A security review of the D library Crypto

Dukc ajieskola at gmail.com
Wed Jul 1 10:59:13 UTC 2020

On Wednesday, 1 July 2020 at 07:19:11 UTC, Cym13 wrote:
> Here's what you should know if you are a user:
> RSA, as implemented in the library, is still very much broken. 
> I do not recommend using it. The confidentiality and integrity 
> of all messages exchanged using this library must be 
> questioned: if you exchanged sensitive information such as 
> passwords using it I recommend changing them since their 
> security is not guaranteed.
> [snip]

Thanks for the article. IMO it was as clear for non-professionals 
as crypto can be: Even I (non-cryptographer) understood what the 
problem is with padding with only one byte.

It also illustrates what the problem is with cryptography: it's 
like coding without the ability to test. Who could even dream to get 
that right the first or even the second time? I think there is a 
shortcoming in the "don't roll your own crypto" advice: One 
could think it only applies to the algorithms, not the 
implementation. That's what I did when I first heard it.

If one needs to use cryptography, would redundancy help? I mean, 
encode and decode the message with say three different algorithms 
from different libraries, so that the attacker would need to find 
a weakness in all of them?
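The "padding with only one byte" problem the post refers to, as an added illustration that is not code from the Crypto library, from Cym13's article, or from this thread: a toy RSA with a constructed 768-bit key (far too small for real use) encrypts the same message repeatedly, once with a constructed weak scheme whose only randomness is a single byte, and once with EME-OAEP as specified in RFC 8017 (SHA-256, MGF1, empty label). Counting distinct ciphertexts makes the point concrete: with one byte of padding a fixed plaintext has at most 256 possible ciphertexts, so an encryption of a guessable value (a password, a yes/no answer) can be matched against a short list, whereas OAEP's 32-byte seed gives a fresh-looking ciphertext every time. All function names and the key generation here are my own assumptions for the demo.

```python
"""Why one byte of padding randomness breaks RSA confidentiality: toy demo.
Added example, NOT the Crypto library's code. Toy 768-bit key, not for real use."""
import hashlib
import secrets

HASH = hashlib.sha256
HLEN = HASH().digest_size  # 32 bytes


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin after cheap trial division (good enough for a demo key)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _is_probable_prime(cand):
            return cand


def keygen(bits=768):
    """Toy RSA key (n, e, d). Real keys are 2048 bits or more."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def _mgf1(seed, length):
    """MGF1 mask generation (RFC 8017 B.2.1)."""
    out = b"".join(HASH(seed + c.to_bytes(4, "big")).digest()
                   for c in range((length + HLEN - 1) // HLEN))
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(msg, k):
    """EME-OAEP encoding (RFC 8017 7.1.1), empty label; k = modulus bytes."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    db = HASH(b"").digest() + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = secrets.token_bytes(HLEN)  # 32 bytes of randomness per encryption
    masked_db = _xor(db, _mgf1(seed, k - HLEN - 1))
    masked_seed = _xor(seed, _mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, k):
    """Inverse of oaep_encode. A production version must be constant-time."""
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = _xor(masked_seed, _mgf1(masked_db, HLEN))
    db = _xor(masked_db, _mgf1(seed, k - HLEN - 1))
    sep = db.find(b"\x01", HLEN)  # first 0x01 after lHash ends the zero PS
    if em[0] != 0 or db[:HLEN] != HASH(b"").digest() or sep == -1 or any(db[HLEN:sep]):
        raise ValueError("decryption error")
    return db[sep + 1:]


def weak_encode(msg, k):
    """Constructed toy of the flaw under discussion: the only randomness is one
    byte, so a given message has at most 256 distinct encodings."""
    if len(msg) > k - 2:
        raise ValueError("message too long")
    return b"\x00" * (k - 1 - len(msg)) + secrets.token_bytes(1) + msg


def encrypt(pub, msg, encode):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(encode(msg, k), "big"), e, n)


def decrypt_oaep(priv, c):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return oaep_decode(pow(c, d, n).to_bytes(k, "big"), k)


def distinct_ciphertexts(pub, msg, encode, trials=1000):
    """How many different ciphertexts repeated encryption of one message yields."""
    return len({encrypt(pub, msg, encode) for _ in range(trials)})


if __name__ == "__main__":
    n, e, d = keygen()
    msg = b"constructed sample password"  # constructed sample, 27 bytes
    assert decrypt_oaep((n, d), encrypt((n, e), msg, oaep_encode)) == msg
    print("1-byte padding:", distinct_ciphertexts((n, e), msg, weak_encode), "distinct of 1000 (max 256)")
    print("OAEP:          ", distinct_ciphertexts((n, e), msg, oaep_encode), "distinct of 1000")
```

The weak count stays at or below 256 however many times you encrypt, which is exactly the property a chosen-plaintext check in a test suite can assert on: encrypt a fixed message many times and require that the ciphertexts never repeat. That kind of test is one of the few things about a padding scheme that can be verified mechanically without being a cryptographer.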

