This post originated from an RSS feed registered with Agile Buzz by James Robertson. Original Post: Cryptography in VisualWorks Feed Title: Michael Lucas-Smith Feed URL: http://www.michaellucassmith.com/site.atom Feed Description: Smalltalk and my misinterpretations of life Latest Agile Buzz Posts Latest Agile Buzz Posts by James Robertson Latest Posts From Michael Lucas-Smith

This was a great presentation. The visual demonstration of the results of bad encryption were truelly inspired and brilliant. I really enjoyed this presentation.

True one-time pads are ineffecient in real life. Instead, symmetric and asymmetric keys are used. Symmetryic keys are used for bulk data encryption. Uses byte arrays to avoid string encoding issues.

Stream ciphers are a time-varying transformation on individual digits. Pike, A5, RC4, SEAL. Encrypted part of the slide using RC4 - big mess. Encrypted part of slide with the 'same key'. Then combined the two together - got a combination of both images - no-decryption required. Therefore, key re-use is catastrophic, do not do it. Good golden rule.

RC4 is very fast, which is why it's popular.

Block ciphers - fixed transformation on blocks (eg: 64, 128 bits). DES, IDEA, CAST, Blowfish, RC2, RC5.

DES has 64bit block size, 56 bit key (64 bites with parity), 16 rounds using 48 bit subkeys. It's approved but it's weak. Shouldn't use it any more.

The API is the same between stream and block cipher.. nice and simple for Smalltalkers. With block ciphers, you must encrypt a block of the right size. BlockPadding is used to make the right block size.

Should not use fixed blocks of text, result does not end up really encrypted. The block is encrypted but a higher level structure is unencrypted. The common approach is cipher block chaining mode. Doesn't have to be secret but it has to be random. Encrypted next block using last blocks result.

AES is the successor of DES. Blowfish is free.

Public key ciphers. Public and privcate keys. Hard to compute private from the public. Based on hard problems. Factoring, descrete logarithm. Much slower. Key encryption/exchange, signing. RSA, DSA, DH, ElGamal. Generally not used for bulk data since they're expensive. Encrypt with public key, decrypt with private key

Hash functions. Unlimited input size -> fixed output size. One-way only, hard to find the input for a given output. COllision resistant, hard to find two distinct inputs with the same output. It's a data 'finger-print'. MD2, MD4, MD5, SHA, RIPE-MD

missing section on Message Authentication (MAC)

Digital Signatures. Encrypt the text using the private key. You're the only one who can generate this signature and anyone who knows the public key can decrypt it and verify that it matches the text that you sent. Hash the plain text to send over. Both sides compare hashes with encrypt/decrypt, confirm that it's the same value.

Diffie-Hellman is used to use an unsecured connection to share a secret key. Both exchange public keys and send back a shared secret using the other persons public key and only they can decrypt using private key.

Question: OpenPGP, all components and wrappers to make it easy. a) No, not yet. Low priority since the spec is very big. They are working on it. Most of the framework is there.

Question: Why were some defunct a) Bit of both: increased computing power and flaws in the scheme

All of this is in Cincom Smalltalk. HMAC will be in 7.3

Question: Why build it? a) Wanted native encryption. More work than they expected.