[cryptography] Oddity in common bcrypt implementation

Sampo Syreeni decoy at iki.fi
Mon Jun 27 19:30:38 EDT 2011


On 2011-06-20, Marsh Ray wrote:

> I once looked up the Unicode algorithm for some basic "case 
> insensitive" string comparison... 40 pages!

Isn't that precisely why e.g. Peter Gutmann once wrote against the 
canonicalization (in the Unicode context, "normalization") that ISO 
derived crypto protocols do, in favour of the "bytes are bytes" approach 
that PGP/GPG takes?

If you want to do crypto, just do crypto on the bits/bytes. If you 
really have to, you can tag the intended format for forensic purposes 
and sign your intent. But don't meddle with your given bits. 
Canonicalization/normalization is simply too hard to do right or even to 
analyse to have much place in protocol design.
-- 
Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front
+358-50-5756111, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2



More information about the cryptography mailing list