Botan 1.8.10 has been released.
This release changes a number of aspects of how private keys are encrypted. The default encryption algorithm has changed from 3DES to AES-256; botan has supported AES for this purpose for many years, but 3DES was chosen as the default for compatibility with other libraries. However, supporting AES should not be a problem any longer in recent libraries, so moving to a safer default seems reasonable. In addition, the default iteration count for the PBES1 and PBES2 encryption schemes (which are used primarily to encrypt asymmetric keys like RSA or DSA) has been increased from 2048 to 10000, which should make brute-force key cracking substantially harder.
The first round of AES now uses a smaller set of lookup tables; this only reduces performance slightly but some timing and cache analysis attacks against AES are substantially harder when AES is implemented this way.
The class known as S2K was renamed PBKDF in 1.9, with a typedef for backwards compatibility. To provide an equivalent forward compatibility path, 1.8.10 includes a typedef for PBKDF and a new accessor function get_pbkdf. It also includes a new interface for deriving keys from a passphrase which takes the passphrase and the desired output length as well as the salt and iteration count; in many cases this call is significantly more convenient than the older API.
Posted 2010/08/31 in releases; no comments
Botan 1.9.10: Constant time AES-128 using SSSE3, dynamic Engines
This new release adds a constant-time AES implementation using SSSE3. This code is based on public domain assembly written by Mike Hamburg and described in his CHES 2009 paper "Accelerating AES with Vector Permute Instructions". In addition to being constant time, it is also significantly faster than the table-based implementation on some processors. The current code has been tested with GCC 4.5, Visual C++ 2008, and Clang 2.8.
Support for dynamically loading Engine objects at runtime was also added. This will be especially useful for algorithm implementations which are in some way hardware dependent (for instance using CUDA). Currently only systems that use dlopen-style dynamic linking are supported, but a future release should also support Windows.
GCC 4.3 and later support new builtins for byte swapping values which work on a variety of processors. These builtins are now used when possible; this allows for fast byte swapping on platforms which were not previously supported (for instance ARM, PowerPC, and IA-64), and allows better scheduling on x86 processors as well.
This release drops support for configuring the build with Python 2.4; Python 2.5 or later is now required. At this time, the only current distro that still ships with 2.4 is RedHat Enterprise 5, so this should hopefully not affect too many users.
The class previously named S2K has been renamed PBKDF. This matches the general terminology for algorithms which transform passphrases into keys; the old S2K naming is historical and due to the fact that the first such algorithm added to botan was the one used in PGP, which is called S2K; the algorithms included in PKCS #5, which use the somewhat more conventional PBKDF term, were not added until version 1.1.0.
A bug in 1.9.9 that prevented benchmarking of ECB-mode ciphers was fixed.
If you have 10 minutes, please fill out the user survey. Knowing what users think of the library, how they are using it, and what the trouble spots are will greatly help in terms of improving future releases.
Posted 2010/08/12 in releases; no comments
Botan 1.9.9 has been released.
New functions in the Filter infrastructure include Filter::name (which simply returns the name of the filter as a std::string), and Keyed_Filter::valid_iv_length, which allows querying the IV length(s) a filter supports. Previously, partly because there was no such query mechanism, if a filter did not support IVs at all, then calls to set_iv would be silently ignored. Now an exception about the invalid IV length will be thrown.
The most recent release on the stable tree, 1.8.9, added a couple of new functions for doing BER encoding/decoding of public and private keys. These functions had not made it into the previous 1.9 release, and are added here.
The default iteration count for the password based encryption schemes has been increased from 2048 to 10000. This should make password-guessing attacks against private keys encrypted with versions after this release somewhat harder.
The Doxygen documentation comments were substantially updated and expanded in this release. As of the 1.9.9 spin, a total of 961 functions and variables remain undocumented. The goal is to get this number to zero before the next stable release series; patches assisting this would be most welcome.
Problems preventing compilation under Apple's GCC 4.2.1, and on 64-bit MIPS systems using GCC 4.4 or later were fixed.
Posted 2010/06/28 in releases; no comments
Botan 1.8.9: Timing attack fixes, Windows DLL, new encoder functions
The latest release in the stable branch, botan 1.8.9, has been released.
The main driver for this release is a couple of security related fixes; possible timing channels that could be used against OAEP decoding and the IDEA block cipher were removed. If you use either OAEP (EME1) or IDEA, you should upgrade as soon as possible.
Three new functions were added in this release: X509::BER_encode and two variants of PKCS8::BER_encode. Previously, the only way to BER encode a key as raw binary, without PEM encoding, was using X509::encode, PKCS8::encode, or PKCS8::encrypt_key, all of which required using a Pipe which would receive the key data. A number of uses I found of these functions simply started a Pipe with no filters and immediately read out the contents as a bitstring. So these functions provide this functionality directly. The previous encode functions are reduced to just:
   if(encoding == PEM)
      pipe.write(PEM_encode(key));
   else
      pipe.write(BER_encode(key));
X509::encode, PKCS8::encode, and PKCS8::encrypt_key are now deprecated, and may be removed in a future release. Simply call PEM_encode or BER_encode instead, depending on whatever you were using for the encoding argument.
A bug in the FIPS 186-3 kosherizer prevented creating DSA groups that had 512 or 768 bit p values. Not that using a 512 or 768 bit (or 1024 bit, for that matter) DSA key is a particularly good idea anymore.
The GNU MP backend engine would crash if the library was initialized then shutdown and reinitialized and a PK algorithm was used after the second init.
This release has a number of build changes. Perhaps most noticeable for Windows users is that a DLL is now built by default; if you want a static library, use the option --disable-shared. A Windows installer script (for use with InnoSetup) is created during configuration on Windows. Prebuilt binaries for 1.8.9 for 32 and 64 bit Windows should be available soon.
Botan 1.8 currently has two scripts that can be used to configure the build - one in Perl that traces back to the first release, and a newer one written in Python. For the last year, the Perl version has warned that it was deprecated and recommended migration to the Python script. As of this release, the Perl script is no longer maintained, tested, or supported in any way. Additionally, it will not run at all by default; you must pass the option --i-know-this-is-broken first.
Some bugs that prevented compiling with the LLVM/Clang compiler, GCC 3.4, and with very recent versions of GNU binutils (x86-64 only) were also fixed.
Posted 2010/06/16 in releases; no comments
1.9.8 Released: Windows x64 optimizations, timing attack countermeasures
Botan 1.9.8 has been released.
Botan now makes use of 64 bit multiplications under Visual C++ on 64 bit platforms. This has only been tested on x86-64 but should also work on IA-64 machines. This optimization can easily double the performance of public key algorithms on 64 bit Windows.
Possible timing attacks against OAEP decoding and in the IDEA block cipher were addressed in changes in this release.
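The OAEP (EME1) decoding fix mentioned here and in the 1.8.9 notes above concerns decoders that branch or return early on the contents of the padding, which leaks which check failed. As an added example that is not Botan's code, here is a small PKCS #1 v2.1 OAEP encoder and a decoder written so that every validity check is folded into one flag and the whole padding region is always scanned; the hash choice (SHA-1), the empty label and the modulus size are my assumptions, and Python itself gives no real constant-time guarantee, so the point is the control-flow structure rather than the cycle counts.

```python
import hashlib
import os
from typing import Optional

HLEN = 20  # SHA-1 digest length; used for both the OAEP hash and MGF1 (assumption)

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function (PKCS #1 v2.1, B.2.1) over SHA-1."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, seed: Optional[bytes] = None) -> bytes:
    """Build the k-byte encoded message EM = 0x00 || maskedSeed || maskedDB."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long for modulus size")
    lhash = hashlib.sha1(b"").digest()              # hash of the empty label
    db = lhash + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = seed or os.urandom(HLEN)
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int) -> Optional[bytes]:
    """Unpad EM. Every check is OR-ed into `bad` and the entire DB is scanned,
    so the work done does not depend on where (or whether) the 0x01 separator
    sits or on which check fails. Returns None on any failure."""
    if len(em) != k:                 # length is public; an early exit is harmless
        return None
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    bad = em[0]                                      # leading byte must be 0x00
    for x, y in zip(db[:HLEN], hashlib.sha1(b"").digest()):
        bad |= x ^ y                                 # lHash must match
    sep = found = 0
    for i in range(HLEN, len(db)):                   # scan the entire DB
        is_sep = int(db[i] == 1) & (1 - found)       # first 0x01 after lHash
        bad |= int(db[i] != 0) & (1 - found) & (1 - is_sep)  # non-zero in PS
        sep |= i * is_sep
        found |= is_sep
    bad |= 1 - found                                 # no separator at all
    return None if bad else db[sep + 1:]
```

A real implementation does the same folding in C with bitwise masks; the decoder above returns a single failure result regardless of which condition tripped.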
The --use-boost-python option was renamed --with-boost-python; this makes it easier to integrate with some packaging systems. There is also a --without-boost-python if you want to be explicit about not building the Python wrappers.
The FORK-256 hash function has been removed; it was definitively broken in papers published over the last couple of years, and was never widely used.
A bug that prevented creating DSA kosherized groups with p being 512 or 768 bits long was fixed. Do note though that using DSA keys of this size is quite unwise, as they can probably be broken with only relatively minimal effort.
Minor problems that prevented out of the box compilation with LLVM's Clang compiler, and with GCC versions before 4.3 on x86, were fixed.
Posted 2010/06/14 in releases; no comments