Cryptography and D
deadalnix via Digitalmars-d
digitalmars-d at puremagic.com
Sat Jul 5 18:53:11 PDT 2014
On Saturday, 5 July 2014 at 23:45:47 UTC, Xinok wrote:
> If you don't trust OpenSSL, nobody said you have to use it.
> There are plenty of alternatives available. The fact still
> remains, implementing your own crypto is a very bad idea.
>
It seems to be the consensus. In the meantime, people like Mark
Karpeles build their own implementation of SSH in PHP, and
proceed to run a multimillion dollar exchange ( MtGox ).
Building your own crypto is a bad idea. And you know who ignore
bad idea ? Bad programmers. As a results, they are the one
building crypto libs. And you know what is a worse idea than
making your own crypto lib ? Letting Dunning-Kruger lemmings do
it for you.
> Why implement a crypto lib in C?
>
> (1) Maximum exposure - If a programming language has more than
> 100 users, chances are, there's an OpenSSL binding available
> for that language. C is an ideal language to make something
> available for as many platforms and environments as possible.
>
This is very true. However, as each plateform has its own
characteristics, you ends up not being able to port that simply,
and worse, you can break security without knowing it doing so.
I understand the social aspect of it, but from a security POV,
this is a neat loss.
I'm not sure if another approach is possible. It is clear that
nobody care about security until catastrophes happens. At least,
the recent event waked up many people on how bad the state of
affair is, and how clueless the people handling it right now are.
> (2) Determinism - If your intention is to implement crypto that
> is impervious to side-channel attacks, you need a language
> that's "close to the metal" and will behave how you expect it
> to. For example, Java would be a poor choice because things
> like garbage collection and JITing makes code highly
> non-deterministic.
D is an option here. Anything that isn't system related obviously
isn't, as you must ensure that you clean the memory behind you.
More information about the Digitalmars-d
mailing list