1

One of our partners sent me a Key Injection Tool to inject encryption keys into a PINPAD with. Looks like they were short on developers and had to hire Python typists who have made a mess of a simple AES encryption/decryption. When do these companies learn that writing a security related software in Python is not really secure? I had to read the rubbish in Python and read it from scratch in C++ to get it to work, and am now contemplating whether to provide that company with my version of their Key Injection Tool or not...

Comments
  • 1
    Compiled languages give no greater level of security than interpreted languages. Decompilers are a thing, and have been for a long long time.

    Besides, people can just read assembly if they really want to.

    Why do you think C++ is more secure than python?
  • 4
    @atheist In certain areas you need "predictability" interpreted languages cannot provide. With predictability I mean:

    - Predictable memory. Assuming I do cryptography in Python. With the dynamic memory management, secret keys and data may remain in memory quite a long time - I can't even clear a string in Python! And depending on the security requirements, I may have to do it.
    - Side channel resistance. If I compute e.g. RSA operations with Python, the integer implementation will leak data because of minor (measurable) differences between each operation. I can't even implement counter measures, as there is too much of other things happening in the interpreter. One can't even compare to strings to equality in constant time w/o calling a function written in C...

    This is *only* required for certain areas - mainly cryptography, and only against "advanced" attackers.
    When creating larger applications, avoiding memory issues is usually better than having such predictability...
Add Comment