Regarding cipher package support


Iván Zaera Avellón

Oct 2, 2015, 2:16:18 AM
to misc
Hi dartisans:

It’s been a long time since I last participated in this community. The main reason is that Dart was my hobby and I’ve changed hobbies ;-). I’m not so sure of the success of Dart as I was one year ago and, as a consequence, I’m not putting more effort into deepening my knowledge of the language.

Also, in Spain, where I live, it doesn’t seem to be taking off. I don’t like it, but my guess is that Javascript will rule in the future and better languages like Dart, Typescript, etc. will remain niche languages like GWT. Anyway, it’s only my opinion and this was not the subject of my mail.

My mail is related to my cipher project (https://github.com/izaera/cipher). AFAIK it is the only decent cryptography support in Dart, though I may be wrong because, as I said, I’ve been disconnected from the Dart ecosystem for more than one year (someone please correct me if that’s the case).

I have to say that, from the very beginning, I felt like my project wasn’t welcome (see https://github.com/dart-lang/sdk/issues/15064#issuecomment-108403618) but I must admit that some other people at Dart project helped me too, so it is a mixed feeling. 

However, the fact is that after several years, Dart is still lacking a blessed platform-independent mechanism for generating secure random numbers and a decent cryptography library. I know, I know, we have the web CryptoAPI and native integration in the server. But I want a dart:crypto with some real functionality so I don’t have to fight with browsers in the client and implement strange things in the server.

Look at the skinny crypto package (https://pub.dartlang.org/packages/crypto) and look at this thread for example: https://groups.google.com/a/dartlang.org/forum/#!topic/misc/2jpQAJxyxPo. It’s appalling. When did Dart development start? How many years ago? Was it so complex to add support for decent crypto during so many years? At least support for AES and RSA… Come on!

Anyway, rant finished. 

I also wanted to note that, as I said, I don’t have time to maintain cipher any more and, given that some people (old and new) seem to be using it, I would like to warn them that the project has some known glitches that should be perfected and that, if the project doesn’t get any support from the community, it probably won’t be done.

So, if anyone is willing to maintain cipher I may assist by explaining how the library works and what has to be done. Also, if someone wants to spend some time optimizing it: I didn’t implement SIMD operations, but they looked possible, so it may end up having good throughput if someone looks at it.

That’s all folks. Sorry for the big mail and let’s hope Dart ends up being the mainstream language for the browser :-).

Cheers,
Ivan




Vadim Tsushko

Oct 2, 2015, 8:55:50 AM
to mi...@dartlang.org
It's too bad.

Just a day ago I looked up what is available on pub.dartlang.org to support an implementation of the new default authentication scheme in MongoDb 3.0 (SCRAM-SHA-1).
And at first glance cipher has all the required components (crypto lacks the most needed features).
And not to have a random number generator in dart:io at this stage is strange indeed.



Iván Zaera Avellón

Oct 2, 2015, 9:29:22 AM
to misc
Hi Vadim:

If you just need HMAC and SHA-1, go ahead and use them. I can help you if you find any bug in cipher. I wouldn’t like to stop your great mongodb implementation from working. However, this would be a temporary fix, because all crypto maintenance still relies on a single person who does not have much time available.

Regarding the state of algorithms, and to make it clear: symmetric ciphers, digests and key derivators are more or less maintainable and seem to work fine except for some little bugs.

Public key crypto is not easily maintainable: ECDSA and RSA are big monsters and also RSA is based on dart-bignum which is unmaintained too (AFAIK) due to lack of time.

Regarding true random number generation, I developed a proof of concept implementing Fortuna which collected entropy from keyboard, mouse, and page load times, but I didn’t like it too much because the entropy sources looked poor. I guess it would be much wiser to use the Web CryptoAPI or to ask the server (using SSL, of course) for random values.

Hope this helps.



2015-10-02 14:55 GMT+02:00 Vadim Tsushko <vadimt...@gmail.com>:
It's too bad.

Just a day ago I looked up what is available on pub to support an implementation of the new default authentication scheme in MongoDb 3.0 (SCRAM-SHA-1).

And at first glance cipher has all the required components (crypto lacks the most needed features).
And not to have a random number generator in dart:io at this stage is strange indeed.



--
For other discussions, see https://groups.google.com/a/dartlang.org/
 
For HOWTO questions, visit http://stackoverflow.com/tags/dart
 
To file a bug report or feature request, go to http://www.dartbug.com/new

To unsubscribe from this group and stop receiving emails from it, send an email to misc+uns...@dartlang.org.

William Hesse

Oct 2, 2015, 9:56:40 AM
to General Dart Discussion
Making a cryptographic random number generator in Dart isn't hard -
there are plenty of algorithms to choose from. The difficult thing is
finding a source of entropy (some truly random bits from the keyboard
or another source) to seed the generator with. If you are willing to
provide your own source, then an implementation shouldn't be hard.

The entropy source problem is the only reason we don't have this in
package crypto already, or in core dart.
--
William Hesse

Iván Zaera Avellón

Oct 2, 2015, 9:59:57 AM
to misc
That’s the same problem I had with my TRNG. 

But why is it so difficult to make an abstraction of /dev/random in Linux and CryptoAPI in Windows? Java does it, doesn’t it? Why not have a TRNG in Dart that calls those low-level facilities? Am I missing something?

Robert Åkerblom-Andersson

Oct 2, 2015, 11:35:21 AM
to Dart Misc
Hi William,

Could the Dart VM/platform not provide this by wrapping C code that accesses the OS-provided alternative? *nix can of course read from /dev/random, and as I understand it you can also access the Windows crypto API from C code (http://stackoverflow.com/questions/4796590/window-c-c-crypto-api-examples-and-tips).

Is it not as "simple" as it sounds, or is there some other reason it can't be done like that?

Another idea: can't we get this from BoringSSL somehow? Looks like there is some Windows random stuff in there but I have not looked any closer at it (https://github.com/ljbade/boringssl/blob/master/crypto/rand/windows.c). I was thinking this since BoringSSL is already used in Dart.

Iván Zaera Avellón

Oct 2, 2015, 1:00:17 PM
to misc

Filipe:

Random is a pseudo random number generator. Once you have one number you can predict the whole future sequence! ;-)

On 02/10/2015 16:30, "Filipe Morgado" <pix...@gmail.com> wrote:
What's wrong with Random? Too restricted/previsible?
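As an added illustration of the point above (and of William Hesse's earlier remark that the algorithm is the easy part and the entropy source the hard one), here is a dart:math example that is not part of this thread or of the cipher package. It contrasts a seeded Random, whose entire sequence follows from its seed, with Random.secure(), which this thread does not mention but which is part of current dart:math: on the VM it is backed by the operating system's cryptographic random source, and it throws UnsupportedError when no such source is available. The function names and the seed value 42 are the example's own.

```dart
import 'dart:math';

/// Draws [count] values from a seeded dart:math [Random]. Two generators
/// built from the same seed emit the identical sequence: every output is a
/// function of the seed alone, which is what makes it unsuitable for keys,
/// nonces or session tokens.
List<int> drawSeeded(int seed, int count) {
  final rng = Random(seed);
  return List<int>.generate(count, (_) => rng.nextInt(0x7FFFFFFF));
}

/// Returns a [Random] backed by the platform's cryptographic random source,
/// or null when the runtime cannot provide one ([Random.secure] throws
/// [UnsupportedError] in that case).
Random? secureRandomOrNull() {
  try {
    return Random.secure();
  } on UnsupportedError {
    return null;
  }
}

/// Produces [length] random bytes for use as key material, failing loudly
/// instead of silently falling back to the predictable generator.
List<int> secureBytes(int length) {
  final rng = secureRandomOrNull();
  if (rng == null) {
    throw StateError('no cryptographically secure random source available');
  }
  return List<int>.generate(length, (_) => rng.nextInt(256));
}

String toHex(List<int> bytes) =>
    bytes.map((b) => b.toRadixString(16).padLeft(2, '0')).join();

void main() {
  // Predictable: identical seed, identical sequence. Anyone who learns the
  // seed (or recovers it from observed outputs) knows every later value.
  final first = drawSeeded(42, 5);
  final second = drawSeeded(42, 5);
  print('seeded run 1: $first');
  print('seeded run 2: $second');
  print('sequences identical: ${first.join(',') == second.join(',')}');

  // Unpredictable: no seed to recover; each draw comes from OS entropy.
  final key = secureBytes(32);
  print('256-bit key: ${toHex(key)}');
}
```

The deliberate choice is that `secureBytes` throws rather than degrading to `Random()` when the secure source is missing: a generator that quietly falls back to a seeded PRNG for key material is exactly the failure mode the thread is worried about.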

Vadim Tsushko

Oct 2, 2015, 1:19:39 PM
to Dart Misc
Thanks for the kind words. Unfortunately I too am not doing much in mongo_dart nowadays.



On Friday, October 2, 2015, 18:29:22 UTC+5, user Iván Zaera Avellón wrote: