- Subject: Re: Encryption in Lua ? Lua encryption library OR C/C++/C#/Java library which can be called from Lua ?
- From: "Pierre Chapuis" <catwell@...>
- Date: Sat, 06 Feb 2021 19:31:03 +0100
I agree with Tom, if you must do crypto "online" (i.e. for instance in a Web server) then you must rely on C bindings. Pure Lua crypto can be used for "offline" things e.g. to encrypt or decrypt a file sent / received by email, since this is not vulnerable to things like timing attacks. And even then, Lua crypto libraries are much less audited than C libraries, so use bindings when you can. In case you really need one, the two relatively serious pure Lua crypto libraries I know are plc [1] and lockbox [2].
I agree that libsodium would be the best option, but sadly I just don't know a generic, battle-tested binding for Lua. If you go the OpenSSL route, the "openssl" and "luaossl" rocks [3] [4] are reliable (or LuaSec if you just need TLS).
[1] https://luarocks.org/modules/philanc/plc
[2] https://luarocks.org/modules/somesocks/lockbox
[3] https://luarocks.org/modules/zhaozg/openssl
[4] https://luarocks.org/modules/daurnimator/luaossl
--
Pierre Chapuis
On Sat, Feb 6, 2021, at 18:38, Tom Sutcliffe wrote:
> Given a clean slate and no specific constraints, I'm a fan of libsodium
> https://doc.libsodium.org/ which has an approachable API that's hard to
> mess up (from a security point of view, I mean).
>
> I'm sure there are probably others, but there are some Lua bindings to
> a subset of the libsodium API in NodeMCU which might be useful, if only
> as an example:
>
> https://github.com/nodemcu/nodemcu-firmware/blob/dev-esp32/components/modules/sodium.c
> https://nodemcu.readthedocs.io/en/dev-esp32/modules/sodium/
>
> As a general rule, doing cryptography right is _extremely_ difficult
> and I would be cautious of any implementation written in Lua (or
> JavaScript, or Python, etc). There's a reason OpenSSL, libsodium,
> GnuPG/libcrypto etc are all written in C. Examples of things you might
> not realise compromise your security are things like timing attacks:
> the C implementation of libsodium (to take one example) takes care to
> avoid falling foul of CPU branch prediction by avoiding conditional
> branches on critical code paths. The odds of that kind of thing
> surviving being translated into another language are extremely low. For
> example, in JavaScript your code may get JITted at runtime which could
> utterly destroy timing attack defences.
>
> So whatever solution you go with, I'd recommend one written in C with
> Lua bindings. Under no circumstances should you be tempted to "roll
> your own" cryptography. You will get it wrong.
>
> As others have said however, picking the "right" crypto for a
> particular situation is a bit of a minefield, it's a very complex
> subject, many solutions have tradeoffs that aren't always obvious or
> well documented, and very few people truly understand every nuance.
> Myself included! Given all that, I'm hesitant to provide any specific
> recommendations.
>
> Regards,
>
> Tom
>
> > On 4 Feb 2021, at 6:07 am, Vishnu exer <vishnupratap82@gmail.com> wrote:
> >
> > Hello everyone,
> >
> > My requirement is to do encryption in Lua for a production system.
> >
> > For doing this I'm exploring below 2 ways.
> >
> > 1) Use encryption library already implemented in Lua
> > 2) Use C/C++/C#/Java (or any other language) encryption library which can be called from Lua
> >
> > Can you please help me with your inputs on some encryption libraries which can be used in a Lua production system ?
> >
> > Thanks
> > Vishnu
>
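
The timing concern raised in this thread (work that depends on secret data, and conditional branches on critical code paths), as an added example that is not part of either message and is not libsodium's code: an early-exit byte comparison beside a branch-free one. The tag bytes, the function names and the step counter (which stands in for running time) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16  /* constructed tag size for this example */

/* Early exit: the loop stops at the first differing byte, so the work done
 * depends on how much of the secret the guess matched. */
static int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Branch-free: every byte is always read; differences are folded into one
 * accumulator and turned into 0/1 with arithmetic, not a conditional. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return (int)(1u & (((unsigned)diff - 1u) >> 8));  /* 1 only if diff == 0 */
}

/* Compare a constructed tag with a copy differing only at byte `pos` (pos >=
 * TAG_LEN: identical). Returns bytes examined, or 0 if the verdict is wrong. */
size_t steps_for_mismatch(int constant_time, size_t pos)
{
    uint8_t tag[TAG_LEN], guess[TAG_LEN];
    size_t steps = 0;
    for (size_t i = 0; i < TAG_LEN; i++) tag[i] = (uint8_t)(0xA0 + i);
    memcpy(guess, tag, TAG_LEN);
    if (pos < TAG_LEN) guess[pos] ^= 0x01;
    int eq = (constant_time ? ct_equal : leaky_equal)(tag, guess, TAG_LEN, &steps);
    return eq == (pos >= TAG_LEN) ? steps : 0;
}

int main(void)
{
    for (size_t pos = 0; pos <= TAG_LEN; pos += 8)
        printf("mismatch at %2zu: leaky=%zu ct=%zu\n", pos,
               steps_for_mismatch(0, pos), steps_for_mismatch(1, pos));
    return 0;
}
```

The early-exit version examines 1, 9 or 16 bytes depending on where the guess first differs, while the branch-free version always examines 16. An interpreter, JIT or optimizer is free to reintroduce data-dependent behaviour, which is the reason the thread gives for preferring audited C libraries behind bindings.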