On 26.02.20 23:26, degski via Boost wrote:
> On Wed, 26 Feb 2020 at 11:07, Rainer Deyke via Boost wrote:
> > On 26.02.20 16:14, degski via Boost wrote:
> > > I don't think this is a good idea. Crypto is very hard and 'generic' crypto is not useful to amateurs (that's the intended audience for this Boost-component), imho (unless one insists on doing it wrongly). A crypto-lib should not be generic, but should be guiding and advising (this is not a Boost-approach to things, in general), like 'libsodium' does.
> >
> > There are two categories of cryptography usage. In the first category, one can choose the algorithm because one controls both endpoints. In the second category, the algorithm is already decided by the other endpoint. The guidance provided by libsodium is great for the first category. The large selection of algorithms provided by Crypto++ is great for the second category.
> >
> > I like and use libsodium, but I am under no illusions that it is sufficient for everybody's, or even every amateur's, cryptography needs.
>
> An amateur should not use that second category of lib in my view (and a non-amateur won't), the number of ways to f-it-up is just too many. I can agree that it's not sufficient for all, but whatever comes out at the other end, should be made up of building blocks that are libsodium like.
Looks like you missed the point of my two categories. These are not categories of libraries, but categories of needs that users have, which an individual library may or may not meet.

For example: Let's say I want to write a program that reads encrypted zip files. I therefore need a library that provides an implementation(s) of the specific algorithm(s) used by encrypted zip files, or I need to provide my own. It doesn't matter for the purpose of my program that the default ZipCrypto used by zip files is a terrible, terrible encryption algorithm that should never be used. The file is already encrypted, the damage is already done, and I just want to decrypt it.

Crypto++ doesn't provide a ZipCrypto implementation, but it does provide several other algorithms that can also be used to encrypt zip files. libsodium, on the other hand, treats encryption as a black box - it only provides one secret-key encryption algorithm, and you have to search the documentation thoroughly to even find out which algorithm that is.

--
Rainer Deyke (rainerd@eldwood.com)