Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Right, so you go on Wikipedia and implement RSA. You understand every single thing you do.

Oops. You forgot padding. Because of some strange identity that applies to the simple math you just implemented straight from the textbook, all your encrypted data can be trivially decrypted.



Or even if you get the algorithm correct, maybe you forgot to handle all the memory the key touches special and it's swapped to disk. Or maybe your implementation is vulnerable to timing attacks or something more obscure.


Just trying to send some text via e-mail, so swaps to disk and/or timing attacks should not work. That is, not trying to encrypt streams of voice or video, and do assume that the computer used for the de/encryption is 'secure'.


The problem with it being swapped to disk is that it means the decrypted form of your key (you're storing it encrypted by a passphrase, right?) is now persisting while your computer is off, which exposes it to more threats (someone images your disk when you take your computer in for repair).

Timing attacks would certainly be harder if you're never signing anything in a situation the attacker controls, but I'm leery about claiming nothing could be done.


> decrypted form of your key (you're storing it encrypted by a passphrase, right?)

Haven't yet implemented the little de/encryption command line program l described so don't know just how I'd store my private RSA key. The private key would likely be just on my computer some place as just ordinary data maybe with a comment that clearly describes the data as my private key.

I'm not sure what you mean by a "passphrase", but I can guess; with my guess, no, I wouldn't do that because (1) it makes life harder for me and (2) doesn't really make decrypting my data much more difficult for an attacker.

> when you take your computer in for repair

Right, if I lose physical control of my computer, then all or nearly all the data I encrypted can now be decrypted by others.

So, right, for anyone who would lose physical control of his computer for any reason, the 'approach to computer security' I outlined would have a huge hole in it.

In my case, I would never take my computer for repair since I built and repair my own computer.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: