[Interest] Integrate crypto in Qt project

Konrad Rosenbaum konrad at silmor.de
Mon Jan 8 11:27:44 CET 2018


Hi,

DON'T RUN YOUR OWN CUSTOM CRYPTO!
[sorry for shouting, but this is kind of important]

If you followed any IT news for the last year or so you know that it is
incredibly easy to mess up. Even if you are an expert.

I'm sorry to say, you do not seem to be an expert, otherwise you'd know a
lot of crypto libs already. So stay clear of low-level functions. At least
for the moment.

On Sun, January 7, 2018 19:00, Christophe Thomas wrote:
> I'm working on a project that needs to integrate the following crypto
> functions:
> - validate signature

If you have a choice of signature type: use GnuPG as an external process.
There is even libGpgME to make it easier to call and parse the output.

Otherwise: what kind of signature is it? What standard does it implement?
The answer to this will tell you which tool to use.

> - compute hash ==> I found QCryptographicHash

If it is just as a simple checksum (testing against accidental
corruption): yes, QCryptographicHash is fine. Use one of the more modern
hashes (SHA2 or SHA3 family).

If you need to protect against attackers: use GnuPG signatures.

> - manage certificate ==> I found QSslCertificate

It is the right class, but:
What exactly is the purpose of not using default certificates in your case?

> - do some decryption/encryption using blowfish ==> I found some simple C++
> implementation that I've added to my project

Please don't.

Use GnuPG for encryption. It is safe, proven, reliable. Anything you
implement yourself is bound to be broken, even if it uses secure cyphers -
as a non-expert you always forget to get one of the cryptographic
primitives absolutely correct (e.g. did you know the clock is an important
cryptographic entity? How secure is your random number generator?).

> So I'm blocked on the first subject. I have to admit that I'm not
> mastering crypto subjects. What I understand:
> - I have 3 data:
> * a signature => (I only have 2 data named R & S)
> * a hash of data (SHA1)
> * a public key (p, g, g, y=pub data)
> - I should use DSA
> - I will get a Correct / Not Correct answer

For your current project: use proven external tools and libraries. Do not
implement the crypto yourself on any level!

For your education: I suggest "Applied Cryptography" - it's a bit big, but
a good read and written by one of the foremost experts in this field. Do
not expect to be an expert after you read it! This takes longer.

> Any hint on what to use? dive into openssl api ? use QCA project (
> https://github.com/highfidelity/qca) ?

For education? Yes.

Just note that QCA is very low-level. OpenSSL is merely confusing. You may
want to use GnuTLS instead - the API is easier.

For everyday, productive projects? Hell no! Use complete tools and libraries:

Encrypting and signing files or other static blobs: GnuPG.

Online communication: use QSslSocket - it is a very nice and easy to use
wrapper around OpenSSL - unfortunately the direct OpenSSL API is easier to
use incorrectly than to use correctly.

Calculating checksums: QCryptographicHash is fine in most cases; if you
need to protect against potential attackers use GnuPG instead (or in
addition once you know how it works properly).


   Konrad
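
The advice above to run GnuPG as an external process and parse its output, as an added example that is not part of the original mail: it judges the machine-readable lines that gpg writes when started with `--status-fd` (for instance from a QProcess) and accepts a signature only when it comes from one pinned key. The function name, the verdict enum, the pinned-fingerprint policy and the sample key id and fingerprint are assumptions made for this example.

```cpp
// Added example (not from the original mail): judge gpg --status-fd output.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

enum class Verdict { Accepted, Rejected, WrongKey, Unverified };

// statusText: everything gpg wrote to its status fd.
// pinnedFpr: fingerprint of the only key the application accepts (assumed to
// be shipped with the application, uppercase hex without spaces).
Verdict judgeGpgStatus(const std::string& statusText, const std::string& pinnedFpr) {
    std::istringstream in(statusText);
    bool good = false, pinned = false;
    for (std::string line; std::getline(in, line);) {
        std::istringstream words(line);
        std::vector<std::string> w;
        for (std::string t; words >> t;) w.push_back(t);
        if (w.size() < 2 || w[0] != "[GNUPG:]") continue;  // skip human-readable text
        const std::string& k = w[1];
        // Any failed, expired or revoked signature rejects the whole input.
        if (k == "BADSIG" || k == "ERRSIG" || k == "EXPSIG" ||
            k == "EXPKEYSIG" || k == "REVKEYSIG")
            return Verdict::Rejected;
        if (k == "GOODSIG") good = true;
        if (k == "VALIDSIG" && w.size() >= 3) {
            // The last field is the primary key fingerprint when gpg reports it.
            const std::string& fpr = w.size() >= 12 ? w[11] : w[2];
            if (fpr != pinnedFpr) return Verdict::WrongKey;
            pinned = true;
        }
    }
    // GOODSIG alone only says that some key in the keyring signed the data.
    return (good && pinned) ? Verdict::Accepted : Verdict::Unverified;
}

// Constructed sample status output (key id and fingerprint are made up).
const std::string kFpr = "0123456789ABCDEF0123456789ABCDEF01234567";
const std::string kGood =
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer\n"
    "[GNUPG:] VALIDSIG " + kFpr + " 2018-01-08 1515407264 0 4 0 1 8 00 " + kFpr + "\n";
const std::string kBad = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer\n";

int main() {
    std::cout << (judgeGpgStatus(kGood, kFpr) == Verdict::Accepted) << "\n";
    std::cout << (judgeGpgStatus(kBad, kFpr) == Verdict::Rejected) << "\n";
}
```

Treat gpg's exit code as a second check next to this verdict, not as a replacement for it.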



