[sip-comm-dev] GSoC 09 - OTR + BouncyCastle

Werner Dittmann Werner.Dittmann at t-online.de
Sun Jul 5 17:50:06 CEST 2009

George, Emil,

Emil Ivov wrote:
> Hey George,
> George Politis wrote:
>> I agree we don't really need all the BouncyCastle, because of its huge
>> size (Emil made this very clear to me!).
>> I think that even without the full set of BouncyCastle classes, we could
>> still have a trimmed down BouncyCastle bundle (like very-light-bc.jar)
>> which will contain the functionality needed by otr4j and zrtp4j. 
> This would indeed make sense if there's a substantial set of classes
> needed by both.
>> There
>> is even the org.sip.commmunicator.util.Base64 which essentially is the
>> BouncyCastle encoder/decoder (it is mentioned in the class file of
>> course), but maybe we could import that too from the very-light-bc.jar,
>> (a Base64 encoder/decoder is essential for the otr protocol so we will
>> have to include that in very-light-bc.jar).
> I wouldn't worry about Base64 and keep it where it is. Its use goes
> beyond cryptography and bc so we could keep it where it is.
>> That said, if I added the required BouncyCastle classes directly in
>> otr4j it might work, but still there are some very fundamental
>> interfaces that both zrtp4j and otr4j should contain -like the
>> org.bouncycastle.crypto.CipherParameters interface-, which could lead to
>> the same problems again (Problem B in the post).
> As a matter of fact that won't really be a problem since if both libs
> contain it, their respective bundles won't be exporting it and hence no
> class would be able to reference both of them. The only reasons to have
> a very-light-bc.jar would be to avoid duplication and improve
> organization (which doesn't mean they aren't good enough).

As a matter of fact the zrtp4j bundle exports the BC part because the
SRTP classes need these BC classes as well. That was the reason to export
them. Thus IMHO it would make sense to build the very lightweight BC lib for
ZRTP, OTR, and SRTP and later on maybe others as well.

I've all the necessary sources on my system and also have the build files
around. What I can offer is to create a small project and create
the lib. This would be a system lib and thus we need to import the classes
in the felix properties file.

George, can you provide me with a short list of crypto functions that
OTR requires? I know the following:

- DH
- HMAC (which digest to use with the HMAC? SHA256?)
- SHA256 digest
- AES Counter mode (CTR)

Anything else?


> Cheers
> Emil
