On Thu, Aug 03, 2006 at 08:16:39PM +0200, Ulf Harnhammar wrote:
> On Wed, Aug 02, 2006 at 10:47:00PM +0000, Brian M. Carlson wrote:
> > Oh, and hi. I've been reading for a while, but I just haven't gotten
> > around to auditing anything lately. Just for the record, I am not a
> > cryptographer, but I know enough about cryptography to know how things
> > work and what problems usually happen with it. I also write crypto code
> > on occasion.
Welcome, Brian :-)
> Nice! It would be useful if you would take a look at various Debian packages
> that implement some kind of encryption and start making noise if you find
> things that are obviously insecure (Caesar ciphers, hiding data with XOR,
> or whatever usual mistakes people do). I don't think anyone has done that,
> at least systematically, so it would be appreciated.
In case you are interested in other packages that could stand a
crypto review, let me just quickly plug my own :-)
We have recently done lots of work on partman-crypto (block
device encryption support in debian-installer) to the point that
we think we can release it with etch. It adds support for both
dm-crypt(LUKS) and loop-AES and _should_ have as sound basic
primitives as those underlying crypto systems.
That said, there are actually several steps in setting up the
crypto systems that we have to handle ourselves, mostly related
to key generation/handling and protecting things from getting
swapped out to disk. Overall that makes me quite cautious about
releasing it for production use before someone knowledge- able
has had a chance to review the code.
Just in case you happen to have time and motivation to give
it a review, you can find the code in the archive and fetch it
using svn [0]. I'm more than happy to discuss any questions,
write high-level descriptions of what it does, or work on any
other suggestions you might have. Just let me know :-)
cheers,
Max
--
0. svn co svn://svn.debian.org/d-i/trunk/packages/partman/partman-crypto
|
