From bd0742e66a86f219d93d029ae385688a9b0a6eb8 Mon Sep 17 00:00:00 2001 From: Paul Miller Date: Tue, 29 Aug 2023 12:29:03 +0000 Subject: [PATCH] README: update security section --- README.md | 43 ++++++++++++++++++++++++++++++++++++++++++- SECURITY.md | 2 ++ 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a3bf7fb..c768036 100644 --- a/README.md +++ b/README.md 
@@ -301,7 +301,48 @@ Format-preserving encryption algorithm (FPE-FF1) specified in NIST Special Publi ## Security -The library is experimental. Use at your own risk. +The library has not been independently audited yet. + +It is tested against property-based, cross-library and Wycheproof vectors, +and has fuzzing by [Guido Vranken's cryptofuzz](https://github.com/guidovranken/cryptofuzz). + +### Constant-timeness + +_JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to +achieve [timing attack](https://en.wikipedia.org/wiki/Timing_attack) resistance +in a scripting language. Which means _any other JS library can't have +constant-timeness_. Even statically typed Rust, a language without GC, +[makes it harder to achieve constant-time](https://www.chosenplaintext.ca/open-source/rust-timing-shield/security) +for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones. +Use low-level libraries & languages. Nonetheless we're targetting algorithmic constant time. + +### Supply chain security + +1. **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures. +2. **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs +3. **Rare releasing** is followed. + The less often it is done, the less code dependents would need to audit +4. **Dependencies** are minimal: + - All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff` + - Updates themselves are rare, to ensure rogue updates are not catched accidentally +5. devDependencies are only used if you want to contribute to the repo. 
They are disabled for end-users: + - scure-base, micro-bmark and micro-should are developed by the same author and follow identical security practices + - prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully + +We consider infrastructure attacks like rogue NPM modules very important; +that's why it's crucial to minimize the amount of 3rd-party dependencies & native bindings. +If your app uses 500 dependencies, any dep could get hacked and you'll be +downloading malware with every install. Our goal is to minimize this attack vector. + +If you see anything unusual: investigate and report. + +### Randomness + +We're deferring to built-in +[crypto.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) +which is considered cryptographically secure (CSPRNG). + +In the past, browsers had bugs that made it weak: it may happen again. ### How to encrypt properly diff --git a/SECURITY.md b/SECURITY.md index b98b6d1..f9c7a4f 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,5 +1,7 @@ # Security Policy +See [README's Security section](./README.md#security) for detailed description of internal security practices. + ## Supported Versions | Version | Supported |
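Review bot: the opening sentence of the `### Constant-timeness` subsection (`_JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to achieve [timing attack](...) resistance in a scripting language.`) does not parse, and the fragment that follows (`Which means _any other JS library can't have constant-timeness_.`) overstates the point; suggest `JIT compilation and garbage collection make it extremely hard to achieve [timing attack](...) resistance in a scripting language, which means no JS library can be truly constant-time.` In the same subsection, `we're targetting algorithmic constant time` should say what that means (no secret-dependent branches or memory accesses in the algorithm itself, with the runtime's behaviour out of scope) and fix the spelling to `targeting`. Under `### Supply chain security`: item 2 is missing its trailing period; item 4's second bullet, `to ensure rogue updates are not catched accidentally`, should read `are not picked up accidentally`, since the benefit of rare updating is a lower chance of pulling in a rogue version; item 5 says devDependencies `are disabled for end-users`, which is inaccurate because npm simply does not install a dependency's devDependencies, so `are not installed for end users` is the correct wording; and `prettier (linter)` should be `prettier (formatter)`. Finally, `If you see anything unusual: investigate and report.` names no reporting channel; point it at SECURITY.md or the contact listed there so the reader knows where to report.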
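Review bot: the added line in SECURITY.md is missing an article (`for detailed description` should be `for a detailed description`), and the `./README.md#security` anchor is the auto-generated slug for the `## Security` heading, so any later rename of that heading silently breaks the link; keep the heading name stable or note the dependency next to the link. Since the README hunk's `If you see anything unusual: investigate and report.` gives no contact, this file is the natural place for a reporting section if one is not already present below the Supported Versions table.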