[plug] Encryption algorithms

Beau Kuiper ekuiperba at cc.curtin.edu.au
Sat Nov 13 20:20:15 WST 1999


On Sat, 13 Nov 1999, you wrote:
> Beau Kuiper wrote:
> > Well, DES is as good as useless unfortunately. There probably are better
> > choices. You are probably right about CAST-128 not being as well cryptanalysed
> > as other algorithms. But I think I will stick with CAST-128 since it is well
> > described, there are no weak keys, it is fast, has 128-bit protection, and it
> > hasn't got any patent problems. If any major problems are found with CAST-128
> > in the future, then it would be pretty simple to replace it with Blowfish or
> > triple DES.
> 
> Why is DES "as good as useless"?  I would still say 3DES would be your
> best choice.  As for replacing it in the future, I'm not sure that would
> be quite as easy as you imagine -- consider the difficulty should this
> program of yours become widely used.

I should have said single DES. Triple DES is still very usable. Also CAST-128
has been scrutinized for over 10 years, but I could probably implement both :)

> > > Of course, it really depends on the purpose you need the encryption
> > > for...
> > 
> > It is intended to encrypt both control and data connections on an ftp
> > communication link.
> 
> You can use scp for effectively this already - but you probably know
> this.

Ah, but it is always good to have more choice. FTP is generally easier to set
up too.

> > You should have a read of RFC 2228. It describes security extensions for the
> > FTP protocol. Of course, I will have to modify a client to actually use these
> > security extensions too.
> 
> Actually, I shouldn't read it at all because I'm not implementing an FTP
> client/server.  Since you are, however, I'm glad you have. :)  I don't
> know whether this is a serious exercise or just hacking around for the
> fun of it but the Free software world is very much in need of a
> fully-featured FTP server right now due to all the security flaws that
> have been found in WU-FTPD and ProFTPd.  It would be great for a new
> ftpd to appear that supported all the features that ProFTPd does...
> *hint*

Ok, I referenced that RFC more as a way of saying it is a standard rather than
non-standard. I have already written an ftp server (named muddleftpd) that
(while still missing a few important features) has many important features, is
fast, and very secure, and is Free. I use it myself so I make sure it doesn't
become a security mess like those mentioned above. This is a serious attempt
to write something useful, while I learn a lot about debugging and writing
non-trivial software. If you want to see it, visit:

http://www.arach.net.au/~wildfire/muddleftpd

Sorry about the shameless plug
Beau Kuiper
ekuiperba at cc.curtin.edu.au

> Regards,
> 
> Christian.
> 
> -- 
> If you can't beat your computer at chess, try kickboxing.
Tried that, computer still wins in the long run.

