[kaoD]

Something tells me a conspirator wouldn't be required anyways. Your security is either sound or broken, i.e. probably broken unless you use proven implementations of proven cryptosystems with proven configurations.

E.g. even if RSA is (currenly) safe, as well as its primitives and common configuration... rolling your own implementation will probably be subject to timing attacks.

[stcredzero]

Something tells me a conspirator wouldn't be required anyways.

The conspirator is there to teach about Defense in Depth. Systems that rely on just 1 "impenetrable" membrane tend to be brittle. Their failure is catastrophically sudden and complete, like glass breaking. Glass is way harder than steel, but steel structures are much more robust, because steel's ductility allows for partial failures and continued resistance/integrity.

Your security is either sound or broken

What about "Defense in depth?"

[marcosdumay]

Defense in depth mostly does not work (against willful targeted attacks).

Software is not the real world where things bend. If a barrier is sane, it will stand, nobody will break it. But no matter how many non-sane barriers you add, you can not turn them into a sane one. The only thing you will achieve is to increase your system complexity and get more bugs as a result.

[mSparks]

only one encryption scheme works against "willful targeted attacks" - the one time pad (and even that has potential for going wrong)

All the others are about making the effort required greater than the will to get there in favor of usability.

All the standard libraries stop at "miniscule effort for a state".

And states aren't even "the big boys" anymore.

[mSparks]

since im not in the market for downvoting. ill just say.

eh.

RSA is a simple formula. takes a bit of fiddling and skill to get BigIntegers working. but anyone who passed highschool algebra could roll their own. in fact many high schools even set it as homework.

timing attacks you say. erm, not remotely connected.

[munin]

If you implement RSA from the textbook, as a simple formula, you'll leave yourself vulnerable to padding based attacks that can recover the private key. It turns out that though the formulas are straightforward and the math can be explained after a decent undergraduate education, the implementation is still very subtle.

[mSparks]

padding attacks are only really related to encrypting data not sharing the product of two very large primes. You clearly havent got the faintest idea what you are talking about.

Rather than putting the rest of us at risk by putting zero value on the security of anything you make and guessing someone [a spook] will do it for you, why dont you recommend everyone takes some time out to at least learn the basics.

Yes, there are several "mines" you need to be wary of.

But they all pale into insignificance compared to linking openssl and thinking you are done.

[kaoD]

> timing attacks you say. erm, not remotely connected.

Fine, I'll trust your overwhelming evidence instead of the many timing attacks described against RSA implementations.

[mSparks]

All those attacks are "theoretical". As opposed to actually having been usefull in the wild - FUD (heartbleed otoh.....).

padding -> irrelevent to an RSA public key, everyone has to know the exact modulus and product, even the bad guys (although I recommend keeping public keys relatively secret)

timing -> irrelevent to an RSA public key, there is nothing you can get from how long it takes to decrypt or encrypt even 1024 bits of data (which is more than most impliementations even send), sometimes the exact same data will take 1ms, sometimes 100ms, it depends what else the machine is doing at the time.