A security review of the D library Crypto
cpicard at purrfect.fr
Wed Jul 1 07:54:54 UTC 2020

On Wednesday, 1 July 2020 at 07:49:27 UTC, Arafel wrote:
> As somebody who also was somewhat involved in infosec and
> cryptography in a previous life, I found your article really
> interesting. So, first of all, thanks for taking the time to do
> the review and for publishing the results!
> I see that you mostly focus on the algorithms, but did you also
> check for side-channel attacks (for instance, timing attacks),
> or given the flaws already found it would make little sense to
> go deeper?

Fixing the issues from the article would require a huge amount of
code changes, so I saw little point in timing the library as is.
It must do the right thing before doing it the right way.

> I find that following a well-known algorithm is just the easy
> part when implementing crypto... the hard one is ironing out
> those pesky "implementation details". That's one of the reasons
> why I would try to use one of the "big" libraries for
> cryptography instead of rolling out my own, even if it meant
> adding an external C/C++ dependency to my project.

I can definitely vouch for that.
More information about the Digitalmars-d-announce