So Many Crypto Libraries

In general I’m in favor of people running with ideas of how to make a better software library or app. The more ideas that are manifest, the more data people have to identify what works best. However, especially in the open source world, I sometimes feel like there is too much effort being spread around when it could be focused to greater effect. I’ve been feeling this way about crypto libraries for some time. Here are a few of them.

  • SSL/TLS
    • OpenSSL – C
    • GnuTLS – FSF, C
    • BoringSSL – Google, C
    • LibreSSL – OpenBSD, C
    • s2n – Amazon, C
    • NSS – Mozilla, C
    • Also
  • Crypto
    • NaCl – C
    • libsodium – C, API compatible with NaCl
    • Zinc – Linux kernel, C
    • Tink – Google
    • Libgcrypt – GnuPG, C
    • Also
      • TweetNaCl – API compatible with NaCl but seemingly unmaintained
      • underlock – Ruby
      • many others

I understand that people feel this problem has not been solved well and that APIs, implementation goals, and needs shift over time. Still, a common goal in software security is reducing the attack surface, and every additional implementation of the same primitives is more code to audit and another place for a memory-safety or timing bug to land. It would be nice to see some coalescing in this space.

Update: Further Reading:
