Pure Python Data Mangling or Encrypting

Chris Angelico rosuav at gmail.com
Sat Jun 27 05:17:16 EDT 2015


On Sat, Jun 27, 2015 at 7:07 PM, Johannes Bauer <dfnsonfsduifb at gmx.de> wrote:
> On 27.06.2015 10:53, Chris Angelico wrote:
>> On Sat, Jun 27, 2015 at 6:38 PM, Steven D'Aprano <steve at pearwood.info> wrote:
>>> I'm not a security expert. I'm not even a talented amateur. *Every time* I
>>> suggest that "X is secure", the security guy at work shoots me down in
>>> flames. But nicely, because I pay his wages <wink>
>>
>> Just out of interest, is _anybody_ active in this thread an expert on
>> security?
>
> Yes. I've done a good 10 years of work in the field doing security
> (mostly applied cryptography on embedded systems with a focus on side
> channels like DPA, but also security concepts and threat/risk analysis)
> and spent the last 3-4 years working on my PhD in the field of IT
> security. My thesis is almost(tm) finished. I would claim to be an
> expert, yes.

Good, so this isn't like that episode of Yes Minister when they were
trying to figure out whether to allow a chemical factory to be built.

>> I certainly am not, which means that the proposal I'm
>> currently putting together probably has a whole bunch of
>> vulnerabilities that I haven't thought of. (Though there's no emphasis
>> on encryption anywhere, just signing. I'm *hoping* that RSA public key
>> verification is sufficient, but if it isn't, it would be possible for
>> a malicious user to make a serious mess of stuff.) But I'm under no
>> delusions. I don't say "this is secure" - all I'm saying is "this
>> works in proof-of-concept".
>
> I must admit that I haven't seen your ideas in this thread?

No, the proposal I'm putting together is unrelated. You'll see the
*vast* extent of my security skills here:

https://github.com/Rosuav/ThirdSquare

My contribution to this thread has been fairly minor, just suggesting
one attack that doesn't even work any more, not much else.

ChrisA


