Re: [DotGNU]Encryption protocols

[Rhys Weatherley]

On Sunday 09 March 2003 07:19 pm, Peter Minten wrote:

> I promised on IRC yesterday to look into openssl and which parts of it are
> useful to DotGNU. A quick look revealed that 2 protocols might be very
> useful: RSA and blowfish. RSA is good for the authentication (since it uses
> public and private keys) and blowfish is good for the encryption of
> communication.

This is pretty standard for encrypted channels.  The trick is not so much the 
algorithms involved (RSA, blowfish, SHA, etc), but the way they are used in 
combination.  There are ways of using RSA with blowfish, for example, that 
can be very insecure if you aren't careful.

A lot of work has gone into SSL/TLS to make sure that the algorithms are used 
correctly in combination.  It is would be very dangerous for DotGNU to make 
up a new session protocol.  It would be better to use the standard directly.

Pnetlib does currently have implementations of the core algorithms involved 
under System.Security.Cryptography.  Perhaps someone can take it as an action 
item to write an SSL/TLS implementation on top in C#.  Or perhaps instead 
take an action item to PInvoke-wrap OpenSSL and/or GnuPG for use in C# 
applications.  The latter is likely to be easier, and less likely to get 
wrong, but don't let that stop you.  A pure C# implementation would be kind 
of cool.

Cheers,

Rhys.