encryption quality assurance

0 views
Skip to first unread message

DavidG

unread,
Dec 4, 2009, 1:15:13 PM12/4/09
to Clipperz
Hi,

This is an incredibly cool idea - but of course, with something so
sensitive, one really wants to be sure things are working correctly.

How do you verify that the encryption code written in JavaScript is
"correct"? In particular, how do you test the system so that you can
be assured that the encryption results are the same as those which
would be obtained from "reference" code (presumably, written in C or
Java or something similar)?

I am hardly an encryption expert - but before diving into using and
recommending this system, I would want to be reasonably sure that the
JavaScript is equivalent to the original C programs (and, of course,
underlying encryption standards). Is there a standard test suite which
can be run?

Thank you -

David

Giulio Cesare Solaroli

unread,
Dec 5, 2009, 8:05:13 AM12/5/09
to dge...@gmail.com, Clipperz
Hello David,

AES (the standard encryption algorithm that Clipperz uses) provides a
clear definition and relevant test vectors to define the expected
behavior.

Our implementation is based on the original specification, and not
derived from other source code.
We have automatic tests that include also the standard test vectors in
order to ensure that the algorithm is implemented correctly.

Another big issue when dealing with encryption, is the random number
generator. It is possible to screw the whole encryption schema if the
random number generator is not random enough.

In order to improve security, we have implemented also the Fortuna
PRNG (Pseudo Random Number Generator).

Hope this helps.

Regards,

Giulio Cesare
> --
>
> You received this message because you are subscribed to the Google Groups "Clipperz" group.
> To post to this group, send email to clip...@googlegroups.com.
> To unsubscribe from this group, send email to clipperz+u...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/clipperz?hl=en.
>
>
>

DavidG

unread,
Dec 5, 2009, 3:57:10 PM12/5/09
to Clipperz
Hi Giulio -

Is there a place where I can see and run those tests? Thanks!

David

On Dec 5, 8:05 am, Giulio Cesare Solaroli <giulio.ces...@gmail.com>
wrote:
> Hello David,
>
> AES (the standard encryption algorithm that Clipperz uses) provides a
> clear definition and relevant test vectors to define the expected
> behavior.
>
> Our implementation is based on the original specification, and not
> derived from other source code.
> We have automatic tests that include also the standard test vectors in
> order to ensure that the algorithm is implemented correctly.
>
> Another big issue when dealing with encryption, is the random number
> generator. It is possible to screw the whole encryption schema if the
> random number generator is not random enough.
>
> In order to improve security, we have implemented also the Fortuna
> PRNG (Pseudo Random Number Generator).
>
> Hope this helps.
>
> Regards,
>
> Giulio Cesare
>

Giulio Cesare Solaroli

unread,
Dec 7, 2009, 5:47:50 AM12/7/09
to dge...@gmail.com, Clipperz
Hello David,

sorry, but I never realized that tests have always been left out of
public packaging of our code.

Attached you can find the Community edition Zip with an extra test
folder that I have manually patched to include the relevant test of
the Crypto module.

I will try to enhance the build script in order to have all the tests
included in the community edition; I also need to include the build
script itself into the community edition.

Hope this helps.

Regards,

Giulio Cesare



community.edition.003_tests.zip
Reply all
Reply to author
Forward
0 new messages