- Subject: Re: Encryption in Lua ? Lua encryption library OR C/C++/C#/Java library which can be called from Lua ?
- From: "Pierre Chapuis" <catwell@...>
- Date: Sat, 06 Feb 2021 19:31:03 +0100
I agree with Tom, if you must do crypto "online" (i.e. for instance in a Web server) then you must rely on C bindings. Pure Lua crypto can be used for "offline" things e.g. to encrypt or decrypt a file sent / received by email, since this is not vulnerable to things like timing attacks. And even then, Lua crypto libraries are much less audited than C libraries, so use bindings when you can. In case you really need one, the two relatively serious pure Lua crypto libraries I know are plc and lockbox.
I agree that libsodium would be the best option, but sadly I just don't know a generic, battle-tested binding for Lua. If you go the OpenSSL route, the "openssl" and "luaossl" rocks are reliable (or LuaSec if you just need TLS).
On Sat, Feb 6, 2021, at 18:38, Tom Sutcliffe wrote:
> Given a clean slate and no specific constraints, I'm a fan of libsodium
> https://doc.libsodium.org/ which has an approachable API that's hard to
> mess up (from a security point of view, I mean).
> I'm sure there are probably others, but there are some Lua bindings to
> a subset of the libsodium API in NodeMCU which might be useful, if only
> as an example:
> As a general rule, doing cryptography right is _extremely_ difficult
> and I would be cautious of any implementation written in Lua (or
> GnuPG/libcrypto etc are all written in C. Examples of things you might
> not realise compromise your security are things like timing attacks,
> the C implementation of libsodium (to take one example) takes care to
> avoid falling foul of CPU branch prediction by avoiding conditional
> branches on critical code paths. The odds of that kind of thing
> surviving being translated into another language are extremely low. For
> utterly destroy timing attack defences.
> So whatever solution you go with, I'd recommend one written in C with
> Lua bindings. Under no circumstances should you be tempted to "roll
> your own" cryptography. You will get it wrong.
> As others have said however, picking the "right" crypto for a
> particular situation is a bit of a minefield, it's a very complex
> subject, many solutions have tradeoffs that aren't always obvious or
> well documented, and very few people truly understand every nuance.
> Myself included! Given all that, I'm hesitant to provide any specific
> > On 4 Feb 2021, at 6:07 am, Vishnu exer <firstname.lastname@example.org> wrote:
> > Hello everyone,
> > My requirement is to do encryption in Lua for a production system.
> > For doing this I'm exploring the 2 ways below.
> > 1) Use an encryption library already implemented in Lua
> > 2) Use a C/C++/C#/Java (or any other language) encryption library which can be called from Lua
> > Can you please help me with your inputs on some encryption libraries which can be used in a Lua production system?
> > Thanks
> > Vishnu
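The timing-attack point Tom makes (and the "online" vs "offline" distinction Pierre draws from it) is easiest to see with a MAC tag check. Below is an added illustration in C, written for this thread and not taken from libsodium or any of the libraries mentioned: an early-exit byte comparison next to a branch-free constant-time one. Instead of measuring wall-clock time, which is noisy, each function reports how many bytes it examined; that count is a deterministic stand-in for the work an attacker would observe. The 16-byte secret tag is a constructed sample value, and the helper names (`touched_early_exit`, `verdict_constant_time`, and so on) are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16

/* Constructed sample: the 16-byte MAC tag a server would hold. Not a real secret. */
static const unsigned char SECRET_TAG[TAG_LEN] = {
    0x3a, 0x7f, 0x11, 0xc2, 0x58, 0x90, 0xe4, 0x0d,
    0x6b, 0xa1, 0x2e, 0xf7, 0x49, 0x83, 0xd5, 0x1c
};

/* Early-exit comparison, the shape a straightforward port to another language
   tends to have. It returns at the first mismatching byte, so the amount of work
   (counted in *examined) depends on WHERE the guess first goes wrong. */
static int early_exit_eq(const unsigned char *a, const unsigned char *b,
                         size_t n, size_t *examined)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = n;
    return 1;
}

/* Constant-time comparison: touches every byte, ORs the XOR differences into an
   accumulator, and folds the accumulator to 0/1 arithmetically, so there is no
   data-dependent branch. This is the general technique behind libsodium's
   sodium_memcmp; the code here is my own illustration, not libsodium's. */
static int constant_time_eq(const unsigned char *a, const unsigned char *b,
                            size_t n, size_t *examined)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (unsigned char)(a[i] ^ b[i]);
    *examined = n;
    /* For d in 0..255, the top bit of (d | -d) is set iff d != 0. */
    uint32_t d = acc;
    return (int)(1u - ((d | ((uint32_t)0 - d)) >> 31));
}

/* Build a guess equal to SECRET_TAG except at byte `flip`
   (flip >= TAG_LEN means the guess is entirely correct). */
static void make_guess(unsigned char *guess, size_t flip)
{
    memcpy(guess, SECRET_TAG, TAG_LEN);
    if (flip < TAG_LEN)
        guess[flip] ^= 0x01;
}

/* Instrumented wrappers: bytes examined, and the equality verdict, for a guess
   whose first wrong byte is at index `flip`. */
static size_t touched_early_exit(size_t flip)
{
    unsigned char guess[TAG_LEN]; size_t n;
    make_guess(guess, flip);
    early_exit_eq(SECRET_TAG, guess, TAG_LEN, &n);
    return n;
}

static size_t touched_constant_time(size_t flip)
{
    unsigned char guess[TAG_LEN]; size_t n;
    make_guess(guess, flip);
    constant_time_eq(SECRET_TAG, guess, TAG_LEN, &n);
    return n;
}

static int verdict_early_exit(size_t flip)
{
    unsigned char guess[TAG_LEN]; size_t n;
    make_guess(guess, flip);
    return early_exit_eq(SECRET_TAG, guess, TAG_LEN, &n);
}

static int verdict_constant_time(size_t flip)
{
    unsigned char guess[TAG_LEN]; size_t n;
    make_guess(guess, flip);
    return constant_time_eq(SECRET_TAG, guess, TAG_LEN, &n);
}

int main(void)
{
    printf("first wrong byte  early-exit examined  constant-time examined\n");
    for (size_t flip = 0; flip <= TAG_LEN; flip += 5)
        printf("%16zu  %19zu  %22zu\n", flip,
               touched_early_exit(flip), touched_constant_time(flip));
    return 0;
}
```

Both functions give the same verdict for every guess; the difference is that the early-exit version's work grows with the length of the correct prefix, which is exactly the signal a remote caller can average out of response times. That is why the "branch-free on critical paths" property Tom describes rarely survives a port: an interpreter's comparison operators, table lookups and string interning all reintroduce data-dependent timing beneath code that looks identical.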