Building a standard cryptography suite

Rust has become widely adopted throughout all domains, say ML, say web, of course systems and beyond. Networking companies and especially cybersecurity companies need cryptography in play, in almost everyday operations. A pal of mine, who works for a cybersecurity company (she has requested anonymity), asked me about Rust and cryptography. Well, I do write web servers, I do use hashing, but cryptography is not my thing. What I found is that there are not very promising projects in this arena. I'd like to make Rust strong in this field, so that Rust can be adopted in cryptography too. Now I know, Rust's aim is to keep the standard library as small as possible (as opposed to Go, which keeps stuff like JSON parsing and templating in the std), hence I am not asking for that. I want ideas on how to build a cryptographically strong library with hashing and salting functions that can be used with trust, just like some sort of 'incubation' with futures-rs and rust-lang/rust-lang-nursery, maybe a crate can be developed which provides this sort of functionality.

Who on earth needs cryptography?

  • Networking protocols (say TLS)
  • Blockchain
  • Web Development (storing passwords)
  • Banking applications
  • System applications and general applications (browsers such as Firefox can store saved passwords by hashing them; AFAIK Servo is being written in Rust)
  • And an endless number of uses (basic authentication, maybe some kind of embedded fingerprint devices that are used for authentication)

What would be ideal? (in terms of a library)

  • Bcrypt (most important I'd guess)
  • SHA-3

I'm open to inputs and people who can guide me and work with me for such an implementation.

Why don't you go and write a library yourself?
I wish I had known how these algorithms work, then my first action would have been to write a lib myself.

What do you mean by 'standardized'?
I mean a stable and reliable API, something that doesn't wildly change. Everyone has a different way to think, and not all people think in the same way, hence we should have a standard, or rather stable and predictable API that is production ready.

1 Like

Maintainer of the RustCrypto org here. The main goal of the organization is to develop an ecosystem of foundational crypto crates written in pure Rust (with optional assembly back-ends). While I would be happy to get some sort of official support (especially in reviewing crates by cryptographers), I don't think Rust teams have capacity for it right now. I've talked with the developer of rustls (a library which is used by a number of important crates and projects, including servo) and he has expressed an interest in an optional pure-Rust back-end in addition to the currently used ring (another really widely used crate, which is a hybrid of BoringSSL bindings and pure Rust), but we don't have all the necessary algorithms yet (the main problem will be to securely implement NIST curves). And there are other strong projects in this space, like various bindings to existing crypto libraries (of course the most notable are OpenSSL and NaCl) and pure Rust projects (e.g. dalek crates and orion).

So it's not easy to pick the project(s) which will be "standardized", and it's debatable if it even should be done, at least right now.

3 Likes

Agreed on that. I am working on bcrypt and an implementation for salting; once I'm done, maybe you can pull it into RustCrypto, as that's one great place where everything's kept. I find bcrypt to be the most needed thing right now, as on web backends, bcrypt is kinda like the 'de-facto' for hashing and salting.

There is already a bcrypt crate. I've suggested moving it into RustCrypto, but the owner is not sure about it. If there are no substantial improvements or fixes which are not merged for some reason into bcrypt, currently I do not plan on building an alternative crate.

Oh, thanks for bringing that to notice, hadn't seen it.
