Re: A security review of the D library Crypto

Wed, 01 Jul 2020 06:10:55 -0700 

On 7/1/20 3:19 AM, Cym13 wrote:
As some of you may know one of my hobbies is to review open source software for security issues. About a year ago I reviewed the RSA implementation of Crypto[1]: a native D library which, according to dub statistics, is fairly popular. 


Issues were found and after discussion with the author I decided to wait 
for them to be fixed. A year later I would like to present the results 
of an updated review of the library:


https://breakpoint.purrfect.fr/article/review_crypto_d.html

Here's what you should know if you are a user:


RSA, as implemented in the library, is still very much broken. I do not 
recommend using it. The confidentiality and integrity of all messages 
exchanged using this library must be questionned: if you exchanged 
sensitive information such as passwords using it I recommend to change 
them since their security is not guaranteed.



“Is this really the place to have this discussion? Shouldn't this be 
between the author and you?“



The author was contacted a year ago and although our discussion was kind 
and productive I have not heard from him since. Most of the issues 
present today were already present in my first assessment. Some 
modifications were made, but most recommendations were ignored. After a 
year without action I feel that the users should know exactly what they 
are exposed to since they are the ones affected by these security 
issues. This follows standard vulnerability disclosure processes.



For all details and analysis I direct you to the blog post. It is a 
rather thorough and technical read so I would recommend grabbing a cup 
of tea first.



If you find any mistake or unclear parts I'll be glad to correct it so 
feel free to point it out. Furthermore if you would like someone to have 
a look at your project to identify issues I am always glad to help free 
and open source projects that can't afford security review through 
traditional means so feel free to reach out.


[1] https://code.dlang.org/packages/crypto



This is a fantastic writeup, and being someone who is naturally good at 
math, but never really cared for it at the advanced level, I find the 
level of detail perfect.


Thanks for the post!

-Steve






















					Reply via email to