The Monocypher crypto library now has been audited

栏目: IT技术 · 发布时间: 4年前

After spending six days on the Monocypher scope during this June 2020 project, two members of the Cure53 team can confirm that the provided C code held well to their scrutiny. Few findings with limited severities evidence a good security premise of Monocypher. What is more, the code is exceptionally clean and demonstrates a clear focus on security features. It relates to typical targets around embedded environments, for instance by avoiding unnecessary memory allocations.

The findings highlight some exceptions linked to undocumented behavior (MON-01-001) and a minor lack of rigor in test vectors (MON-01-004). Beyond these, no serious issues were found in the Monocypher code itself. However, some issues were spotted in the cryptographic library design (see MON-01-005 and MON-01-002). Finally, the Monokex protocol suite’s specification was found to be lacking critical details on the behavior of its Message Authentication Codes (MON-01-006). In the same realm, Cure53 also points out the necessity to justify its relatively bareboned key derivation mechanism (MON-01- 003).

In conclusion, while the Monocypher code is well-written and supported by clean, documented code and a suitable amount of test vectors, the high-level design of the Monocypher’s developer-exposed API could use more refinement (MON-01-005), as could the specification of the Monokex suite of protocols (MON-01-006, MON-01-003). Since no issues of High- or Critical- severity could be spotted in the timeframe available for this audit, Cure53 concludes this 2020 assessment on a positive note.

Cure53 would like to thank Loup Vaillant-David who maintains Monocypher for his excellent project coordination, support and assistance, both before and during this assignment. Special gratitude needs to be extended to Open Technology Fund Washington for sponsoring this project.


以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

独角兽之路

独角兽之路

三节课产品社区 / 电子工业出版社 / 2016-7 / 79.00元

对2~3年以上经验的互联网人来说,最好的学习可能不是听课,而是分析各类真实的产品和运营案例。而《独角兽之路:20款快速爆发且极具潜力的互联网产品深度剖析(全彩)》正好提供了对滴滴出行、百度外卖、懂球帝、快手App等20款极具代表性的准独角兽产品的发展路径的深度分析。 通过阅读《独角兽之路:20款快速爆发且极具潜力的互联网产品深度剖析(全彩)》,你可以发现互联网产品发展的背后,或许存在着某些共......一起来看看 《独角兽之路》 这本书的介绍吧!

HTML 压缩/解压工具
HTML 压缩/解压工具

在线压缩/解压 HTML 代码

RGB转16进制工具
RGB转16进制工具

RGB HEX 互转工具

SHA 加密
SHA 加密

SHA 加密工具