Note from a donor

H. S. Teoh hsteoh at quickfur.ath.cx
Fri Oct 27 17:45:57 UTC 2017


On Fri, Oct 27, 2017 at 05:35:17PM +0000, Kagamin via Digitalmars-d wrote:
> On Wednesday, 25 October 2017 at 14:17:21 UTC, Jonathan M Davis wrote:
> > The point still stands though that you have to be _very_ careful
> > when implementing anything security related, and it's shockingly
> > easy to do something that actually leaks information even if it's
> > not outright buggy (e.g. the timing of the code indicates something
> > about success or failure to an observer)
> 
> Fun read: http://cr.yp.to/papers.html#cachetiming - a cache timing
> attack on AES recovering full key. This flaw was accounted for in
> Salsa and Chacha design.

Yes, and this is exactly why I would not trust any D crypto
implementation that hasn't been vetted by crypto experts. Nobody would
think of such weaknesses when they're writing the code, unless they were
already aware of such issues beforehand -- and I doubt many of us here
would even be aware of half of the issues crypto implementors must work
with on a regular basis.  If even the OpenSSL folk didn't manage to
avoid this exploit, we non-crypto people wouldn't even stand a chance.

Of course, the larger picture is that crypto algorithms are only a small
(albeit critical) part of a larger cryptosystem, and oftentimes the
weaknesses come not from the algorithm itself but from issues affecting
the other parts of the cryptosystem.  You can have the best, most
unbreakable crypto (or whatever else) algorithm in your hand, but if you
use it incorrectly or just carelessly, you'd still get exploited, and
all that crypto strength would be for nought.


T

-- 
Insanity is doing the same thing over and over again and expecting different results.
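The kind of leak Jonathan describes above (code whose running time tells an observer something about success or failure) is easiest to see on a MAC-tag check. The following is an added C example, not code from the thread or from any D project: a naive early-exit comparison sits beside a constant-time one, and a small attacker model recovers the tag byte by byte using nothing but the number of bytes the oracle examined. That step count is an assumption standing in for wall-clock time; `TAG_LEN`, `SECRET_TAG` and all function names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16  /* length of the MAC tag being checked (assumed) */

/* Comparison oracle: returns 1 if a == b over n bytes, else 0, and
 * reports in *steps how many bytes it examined. The step count stands
 * in for the execution time an attacker could measure (a model, not a
 * real timer). */
typedef int (*compare_fn)(const uint8_t *a, const uint8_t *b,
                          size_t n, size_t *steps);

/* Naive tag check: bails out at the first mismatching byte, so its
 * running time reveals how long the matching prefix is. */
static int naive_compare(const uint8_t *a, const uint8_t *b,
                         size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = n;
    return 1;
}

/* Constant-time tag check: ORs together the XOR of every byte pair, so
 * the loop always runs n iterations with no data-dependent branch. */
static int ct_compare(const uint8_t *a, const uint8_t *b,
                      size_t n, size_t *steps)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *steps = n;
    /* Branch-free fold: (diff - 1) wraps to 0xFFFFFFFF only when
     * diff == 0, so the top bit is 1 exactly for a full match. */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* Attacker model: knows nothing about the secret, can only submit
 * guesses to the oracle and observe *steps. Recovers one byte per
 * round while the observable still distinguishes guesses. Returns the
 * number of bytes written to out. */
static size_t recover_tag(const uint8_t *secret, size_t n,
                          compare_fn cmp, uint8_t *out)
{
    uint8_t guess[TAG_LEN] = {0};
    size_t known = 0;

    while (known < n) {
        size_t steps_for[256];
        size_t min_s = (size_t)-1, max_s = 0;

        for (int v = 0; v < 256; v++) {
            guess[known] = (uint8_t)v;
            if (cmp(secret, guess, n, &steps_for[v])) {
                memcpy(out, guess, n);       /* full match: done */
                return n;
            }
            if (steps_for[v] < min_s) min_s = steps_for[v];
            if (steps_for[v] > max_s) max_s = steps_for[v];
        }
        if (max_s == min_s)
            break;  /* every guess took the same time: channel is silent */
        /* The single guess that ran longest matched at position known. */
        for (int v = 0; v < 256; v++) {
            if (steps_for[v] == max_s) {
                guess[known] = (uint8_t)v;
                break;
            }
        }
        out[known] = guess[known];
        known++;
    }
    return known;
}

/* Constructed 16-byte "secret" tag for the demonstration (not a real MAC). */
static const uint8_t SECRET_TAG[TAG_LEN] = {
    0x9f, 0x2c, 0x41, 0x00, 0xde, 0xad, 0xbe, 0xef,
    0x13, 0x37, 0xc0, 0xff, 0xee, 0x07, 0x5a, 0xa5
};

/* Runs the attack against one oracle; returns how many leading bytes of
 * the secret it recovered correctly. */
static size_t bytes_recovered(compare_fn cmp)
{
    uint8_t out[TAG_LEN] = {0};
    size_t k = recover_tag(SECRET_TAG, TAG_LEN, cmp, out);
    size_t correct = 0;
    while (correct < k && out[correct] == SECRET_TAG[correct]) correct++;
    return correct;
}

/* Sanity check: ct_compare agrees with a plain compare on equal and
 * unequal input and always examines all TAG_LEN bytes. */
static int ct_self_test(void)
{
    uint8_t copy[TAG_LEN];
    size_t steps_eq, steps_ne;
    memcpy(copy, SECRET_TAG, TAG_LEN);
    int eq = ct_compare(SECRET_TAG, copy, TAG_LEN, &steps_eq);
    copy[TAG_LEN - 1] ^= 0x01;
    int ne = ct_compare(SECRET_TAG, copy, TAG_LEN, &steps_ne);
    return eq == 1 && ne == 0 && steps_eq == TAG_LEN && steps_ne == TAG_LEN;
}

int main(void)
{
    printf("naive_compare leaked %zu of %d tag bytes\n",
           bytes_recovered(naive_compare), TAG_LEN);
    printf("ct_compare    leaked %zu of %d tag bytes\n",
           bytes_recovered(ct_compare), TAG_LEN);
    printf("ct_compare self-test: %s\n", ct_self_test() ? "ok" : "FAIL");
    return 0;
}
```

Against `naive_compare` the attacker needs at most 256 queries per byte and gets the whole tag; against `ct_compare` every guess produces the same observable and the attack stops at byte zero. Two caveats a practitioner should keep in mind: the step counter is a clean model of a channel that is noisy in practice (real attacks average many measurements), and "constant time" in C is only as good as what the compiler emits, which is one more reason to reuse a vetted routine such as OpenSSL's `CRYPTO_memcmp` rather than roll your own, exactly the point the post makes.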

