Given a clean slate and no specific constraints, I'm a fan of libsodium https://doc.libsodium.org/ which has an approachable API that's hard to mess up (from a security point of view, I mean).

I'm sure there are probably others, but there are some Lua bindings to a subset of the libsodium API in NodeMCU which might be useful, if only as an example:

https://github.com/nodemcu/nodemcu-firmware/blob/dev-esp32/components/modules/sodium.c
https://nodemcu.readthedocs.io/en/dev-esp32/modules/sodium/

As a general rule, doing cryptography right is _extremely_ difficult and I would be cautious of any implementation written in Lua (or JavaScript, or Python, etc). There's a reason OpenSSL, libsodium, GnuPG/libcrypto etc are all written in C. Examples of things you might not realise compromise your security are things like timing attacks: the C implementation of libsodium (to take one example) takes care to avoid falling foul of CPU branch prediction by avoiding conditional branches on critical code paths. The odds of that kind of thing surviving being translated into another language are extremely low. For example, in JavaScript your code may get JITted at runtime, which could utterly destroy timing attack defences.

So whatever solution you go with, I'd recommend one written in C with Lua bindings. Under no circumstances should you be tempted to "roll your own" cryptography. You will get it wrong.

As others have said, however, picking the "right" crypto for a particular situation is a bit of a minefield. It's a very complex subject, many solutions have tradeoffs that aren't always obvious or well documented, and very few people truly understand every nuance. Myself included! Given all that, I'm hesitant to provide any specific recommendations.

Regards,

Tom

> On 4 Feb 2021, at 6:07 am, Vishnu exer <vishnupratap82@gmail.com> wrote:
> 
> Hello everyone,
> 
> My requirement is to do encryption in Lua for a production system.
> 
> For doing this I'm exploring below 2 ways.
> 
> 1) Use encryption library already implemented in Lua 
> 2) Use C/C++/C#/Java (or any other language) encryption library which can be called from Lua
> 
> Can you please help me with your inputs on some encryption libraries which can be used in a Lua production system?
> 
> Thanks
> Vishnu
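
The point in the reply above about conditional branches on critical code paths, as an added example that is not part of the original message and is not libsodium's code: an early-exit byte comparison next to a branch-free one. The function names `leaky_equal` and `ct_equal`, the `steps` counter (a stand-in for elapsed time) and the byte values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison: the loop stops at the first mismatch, so the
 * work done depends on how many leading bytes of the guess are right.
 * *steps records the bytes examined, standing in for elapsed time. */
static int leaky_equal(const unsigned char *a, const unsigned char *b,
                       size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;   /* secret-dependent branch */
    }
    return 1;
}

/* Branch-free comparison: every byte is always read and the differences
 * are OR-ed into an accumulator; no branch depends on the data. */
static int ct_equal(const unsigned char *a, const unsigned char *b,
                    size_t n, size_t *steps)
{
    volatile unsigned char diff = 0;   /* volatile discourages shortcuts */
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    /* diff == 0 -> 1, diff in 1..255 -> 0, computed without a branch */
    return (int)(1u & (((unsigned int)diff - 1u) >> 8));
}

int main(void)
{
    /* Constructed sample values, not real key material. */
    const unsigned char tag[8]   = {1, 2, 3, 4, 5, 6, 7, 8};
    const unsigned char early[8] = {9, 2, 3, 4, 5, 6, 7, 8};
    const unsigned char late[8]  = {1, 2, 3, 4, 5, 6, 7, 9};
    size_t s1, s2;
    leaky_equal(tag, early, 8, &s1);
    leaky_equal(tag, late, 8, &s2);
    printf("early-exit steps: %zu vs %zu\n", s1, s2);
    ct_equal(tag, early, 8, &s1);
    ct_equal(tag, late, 8, &s2);
    printf("branch-free steps: %zu vs %zu\n", s1, s2);
    return 0;
}
```

A compiler or JIT is free to rewrite a loop like `ct_equal`, which is why production code should call the library's own routine (libsodium provides `sodium_memcmp`) rather than a hand-written comparison.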