Go语言中的加密库与OpenSSL相比如何?

huangapple go评论84阅读模式
英文:

How does crypto library in Go compare to OpenSSL?

问题

这是要翻译的内容:

这个实现在生产代码中使用是否足够安全?特别是作为TLS客户端。

如果不安全,是否有文档记录了如何从Go中调用OpenSSL库的方法?

英文:

Is it secure enough implementation to use in production code? Particularly as TLS client.

If not, is there documented method of calling OpenSSL library from Go?

答案1

得分: 12

从http://blog.golang.org/a-conversation-with-the-go-team中:

> 在邮件列表中,Adam Langley表示TLS代码尚未经过外部团体的审查,因此不应在生产环境中使用。是否有计划对代码进行审查?一个良好安全的并发TLS实现将非常好。
>
> Adam:密码学在微妙和令人惊讶的方式上很容易出错,而我只是一个人。我觉得我不能保证Go的TLS代码是完美无缺的,我也不想误导别人。
>
> 代码中有几个已知存在侧信道问题的地方:RSA代码是有盲点的,但不是恒定时间的;除了P-224之外的椭圆曲线也不是恒定时间的,而且Lucky13攻击可能会生效。我希望在Go 1.2版本中解决后两个问题,采用恒定时间的P-256实现和AES-GCM。
>
> 然而,目前还没有人愿意对TLS堆栈进行审查,我也没有调查过是否可以请Matasano或类似的公司来进行审查。这取决于Google是否愿意提供资金。

众所周知,它容易受到某些侧信道攻击的影响,所以不,它可能还不够好。

英文:

From http://blog.golang.org/a-conversation-with-the-go-team:

> In the mailing lists Adam Langley has stated that the TLS code has not
> been reviewed by outside groups, and thus should not be used in
> production. Are there plans to have the code reviewed? A good secure
> implementation of concurrent TLS would be very nice.

>
> Adam: Cryptography is notoriously easy to botch in subtle and
> surprising ways and I’m only human. I don’t feel that I can warrant
> that Go’s TLS code is flawless and I wouldn’t want to misrepresent it.
>
> There are a couple of places where the code is known to have
> side-channel issues: the RSA code is blinded but not constant time,
> elliptic curves other than P-224 are not constant time and the Lucky13
> attack might work. I hope to address the latter two in the Go 1.2
> timeframe with a constant-time P-256 implementation and AES-GCM.
>
> Nobody has stepped forward to do a review of the TLS stack however and
> I’ve not investigated whether we could get Matasano or the like to do
> it. That depends on whether Google wishes to fund it.

It's known to be susceptible to certain side channel attacks, so no, it's probably not good enough yet.

答案2

得分: 4

FWIW,现在Go语言已经有了与OpenSSL高性能绑定的库:https://github.com/spacemonkeygo/openssl

英文:

FWIW, there are now high-performance bindings to OpenSSL from Go: https://github.com/spacemonkeygo/openssl

huangapple
  • 本文由 发表于 2013年9月12日 10:06:55
  • 转载请务必保留本文链接:https://go.coder-hub.com/18754190.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定