Abstraction layer for symmetric data encryption, primarily designed for database column encryption.
Rodolphe Bréard 0aac6402eb Change the randomly generated benchmark input
The xz backdoor relied on obfuscated test files that contained malicious
code instead of a real test. Since then, test and benchmark input that
cannot be explained should be considered suspicious.

Out of laziness, the input for the xl test (05) was generated through
the `openssl rand -hex` command, which outputs random data as an
hexadecimal string. Although I generated it myself and know there is
nothing hidden in there, I cannot prove it to someone else. Therefore, I
chose to stop using random data for this test and changed it to a
readable "lorem ipsum" string of the same size, like the other tests.

For more information about the xz backdoor and the context in which this
commit takes place, please read:
CVE-2024-3094
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://gynvael.coldwind.pl/?lang=en&id=782
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
2024-04-01 16:25:37 +02:00
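
The commit message above treats test and benchmark input that cannot be explained as suspicious. As an added example (not code from the Coffio repository), the following Rust check flags long, high-entropy hexadecimal string literals, the shape `openssl rand -hex` produces, so a reviewer can ask for them to be replaced or explained. The function names, the 32-character threshold and the 3.0-bit entropy cut-off are assumptions, and the scanner only handles single-line literals.

```rust
use std::collections::HashMap;

/// Shannon entropy in bits per character.
fn entropy(s: &str) -> f64 {
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    let n = s.chars().count() as f64;
    counts.values().map(|&k| {
        let p = k as f64 / n;
        -p * p.log2()
    }).sum()
}

/// Returns (line number, literal) for every double-quoted literal that looks
/// like unexplained random hex: long, hex digits only, near-uniform entropy.
/// Simplified scanner (assumption): single-line literals, no escape handling.
fn opaque_hex_literals(source: &str, min_len: usize) -> Vec<(usize, String)> {
    let mut hits = Vec::new();
    for (idx, line) in source.lines().enumerate() {
        // Splitting on '"' puts literal contents at the odd positions.
        for lit in line.split('"').skip(1).step_by(2) {
            let is_hex = lit.chars().all(|c| c.is_ascii_hexdigit());
            if lit.len() >= min_len && is_hex && entropy(lit) > 3.0 {
                hits.push((idx + 1, lit.to_string()));
            }
        }
    }
    hits
}

// Constructed sample source, not taken from the Coffio repository.
const SAMPLE: &str = r#"
const OK: &str = "Lorem ipsum dolor sit amet, consectetur adipiscing elit";
const PAD: &str = "0000000000000000000000000000000000000000";
const BAD: &str = "9f3a7c1e04b28d65f0a1c3e7b94d26805ace13f7";
"#;

fn main() {
    for (line, lit) in opaque_hex_literals(SAMPLE, 32) {
        println!("line {line}: unexplained hex input ({} chars): {lit}", lit.len());
    }
}
```

The readable string and the all-zero padding pass; only the random-looking hex literal is reported.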
benches Change the randomly generated benchmark input 2024-04-01 16:25:37 +02:00
src Document the reason for the AES-GCM nonce size 2024-03-29 22:11:39 +01:00
.gitignore First commit 2024-02-14 18:16:45 +01:00
Cargo.toml Add support for AES128-GCM using HKDF-SHA256 to derive keys 2024-03-24 12:16:54 +01:00
deny.toml Update cargo-deny 2024-03-23 11:41:45 +01:00
README.md Update the readme 2024-02-25 23:05:22 +01:00
rustfmt.toml First commit 2024-02-14 18:16:45 +01:00

Coffio

License MIT OR Apache 2.0

Abstraction layer for symmetric data encryption, primarily designed for database column encryption.

Disclaimer

⚠️ DANGER: DRAGONS A(H)EAD! 🐲

This crate is experimental and has never been audited by an independent security professional. You should therefore NOT use it in production.

Although this crate aims to reduce the risk of misuse, it is still possible to use it in such a way that the cryptography it uses does not provide all the security guarantees you need. Ask your cryptographer if this crate is relevant to your use case and if you are using it correctly.

Frequently Asked Questions

Should I use this crate?

Although it may work, some parts are not stabilized yet. Expect breaking changes that may result in the total loss of previously encrypted data.

Why should I use this crate instead of a symmetric encryption function?

  1. Strong algorithms only. If you don't know which one to choose, Coffio provides strong defaults.
  2. Key management is hard. Coffio greatly simplifies it, making it widely accessible.

Why has this crate not been audited by a security professional?

Such an audit costs a lot of money. If you really care about this crate being audited, you may help finance it.

Where does the name coffio come from?

It is French slang for a safe or a strongbox. See coffio on the French Wiktionary.