[Botan-announce] Botan 1.11.10 released

Jack Lloyd lloyd at randombit.net
Fri Dec 12 10:07:51 EST 2014

Good morning,

It's been too long since a botan release and 1.11.10 has something for everyone.

Most exciting for me is that cryptosource GmbH (http://cryptosource.de) has
contributed an implementation of McEliece code-based public key encryption
secured against a variety of side-channels, plus an associated CCA2-secure
scheme. Given suitable parameters, this algorithm should be safe even
against quantum computers. The implementation is based on INRIA's HyMES
scheme though modified for additional side channel security. The original
HyMES is LGPL but cryptosource has secured permission from INRIA to release
an adaptation under a BSD license.

The implementation is further described in
http://cryptosource.de/docs/mceliece_in_botan.pdf and

Many thanks to the teams at both cryptosource GmbH and INRIA for their work.

DSA and ECDSA now create RFC 6979 deterministic signatures, which insulates
the signature algorithm from PRNG weaknesses. It also makes the implementation
easier to test. EC point multiplication now uses a Montgomery ladder instead
of a 4 bit windowing algorithm, which should be somewhat more resistant to
side channel attacks. There is also a new specialized CurveGFp representation
for P-521 which implements an optimized reduction.

TLS clients and servers now have support for fallback signaling
(draft-ietf-tls-downgrade-scsv-00) which should (if both sides support
it) protect against MITMs forcing application-directed protocol downgrades
via forged TCP resets.

DTLS finally supports timeouts and retransmits during handshakes. In addition
the interface to TLS::Server has changed slightly, with a new boolean
parameter to the constructor which specifies if this instance is a TLS or DTLS
server. Previously a server could (if policy allowed) act as either protocol
depending on the client hello, but this feature added more complication to the
record handling code than it was worth.

A bug in CCM when using an L value other than 2 caused it to produce incorrect
output, so the TLS-CCM ciphersuites in botan were not compatible with other
implementations. Thanks to Manuel Pégourié-Gonnard for the report and patch.

Private keys can now be encrypted using GCM in a non-standard adaptation of
the PKCS #8 structure, though the default mode remains CBC for compatibility
with other implementations. The default PBKDF2 hash for private key encryption
has changed from SHA-1 to SHA-256.

The compression modules have changed to a new interface which allows
compression to run with significantly fewer memory allocations and buffer
copies, with a new Compression_Filter providing compression facilities for
Pipe. The zlib module now also supports gzip format.

Many other smaller bug fixes and new features are mentioned in the full
release notes at http://botan.randombit.net/relnotes/1_11_10.html

Download links are at http://botan.randombit.net/download.html

  Jack Lloyd

More information about the botan-announce mailing list