Randomize contexts by default? #225
Comments
|
well we could randomize in this will be a change in direction though, because right now our only ever use of BUT because only a handful of people know the importance of randomizing the context in practice we can see a lot(most?) of our users not calling it just because they don't know/understand, so I agree that a better default is a great idea |
Indeed, this is my main concern. |
|
Taking a step back, I believe that even given the problems with C, upstream's API is not optimal here. A better API would be to ask the user to provide entropy already in (This does not help us here but I wanted to share the thought.) |
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 25, 2022
If a context is created and not randomized then it is susceptible to sidechannel attacks (quoting what I've read). Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called. We can better assist users by making APIs that are hard to mis-use. If the `rand` feature is enabled we can optimistically call `randomize` when creating a context as we do for the global context. Also, add documentation highlighting the benefit of using the `rand` feature. Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 25, 2022
If a context is created and not randomized then it is susceptible to sidechannel attacks (quoting what I've read). Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called. We can better assist users by making APIs that are hard to mis-use. If the `rand` feature is enabled we can optimistically call `randomize` when creating a context as we do for the global context. Also, add documentation highlighting the benefit of using the `rand` feature. Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 25, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add an enum to the context constructor that forces the use to make a decision on the additional side channel attack protection we provide. This makes the API a little harder to use because users must now read the docs but this cost offsets the likely-hood of users ignoring this important feature. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 25, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add an enum to the context constructor that forces the use to make a decision on the additional side channel attack protection we provide. This makes the API a little harder to use because users must now read the docs but this cost offsets the likely-hood of users ignoring this important feature. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 26, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add an enum to the context constructor that forces the use to make a decision on the additional side channel attack protection we provide. This makes the API a little harder to use because users must now read the docs but this cost offsets the likely-hood of users ignoring this important feature. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 26, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add an enum to the context constructor that forces the use to make a decision on the additional side channel attack protection we provide. This makes the API a little harder to use because users must now read the docs but this cost offsets the likely-hood of users ignoring this important feature. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 26, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add an enum to the context constructor that forces the use to make a decision on the additional side channel attack protection we provide. This makes the API a little harder to use because users must now read the docs but this cost offsets the likely-hood of users ignoring this important feature. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 26, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add an enum to the context constructor that forces the use to make a decision on the additional side channel attack protection we provide. This makes the API a little harder to use because users must now read the docs but this cost offsets the likely-hood of users ignoring this important feature. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 26, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add functions that make explicit the randomization of the context during construction. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 26, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add functions that make explicit the randomization of the context during construction. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 26, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add functions that make explicit the randomization of the context during construction. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 26, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add functions that make explicit the randomization of the context during construction. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 26, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add functions that make explicit the randomization of the context during construction. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
tcharding
added a commit
to tcharding/rust-secp256k1
that referenced
this issue
Jan 27, 2022
Currently it is easy for users to mis-use our API because they may not know that `randomize()` should be called after context creation for maximum defence against side channel attacks. We can better assist users by making APIs that are hard to mis-use. Add functions that make explicit the randomization of the context during construction. This is quite an invasive change because every user of the secp256k1 library will have to update the context constructor call sites and read what this enum does. Is this worth it? Resolves: rust-bitcoin#225
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Given that getting entropy is easy in Rust (
thread_rngat least withstd), we could optimistically callrandomize()on every new context that we give to the user. I believe the reason why upstream doesn't do this is because it's just not clear how to obtain entropy in C.An issue is that we'll need to disable this without
std, which will be a subtle loss of security if you switchstdoff. Ignoring the current API, I think the proper way to do this is to letnewcreate randomized contexts and make this only available withstd, and have a verbose functionnew_no_randomize. But that's a pretty large API break. Hm.If we don't want to do any of this, we should at least add
randomizeour examples.Related to #224 and rust-random/rand#313.
The text was updated successfully, but these errors were encountered: