Easy to understand guide on using bouncycastle library

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Easy to understand guide on using bouncycastle library

Thotheolh Tay
Hi,

Bouncycastle is indeed rich with many APIs for many types of
cryptographic and secure functions.

The problem is that not all the functions are properly understood and
Googling, forum searching, hunting through books and emails may not
always yield answers and proper use.

Improper use of cryptographic and secure functions have proven to be a
dangerous game as it creates a false sense of security.

Is there some kind of guide that would help any level of users to easily
understand and use Bouncycastle without misinterpretation ?

That would be infinitely helpful.

Regards,
Thotheolh.

Reply | Threaded
Open this post in threaded view
|

Re: Easy to understand guide on using bouncycastle library

Arshad Noor
Beginning Cryptography with Java, written by David Hook is the
definitive guide: http://www.amazon.com/gp/product/0764596330.

But, in order to recognize that a particular cryptographic tool,
algorithm, etc. is vulnerable or weak, you'll have to be plugged
into various cryptography forums that drills into that level of
detail.  Here is one that does that:

http://lists.randombit.net/mailman/listinfo/cryptography

Arshad Noor
StrongAuth, Inc.


On 11/28/2012 05:06 AM, Thotheolh Tay wrote:

> Hi,
>
> Bouncycastle is indeed rich with many APIs for many types of
> cryptographic and secure functions.
>
> The problem is that not all the functions are properly understood and
> Googling, forum searching, hunting through books and emails may not
> always yield answers and proper use.
>
> Improper use of cryptographic and secure functions have proven to be a
> dangerous game as it creates a false sense of security.
>
> Is there some kind of guide that would help any level of users to easily
> understand and use Bouncycastle without misinterpretation ?
>
> That would be infinitely helpful.
>
> Regards,
> Thotheolh.
>

Reply | Threaded
Open this post in threaded view
|

Re: Easy to understand guide on using bouncycastle library

Open eSignForms
I wonder if David Hook has any plans to issue a second edition of the book using the latest APIs. It looks interesting, but being 7+ years old is tough since the BC API itself has undergone major changes since 2005.


On Wed, Nov 28, 2012 at 7:23 AM, Arshad Noor <[hidden email]> wrote:
Beginning Cryptography with Java, written by David Hook is the
definitive guide: http://www.amazon.com/gp/product/0764596330.

But, in order to recognize that a particular cryptographic tool,
algorithm, etc. is vulnerable or weak, you'll have to be plugged
into various cryptography forums that drills into that level of
detail.  Here is one that does that:

http://lists.randombit.net/mailman/listinfo/cryptography

Arshad Noor
StrongAuth, Inc.



On 11/28/2012 05:06 AM, Thotheolh Tay wrote:
Hi,

Bouncycastle is indeed rich with many APIs for many types of
cryptographic and secure functions.

The problem is that not all the functions are properly understood and
Googling, forum searching, hunting through books and emails may not
always yield answers and proper use.

Improper use of cryptographic and secure functions have proven to be a
dangerous game as it creates a false sense of security.

Is there some kind of guide that would help any level of users to easily
understand and use Bouncycastle without misinterpretation ?

That would be infinitely helpful.

Regards,
Thotheolh.



Reply | Threaded
Open this post in threaded view
|

RE: Easy to understand guide on using bouncycastle library

Ed Bras

+1 for the book or better doc's.

I have the same problem: the cryptographic is not an easy subject so doc is important (overcoming security problems).

At least the @deprecated tags should be better documented such that it's easy to apply changes.

Currently I have a many Supres-warning annotations as it costs me too much time to apply the changes.

Looking backward, I regret having done the upgrade.....

- Ed

 

From: Open eSignForms [mailto:[hidden email]]
Sent: dinsdag 4 december 2012 2:50
To: Arshad Noor
Cc: Thotheolh Tay; [hidden email]
Subject: Re: [dev-crypto] Easy to understand guide on using bouncycastle library

 

I wonder if David Hook has any plans to issue a second edition of the book using the latest APIs. It looks interesting, but being 7+ years old is tough since the BC API itself has undergone major changes since 2005.

 

On Wed, Nov 28, 2012 at 7:23 AM, Arshad Noor <[hidden email]> wrote:

Beginning Cryptography with Java, written by David Hook is the
definitive guide: http://www.amazon.com/gp/product/0764596330.

But, in order to recognize that a particular cryptographic tool,
algorithm, etc. is vulnerable or weak, you'll have to be plugged
into various cryptography forums that drills into that level of
detail.  Here is one that does that:

http://lists.randombit.net/mailman/listinfo/cryptography

Arshad Noor
StrongAuth, Inc.




On 11/28/2012 05:06 AM, Thotheolh Tay wrote:

Hi,

Bouncycastle is indeed rich with many APIs for many types of
cryptographic and secure functions.

The problem is that not all the functions are properly understood and
Googling, forum searching, hunting through books and emails may not
always yield answers and proper use.

Improper use of cryptographic and secure functions have proven to be a
dangerous game as it creates a false sense of security.

Is there some kind of guide that would help any level of users to easily
understand and use Bouncycastle without misinterpretation ?

That would be infinitely helpful.

Regards,
Thotheolh.

 

 

Reply | Threaded
Open this post in threaded view
|

Re: Easy to understand guide on using bouncycastle library

Thomas Lieven
> +1 for the book or better doc's.

Yes, that would be great.

> At least the @deprecated tags should be better documented such that it's
> easy to apply changes.

The @deprecated tags actually are documented but rather brief. You
certainly have to spend some time and effort to understand the meaning
but I was always able to adapt my code to the changes. Nonetheless, a
few more words would help a lot.
Unfortunately there is a lot of code that is not (meaningfully)
documented at all.

> Currently I have a many Supres-warning annotations as it costs me too
> much time to apply the changes.

Concerning the API changes I found the renaming of some basic classes
most annoying immediately followed by no longer available constructors,
etc. Suddenly a huge percentage of old code examples would no longer
compile at all. It is one thing to deal with deprecated code but its
something completely different to not be able to run the code at all.

> Looking backward, I regret having done the upgrade.....

I would not go so far, however BC currently is in no state I would
recommend for beginners. Please don't misunderstand me - BC is great in
general and, without doubt, it is certainly difficult to adapt such a
complex architecture but it still needs to be understandable, especially
for beginners.
What I'm missing most is something like the "big picture", some overview
that explains how BC components work at a more abstract level so it gets
easier to understand how to connect them and build something new.

Best regards

Thomas

Reply | Threaded
Open this post in threaded view
|

Re: Easy to understand guide on using bouncycastle library

Jon Eaves
We'd be delighted for somebody who finds the lack of documentation annoying to write documentation
on the things they found out how to do. We found the lack of a cryptography library that was freely
available annoying, so we wrote it.

Not all the documentation needs to be detailed API level, which I understand is more complicated for
people to produce. Maybe a porting guide would be of great advantage to many users. Provide more example
code. Provide updates to the example code that's not working. All of this helps the project.

The advantage of open source is that (generally) the maintainers of the code are delighted to have people
provide input and time to the project.  There's not that many of us, and there's a lot of you.

This isn't meant to be snarky or rude - it's a fact of life. We do this for free, so many of you can take
advantage of that in making more money in your own companies. Imagine if every user of BC "paid" BC back by
donating documentation time (even at 10% of what a commercial offering might cost). I'm pretty sure the
documentation problems would all be gone.

Cheers,
        -- jon

On 4/12/2012 6:43 PM, Thomas Lieven wrote:

>> +1 for the book or better doc's.
>
> Yes, that would be great.
>
>> At least the @deprecated tags should be better documented such that it's
>> easy to apply changes.
>
> The @deprecated tags actually are documented but rather brief. You
> certainly have to spend some time and effort to understand the meaning
> but I was always able to adapt my code to the changes. Nonetheless, a
> few more words would help a lot.
> Unfortunately there is a lot of code that is not (meaningfully)
> documented at all.
>
>> Currently I have a many Supres-warning annotations as it costs me too
>> much time to apply the changes.
>
> Concerning the API changes I found the renaming of some basic classes
> most annoying immediately followed by no longer available constructors,
> etc. Suddenly a huge percentage of old code examples would no longer
> compile at all. It is one thing to deal with deprecated code but its
> something completely different to not be able to run the code at all.
>
>> Looking backward, I regret having done the upgrade.....
>
> I would not go so far, however BC currently is in no state I would
> recommend for beginners. Please don't misunderstand me - BC is great in
> general and, without doubt, it is certainly difficult to adapt such a
> complex architecture but it still needs to be understandable, especially
> for beginners.
> What I'm missing most is something like the "big picture", some overview
> that explains how BC components work at a more abstract level so it gets
> easier to understand how to connect them and build something new.
>
> Best regards
>
> Thomas
>

Reply | Threaded
Open this post in threaded view
|

Re: Easy to understand guide on using bouncycastle library

Hanson Char
Hi Jon,

Would unit tests be considered useful documentation or example code ?  How about this example ?


What does one need to do to contribute (such tests) to the project ?

Regards,
Hanson

On Tue, Dec 4, 2012 at 12:32 AM, Jon Eaves <[hidden email]> wrote:
We'd be delighted for somebody who finds the lack of documentation annoying to write documentation
on the things they found out how to do. We found the lack of a cryptography library that was freely
available annoying, so we wrote it.

Not all the documentation needs to be detailed API level, which I understand is more complicated for
people to produce. Maybe a porting guide would be of great advantage to many users. Provide more example
code. Provide updates to the example code that's not working. All of this helps the project.

The advantage of open source is that (generally) the maintainers of the code are delighted to have people
provide input and time to the project.  There's not that many of us, and there's a lot of you.

This isn't meant to be snarky or rude - it's a fact of life. We do this for free, so many of you can take
advantage of that in making more money in your own companies. Imagine if every user of BC "paid" BC back by
donating documentation time (even at 10% of what a commercial offering might cost). I'm pretty sure the
documentation problems would all be gone.

Cheers,
        -- jon


On 4/12/2012 6:43 PM, Thomas Lieven wrote:
+1 for the book or better doc's.

Yes, that would be great.

At least the @deprecated tags should be better documented such that it's
easy to apply changes.

The @deprecated tags actually are documented but rather brief. You
certainly have to spend some time and effort to understand the meaning
but I was always able to adapt my code to the changes. Nonetheless, a
few more words would help a lot.
Unfortunately there is a lot of code that is not (meaningfully)
documented at all.

Currently I have a many Supres-warning annotations as it costs me too
much time to apply the changes.

Concerning the API changes I found the renaming of some basic classes
most annoying immediately followed by no longer available constructors,
etc. Suddenly a huge percentage of old code examples would no longer
compile at all. It is one thing to deal with deprecated code but its
something completely different to not be able to run the code at all.

Looking backward, I regret having done the upgrade.....

I would not go so far, however BC currently is in no state I would
recommend for beginners. Please don't misunderstand me - BC is great in
general and, without doubt, it is certainly difficult to adapt such a
complex architecture but it still needs to be understandable, especially
for beginners.
What I'm missing most is something like the "big picture", some overview
that explains how BC components work at a more abstract level so it gets
easier to understand how to connect them and build something new.

Best regards

Thomas



Reply | Threaded
Open this post in threaded view
|

RE: Easy to understand guide on using bouncycastle library

Ed Bras

Excellent idea.

It would be nice if there would be a kind of "Howto wiki" doc environment, where developers can drop in their examples, unit tests, such that a kind of "reference guide" grows, where you can search "tasks" you want to develop.

Example: Apache CXF: the download has loads of examples of all kind of common use cases.

 

My problem:  5 years ago I used BC a lot, and knew how things worked. Now I had to make changes and notice that it's hard to get back in it, and it would be nice if some handy doc would exists (like Howto's) that could help you with this..., make it easier "accessible".

 

What's important: make it easy for developers (and make them aware) to add their examples/use-case code, such that they will "actually" do it.

 

Another idea: put a "Pay pal donation" button on the website... ;)... (I only have debts (trying to make the best next thing) at the moment but used it with other open source projects in the past).

 

- Ed

 

From: Hanson Char [mailto:[hidden email]]
Sent: dinsdag 4 december 2012 16:59
To: Jon Eaves
Cc: Thomas Lieven; [hidden email]
Subject: Re: [dev-crypto] Easy to understand guide on using bouncycastle library

 

Hi Jon,

 

Would unit tests be considered useful documentation or example code ?  How about this example ?

 

 

What does one need to do to contribute (such tests) to the project ?

 

Regards,

Hanson

On Tue, Dec 4, 2012 at 12:32 AM, Jon Eaves <[hidden email]> wrote:

We'd be delighted for somebody who finds the lack of documentation annoying to write documentation
on the things they found out how to do. We found the lack of a cryptography library that was freely
available annoying, so we wrote it.

Not all the documentation needs to be detailed API level, which I understand is more complicated for
people to produce. Maybe a porting guide would be of great advantage to many users. Provide more example
code. Provide updates to the example code that's not working. All of this helps the project.

The advantage of open source is that (generally) the maintainers of the code are delighted to have people
provide input and time to the project.  There's not that many of us, and there's a lot of you.

This isn't meant to be snarky or rude - it's a fact of life. We do this for free, so many of you can take
advantage of that in making more money in your own companies. Imagine if every user of BC "paid" BC back by
donating documentation time (even at 10% of what a commercial offering might cost). I'm pretty sure the
documentation problems would all be gone.

Cheers,
        -- jon



On 4/12/2012 6:43 PM, Thomas Lieven wrote:

+1 for the book or better doc's.


Yes, that would be great.

At least the @deprecated tags should be better documented such that it's
easy to apply changes.


The @deprecated tags actually are documented but rather brief. You
certainly have to spend some time and effort to understand the meaning
but I was always able to adapt my code to the changes. Nonetheless, a
few more words would help a lot.
Unfortunately there is a lot of code that is not (meaningfully)
documented at all.

Currently I have a many Supres-warning annotations as it costs me too
much time to apply the changes.


Concerning the API changes I found the renaming of some basic classes
most annoying immediately followed by no longer available constructors,
etc. Suddenly a huge percentage of old code examples would no longer
compile at all. It is one thing to deal with deprecated code but its
something completely different to not be able to run the code at all.

Looking backward, I regret having done the upgrade.....


I would not go so far, however BC currently is in no state I would
recommend for beginners. Please don't misunderstand me - BC is great in
general and, without doubt, it is certainly difficult to adapt such a
complex architecture but it still needs to be understandable, especially
for beginners.
What I'm missing most is something like the "big picture", some overview
that explains how BC components work at a more abstract level so it gets
easier to understand how to connect them and build something new.

Best regards

Thomas

 

 

Reply | Threaded
Open this post in threaded view
|

Re: Easy to understand guide on using bouncycastle library

David Hook
In reply to this post by Hanson Char

We can always use more tests - providing it is accepted that any code is distributed under our licence.

Either adding them into jira or email [hidden email] is the way to go there.

As far as JavaDoc goes, if someone finds something really annoying (as in the lack of JavaDoc really did add hours to solving a problem, or what JavaDoc is there just makes things more confusing), please feel free to add it to Jira.

As far as an update to the book goes, I'm working on an e-book which will be released in stages (I think...). If everything goes to plan more details on this should be available soon with the next release.

Regards,

David

On 05/12/12 02:59, Hanson Char wrote:
Hi Jon,

Would unit tests be considered useful documentation or example code ?  How about this example ?


What does one need to do to contribute (such tests) to the project ?

Regards,
Hanson

On Tue, Dec 4, 2012 at 12:32 AM, Jon Eaves <[hidden email]> wrote:
We'd be delighted for somebody who finds the lack of documentation annoying to write documentation
on the things they found out how to do. We found the lack of a cryptography library that was freely
available annoying, so we wrote it.

Not all the documentation needs to be detailed API level, which I understand is more complicated for
people to produce. Maybe a porting guide would be of great advantage to many users. Provide more example
code. Provide updates to the example code that's not working. All of this helps the project.

The advantage of open source is that (generally) the maintainers of the code are delighted to have people
provide input and time to the project.  There's not that many of us, and there's a lot of you.

This isn't meant to be snarky or rude - it's a fact of life. We do this for free, so many of you can take
advantage of that in making more money in your own companies. Imagine if every user of BC "paid" BC back by
donating documentation time (even at 10% of what a commercial offering might cost). I'm pretty sure the
documentation problems would all be gone.

Cheers,
        -- jon


On 4/12/2012 6:43 PM, Thomas Lieven wrote:
+1 for the book or better doc's.

Yes, that would be great.

At least the @deprecated tags should be better documented such that it's
easy to apply changes.

The @deprecated tags actually are documented but rather brief. You
certainly have to spend some time and effort to understand the meaning
but I was always able to adapt my code to the changes. Nonetheless, a
few more words would help a lot.
Unfortunately there is a lot of code that is not (meaningfully)
documented at all.

Currently I have a many Supres-warning annotations as it costs me too
much time to apply the changes.

Concerning the API changes I found the renaming of some basic classes
most annoying immediately followed by no longer available constructors,
etc. Suddenly a huge percentage of old code examples would no longer
compile at all. It is one thing to deal with deprecated code but its
something completely different to not be able to run the code at all.

Looking backward, I regret having done the upgrade.....

I would not go so far, however BC currently is in no state I would
recommend for beginners. Please don't misunderstand me - BC is great in
general and, without doubt, it is certainly difficult to adapt such a
complex architecture but it still needs to be understandable, especially
for beginners.
What I'm missing most is something like the "big picture", some overview
that explains how BC components work at a more abstract level so it gets
easier to understand how to connect them and build something new.

Best regards

Thomas




Reply | Threaded
Open this post in threaded view
|

Re: Easy to understand guide on using bouncycastle library

Hanson Char
Hi David,

These unit tests can be distributed under your license.  Would they be considered acceptable ?


Or would you prefer submitting them via jira ?

Regards,
Hanson

On Tue, Dec 4, 2012 at 2:47 PM, David Hook <[hidden email]> wrote:

We can always use more tests - providing it is accepted that any code is distributed under our licence.

Either adding them into jira or email [hidden email] is the way to go there.

As far as JavaDoc goes, if someone finds something really annoying (as in the lack of JavaDoc really did add hours to solving a problem, or what JavaDoc is there just makes things more confusing), please feel free to add it to Jira.

As far as an update to the book goes, I'm working on an e-book which will be released in stages (I think...). If everything goes to plan more details on this should be available soon with the next release.

Regards,

David


On 05/12/12 02:59, Hanson Char wrote:
Hi Jon,

Would unit tests be considered useful documentation or example code ?  How about this example ?


What does one need to do to contribute (such tests) to the project ?

Regards,
Hanson

On Tue, Dec 4, 2012 at 12:32 AM, Jon Eaves <[hidden email]> wrote:
We'd be delighted for somebody who finds the lack of documentation annoying to write documentation
on the things they found out how to do. We found the lack of a cryptography library that was freely
available annoying, so we wrote it.

Not all the documentation needs to be detailed API level, which I understand is more complicated for
people to produce. Maybe a porting guide would be of great advantage to many users. Provide more example
code. Provide updates to the example code that's not working. All of this helps the project.

The advantage of open source is that (generally) the maintainers of the code are delighted to have people
provide input and time to the project.  There's not that many of us, and there's a lot of you.

This isn't meant to be snarky or rude - it's a fact of life. We do this for free, so many of you can take
advantage of that in making more money in your own companies. Imagine if every user of BC "paid" BC back by
donating documentation time (even at 10% of what a commercial offering might cost). I'm pretty sure the
documentation problems would all be gone.

Cheers,
        -- jon


On 4/12/2012 6:43 PM, Thomas Lieven wrote:
+1 for the book or better doc's.

Yes, that would be great.

At least the @deprecated tags should be better documented such that it's
easy to apply changes.

The @deprecated tags actually are documented but rather brief. You
certainly have to spend some time and effort to understand the meaning
but I was always able to adapt my code to the changes. Nonetheless, a
few more words would help a lot.
Unfortunately there is a lot of code that is not (meaningfully)
documented at all.

Currently I have a many Supres-warning annotations as it costs me too
much time to apply the changes.

Concerning the API changes I found the renaming of some basic classes
most annoying immediately followed by no longer available constructors,
etc. Suddenly a huge percentage of old code examples would no longer
compile at all. It is one thing to deal with deprecated code but its
something completely different to not be able to run the code at all.

Looking backward, I regret having done the upgrade.....

I would not go so far, however BC currently is in no state I would
recommend for beginners. Please don't misunderstand me - BC is great in
general and, without doubt, it is certainly difficult to adapt such a
complex architecture but it still needs to be understandable, especially
for beginners.
What I'm missing most is something like the "big picture", some overview
that explains how BC components work at a more abstract level so it gets
easier to understand how to connect them and build something new.

Best regards

Thomas