On Fri, Apr 25, 2014 at 7:24 PM, Antoni Grzymała antoni@grzymala.info wrote:
Thus spoke Nathan Froyd (2014-04-25, 16:42):
Ironclad has many deficiencies that make it unsuitable for serious cryptographic software.
I'm curious what they would be – would you be able to outline that in more detail?
Sure. In no particular order, and with no claim of exhaustiveness:
- Many ciphers are not safe against timing attacks due to the use of lookup tables.
- There's nothing like Go's crypto.subtle (http://golang.org/pkg/crypto/subtle/) package for ensuring that various checks are safe against timing attacks.
- The public key algorithms are definitely not production ready: they will give you the correct answers, but the implementations are not cryptographically robust. Part of this is potentially intractable, given that they rely on bignums, and the bignum implementations in Common Lisp implementations are probably not implemented with the needs of public key algorithms in mind.
- The DSA signature algorithm doesn't use high-quality random numbers, which makes it unsafe.
- I know there are a whole host of issues with implementing RSA safely; Ironclad has not paid attention to any of these.
- There's no implementation of padding and all the subtleties that come with it for block cipher algorithms or public key algorithms.
The hash algorithm implementations are pretty solid (assuming that you choose cryptographically secure ones, of course); everything else isn't suitable for security-conscious software.
I would like to fix some of these deficiencies, of course, but I haven't sat down and taken the time to do so. Patches welcome.
-Nathan
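To illustrate the two timing-attack points raised in the message above (early-exit comparisons and secret-indexed lookup tables), here is an added example in Go, written for this thread and not taken from Ironclad or from Go's crypto/subtle; `naiveEqual`, `constantTimeEqual` and `constantTimeLookup` are names chosen for the example, and the tag and S-box bytes are constructed sample data.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// naiveEqual returns at the first mismatching byte, so its running time
// reveals how long a prefix of the supplied tag matched the real one.
func naiveEqual(a, b []byte) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// constantTimeEqual is the kind of primitive the message says Ironclad lacks:
// it always touches every byte and folds all differences into one accumulator,
// so its running time does not depend on where (or whether) the inputs differ.
func constantTimeEqual(a, b []byte) bool {
	if len(a) != len(b) {
		return false
	}
	var acc byte
	for i := range a {
		acc |= a[i] ^ b[i]
	}
	return acc == 0
}

// constantTimeLookup reads table[idx] without a secret-dependent memory access:
// every entry is read and the wanted one is selected with a mask, which avoids
// the cache-timing leak of indexing an S-box directly by secret data.
func constantTimeLookup(table []byte, idx int) byte {
	var out byte
	for i, v := range table {
		// mask is 0xff when i == idx and 0x00 otherwise, computed without a branch
		mask := byte(subtle.ConstantTimeEq(int32(i), int32(idx))) * 0xff
		out |= v & mask
	}
	return out
}

func main() {
	tag := []byte("constructed-16B!") // constructed sample MAC tag
	fmt.Println(naiveEqual(tag, tag), constantTimeEqual(tag, tag),
		subtle.ConstantTimeCompare(tag, tag) == 1)
	sbox := []byte{0x63, 0x7c, 0x77, 0x7b} // constructed 4-entry table
	fmt.Println(constantTimeLookup(sbox, 2) == sbox[2])
}
```

Both comparison functions return the same boolean for every input pair; only the constant-time one keeps its running time independent of the position of the first mismatch, which is the property a MAC or signature check needs.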