Pure Python Data Mangling or Encrypting
Johannes Bauer
dfnsonfsduifb at gmx.de
Sat Jun 27 05:12:07 EDT 2015
On 27.06.2015 10:38, Steven D'Aprano wrote:
> Can you say "timing attack"?
>
> http://codahale.com/a-lesson-in-timing-attacks/
>
> Can you [generic you] believe that attackers can *reliably* attack remote
> systems based on a 20µs timing differences? If you say "No", then you fail
> Security 101 and should step away from the computer until a security expert
> can be called in to review your code.
Yes, as people do more and more proper crypto (in contrast to crappy
stuff like LFSR-based custom keystream generators and such), side
channels become of great importance.
> I'm not a security expert. I'm not even a talented amateur. *Every time* I
> suggest that "X is secure", the security guy at work shoots me down in
> flames. But nicely, because I pay his wages <wink>
:-)
Being shot down in flames is the way to become a security expert,
probably the *only* way. I don't know anyone who is an expert who hasn't
had that horrible experience at least a dozen of times.
It is amazing how many holes you can poke in designs if you look at it
from enough angles. Having holes poked in my designs gives you a
thourough appreciation for the true crypto experts (i.e. people doing
theoretical cryptography).
Best regards,
Johannes
--
>> Wo hattest Du das Beben nochmal GENAU vorhergesagt?
> Zumindest nicht öffentlich!
Ah, der neueste und bis heute genialste Streich unsere großen
Kosmologen: Die Geheim-Vorhersage.
- Karl Kaos über Rüdiger Thomas in dsa <hidbv3$om2$1 at speranza.aioe.org>
More information about the Python-list
mailing list