英文:
How does crypto library in Go compare to OpenSSL?
问题
这是要翻译的内容:
这个实现在生产代码中使用是否足够安全?特别是作为TLS客户端。
如果不安全,是否有文档记录了如何从Go中调用OpenSSL库的方法?
英文:
Is it secure enough implementation to use in production code? Particularly as TLS client.
If not, is there documented method of calling OpenSSL library from Go?
答案1
得分: 12
从http://blog.golang.org/a-conversation-with-the-go-team中:
> 在邮件列表中,Adam Langley表示TLS代码尚未经过外部团体的审查,因此不应在生产环境中使用。是否有计划对代码进行审查?一个良好安全的并发TLS实现将非常好。
>
> Adam:密码学在微妙和令人惊讶的方式上很容易出错,而我只是一个人。我觉得我不能保证Go的TLS代码是完美无缺的,我也不想误导别人。
>
> 代码中有几个已知存在侧信道问题的地方:RSA代码是有盲点的,但不是恒定时间的;除了P-224之外的椭圆曲线也不是恒定时间的,而且Lucky13攻击可能会生效。我希望在Go 1.2版本中解决后两个问题,采用恒定时间的P-256实现和AES-GCM。
>
> 然而,目前还没有人愿意对TLS堆栈进行审查,我也没有调查过是否可以请Matasano或类似的公司来进行审查。这取决于Google是否愿意提供资金。
众所周知,它容易受到某些侧信道攻击的影响,所以不,它可能还不够好。
英文:
From http://blog.golang.org/a-conversation-with-the-go-team:
> In the mailing lists Adam Langley has stated that the TLS code has not
> been reviewed by outside groups, and thus should not be used in
> production. Are there plans to have the code reviewed? A good secure
> implementation of concurrent TLS would be very nice.
>
> Adam: Cryptography is notoriously easy to botch in subtle and
> surprising ways and I’m only human. I don’t feel that I can warrant
> that Go’s TLS code is flawless and I wouldn’t want to misrepresent it.
>
> There are a couple of places where the code is known to have
> side-channel issues: the RSA code is blinded but not constant time,
> elliptic curves other than P-224 are not constant time and the Lucky13
> attack might work. I hope to address the latter two in the Go 1.2
> timeframe with a constant-time P-256 implementation and AES-GCM.
>
> Nobody has stepped forward to do a review of the TLS stack however and
> I’ve not investigated whether we could get Matasano or the like to do
> it. That depends on whether Google wishes to fund it.
It's known to be susceptible to certain side channel attacks, so no, it's probably not good enough yet.
答案2
得分: 4
FWIW,现在Go语言已经有了与OpenSSL高性能绑定的库:https://github.com/spacemonkeygo/openssl
英文:
FWIW, there are now high-performance bindings to OpenSSL from Go: https://github.com/spacemonkeygo/openssl
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论