
Effective Cryptography in the JVM - pron
https://tersesystems.com/2015/10/05/effective-cryptography-in-the-jvm/
======
tomku
Google, please hire this person to rewrite the entire Keyczar documentation
wiki. Keyczar might be great from a crypto point of view, but the lack of good
documentation and binaries is probably a major reason why people ignore it and
implement their own "dangerous" crypto using BouncyCastle.

While I'm making unreasonable and arbitrary demands, password-based encryption
support in Keyczar would be great too, thanks.

------
kushti
How does Keyczar compare with the Bouncy Castle we JVM guys have been stuck
with for years? Was it reviewed by credible cryptographers?

~~~
tptacek
BouncyCastle is a low-level library, like OpenSSL. It's very hazardous to use
in practice. It also gets less cryptographic scrutiny than OpenSSL does.

The point of this article is that you should use high-level libraries that
supply high-level constructions you can use directly in your code, rather than
primitives that you'll have to knit together into high-level constructions
yourself.

~~~
102030485868
Why is it hazardous to use in practice?

~~~
pvg
Because it won't stop you from doing any of this stuff and more.

[https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2009/july/if-youre-typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/)

------
tofflos
I've always liked [http://www.jasypt.org](http://www.jasypt.org) as a wrapper
for low-level cryptographic operations. But I don't know how it compares to
Keyczar.

~~~
tptacek
Is jasypt message encryption even authenticated?

[http://svn.code.sf.net/p/jasypt/code/trunk/jasypt/src/main/j...](http://svn.code.sf.net/p/jasypt/code/trunk/jasypt/src/main/java/org/jasypt/encryption/pbe/StandardPBEByteEncryptor.java)

------
needusername
2015 and Google still cannot be bothered to put their stuff in Maven Central.
It is as if they were actively trying to stop people from using their stuff.

