The state of crypto in Python
Posted May 1, 2014 18:34 UTC (Thu) by Wummel (guest, #7591) In reply to: The state of crypto in Python by nmav
Parent article: The state of crypto in Python
I'm not sure a new library is needed as well. What I sorely miss is a complete real-world example showing how to use any of those libraries in a secure manner. Especially for libraries that claim to be easy to use, this provokes insecure usage.
If a library claims to be easy to use it attracts programmers without a strong security background who most likely copy-and-paste from the examples, perhaps with one or two peeks at the documentation.
Here are some things I encountered when looking at examples of the mentioned libraries:
- The example ignores all errors and therefore does not show how errors should be handled. This is especially true for languages with exception handling (C++, Python).
- The example does not show how to generate, store or transfer generated keys securely. E.g. the Botan example code reads the password from a command line parameter, which is not a secure way to do it.
- The example has a short "this is a secret" string to encrypt. Why not show how to encrypt a complete file and store the encrypted data? I am always wondering how potentially large files can/should be encrypted.
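The kind of complete example the comment above asks for, added here as an illustration and not part of the original thread or of any of the libraries discussed: it handles errors instead of ignoring them, reads the passphrase from the terminal rather than from the command line, derives separate encryption and MAC keys with a salt, processes a file of any size in fixed chunks, and authenticates the whole container before releasing a single byte of plaintext. It uses only the Python standard library, so the cipher itself is a constructed SHAKE-256 keystream with HMAC-SHA256 in encrypt-then-MAC; that construction, the `EXAMPLE1` container layout, the chunk size and the PBKDF2 round count are all assumptions made for this example, and a production program would replace the keystream with an AEAD from a vetted library.

```python
import getpass
import hashlib
import hmac
import os
import struct
import sys
import tempfile

MAGIC = b"EXAMPLE1"            # constructed format tag for this example's container
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
CHUNK = 64 * 1024              # plaintext/ciphertext processed in fixed-size pieces
PBKDF2_ROUNDS = 200_000        # assumed work factor; tune for the target machine
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


class CryptoError(Exception):
    """Any format or integrity failure; callers must treat it as fatal."""


def derive_keys(password: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a passphrase into independent encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _xor_keystream(key: bytes, nonce: bytes, index: int, data: bytes) -> bytes:
    # Keystream from SHAKE-256 over (key || nonce || chunk index). Used only because
    # the standard library ships no cipher; real code calls an AEAD from a library.
    ks = hashlib.shake_256(key + nonce + struct.pack(">Q", index)).digest(len(data))
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(data), "big")


def encrypt_file(src: str, dst: str, password: bytes) -> None:
    """Write MAGIC || salt || nonce || ciphertext || HMAC tag to dst, chunk by chunk."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    header = MAGIC + salt + nonce
    mac = hmac.new(mac_key, header, "sha256")          # header is authenticated too
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fout.write(header)
        for index, chunk in enumerate(iter(lambda: fin.read(CHUNK), b"")):
            ct = _xor_keystream(enc_key, nonce, index, chunk)
            mac.update(ct)
            fout.write(ct)
        fout.write(mac.digest())


def decrypt_file(src: str, dst: str, password: bytes) -> None:
    """Verify the tag over the whole file first, then decrypt with the same chunking."""
    size = os.path.getsize(src)
    if size < HEADER_LEN + TAG_LEN:
        raise CryptoError("file too short to be a valid container")
    body_len = size - HEADER_LEN - TAG_LEN
    with open(src, "rb") as fin:
        header = fin.read(HEADER_LEN)
        if not header.startswith(MAGIC):
            raise CryptoError("not a container produced by this format")
        salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
        nonce = header[len(MAGIC) + SALT_LEN:]
        enc_key, mac_key = derive_keys(password, salt)
        mac, remaining = hmac.new(mac_key, header, "sha256"), body_len
        while remaining:                                 # pass 1: authenticate only
            ct = fin.read(min(CHUNK, remaining))
            if not ct:
                raise CryptoError("unexpected end of file")
            mac.update(ct)
            remaining -= len(ct)
        if not hmac.compare_digest(mac.digest(), fin.read(TAG_LEN)):
            raise CryptoError("authentication failed: wrong passphrase or tampered data")
        fin.seek(HEADER_LEN)
        with open(dst, "wb") as fout:                    # pass 2: decrypt
            remaining, index = body_len, 0
            while remaining:
                ct = fin.read(min(CHUNK, remaining))
                fout.write(_xor_keystream(enc_key, nonce, index, ct))
                remaining, index = remaining - len(ct), index + 1


def demo_roundtrip() -> dict:
    """Constructed self-check on a file spanning several chunks."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        plain, enc, dec = (os.path.join(d, n) for n in ("plain", "enc", "dec"))
        data = os.urandom(CHUNK * 2 + 12345)             # three chunks, last one partial
        with open(plain, "wb") as f:
            f.write(data)
        encrypt_file(plain, enc, b"correct horse")
        decrypt_file(enc, dec, b"correct horse")
        with open(dec, "rb") as f:
            results["roundtrip"] = f.read() == data
        try:
            decrypt_file(enc, dec, b"wrong")
            results["wrong_password_rejected"] = False
        except CryptoError:
            results["wrong_password_rejected"] = True
        with open(enc, "r+b") as f:                      # flip one ciphertext bit
            f.seek(HEADER_LEN + 5)
            b = f.read(1)
            f.seek(HEADER_LEN + 5)
            f.write(bytes([b[0] ^ 1]))
        try:
            decrypt_file(enc, dec, b"correct horse")
            results["tamper_rejected"] = False
        except CryptoError:
            results["tamper_rejected"] = True
    return results


def main(argv: list[str]) -> int:
    if len(argv) != 4 or argv[1] not in ("enc", "dec"):
        print("usage: example.py enc|dec <in> <out>", file=sys.stderr)
        return 2
    password = getpass.getpass("Passphrase: ").encode()  # never from argv (visible in ps)
    try:
        (encrypt_file if argv[1] == "enc" else decrypt_file)(argv[2], argv[3], password)
    except (OSError, CryptoError) as exc:
        print(f"error: {exc}", file=sys.stderr)           # report, do not swallow
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The two-pass decryption is deliberate: streaming plaintext out while the tag is still unverified would hand a caller data that may have been tampered with, so the tag is checked over the entire container before any output file is created.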
Posted May 2, 2014 17:28 UTC (Fri)
by nmav (guest, #34036)