That is kind of what I thought as well. As a programmer over the last 15 years I have enabled encryption on several of my medical imaging applications. Mostly the work spent doing this was selecting a library or using some built-in OS encryption and generating a key or certificate to use with the encryption. After that it was just a standard call.
John
|
I am referring to simple implementation as well. How are your keys stored, where are your keys stored, how is the memory protected when keys are in memory, is your algorithm implemented correctly, did you even check? Did you check the quality of your keys? All important questions. I am not a cryptanalyst, and ROT13 appears just as secure as AES-256 to me; in fact, IIRC, the Java built-in crypto algorithms are samples only and not for cryptographic use. Sun even referred you to a third party if you wanted secure encryption.
In my opinion, and if you don't agree read the quality of questions in the forums, most developers are not even qualified to attempt to use the built-in .NET cryptography APIs, let alone certify that they are used in a secure fashion. The fact that most of us can make a few API calls to generate what appears to be crypto-secured data does not make the data secure; only obscure.
|
I hate it when a discussion makes me think about my own position/outlook. So it seems I am making my passwords obscure rather than secure.
I would think that most senior/lead devs should be able to implement the existing systems; anything beyond that, nah. I see your point about a dedicated professional.
Never underestimate the power of human stupidity
RAH
|
Ennis Ray Lynch, Jr. wrote: I feel it is my ethical obligation to tell clients that a person with a lot more nose hair needs to be involved
How much nose hair should I consider to be purely ethical?
I know some guys who would pass with flying colors!
|
I agree with you most heartily. Cryptography is a tricky business. There is a risk of catastrophic failure if you do not have someone who actually understands the stuff. It is worth remembering that, unlike many aspects of applications, people go through concerted effort to make one's encryption less than effective.
The hacking of DVDs via software or magic marker is a classic example.
Ken
|
Each developer is in charge of his own encryption algorithm.
As for decryption? That falls to the director of IT. He's got plenty of time on his hands.
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"As far as we know, our computer has never had an undetected error." - Weisert
"If you are searching for perfection in others, then you seek disappointment. If you are searching for perfection in yourself, then you seek failure." - Balboos HaGadol Mar 2010
|
This reminds me of my high-school teacher's favorite quiz choices
Q. What is bla bla
a. bla bla
b. bla bla
c. bla bla
d. None of the Above
e. All of the above
We used to argue if 'e' can be logically correct. Yes, it means all the answers (a, b, c), but at face value 'd' also is part of ALL of the above.
Here also we got a number of choices, then "We never have need of encryption". How the heck is that going to be valid with the rest when multiple choices are possible?
|
It would be correct if you swap d and e.
Q. What is bla bla?
a. bla bla
b. bla bla
c. bla bla
d. All of the above
e. None of the above
|
Nishant Sivakumar wrote: It would be correct if you swap d and e.
Absolutely. But, that was my point. He won't budge to change the order, which makes it, shall we say, illogical and confusing.