Crypto algorithms search results.

Algorithm    Cryptographic implementations detected
MD2                6
MD4               49
MD5              920
SHA-1            136
SHA-2            192
AES               39
Total          1,342

ments: “huh?,” “sigh,” and “aghast.”
The “huh?” segment wonders what
the big deal is: the absence of a standardized
system library with these
functions means that you have to
“Bring Your Own Crypto” if you want
some.
The “sigh” segment thinks this is
the least of our troubles.
The “aghast” segment will see this
as a total failure of good software engineering practices, a call to arms for better education, and reason for a stake
through the heart of the Open Zombie
Group.
And they are all correct, of course,
each from its own vantage point.
Fortunately, what this is not, is The
Next Big Security Issue, even though I
would not be surprised if one or more
“security researchers” would claim so
from their parents’ basement.[b] If these
had been independent implementations, then there would be reason to
worry about the security implications,
but they are not.

[b] The fact that MD5 seems to be more in demand—yes, I may indeed be to blame for that
myself, but that is a story for another day;
search for “md5crypt” if you cannot wait—
than its quality warrants is a matter of choice
of algorithm, not a matter of implementation
of the algorithm chosen.

In a few cases, optimized or license-sanitized versions have been written,
but overwhelmingly this is just pointless copy-and-paste of identical source
code in blatant disregard of Occam’s
three-quarters-millennia-old advice.
I am a card-carrying member of the
“aghast” segment. My membership
card is a FreeBSD commit message
shown in the figure here.
My libmd, which is as unencumbered by copyright issues as it can be,
later grew more cryptographic hash algorithms, such as RIPEMD-160 and the
SHA family, and it has been adopted by
some other operating systems.
I am also in the “sigh” segment,
because not all mainstream operating
systems have adopted libmd, despite
having 16 years to do so, and if they
have, they do not agree what should
be in it. For example, Solaris seems to
leave MD2 out (see http://hub.opensolaris.org/bin/view/Project+crypto/libmd),
which begs the question: Which part
of “software portability” don’t they
understand?
I am, sadly, also in the “huh?” segment,
because there seems to be no
hope. The rational thing to expect
would be that somebody from The
Open Group reads this article, reproduces
my statistics, and decides that
yes, there is indeed demand for a “libstdcrypto”
filled with the usual bunch
of crypto algorithms. That, I am told, is
impossible. The Open Group does not
write new standards; they just bicker
over the usability of ${.CURDIR} in
make(1) and probably also the potential
market demand for fire that can be
applied nasally.

A card-carrying member of the “aghast” segment.

src/lib/libmd/Makefile:
r1802 | phk | 1994-07-24 03:29:56 +0000 (Sun, 24 Jul 1994)

Imported libmd. This library contains MD2, MD4, and MD5.
These three boggers pop up all over the place all of the time, so I
decided we needed a library with them. In general, they are used for
security checks, so if you use them you want to link them static.

Related articles
on queue.acm.org

Languages, Levels, Libraries, and Longevity
John R. Mashey
http://queue.acm.org/detail.cfm?id=1039532

Gardening Tips
Kode Vicious
http://queue.acm.org/detail.cfm?id=1870147

Poul-Henning Kamp (phk@FreeBSD.org) has
programmed computers for 26 years and is the inspiration
behind bikeshed.org. His software has been widely
adopted as “under the hood” building blocks in both open
source and commercial products. His most recent project
is the Varnish HTTP accelerator, which is used to speed up
large web sites such as Facebook.

© 2011 ACM 0001-0782/11/0300 $10.00