Hi,

DON'T RUN YOUR OWN CUSTOM CRYPTO! [sorry for shouting, but this is kind of important]

If you followed any IT news for the last year or so you know that it is incredibly easy to mess up. Even if you are an expert. I'm sorry to say, you do not seem to be an expert, otherwise you'd know a lot of crypto libs already. So stay clear of low-level functions. At least for the moment.

On Sun, January 7, 2018 19:00, Christophe Thomas wrote:
> I'm working on a project that needs to integrate following crypto
> functions:
> - validate signature

If you have a choice of signature type: use GnuPG as an external process. There is even libGpgME to make it easier to call and parse the output.

Otherwise: what kind of signature is it? What standard does it implement? The answer to this will tell you which tool to use.

> - compute hash ==> I found QCryptographiqueHash

If it is just as a simple checksum (testing against accidental corruption): yes, QCryptographicHash is fine. Use one of the more modern hashes (SHA2 or SHA3 family).

If you need to protect against attackers: use GnuPG signatures.

> - manage certificate ==> I found QSslCertificate

It is the right class, but: What exactly is the purpose of not using default certificates in your case?

> - do some decryption/encryption using blowfish ==> I found some simple C++
> implementation that I've added to my project

Please don't. Use GnuPG for encryption. It is safe, proven, reliable. Anything you implement yourself is bound to be broken, even if it uses secure cyphers - as a non-expert you always forget to get one of the cryptographic primitives absolutely correct (e.g. did you know the clock is an important cryptographic entity? How secure is your random number generator?).

> So I'm blocked on the first subject. I have to admit that I'm not
> mastering
> crypto subjects.
> What I understand:
> - I have 3 data:
>   * a signature => (I only have 2 data named R & S)
>   * a hash of data (SHA1)
>   * a public key (p, g, g, y=pub data)
> - I should use DSA
> - I will get a Correct / Not Correct answer

For your current project: use proven external tools and libraries. Do not implement the crypto yourself on any level!

For your education: I suggest "Applied Cryptography" - it's a bit big, but a good read and written by one of the foremost experts in this field. Do not expect to be an expert after you read it! This takes longer.

> Any hint on what to use? dive into openssl api ? use QCA project (
> https://github.com/highfidelity/qca) ?

For education? Yes. Just note that QCA is very low-level. OpenSSL is merely confusing. You may want to use GnuTLS instead - the API is easier.

For everyday, productive projects? Hell no! Use complete tools and libraries:

Encrypting and signing files or other static blobs: GnuPG.

Online communication: use QSSLSocket - it is a very nice and easy to use wrapper around OpenSSL - unfortunately the direct OpenSSL API is easier to use incorrectly than to use correctly.

Calculating checksums: QCryptographicHash is fine in most cases; if you need to protect against potential attackers use GnuPG instead (or in addition once you know how it works properly).

Konrad

_______________________________________________
Interest mailing list
Interest@qt-project.org
http://lists.qt-project.org/mailman/listinfo/interest
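
Added example, not part of the original message or of any project mentioned in it: one way to follow the "GnuPG as an external process" advice for detached signatures, judging gpg's machine-readable `--status-fd` output against a pinned key fingerprint. The function names, the fingerprint-pinning policy and the sample status lines are assumptions constructed for this illustration.

```python
import subprocess

# --status-fd keywords that mean "do not trust this signature". GnuPG can emit
# VALIDSIG next to EXPSIG/EXPKEYSIG/REVKEYSIG, so VALIDSIG alone is not enough.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample status output; fingerprint and key ID are placeholders.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = ("[GNUPG:] NEWSIG\n"
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
        f"[GNUPG:] VALIDSIG {FPR} 2018-01-07 1515351600 0 4 0 1 8 00 {FPR}\n")
EXPIRED_KEY = GOOD.replace("GOODSIG", "EXPKEYSIG")


def signer_from_status(status_text, trusted_fprs):
    """Return the pinned fingerprint behind exactly one valid signature, else None."""
    valid = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # not a status line
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:
            return None
        if keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key fingerprint; a 10th field, when
            # present, is the primary key fingerprint, which is what gets pinned.
            valid.append((args[9] if len(args) >= 10 else args[0]).upper())
    trusted = {f.upper() for f in trusted_fprs}
    return valid[0] if len(valid) == 1 and valid[0] in trusted else None


def verify_detached(sig_path, data_path, trusted_fprs, gpg="gpg"):
    """Run gpg as an external process (no shell) and judge its status output."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", "--", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True, check=False)
    if proc.returncode != 0:
        return None
    return signer_from_status(proc.stdout, trusted_fprs)


if __name__ == "__main__":
    print(signer_from_status(GOOD, [FPR]))         # pinned signer accepted
    print(signer_from_status(EXPIRED_KEY, [FPR]))  # expired key rejected
```

From a Qt application the same status text can be captured with QProcess and passed through equivalent logic.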