Thread: OLC and Cambridge 10/20/25 support ending
View Single Post
  #40  
Old December 11th 11, 09:59 PM posted to rec.aviation.soaring
Westbender
external usenet poster
  
Posts: 154
Default OLC and Cambridge 10/20/25 support ending
On Dec 11, 10:54*am, Max Kellermann wrote:
Westbender wrote:
I have put together a secure solution in the form of a windows app
and associated validation DLL.

Is there a chance you're going to release the source code of that DLL
under a free software license?

(If you think this would harm security, then it's not secure, just
snake oil.)

Max

I haven't gotten that far yet. I don't think there's any reason why
the source code can't be released, although I don't know why that
would be important. All the DLL does is run the hashing algorithm and
decrypt the signature using the public key so they can be compared.
There isn't much to it. Really, the only thing that needs to be secure
is the private key that's used to create the digital signature in the
converter program. The private key is not in any way part of the
validation DLL. By the way, in case you're wondering, this software
uses 1024 bit DSA asymmetric encryption/decryption keys. The hashing
algorithm is my own and uses SHA1.

In my opinion, the most important thing is managing the private/public
key pairs and keeping them in sync. This software has to be stable so
that there is as little chance as possible for problems. If this were
to come to fruition, the slightest problem resulting in technical
support inquiries created by people monkeying around with open source
code will possibly cause the OLC to want to drop support again.
Remember this is for legacy CAI loggers only. There will be no need
for future development since the design and versions of those loggers
are static. Once this software matures, there will be very little need
for updates.

There will have to be some controlling authority to manage and release
new key pairs if the need for them (unlikely crack) ever arose.
Although I can't imagine that anyone would want to spend the effort to
crack a digital signature of this complexity on flight logs for the
OLC. I agree with most people that we should not have to go through
this crap. However since this is what it's going to take to keep these
loggers alive on the OLC, then I'm willing to give this a try.