libsodium: A Misuse-Resistant Crypto Library
Explore libsodium's opinionated API that makes it hard to choose insecure parameters.
libsodium Philosophy and Origin
libsodium was created by Frank Denis as a portable, cross-platform build of the NaCl (Networking and Cryptography library) library developed by Daniel Bernstein, Tanja Lange, and Peter Schwabe. The core philosophy is making correct cryptographic usage as easy as possible and incorrect usage as hard as possible. Secure defaults, simple APIs, and opinionated algorithm choices prevent the common mistakes that plague lower-level libraries.
Secret-Key Authenticated Encryption
crypto_secretbox provides secret-key authenticated encryption using XSalsa20-Poly1305. The API takes a message, a 24-byte nonce (randomly generated), and a 32-byte key. The output is a ciphertext that is both encrypted and authenticated. crypto_secretbox_open decrypts and verifies the authentication tag atomically, returning an error if tampering is detected. This prevents decryption of corrupted or maliciously modified ciphertexts.
All lessons in this course
- libsodium: A Misuse-Resistant Crypto Library
- OpenSSL API: Core Structures and Pitfalls
- Google Tink: Safe High-Level Crypto
- Auditing and Selecting Cryptographic Dependencies