Crate b64_ct

Source
Expand description

This crate provides an implementation of Base64 encoding/decoding that is designed to be resistant against software side-channel attacks (such as timing & cache attacks), see below for details. On certain platforms it also uses SIMD making it very fast. This makes it suitable for e.g. decoding cryptographic private keys in PEM format.

The API is very similar to the base64 implementation in the old rustc-serialize crate, making it easy to use in existing projects.

§Resistance against Software Side-Channel Attacks

An indistinguishable-time (colloquially: constant-time) implementation of an algorithm has a runtime that’s independent of the data being processed. This indistinguishability is usually based on the control flow of the program as well as its memory access pattern. In that case, indistinguishability may be achieved by making sure the control flow and memory access pattern don’t depend on the data. Other factors, such as instruction cycle count may also be consequential.

See the BearSSL page on constant-time cryptography for more information.

The runtime of the implementations in this crate is intended to be dependent only on whitespace and the length of the valid data, not the data itself.

§Implementation

Depending on the runtime CPU architecture, this crate uses different implementations with different security properties.

  • x86 with AVX2: All lookup tables are implemented with SIMD instructions. No secret-dependent memory accceses.
  • Other platforms: Lookups are limited to 64-byte aligned lookup tables. On platforms with 64-byte cache lines this may be sufficient to prevent certain cache side-channel attacks. However, it’s known that this is [not sufficient for all platforms].

Re-exports§

Structs§

  • Contains configuration parameters for to_base64.

Enums§

Statics§

  • Configuration for RFC 2045 MIME base64 encoding
  • Configuration for RFC 4648 standard base64 encoding
  • Configuration for RFC 4648 base64url encoding

Traits§

  • A trait for converting from base64 encoded values.
  • A trait for converting a value to base64 encoding.