't use CommonCrypto, don't use CryptoAPI. Those are expert interfaces and you'll get them wrong.

Instead, use NACL or Keyczar. Those are high-level interfaces designed to help generalist developers not make mistakes.