secured 1.0.0
A cryptography library for D that encourages secure implementations through simple interfaces.
To use this package, run the following command in your project's root directory:
Manual usage
Put the following dependency into your project's dependences section:
SecureD
SecureD is a cryptography library for D that is designed to make working with cryptography simple. Simplicity encourages developers to use cryptography in a safe and correct manner.
Design Philosophy
Developer-Friendly Misuse-Resistant API
One of the largest problems with most cryptography libraries available today is that their API's practically encourage broken implementations.
Focus on Data Storage
The primary intended use case for this library is for long-term data storage. It is not intended to be used as an SSL or streaming communications cryptography library.
Safe by Design
Use only safe algorithms with safe modes. Make conservative choices in the implementation.
Do no re-implement Cryptography Algorithms
Use industry standard libraries instead. SecureD is based on OpenSSL.
Minimal Code
Keep the code to a minimum. This ensures high-maintainability and eases understanding of the code.
Unittesting
All API's are unittested using D's built in unittests. Any developer can verify the implementation with a simple 'dub test' command. This ensures that the library will perform as advertised.
Algorithms
- HASH: SHA2-384
- HMAC: SHA2-384
- KDF: PBKDF2 (HMAC/SHA2-384)
- AE Symmetric: AES-256-CTR-HMAC384
- Asymmetric: ECC-P384 (Key Derivation + Sign/Verify with SHA2-384)
- Asymmetric: RSA-AES-256-CTR Seal/Open, RSA only Encrypt/Decrypt and RSA only Sign/Verify
- RNG: System RNG on POSIX and Windows
- OTHER: Constant Time Equality
Why these Algorithms?
SHA2-384 is as fast as SHA2-512 but it's truncated design serves as an effective defense against length extensions attacks.
AES-256-CTR is an alternative for GCM that offers greater security for cold-stored data when paired with a strong HMAC. GCM use a 96-bit authentication tag where the HMAC tag is a full 384 bits.
Examples
Hashing/HMAC
import secured;
ubyte[48] key = [0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF,
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF,
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF ];
ubyte[] data = cast(ubyte[])"The quick brown fox jumps over the lazy dog.";
string filePath = "/usr/local/bin/dmd";
ubyte[] result1 = hash(key, data);
ubyte[] result2 = hash(key, filePath);
ubyte[] result3 = hmac(key, data);
ubyte[] result4 = hmac(key, filePath);
PBKDF2
import secured.kdf;
ubyte[48] key = [0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF,
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF,
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF ];
string password = "Test";
uint iterations = 25000; //Defaut value
uint outputLength = 48; //Default value, must be 48 bytes or less
ubyte[] key = pbkdf2(key, password, iterations, outputLength);
Encryption/Decryption
import secured.aes;
ubyte[48] key = [0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF,
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF,
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF ];
ubyte[] data = cast(ubyte[])"The quick brown fox jumps over the lazy dog.";
ubyte[] enc = encrypt(key, data);
if (validate(key, enc))
{
//Note that decrypt performs a validation and will throw an exception if the validation fails.
ubyte[] dec = decrypt(key, enc);
}
ECC Key Derivation
import secured.ecc;
EllipticCurve eckey1 = new EllipticCurve();
EllipticCurve eckey2 = new EllipticCurve();
string pubKey1 = eckey1.getPublicKey();
string pubKey2 = eckey2.getPublicKey();
ubyte[] key1 = eckey1.derive(pubKey2);
ubyte[] key2 = eckey2.derive(pubKey1);
assert(constantTimeEquality(key1, key2));
Random Number Generation
import secured.random;
uint numBytes = 128;
ubyte[] randomBytes = random(numBytes);
Constant Time Equality
import secured.util;
ubyte[] a = [ 0x01 ];
ubyte[] b = [ 0x01 ];
bool isEqual = constantTimeEquality(a, b);
NOTE: SecureD is built against OpenSSL 1.1.0 or greater. If you need to use OpenSSL 1.0.x add version 'OpenSSL10' to your command line.
- Registered by Adam Wilson
- 1.0.0 released 6 years ago
- LightBender/SecureD
- BSL-1.0
- Copyright © 2016-2018, Adam Wilson
- Authors:
- Dependencies:
- none
- Versions:
-
3.0.0 2024-Mar-06 2.0.3 2023-Nov-27 2.0.2 2019-Aug-07 2.0.1 2019-May-07 2.0.0 2018-Dec-31 - Download Stats:
-
-
0 downloads today
-
0 downloads this week
-
4 downloads this month
-
444 downloads total
-
- Score:
- 2.2
- Short URL:
- secured.dub.pm