[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[iaik-jce] Some small problems with your distribution




to: jce-support@iaik.tu-graz.ac.at
Dear Dr. Platzer (or whoever responsible for the product),

I downloaded your software recently (V2.51) for studying purposes
because I think we all need to know more about the security systems
we will be using in the near future.

Let me first congratulate you for what appears to be a very good
documentation that goes with the package. As I am not a security
specialist I cannot really evaluate the actual implementation,
but I am pretty confident it is of the same high standards.

Nevertheless, I wante to point out two (rather small) problems I had
with the package. First of all, I could not properly download
the jar files you have on your download page
(http://jcewww.iaik.tu-graz.ac.at/download.html).
When running jar tvf <file>.jar on them I get an error messsage.
The problem is that somewhere the NL bytes in the jar have been
converted into CR/NL. I could verify this by runnning a
CR/NL -> NL conversion program on two of them
(idea.jar and rsa_rc4.jar) after which the seem to be fine
(this did not work on iaik_jce_full.jar as there seem to be a couple of
CR/LF sequences which are genuine, and should not be converted into NL).

So the problem is either that Netscape (I tied both V3 and V4.5),
when downloading them using the "save link as" convert LF to CR/LF
(I would be surprised if this is really the case, I have not seen
this before, but I have not yet downloaded jar files before either),
or else someone at your site has ftp'ed these files in ASCII mode.
Could you please verify this problem and fit it if possible?

A second problem I have, which is maybe not really related
to your software, is thet there is no keystore management utility
included in the package. Granted, we could all use SUN's keytool
utility, but it seems that SUN's implementation does not support
the use of secret keys (for well known reasons), which considerably
cripples their distribution.
Of course, we can all write our own implementation of
a keytool utility, but this if not a very efficient use
of our (precious) time.

One last word about the general security aspects of using your package.
As I am a newcomer to this field I'm not sure my views are correct
but if I were paranoid about security I would also like to check the
source code of some of the programs I'm using, to make sure there are
no trapdoors in them (for instance, under pressure of the U.S.
governement,
not likely for software developed outside the US, I would think).
This especially would apply to the keytool program mentioned above.
On the other hand, I can imagine why you don't like to make the sources
to your code public. One possible solution would be to sign the jar
files you distribute, and include one or more certificate chains for them.
This, together with a contractual statement that you properly
implemented the algorithms according to well -know public standards
would constitute a more stringent commitment from your side.

At any rate, thank you for the high quality of your package and maybe
in the future, if ever I need an implementation for a project I will
recommend your package.

Guido De Vos
guvos@access.inet.co.th

(Note that I will return to Belgium shortly, but my email address
here in Thailand will probably remain valid at least till the end
of the year.



--
Mailinglist-archive at http://jcewww.iaik.tu-graz.ac.at/mailarchive/iaik-jce/maillist.html

To unsubscribe send an email to listserv@iaik.tu-graz.ac.at with the folowing content: UNSUBSCRIBE iaik-jce