A rust crate for symetric encryption

i am making an application that contains sensitive data such as passwords and keys. i want to find and encryption crate that already has a certificate and would allow me to do symmetric encryption with as little trouble as possible.

i tried looking up crates for those purposes on my own, but i mostly just found suggestions for aes and aes-gcm. which (according to their certificates) could be broken using specific combinations of bytes. other crates i found seem to have a ton of requirements (for example, openssl requires OS specific stuff, which is not good, since my application isn't dependent on the current OS at all), have no certificate, or be too low level for me to use in my application without having at least 1 major vulnerability. are there any crates other than the crates above, that could be used for symmetric encryption and have a certificate?

Certificates are usually used in the context of asymmetric encryption. You could use the crypto_box crate, if you need asymmetric encryption (you also would need code for extract public key from a certificate).

If you indeed need symmetric encryption, then the AEAD crates should be sufficient. I recommend using a "misuse resistant" algorithm (e.g. from the aes-siv crate), which does not fail catastrophically in the case of nonce reuse, like AES-GCM. But I don't see the relevancy of "certificates" in this context.

You also may need to generate cryptographic keys from user passwords. It's recommended to use password hashes for that.

I am not sure what are you talking about and how the x509-certificate crate is relevant here. As mentioned earlier, AES-GCM may be broken if you reuse the same key and nonce for encrypting two separate texts. So you either generate random nonces for each encrypted text (so probability of reuse is astronomically low), or use "misuse resistant" schemes like SIV (though even with them you still should not reuse nonces if possible).

2 Likes

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.