somesocks / lua-lockbox

A collection of cryptographic primitives written in pure Lua
MIT License

why require("lockbox").insecure() #27

Closed huangting closed 4 years ago

huangting commented 4 years ago

There is an error about require("lockbox").insecure() in ecb.lua, sha1.... I can't find lockbox.lua or any other lib. Why require("lockbox").insecure()? I'm using Lua 5.1.4.

greatwolf commented 4 years ago

Security Concerns in the readme explains it. You just need to have require 'lockbox'.ALLOW_INSECURE = true in your script.

Also make sure you have a bitops library available. Lua 5.1 doesn't come with bitops and Lockbox doesn't provide an implementation to emulate it.

huangting commented 4 years ago

Thank you very much~ I want to use cipher mode ECB, but why is it insecure? Are there any bugs in ECB?

tst2005 commented 4 years ago

ECB is insecure by design, see Wikipedia. If you use it for security, use at least CBC or any more modern ciphers.
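
The "insecure by design" property from the last reply, as an added example that is not part of the thread and is not lockbox code: ECB encrypts every block independently, so equal plaintext blocks produce equal ciphertext blocks, while CBC chains each block to the previous one. The block function here is a hypothetical stand-in (truncated HMAC-SHA256, not a real or invertible cipher), and the key and message are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, same as AES

def toy_block_encrypt(key, block):
    # Stand-in for a block cipher (assumption for this example): a deterministic
    # keyed function of one block. Not invertible, so there is no decrypt here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def split_blocks(data):
    if len(data) % BLOCK != 0:
        raise ValueError("input must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    # ECB: each block is processed on its own, with no IV and no chaining.
    return b"".join(toy_block_encrypt(key, b) for b in split_blocks(plaintext))

def cbc_encrypt(key, iv, plaintext):
    # CBC: each block is XORed with the previous ciphertext block (or the IV).
    prev, out = iv, []
    for b in split_blocks(plaintext):
        prev = toy_block_encrypt(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext):
    # What an observer without the key can count: duplicated ciphertext blocks.
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))

# Constructed sample: five 16-byte blocks, the middle three identical.
KEY = b"constructed-key!"
PLAINTEXT = b"ACCOUNT=ALICE   " + b"AMOUNT=000000100" * 3 + b"ACCOUNT=BOB     "

def demo():
    iv = os.urandom(BLOCK)  # fresh random IV per message
    return (repeated_blocks(ecb_encrypt(KEY, PLAINTEXT)),
            repeated_blocks(cbc_encrypt(KEY, iv, PLAINTEXT)))

if __name__ == "__main__":
    ecb_dupes, cbc_dupes = demo()
    print("duplicate ciphertext blocks  ECB:", ecb_dupes, " CBC:", cbc_dupes)
```

The same check (counting repeated ciphertext blocks) works as a quick audit for stored data suspected of being ECB-encrypted.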