A security review of the D library Crypto

Cym13 cpicard at purrfect.fr
Wed Jul 1 07:54:54 UTC 2020


On Wednesday, 1 July 2020 at 07:49:27 UTC, Arafel wrote:
> As somebody who also was somewhat involved in infosec and 
> cryptography in a previous life, I found your article really 
> interesting. So, first of all, thanks for taking the time to do 
> the review and for publishing the results!
>
> I see that you mostly focus on the algorithms, but did you also 
> check for side-channel attacks (for instance, timing attacks), 
> or given the flaws already found it would make little sense to 
> go deeper?

Fixing the issues from the article would require a huge amount of 
code changes, so I saw little point in timing the library as is. 
It must do the right thing before doing it the right way.

> I find that following a well-known algorithm is just the easy 
> part when implementing crypto... the hard one is ironing out 
> those pesky "implementation details". That's one of the reasons 
> why I would try to use one of the "big" libraries for 
> cryptography instead of rolling out my own, even if it meant 
> adding an external C/C++ dependency to my project.

I can definitely vouch for that.


More information about the Digitalmars-d-announce mailing list