Encryption and developers

A newsgroup poster recently stated:

I found a freeware dll, md5lib.dll, on the web and am trying to use it in Access 2003.

My reply (which has been added to for the purposes of this posting):

I would strongly urge using the CryptoAPI as specified by Microsoft. Read the documentation thoroughly on MSDN, although MSDN can be difficult to plow through.

See "Security Alert: Debian & Ubuntu Linux Weak Encryption Keys", which in turn has links to a number of articles such as "DSA-1571-1 openssl -- predictable random number generator".

My point is that rolling your own solution or using someone else's solution without you thoroughly understanding encryption and the code can cause problems. I trust Microsoft to do a good job with their code. I would've generally trusted open source systems as there are lots of folks reviewing the code. But that didn't work in this case. I certainly would not at all trust do-it-yourself code or DLLs found on the web.

Published Tue, Nov 18 2008 14:14 by Tony
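The hash the newsgroup poster wanted from md5lib.dll can be computed through the CryptoAPI directly from an Access VBA module. The following is an added example, not code from the original post: the function name `Md5Hex` is an assumption, the declarations are for 32-bit VBA as shipped with Access 2003 (64-bit Office needs `PtrSafe` and `LongPtr` handles), and the string is hashed as ANSI bytes in the system code page.

```vba
Option Explicit
' Added example: MD5 through the Windows CryptoAPI (advapi32.dll), 32-bit VBA.
Private Declare Function CryptAcquireContext Lib "advapi32.dll" Alias "CryptAcquireContextA" ( _
    ByRef phProv As Long, ByVal pszContainer As String, ByVal pszProvider As String, _
    ByVal dwProvType As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptCreateHash Lib "advapi32.dll" ( _
    ByVal hProv As Long, ByVal Algid As Long, ByVal hKey As Long, _
    ByVal dwFlags As Long, ByRef phHash As Long) As Long
Private Declare Function CryptHashData Lib "advapi32.dll" ( _
    ByVal hHash As Long, ByRef pbData As Byte, ByVal dwDataLen As Long, _
    ByVal dwFlags As Long) As Long
Private Declare Function CryptGetHashParam Lib "advapi32.dll" ( _
    ByVal hHash As Long, ByVal dwParam As Long, ByRef pbData As Byte, _
    ByRef pdwDataLen As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptDestroyHash Lib "advapi32.dll" (ByVal hHash As Long) As Long
Private Declare Function CryptReleaseContext Lib "advapi32.dll" ( _
    ByVal hProv As Long, ByVal dwFlags As Long) As Long

Private Const PROV_RSA_FULL As Long = 1
Private Const CRYPT_VERIFYCONTEXT As Long = &HF0000000  ' no key container needed for hashing
Private Const CALG_MD5 As Long = &H8003&                ' trailing & keeps the literal a Long
Private Const HP_HASHVAL As Long = 2

' Md5Hex is a hypothetical helper name; returns 32 upper-case hex characters.
Public Function Md5Hex(ByVal plainText As String) As String
    Dim hProv As Long, hHash As Long, data() As Byte, digest(0 To 15) As Byte
    Dim digestLen As Long, i As Long, ok As Boolean
    If CryptAcquireContext(hProv, vbNullString, vbNullString, _
                           PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) = 0 Then
        Err.Raise vbObjectError + 1, "Md5Hex", "CryptAcquireContext failed: " & Err.LastDllError
    End If
    If CryptCreateHash(hProv, CALG_MD5, 0, 0, hHash) <> 0 Then
        ok = True
        If Len(plainText) > 0 Then            ' an empty string has no data(0) to pass
            data = StrConv(plainText, vbFromUnicode)
            ok = (CryptHashData(hHash, data(0), UBound(data) + 1, 0) <> 0)
        End If
        digestLen = 16
        If ok Then ok = (CryptGetHashParam(hHash, HP_HASHVAL, digest(0), digestLen, 0) <> 0)
        CryptDestroyHash hHash
    End If
    CryptReleaseContext hProv, 0              ' always release the provider handle
    If Not ok Then Err.Raise vbObjectError + 2, "Md5Hex", "CryptoAPI hashing failed"
    For i = 0 To digestLen - 1
        Md5Hex = Md5Hex & Right$("0" & Hex$(digest(i)), 2)
    Next i
End Function
```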

Comments

# re: Encryption and developers

The more interesting point here is that if you use CryptoAPI, your solution will benefit from upgrades that Microsoft rolls out to address any issues with their security or encryption.

Not that an automatic upgrade would have helped with the Debian / Ubuntu issue, mind you, as that caused problems generating certificates - and once the certificate is generated, no update is going to remove it, because of all the things that would break.

Monday, November 24, 2008 4:06 PM by Alun Jones
