
Show HN: The Lua Lockbox - jlarsen
https://github.com/somesocks/lua-lockbox
======
njohnson41
This is definitely a nice reference implementation of crypto algorithms in
pure Lua, but please, please do not use it for production encryption. Anything
written in an interpreted (or worse, JIT-ted) language will be almost
definitely vulnerable to timing attacks. Lua already has bindings to C/C++
crypto libraries if you need to encrypt or create MACs.

------
PeterWhittaker
Interesting idea. But I question the overall security philosophy of a project
that includes so many suspected to be weak, known to be weak, or provably weak
algorithms, e.g., MD2, MD4, MD5, SHA-1, and DES.

If this is for serious security, DROP THOSE NOW. Sorry to scream, but the
sooner we stop using them, the better.

I also wouldn't spend a lot of time on AES 256, given some of the recently
described weaknesses that reduce it to by many bits of strength. Better to
work on CAST5, e.g.

Better yet, work on the RNG. Make sure the RNG is cryptographically secure.
Without a cryptographically secure RNG, all the key derivation algorithms are
pretty much useless.

~~~
andrewfong
Per the README, it appears these are disabled by default:

> Several weak or broken primitives are implemented in this library, for
> research or legacy reasons. These should not be used under normal
> circumstances! To restrict their usage, they have been marked as insecure,
> with the Lockbox.insecure() method. This will cause a failed assertion when
> you attempt to import the module, unless you set Lockbox.ALLOW_INSECURE to
> true before the import.

------
fit2rule
This is very useful - thanks! I've got a project that I could use this in - so
I'll be spending this week getting familiar with this codebase .. see you on
github!

------
zer01
That is some very clean-written Lua. Kudos!

I'm excited to pull this into nginx's lua bindings and come up with something
cool (and extremely performant)

~~~
bungle
Nginx Lua bindings does have direct access to OpenSSL primitives (or LibreSSL,
or BoringSSL). I have also created (LuaJIT) binding to libnettle [1] that you
can find from here [2]. (libhogweed, aka rsa/dsa bindings, and documentation
are still a work in progress).

[1]
[http://www.lysator.liu.se/~nisse/nettle/](http://www.lysator.liu.se/~nisse/nettle/)
[2] [https://github.com/bungle/lua-resty-
nettle](https://github.com/bungle/lua-resty-nettle)

