Python Buzz Forum
Notes on implementing TLS. #1: Reasons for.

Dmitry Dvoinikov

Posts: 253
Nickname: targeted
Registered: Mar, 2006

Dmitry Dvoinikov is a software developer who believes that common sense is the best design guide
Notes on implementing TLS. #1: Reasons for. Posted: Apr 17, 2011 10:01 PM
This post originated from an RSS feed registered with Python Buzz by Dmitry Dvoinikov.
Original Post: Notes on implementing TLS. #1: Reasons for.
Feed Title: Things That Require Further Thinking
Feed URL: http://feeds.feedburner.com/ThingsThatRequireFurtherThinking
Feed Description: Once your species has evolved language, and you have learned language, [...] and you have something to say, [...] it doesn't take much time, energy and effort to say it. The hard part of course is having something interesting to say. -- Geoffrey Miller
The last few months I've been busy implementing TLS protocol support for this product of ours. It's in fairly good shape by now and I'd like to share a few thoughts.

First of all, why have our own implementation when there are existing ones? Actually, there are quite a few reasons.

1. We need it to support the Russian GOST family of cryptoalgorithms.
2. In Russia one cannot freely implement GOST; only the use of certified libraries produced by state-accredited companies is allowed.
3. We need it tightly integrated with our existing product. For example, different such crypto libraries may need to be used simultaneously.
4. To make things worse, one option is to have crypto operations done by a hardware token or smart card.

Therefore, in the worst case you have a USB dongle with GOST support inside, and you have to pass all crypto operations through it. Not just the private key operations: even a simple hash you can't compute outside it.

One other thing is that the product is not crypto-centric. We need a client-server tunnel in which the server supports hundreds if not thousands of connections and utilizes multiple cores effectively. This asks for a different approach, in which you think about the server architecture upfront and leave a modest place for cryptography. It leaves a lot more room for maneuver.

Besides, doing things is fun!

Read: Notes on implementing TLS. #1: Reasons for.
