
Re: [GNU Crypto] PRNG and Base64


From: Raif S. Naffah
Subject: Re: [GNU Crypto] PRNG and Base64
Date: Sun, 14 Sep 2003 12:46:10 +1000
User-agent: KMail/1.5.1


On Sat, 13 Sep 2003 05:25 pm, Casey Marshall wrote:
> On Fri, Sep 12, 2003 at 02:38:19PM -0000, Anthony Green wrote:
> > Hello,
> >
> > I've started using GNU Crypto for an app, so thank you very much!

excellent!


> > I started using it before reading the README file, and quickly
> > noticed that my random numbers didn't seem so random.  I'm
> > wondering if it's possible for somebody not to notice...  My
> > suggestion is that GNU Crypto _releases_ should have
> > PRNG.REPRODUCABLE = false in order to help prevent a tragedy.

the default value was chosen to be true in order to facilitate testing
and debugging of the library.  this was, and to a lesser degree still
is, important when bugs in the jdk are discovered; e.g. the method
BigInteger.isProbablePrime() in jdk versions pre-1.4.

but your point is still valid.  production code should not suffer from
programmers' aim for convenience.  maybe the solution is to use an
instance with pre-determined parameters for code that needs a prng with
reproducible output, and have PRNG behave, always, as non-reproducible.

i'll have a closer look at the code and see what can be done.


> > I had to borrow a Base64 encoder/decoder from Bouncy Castle because
> > I couldn't find one in GNU Crypto.  That might be a useful addition
> > to gnu.crypto.util (or am I just not finding one?).  Would you
> > accept a patch, or is this out of scope?
>
> The next version (2.0) looks like it will have a Base64 class; it's
> in CVS right now in the class gnu.crypto.util.Base64.
>
> <http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/gnu-crypto/gnu-crypto/source/gnu/crypto/util/Base64.java?rev=1.2&content-type=text/plain>...

correct.

you may want to use the version in CVS, which includes more algorithms
than the released version.  but beware, there's a problem
building/using it (a GCJ-friendly version) with the latest GCJ.  i
asked people more knowledgeable about GCJ than me to look into this and
hopefully this problem should be solved soon.


btw. are you using the shared library version, or just the jars?

cheers;
rsn
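The design Raif proposes above (the default generator is always non-reproducible, and deterministic output is only available through an explicit, opt-in instance) sketched as an added example; this is illustrative Python, not GNU Crypto's code, and the HMAC-SHA256 counter generator, the `for_testing` factory and the `is_reproducible` sanity check are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional


class PRNG:
    """Illustrative HMAC-SHA256 counter generator (constructed example).

    PRNG() is always seeded from os.urandom, so two fresh instances never
    share a stream.  Reproducible output exists only behind the explicit
    PRNG.for_testing(seed) factory, so a release build cannot ship with
    a "reproducible by default" setting that a caller might not notice.
    """

    def __init__(self, _fixed_seed: Optional[bytes] = None) -> None:
        # Callers are expected to use PRNG(); _fixed_seed is only set by for_testing().
        self._key = _fixed_seed if _fixed_seed is not None else os.urandom(32)
        self._counter = 0

    @classmethod
    def for_testing(cls, seed: bytes) -> "PRNG":
        """Deterministic instance for unit tests and debugging; opt-in by name."""
        return cls(_fixed_seed=seed)

    def next_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._counter += 1
            block = self._counter.to_bytes(8, "big")
            out += hmac.new(self._key, block, hashlib.sha256).digest()
        return out[:n]


def is_reproducible(factory: Callable[[], PRNG], n: int = 32) -> bool:
    """The check Anthony effectively ran by eye: build two generators the same
    way and compare their first n bytes.  True means the output is reproducible,
    which is only acceptable for the explicit for_testing() path."""
    return factory().next_bytes(n) == factory().next_bytes(n)


if __name__ == "__main__":
    print("default PRNG reproducible:", is_reproducible(PRNG))
    print("for_testing reproducible:",
          is_reproducible(lambda: PRNG.for_testing(b"constructed-test-seed")))
```

A release test suite can assert `not is_reproducible(PRNG)` so that a convenience default cannot silently reach production.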