A security review of the D library Crypto
ajieskola at gmail.com
Wed Jul 1 10:59:13 UTC 2020
On Wednesday, 1 July 2020 at 07:19:11 UTC, Cym13 wrote:
> Here's what you should know if you are a user:
> RSA, as implemented in the library, is still very much broken.
> I do not recommend using it. The confidentiality and integrity
> of all messages exchanged using this library must be
> questioned: if you exchanged sensitive information such as
> passwords using it I recommend to change them since their
> security is not guaranteed.

Thanks for the article. IMO it was as clear for non-professionals
as crypto can be: Even I (non-cryptographer) understood what's the
problem with padding with only one byte.

It also illustrates what's the problem with cryptography: it's
like coding without ability to test. Who could even dream to get
that right the first or even the second time? I think there is a
shortcoming in the "don't roll your own crypto" advice: One
could think it only applies to the algorithms, not the
implementation. That's what I did when I first heard it.

If one needs to use cryptography, would redundancy help? I mean,
encode and decode the message with say three different algorithms
from different libraries, so that the attacker would need to find
a weakness in all of them?