A security review of the D library Crypto
cpicard at purrfect.fr
Sat Jul 4 15:49:25 UTC 2020
On Saturday, 4 July 2020 at 14:37:41 UTC, H. S. Teoh wrote:
> I'm not the author, but I'm curious about the D implementation
> of Botan (https://code.dlang.org/packages/botan) -- how is its
> security level? I glanced at it before and it seemed OK, but
> it'd be really nice to have a 3rd party opinion, esp. from
> someone who's skilled with cryptanalysis.
I can't say much at the moment. Botan is another beast altogether
and lots of work is going to be required to get any certitude.
What I can say is that it's a nice library, ported from a library
that has been audited in the past and is still actively
maintained. A cursory look shows none of the issues found in Crypto.
Everything seems really good.
The main issue with Botan from a design standpoint may be its
completeness. It's great if you are building off an established
project or protocol and need specific algorithms. If you're
starting a new project from scratch, though, more options mean more
ways to potentially choose a bad one. I mentioned libsodium in a
previous answer; this is the kind of opinionated library that is
well suited to that type of new project.
But really, it's hard to say anything bad when the project's wiki
starts with a list of books and resources to learn cryptography
prior to using the library. I don't know the author but at
least it seems like he knows what he's messing with.
So, to conclude, based on that preliminary look alone I would
feel confident about recommending Botan since I don't expect any
major issue. But I'll still need to find the time to properly
review it someday, be it only for my own peace of mind.