[cryptography] QODE(quick offline data encryption)

shawn wilson ag4ve.us at gmail.com
Wed Jan 7 15:05:52 EST 2015


On Wed, Jan 7, 2015 at 2:40 PM, Jeffrey Goldberg <jeffrey at goldmark.org> wrote:
> On 2015-01-07, at 12:26 PM, Kevin <kevinsisco61784 at gmail.com> wrote:
>
>>    Any company could review it and decide if it's worth using or not.
>
> Hi Kevin.
>
> Actually that’s a part of my job within the company I work for. I’m the one who can read some of the primary literature in cryptography. Now this makes me unusual, not a lot of companies
> our size have someone with my skills.
>

And I'm betting they're Fortune 100. My point is, the company I work
for does pentesting and have seen so many issues with information that
people thought was "encrypted" not being "encrypted" and then leaked
because it was only obfuscated with some base32/64 or w/e and maybe
rotated by some value or w/e. It's kinda insane what people will do
instead of using a well vetted crypto library. So I'm fearful that
we'll stumble across someone using your library by finding some issue
with it and the client says "well, we encrypted it" and then "well,
obviously not".

OTOH, people will be people. If you want to keep it available and hope
that no one uses it in production and that someone reviews it *shrug*.
If someone uses it vs making their own system, hopefully you're
smarter than them (probably) and it'll be harder to break than w/e
they might've done. And it would probably be a good learning exercise
if an "expert" got back to you with issues.


More information about the cryptography mailing list