-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathREADME
51 lines (38 loc) · 3.42 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
SecureD
SecureD is a cryptography library for D that is designed to make working with cryptography simple. Simplicity encourages the developers to use cryptography in a safe and correct manner.
Design Philosophy
- SecureD does not present a menu of options by default. This is because the dizzying array of options presented to developers by other cryptography libraries creates confusion about what they should actually be using 95% of the time. SecureD presents sensible defaults that should be used in 95% of implementations. However, a selection of options is available under the extended API's should a situation arise where such flexibility is required.
- SecureD reserves the right to change which algorithms and defaults it presents should significant weaknesses be found. If such change is required, this will trigger an increase of the major version number.
- SecureD takes a situational approach to it's construction. Identify a situation then apply best practices to implement with a solution. Situations that SecureD supports are:
- Data Integrity
- Data Storage
- Message Authentication
- Key Derivation (Both PKI and KDF based)
Developer-Friendly Misuse-Resistant API:
One of the largest problems with most cryptography libraries available today is that their convoluted API's actively encourage broken implementations. SecureD aims to provide a simple API that exposes a reasonable amount of choice.
Focus on Non Transport-Layer Usages:
SecureD is designed to support a wide-variety of uses. However, SecureD is explicitly NOT intended to be used as a transport-layer security API. Implementing transport security protocols is a complex task that involves multiple layers of defenses. If you need such services please use TLS instead.
Safe by Design:
Use only safe algorithms with safe modes. Make conservative choices in the implementation.
Do Not Reimplement Cryptography Algorithms:
Use industry standard libraries instead. SecureD is based on OpenSSL. Botan support was removed in V2 of SecureD due to the extensiveness of the rewrite that SecureD underwent. If someone is willing to update with new implementations they will be considered for inclusion.
Minimal Code:
Keep the code to a minimum. This ensures high-maintainability and facilitates understanding of the code.
Unittesting:
All API's are unittested using D's built in unittests. Any developer can verify the implementation with a simple 'dub test' command. This ensures that the library will perform as advertised.
Algorithms
- Hash + HMAC:
- SHA2: 256, 384, 512, 512/224, 512/256
- SHA3: 224, 256, 384, 512
- Symmetric:
- Algorithms: AES (128/192/256), ChaCha20
- Stream Modes: GCM, CTR, Poly1305 (ChaCha20 only)
- Block Modes: CFB, CBC (PKCS7 Padding Only)
- KDF: PBKDF2, HKDF, SCrypt
- Asymmetric: ECC: P256, P384, P521 (Key Derivation + Sign/Verify with SHA2-384 or SHA2-256)
- Asymmetric: RSA-AES Seal/Open, RSA Encrypt/Decrypt, and RSA Sign/Verify
- RNG: System RNG on POSIX and Windows
- Other: Constant Time Equality
Versioning:
SecureD follows SemVer. This means that the API surface and cryptographic implementations may be different between major versions. Minor and Point versions are cryptographically compatible. Minor versions may add new cryptographic algorithms to existing capabilities. Newer versions will provide an upgrade path from older versions where feasible.
SecureD is built against OpenSSL 3.0.12 or greater.