Cryptography and D

deadalnix via Digitalmars-d digitalmars-d at puremagic.com
Sat Jul 5 12:33:30 PDT 2014


On Sunday, 29 June 2014 at 07:19:49 UTC, Adam Wilson wrote:
> On Sat, 28 Jun 2014 23:08:51 -0700, Charles 
> <charles.hoskinson at gmail.com> wrote:
>
>> Is there a native D crypto library like Crypto++?
>
> No. And for good reason. Building a cryptography library is an
> extremely difficult proposition. Even after you've completed the
> build, you still face a trust problem. You need to convince
> people that your library is not subject to a myriad of
> side-channel attacks. The only way to do that is to battle-test
> it, which requires that people use it in the first place. The
> philosophy of the D community is to bind to more trusted and
> tested libraries.
>

I used to think that. A few years ago, I looked into OpenSSL and
noticed several horrors. Several of them are mentioned here:

https://www.youtube.com/watch?v=GnBbhXBDmwU

I had the same reasoning: crypto is hard and these guys know much
more than I do.

They don't. The simple fact that they are using C to build
security-related basic blocks shows that they have no idea what
they are doing. No bounds checks, no memory safety, integer
overflow is undefined behavior (which means that even if you
remember to check for it, you are not checking for it).
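
An added example, not part of the original post, illustrating the remark about overflow checks in C: a check written after a signed addition relies on undefined behaviour and may be removed by the compiler, while a check against the limits before the addition is well defined. The function names are hypothetical and the inputs are constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Broken: the test runs after the overflow has already happened. Signed
 * overflow is undefined behaviour, so the compiler is allowed to assume
 * sum >= a whenever b >= 0 and delete the branch entirely. */
int add_check_after(int a, int b, int *out)
{
    int sum = a + b;              /* UB here if the result does not fit */
    if (b >= 0 && sum < a)        /* may be optimised away */
        return -1;
    if (b < 0 && sum > a)         /* same problem for negative b */
        return -1;
    *out = sum;
    return 0;
}

/* Safe: compare against the limits before adding, so no overflowing
 * operation is ever evaluated. Returns 0 on success, -1 on overflow;
 * *out is left untouched on failure. */
int add_check_before(int a, int b, int *out)
{
    if (b > 0 && a > INT_MAX - b)
        return -1;
    if (b < 0 && a < INT_MIN - b)
        return -1;
    *out = a + b;
    return 0;
}

int main(void)
{
    int r = 0;
    /* Constructed inputs; only the well-defined variant is exercised. */
    printf("INT_MAX + 1  -> %d\n", add_check_before(INT_MAX, 1, &r));
    printf("INT_MIN + -1 -> %d\n", add_check_before(INT_MIN, -1, &r));
    if (add_check_before(40, 2, &r) == 0)
        printf("40 + 2       -> %d\n", r);
    return 0;
}
```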

