Pure Python Data Mangling or Encrypting

Johannes Bauer dfnsonfsduifb at gmx.de
Sat Jun 27 06:18:29 EDT 2015


On 27.06.2015 11:17, Chris Angelico wrote:

> Good, so this isn't like that episode of Yes Minister when they were
> trying to figure out whether to allow a chemical factory to be built.

I must admit that I have no clue about that show or that episode in
particular and needed to read up on it:
https://en.wikipedia.org/wiki/The_Greasy_Pole

>> I must admit that I haven't seen your ideas in this thread?
> 
> No, the proposal I'm putting together is unrelated. You'll see the
> *vast* extent of my security skills here:
> 
> https://github.com/Rosuav/ThirdSquare
> 
> My contribution to this thread has been fairly minor, just suggesting
> one attack that doesn't even work any more, not much else.

Well, if people already have a solution ready there's a good chance that
any criticism falls on deaf ears. In any case something that others have
to be responsible for, their party, their choice.

I've looked at your code even though I don't know Pike. That's the
typesafe JavaScript derivative, isn't it?

The only thing that I found horrible was the ssh key format to PKCS
parsing. Man that's hacky :-) You're creating a DER structure on-the-fly
that you fill with the key and that you then have parsed back. I've only
seen ssh-keygen used to generate keys (not to initiate actual ssh
connections), why don't you use openssl to generate the keys? I think
you can generate an RSA keypair in openssl (also valid for ssh should you
need it) and I'm pretty sure that you can generate an ssh public key with
ssh-keygen from that private keypair file. That would eliminate the need
to do this kind of parsing, but it's just a PoC as I understand it.

It appears to be online-only, is that correct? Is Internet coverage so
good down under? I wish this were the case in Germany :-/

Not 100% sure about it, but I think that the bus concepts that are active in
Germany (locally in some cities) either use asymmetric transponders
(i.e. SmartMX), which gives a beautiful, decentralized, secure and
offline solution at the cost of being comparatively expensive. The
others use symmetric transponders which have limited off-line
functionality: i.e. monotonic counters which are reset in a
cryptographically secured way by backend systems every time an
online-connection persists and which are counted down in the offline case.

In any case, interesting. Thanks for sharing.
Best regards,
Johannes

-- 
>> Where EXACTLY did you predict the quake again?
> At least not publicly!
Ah, the latest and to date most brilliant stunt of our great
cosmologists: the secret prediction.
 - Karl Kaos on Rüdiger Thomas in dsa <hidbv3$om2$1 at speranza.aioe.org>
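
The symmetric-transponder scheme described in the message above (a counter that is counted down offline and reset by the backend in a cryptographically secured way), as an added sketch that is not from the original post or from any real ticketing system. The HMAC-SHA256 reset message, the sequence number used to reject replayed resets, and all class, field and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def _tag(key, card_id, seq, value):
    # MAC binds the reset to one card, one sequence number and one counter value
    msg = card_id + seq.to_bytes(4, "big") + value.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class Backend:
    """Online side (hypothetical): knows each card's key, issues resets."""
    def __init__(self):
        self.cards = {}  # card_id -> [key, last sequence number issued]
    def enroll(self, card_id, key):
        self.cards[card_id] = [key, 0]
    def issue_reset(self, card_id, value):
        entry = self.cards[card_id]
        entry[1] += 1
        return entry[1], value, _tag(entry[0], card_id, entry[1], value)

class Transponder:
    """Card side (hypothetical): counts down offline, checks every reset."""
    def __init__(self, card_id, key):
        self.card_id, self._key = card_id, key
        self.counter = 0   # remaining offline uses
        self.last_seq = 0  # highest reset sequence number accepted so far
    def apply_reset(self, seq, value, tag):
        expected = _tag(self._key, self.card_id, seq, value)
        if not hmac.compare_digest(expected, tag) or seq <= self.last_seq:
            return False   # forged tag, or replay of an old reset
        self.last_seq, self.counter = seq, value
        return True
    def spend_offline(self):
        if self.counter == 0:
            return False   # exhausted until the next online reset
        self.counter -= 1
        return True

def demo():
    key, card_id = bytes(range(32)), b"CARD0001"  # constructed sample values
    backend, card = Backend(), Transponder(card_id, key)
    backend.enroll(card_id, key)
    reset1 = backend.issue_reset(card_id, 2)
    out = {"first_reset": card.apply_reset(*reset1)}
    out["rides"] = [card.spend_offline() for _ in range(3)]
    out["replay"] = card.apply_reset(*reset1)           # same message again
    out["forged"] = card.apply_reset(9, 50, bytes(32))  # no valid MAC
    out["second_reset"] = card.apply_reset(*backend.issue_reset(card_id, 3))
    out["counter"] = card.counter
    return out
```

Because the key is symmetric, whoever can verify a reset can also forge one, so in this model only the card and the backend hold it; offline readers can only ask the card to count down.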


