Path: csiph.com!usenet.pasdenom.info!news.redatomik.org!newsfeed.xs4all.nl!newsfeed8.news.xs4all.nl!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.021 X-Spam-Evidence: '*H*': 0.96; '*S*': 0.00; 'subject:Python': 0.05; 'extent': 0.07; 'finished.': 0.07; 'mess': 0.09; 'security.': 0.09; 'url:github': 0.09; 'cc:addr:python-list': 0.10; 'thread': 0.10; '"this': 0.13; 'suggest': 0.15; '7:07': 0.16; 'encryption': 0.16; 'expert,': 0.16; 'expert.': 0.16; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'interest,': 0.16; 'minor,': 0.16; 'security?': 0.16; 'sufficient,': 0.16; 'thread?': 0.16; 'wrote:': 0.16; '>>>': 0.20; 'cc:2**0': 0.21; 'cc:addr:python.org': 0.21; 'trying': 0.22; 'fairly': 0.22; 'saying': 0.22; 'of.': 0.22; 'phd': 0.22; '2015': 0.23; 'sat,': 0.23; "haven't": 0.24; "i've": 0.24; 'header:In-Reply-To:1': 0.24; 'chris': 0.26; 'figure': 0.27; 'not,': 0.27; 'talented': 0.27; 'message-id:@mail.gmail.com': 0.28; "doesn't": 0.28; "i'm": 0.29; 'built.': 0.29; 'no,': 0.29; 'certainly': 0.31; 'putting': 0.31; 'probably': 0.32; 'embedded': 0.32; "d'aprano": 0.33; 'steven': 0.33; 'received:google.com': 0.34; 'done': 0.35; "isn't": 0.35; 'but': 0.36; 'possible': 0.36; 'subject:: ': 0.37; 'thought': 0.37; 'say': 0.38; 'doing': 0.38; 'means': 0.39; 'pm,': 0.39; 'field': 0.60; 'yes': 0.60; 'your': 0.60; 'even': 0.61; 'claim': 0.61; "you'll": 0.61; 'side': 0.62; 'here:': 0.62; 'expert': 0.63; 'else.': 0.66; 'subject:Data': 0.66; '3-4': 0.72; 'verification': 0.73; '*every': 0.84; 'chemical': 0.84; 'chrisa': 0.84; 'episode': 0.84; 'malicious': 0.84; 'to:none': 0.90; 'cryptography': 0.91; 'minister': 0.91; 'thesis': 0.91; 'anywhere,': 0.93; 'good,': 0.93; 'serious': 0.97 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:cc :content-type; bh=240kTuHzZhbCxtu2GU8kIlyCjkmo79hJ3xbmQLFEWNM=; b=U7nR5oEmR3Zn3zd4GwzmAZmvjPXnlpIfDfkqb179A/ffssV2DfBHZaovA54qlT1FNT 74IelNHgB5m2hvN0oQLXco6Ar+60n+5+vrWuLWn7cgaBL5bCorMADAnR83QbUAOnIyHD 7dDLgs615GPjNs5NIacHdxm6TUlzRB3iVsM5+wtltEM8+o1eqt7RpTqmhR+7nmcQ6HxV AibB47ny+1LtsNL92SOFTx9pADiXi+AXM9kzkDmW/AS3GfmgqgT2ZSU1Bvezfcob8jfX 1aFAjilTyqbWLJL2deRoVUTbawD2Sm/2EC4zLM1+ZJgEdFXhr6MwJJr7z6qv0bdk0X0c zjfg== MIME-Version: 1.0 X-Received: by 10.107.131.145 with SMTP id n17mr7424526ioi.53.1435396636959; Sat, 27 Jun 2015 02:17:16 -0700 (PDT) In-Reply-To: References: <558b7e85$0$1648$c3e8da3$5496439d@news.astraweb.com> <558bc912$0$2899$c3e8da3$76491128@news.astraweb.com> <558c1a7e$0$1668$c3e8da3$5496439d@news.astraweb.com> <558d86b0$0$1659$c3e8da3$5496439d@news.astraweb.com> <558e1ac6$0$1675$c3e8da3$5496439d@news.astraweb.com> <558e610f$0$1648$c3e8da3$5496439d@news.astraweb.com> Date: Sat, 27 Jun 2015 19:17:16 +1000 Subject: Re: Pure Python Data Mangling or Encrypting From: Chris Angelico Cc: "python-list@python.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.20+ Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 40 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1435396645 news.xs4all.nl 2839 [2001:888:2000:d::a6]:55082 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:93234 On Sat, Jun 27, 2015 at 7:07 PM, Johannes Bauer wrote: > On 27.06.2015 10:53, Chris Angelico wrote: >> On Sat, Jun 27, 2015 at 6:38 PM, Steven D'Aprano wrote: >>> I'm not a security expert. I'm not even a talented amateur. *Every time* I >>> suggest that "X is secure", the security guy at work shoots me down in >>> flames. But nicely, because I pay his wages >> >> Just out of interest, is _anybody_ active in this thread an expert on >> security? > > Yes. I've done a good 10 years of work in the field doing security > (mostly applied cryptography on embedded systems with a focus on side > channels like DPA, but also security concepts and threat/risk analysis) > and spent the last 3-4 years working on my PhD in the field of IT > security. My thesis is almost(tm) finished. I would claim to be an > expert, yes. Good, so this isn't like that episode of Yes Minister when they were trying to figure out whether to allow a chemical factory to be built. >> I certainly am not, which means that the proposal I'm >> currently putting together probably has a whole bunch of >> vulnerabilities that I haven't thought of. (Though there's no emphasis >> on encryption anywhere, just signing. I'm *hoping* that RSA public key >> verification is sufficient, but if it isn't, it would be possible for >> a malicious user to make a serious mess of stuff.) But I'm under no >> delusions. I don't say "this is secure" - all I'm saying is "this >> works in proof-of-concept". > > I must admit that I haven't seen your ideas in this thread? No, the proposal I'm putting together is unrelated. You'll see the *vast* extent of my security skills here: https://github.com/Rosuav/ThirdSquare My contribution to this thread has been fairly minor, just suggesting one attack that doesn't even work any more, not much else. ChrisA