Re: [racket-users] OpenSSL vs. NaCl/libsodium

2017-05-01 Thread Tony Garnock-Jones
On 4/30/17 11:51 PM, James wrote:
> I think we want standard TLS.  I know enough about cryptography to
> know that I really don't want to roll my own.  So I guess OpenSSL is
> what we'll use but then, maybe, something else for local file
> cryptography and signing.  We might even use OpenPGP as a helper
> application.

TLS for data in motion plus PGP for data at rest sounds like a fine
choice. One very big win over NaCl/libsodium based solutions is that you
have a mature story for key and certificate management.

You might consider libressl instead of openssl: "LibreSSL is a version
of the TLS/crypto stack forked from OpenSSL in 2014, with goals of
modernizing the codebase, improving security, and applying best practice
development processes. Primary development occurs inside the OpenBSD
source tree with the usual care the project is known for."

Cheers,
  Tony

-- 
You received this message because you are subscribed to the Google Groups 
"Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to racket-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [racket-users] OpenSSL vs. NaCl/libsodium

2017-04-30 Thread James

On Apr 28, 2017, at 5:03 PM, Tony Garnock-Jones wrote:

> Hi James,
> 
> On 4/28/17 1:13 PM, James wrote:
>> https://github.com/mgorlick/CRESTaceans/tree/master/bindings/libsodium
>> https://github.com/tonyg/racl/tree/master
> 
> I'm the author of racl. I've not used mgorlick's code, but one thing to
> bear in mind is that it uses libsodium, where racl uses plain NaCl.
> Libsodium is definitely the way to go - plain NaCl is largely vestigial
> at this point.
> 
> If I were to use racl in production, I would change the implementation
> of racl to use libsodium instead of NaCl.

Thanks, that's really helpful.  I had heard that libsodium was the way to go but 
I'm just now reading about the details.

> 
> Racl includes a few useful utilities (like SPKI SEXP I/O and some hacky
> sketches of encrypted TCP ports based on NaCl primitives), where
> mgorlick's code looks to be just the NaCl primitives.
> 
> mgorlick's code has contracts; mine does not, which is a shame. I should
> add some.
> 
> Finally, neither NaCl nor libsodium nor racl provides anything TLS-like.
> If you wanted some kind of streaming network code on top of NaCl, you're
> firmly in "roll-your-own crypto" territory.

I think we want standard TLS.  I know enough about cryptography to know that I 
really don't want to roll my own.  So I guess OpenSSL is what we'll use but 
then, maybe, something else for local file cryptography and signing.  We might 
even use OpenPGP as a helper application.


James



Re: [racket-users] OpenSSL vs. NaCl/libsodium

2017-04-30 Thread James
Thanks, Neil.  I'm aware of the problem of implementation issues, in general, 
but I am new to Racket.  So, if I understand correctly, this would argue for 
using the OpenSSL Racket module for TLS.  I think that's the most sensitive 
part, in terms of C/C++ bugs and failures, since it's network facing.  

James

On Apr 28, 2017, at 1:37 PM, Neil Van Dyke wrote:

> I always look at tonyg's work first.
> 
> Aside: I try to keep uses of third-party crypto code as simple and minimal as 
> possible.  We know crypto implementations are complex, and defect-prone.  And 
> any party in the chain of the software architecture or provenance can 
> introduce a vulnerability (e.g., Debian breaking SSL when they were only 
> supposed to be compiling and packaging upstream code).  One thing I've done 
> in the past, when appropriate, is to isolate crypto libraries to separate 
> processes, and use variations on Racket `system` to call them.  This at least 
> keeps C/C++ bugs from being able to exploit or corrupt anything in the Racket 
> process, and also usually makes any failures in the running C/C++ code 
> short-lived.
> 
> 
> James wrote on 04/28/2017 01:13 PM:
>> I am researching options for a major project which needs various 
>> cryptography functions.  We want to implement TLS with ourselves as the only 
>> certificate authority, establish a web of trust, and also encrypt and sign 
>> individual files.  I see that there is an OpenSSL module in Racket so that's 
>> an option.  I thought I saw an NaCl module a while back but now I can't find 
>> it. Maybe I'm mistaken.  What I did find was two different projects on 
>> GitHub which provide language bindings for Racket to libsodium.  Neither 
>> has much documentation so I am wondering if they are ready for a major 
>> project and if so, which one should I use?
>> 
>> They are:
>> https://github.com/mgorlick/CRESTaceans/tree/master/bindings/libsodium
>> https://github.com/tonyg/racl/tree/master
>> 
>> I also see references to another one called natrium but there are only 
>> broken links.
>> 
>> James
>> 
> 
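
Added example, not part of the original thread: one way to apply the separate-process isolation Neil describes to the OpenPGP helper idea, using Racket's `subprocess` to run `gpg` and deciding from its `--status-fd` lines. The `homedir` keyring directory, the pinned fingerprint and the sample status text are assumptions constructed for illustration.

```racket
#lang racket/base
;; Added example (not from the thread): verify a detached OpenPGP signature
;; in a separate gpg process, so C-level bugs stay outside the Racket process.
(require racket/port racket/string)

;; Assumption: a `gpg` binary is installed and on PATH.
(define gpg (find-executable-path "gpg"))

;; Decide from gpg's machine-readable status lines, not its human-readable
;; text. `fpr` is the pinned (uppercase hex) fingerprint of the signing key.
(define (status-verdict status-text fpr)
  (define lines (string-split status-text "\n"))
  (define (has? what)
    (for/or ([l (in-list lines)])
      (string-prefix? l (string-append "[GNUPG:] " what " "))))
  (cond [(or (has? "BADSIG") (has? "ERRSIG")) 'bad]
        [(has? (string-append "VALIDSIG " fpr)) 'good]
        [else 'unknown]))

;; Returns 'good, 'bad, 'unknown or 'timeout. `homedir` is a hypothetical
;; dedicated keyring directory holding only the keys you trust.
(define (verify-detached homedir sig-file data-file fpr #:timeout [secs 10])
  (unless gpg (error 'verify-detached "gpg not found on PATH"))
  (define-values (proc out in err)
    (subprocess #f #f #f gpg "--batch" "--no-tty" "--homedir" homedir
                "--status-fd" "1" "--verify" sig-file data-file))
  (close-output-port in)                       ; the helper gets no stdin
  (define status "")
  (define reader (thread (lambda () (set! status (port->string out)))))
  (thread (lambda () (copy-port err (open-output-nowhere)))) ; drain stderr
  (cond
    [(sync/timeout secs proc)                  ; helper exited in time
     (thread-wait reader)
     (define verdict (status-verdict status fpr))
     ;; Require a clean exit code as well as the VALIDSIG status line.
     (if (and (eq? verdict 'good) (not (zero? (subprocess-status proc))))
         'unknown
         verdict)]
    [else (subprocess-kill proc #t) 'timeout])) ; hung helper: kill it

;; Constructed status output, shaped like what gpg writes to --status-fd.
(define sample-fpr "0123456789ABCDEF0123456789ABCDEF01234567")
(define sample-status
  (string-append "[GNUPG:] NEWSIG\n"
                 "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer\n"
                 "[GNUPG:] VALIDSIG " sample-fpr " 2017-05-01 1493596800\n"))
(status-verdict sample-status sample-fpr)                ; pinned key matches
(status-verdict sample-status (make-string 40 #\F))      ; different key
```

Anything other than `'good` should be treated as a failed verification by the caller, including `'timeout`.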



Re: [racket-users] OpenSSL vs. NaCl/libsodium

2017-04-28 Thread Tony Garnock-Jones
Hi James,

On 4/28/17 1:13 PM, James wrote:
> https://github.com/mgorlick/CRESTaceans/tree/master/bindings/libsodium
> https://github.com/tonyg/racl/tree/master

I'm the author of racl. I've not used mgorlick's code, but one thing to
bear in mind is that it uses libsodium, where racl uses plain NaCl.
Libsodium is definitely the way to go - plain NaCl is largely vestigial
at this point.

If I were to use racl in production, I would change the implementation
of racl to use libsodium instead of NaCl.

Racl includes a few useful utilities (like SPKI SEXP I/O and some hacky
sketches of encrypted TCP ports based on NaCl primitives), where
mgorlick's code looks to be just the NaCl primitives.

mgorlick's code has contracts; mine does not, which is a shame. I should
add some.

Finally, neither NaCl nor libsodium nor racl provides anything TLS-like.
If you wanted some kind of streaming network code on top of NaCl, you're
firmly in "roll-your-own crypto" territory.

Cheers,
  Tony



[racket-users] OpenSSL vs. NaCl/libsodium

2017-04-28 Thread James
I am researching options for a major project which needs various cryptography 
functions.  We want to implement TLS with ourselves as the only certificate 
authority, establish a web of trust, and also encrypt and sign individual 
files.  I see that there is an OpenSSL module in Racket so that's an option.  I 
thought I saw an NaCl module a while back but now I can't find it. Maybe I'm 
mistaken.  What I did find was two different projects on GitHub which provide 
language bindings for Racket to libsodium.  Neither has much documentation so 
I am wondering if they are ready for a major project and if so, which one 
should I use?

They are:
https://github.com/mgorlick/CRESTaceans/tree/master/bindings/libsodium
https://github.com/tonyg/racl/tree/master

I also see references to another one called natrium but there are only broken 
links.  

James
