

NaCL: Slides on DJB, Lange, Schwabe's High-Level Crypto Library - tptacek
http://cr.yp.to/talks/2011.09.28/slides.pdf

======
tptacek
Quick translation:

Daniel Bernstein (DJB) is a renowned systems programmer and a serious academic
cryptographer. Many of the SHA-3 candidates are partly derived from his work,
and he designed one of the eSTREAM finalist stream ciphers.

Bernstein, Lange, and Schwabe designed NaCl. NaCl is a high-speed crypto
library designed to correct all the things that go wrong with "low level"
crypto libraries like OpenSSL. This is a big deal, because OpenSSL is the
current "lowest common denominator" crypto implementation and thus forms the
basis for most crypto facilities in high-level languages like Python and Ruby.
OpenSSL is extraordinarily error prone and itself has a spotty track record.

NaCl provides an ultra-simple interface (crypto_box_+) that handles the
details of message signing, public-key encryption primitives, formatting, &c.

It's been used by a bunch of projects already (also note that DJB software is
somewhat inherently credible; he wrote qmail and djbdns, which have the two
best security track records in all of server-side software). A bunch of very
smart people have contributed to it.

NaCl addresses a bunch of serious systemic security pitfalls:

* It's hardened, fundamentally, against the "side channel" effects we know about today that allow attackers to measure crypto operations to extract keys. For instance: "NaCl systematically avoids _all_ branch conditions".

* It authenticates messages, in constant time, before attempting to decrypt, which prevents attackers from exploring how the target is handling ciphertext (for instance, this prevents padding oracles in asymmetric and block ciphers).

* It handles the details of getting crypto-secure random numbers in a sane way, and also minimizes places in the design that require random numbers (for instance, DSA requires a random nonce in addition to a strong random key; that's something many people have screwed up).

* It makes extremely well-informed choices about ciphers and algorithms (it's designed by active contributors to the literature).

* It's crazy fast (crazy fast is basically Bernstein's current academic focus).

This thing is simple, it's fast, and it's designed to be safe by people who
know what that means.

Start building language bindings for this thing!
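As an added illustration of the design points in the list above (not code from NaCl or from the commenter), the following is a toy "secretbox" in the shape NaCl's API enforces: encrypt, then authenticate; on the receiving side, verify the authenticator in constant time and refuse to derive a single keystream byte until it matches. NaCl's own stream cipher and one-time authenticator are replaced here by Python stdlib stand-ins (SHAKE256 as the keystream, HMAC-SHA256 as the tag); the function names, the tag-first wire layout and the counter-based nonce scheme are assumptions for this example, not NaCl's.

```python
# Added example: encrypt-then-authenticate box, NaCl style, from stdlib parts.
# Assumption: SHAKE256 keystream + HMAC-SHA256 stand in for NaCl's primitives.
import hashlib
import hmac
import os

KEY_BYTES = 32
NONCE_BYTES = 24
TAG_BYTES = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHAKE256 keyed by key||nonce (toy, not XSalsa20)."""
    return hashlib.shake_256(b"stream" + key + nonce).digest(length)


def _mac_key(key: bytes, nonce: bytes) -> bytes:
    """Per-(key, nonce) authentication key, domain-separated from the keystream."""
    return hashlib.shake_256(b"auth" + key + nonce).digest(32)


def secretbox(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then authenticate nonce||ciphertext. Output is tag || ciphertext."""
    if len(key) != KEY_BYTES or len(nonce) != NONCE_BYTES:
        raise ValueError("bad key or nonce length")
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_mac_key(key, nonce), nonce + ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def secretbox_open(key: bytes, nonce: bytes, boxed: bytes) -> bytes:
    """Verify the tag in constant time FIRST; only then touch the ciphertext."""
    if len(key) != KEY_BYTES or len(nonce) != NONCE_BYTES:
        raise ValueError("bad key or nonce length")
    if len(boxed) < TAG_BYTES:
        raise ValueError("message too short")
    tag, ciphertext = boxed[:TAG_BYTES], boxed[TAG_BYTES:]
    expected = hmac.new(_mac_key(key, nonce), nonce + ciphertext, hashlib.sha256).digest()
    # compare_digest runs in constant time, and no keystream is derived unless
    # the tag matches, so a forged message learns nothing about the plaintext.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class NonceCounter:
    """Never-repeating nonces for one key; the only random value needed is the key."""

    def __init__(self) -> None:
        self._n = 0

    def next(self) -> bytes:
        self._n += 1
        return self._n.to_bytes(NONCE_BYTES, "big")


def demo() -> dict:
    """Round trip, then a tampered box and a wrong key; reports what was accepted."""
    key = os.urandom(KEY_BYTES)          # the one place randomness is required
    nonces = NonceCounter()
    n1 = nonces.next()
    boxed = secretbox(key, n1, b"attack at dawn")
    result = {"roundtrip": secretbox_open(key, n1, boxed) == b"attack at dawn"}

    flipped = bytearray(boxed)
    flipped[-1] ^= 0x01                  # flip one bit of the ciphertext
    try:
        secretbox_open(key, n1, bytes(flipped))
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True

    try:
        secretbox_open(os.urandom(KEY_BYTES), n1, boxed)
        result["wrong_key_rejected"] = False
    except ValueError:
        result["wrong_key_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The ordering inside `secretbox_open` is the whole point: a receiver that decrypts first and checks afterwards gives an attacker a decryption-behaviour oracle (the padding-oracle class mentioned above), while a receiver that rejects on the authenticator, compared in constant time, never lets unauthenticated bytes reach the cipher.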

~~~
JoachimSchipper
Too bad it's already off the front page...

_Some_ degree of caution is probably warranted. djb is awesome, but most of
the algorithms in NaCL are his own, rather new, ideas. You trade in fixes for
known problems in AES/RSA (implementations) for possible unknown errors. (That
said, djb _is_ pretty good.)

~~~
tptacek
Worth noting that NaCl is a couple years old now.

You are far safer using NaCl than trying to cobble together anything using
OpenSSL AES or RSA.

If you're debating between NaCl and Keyczar or cryptlib or PGP, sure, think
carefully. But if it's NaCl or homebrew: no contest.

------
m0nastic
I've watched his 27c3 talk a bunch of times over the past few months, and have
convinced myself about 80% of the way to start messing around with CurveCP.

