On Saturday, 5 July 2014 at 21:50:59 UTC, Nick Sabalausky wrote:
> Secondly, if the difficulty you're referring to is all the
> various side-channel attacks (like buffer overflows, timing
> attack, etc), then you're conflating crypto and security. The
> two are certainly related, but they are NOT the same.

It's called Fleming cryptanalysis :)

> 3. Too late anyway: See std.digest. Besides, if anything,
> std.digest is arguably *worse* because (until 2.066) it only
> provides the worst choices. std.random isn't much better.
> Granted, it doesn't claim to be crypto-grade, but it doesn't
> clearly state that it *isn't* and that's just as bad: People
> are going to decide (incorrectly) they can use it to
> generate salts or tokens or whatever, and they will do so.
> Heck, *I've* even done it, and *I'm* someone who actually knows
> better.

The default PRNG is routinely used for salt generation :)
Granted, your library makes it easier to use good salts. Though
it needs examples or tutorials on how to actually use the library
correctly.
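
The std.random salt problem raised in this exchange, as an added example that is not part of the original posts or of the library being discussed: a salt drawn from `Mt19937` is fully determined by its 32-bit seed, while one read from the operating system's CSPRNG is not. The function names `prngSalt` and `osSalt` and the seed value are hypothetical, and `osSalt` assumes a POSIX system with `/dev/urandom`.

```d
import std.random : Mt19937, uniform;
import std.stdio : File, writefln;

/// Salt from std.random's Mersenne Twister (hypothetical helper).
/// Every byte is a deterministic function of the 32-bit seed.
ubyte[] prngSalt(uint seed, size_t len)
{
    auto rng = Mt19937(seed);
    auto salt = new ubyte[](len);
    foreach (ref b; salt)
        b = uniform!ubyte(rng);
    return salt;
}

/// Salt from the OS CSPRNG (hypothetical helper).
/// Assumption: POSIX system exposing /dev/urandom.
ubyte[] osSalt(size_t len)
{
    auto salt = new ubyte[](len);
    auto f = File("/dev/urandom", "rb");
    auto got = f.rawRead(salt);
    if (got.length != len)
        throw new Exception("short read from /dev/urandom");
    return salt;
}

void main()
{
    // Constructed seed, standing in for whatever value seeded the generator.
    enum uint seed = 12345;

    auto a = prngSalt(seed, 16);
    auto b = prngSalt(seed, 16);
    assert(a == b); // same seed, byte-for-byte identical "random" salt

    auto c = osSalt(16);
    auto d = osSalt(16);
    assert(c != d); // two 128-bit CSPRNG salts colliding is negligible

    writefln("std.random salt: %(%02x%)", a);
    writefln("OS CSPRNG salt:  %(%02x%)", c);
}
```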