Cryptography is the process of transforming information into a secure format, mostly by encryption. Encryption ensures that data passing through the web is safe and reliable.
Although Rust has a random number generator, the main suite in use today is OpenSSL. As you’ll see in this guide, the Rust ecosystem offers an expansive range of rich-featured cryptography libraries to help you keep data safe in transit to and from your applications.
In this guide, we’ll review the state of cryptography in Rust and compare some open-source encryption libraries, including:
With cryptography suites, you can secure a network connection that uses TLS or SSL. In this section, we’ll look at some open-source Rust suites, evaluating each for stability and production readiness.
openssl
openssl
provides a safe interface to the popular OpenSSL cryptography library. This library has 123 versions published, with the latest stable version being 0.10.30. openssl
is licensed under Apache 2.0.
To use openssl
, add the code below to your cargo.toml
file.
openssl = "0.10.30"
orion
orion
aims to minimize the use of unsafe code. The library supports Rust 1.41 or later and the following crypto methods.
This library is licensed under MIT and currently has 68 versions published, the of which is 0.15.4. To use the current version of this library, add the following codes to your cargo.toml
file:
orion = "0.15.4"
By default, orion uses STD. To use orion in a no_std
context, you need to specify the dependency by writing the code below.
orion = { version = "*", default-features = false } # Replace * with the most recent version
Argon2i will not be available with no_std
. To allow Argon2i, you have to enable the alloc
feature.
[dependencies.orion] version = "*" # Replace * with the most recent version default-features = false features = ["alloc"]
libsodium-sys
libsodium-sys is an open-source Rust bindings to the sodium library. This library has 24 versions published. Its latest stable version is 0.2.6. The library is licensed under Apache-2.0/MIT.
The bind functions that can be used for libsodium-sys are as follows:
crypto::box_
and crypto::sign
for public-key cryptographycrypto::sealedbox
for sealed boxescrypto::secretbox
, crypto::stream
, crypto::auth
, and crypto::onetimeauth
for secret-key cryptographycrypto::hash
, crypto::verify
, and crypto::shorthash
for low-level functionsgpgme
This is a GnuPG Made Easy (GPGME) library for Rust. Using GnuPG directly from an application can be complicated; GPGME makes access to GnuPG (GNU Privacy Guard) much easier.
The most stable version of this library, 0.9.2, does not support the bundling of the gpgme
library source to attempt build via the buildscript.
To use gpgme
, add the following to your cargo.toml
file.
gpgme = "0.9.2"
This library is licensed under LGPL-2.1
and has 14 versions published.
ring
This open-source library allows us to build safe, fast, and small crypto applications using Rust with BoringSSL’s cryptography primitives. ring
has 94 versions published. Its most recent and stable version is ring
0.16.15.
Ring has the following features.
alloc
(default), which enables features that require use of the heap, RSA in particulardev_urandom_fallback
(default), which causes ring::rand::SystemRandom
to fall back to /dev/urandom
by default when the getrandom()
syscall isn’t supported at runtime. dev_urandom_fallback
is only currently supported by Linux OSstd
, which enables features that use libstd
, especially the std::error::Error
featureTo use the latest version of this library, add the following code to your cargo.toml
file.
ring = "0.16.15"
Do you ever wonder how information can be secure given the inherent predictability of computer/programming algorithms (e.g., you could determine an output by feeding in an input)? Random number generators take in nondeterministic inputs (such as phase noise or clock signals) and generate unpredictable numbers as the output.
Below are some of the best and most production-ready random number generators for Rust.
rand
rand
is a Rust library for random number generation. Random numbers are generated and converted to useful types, distributions, and some randomness-related algorithms.
rand
version 0.7 requires rustc
version 1.32 or greater. Meanwhile, rand
0.5 requires rustc
1.22 or greater and versions 0.4 and 0.3 require rustc
version 1.15 or greater (since approx. June 2017).
Some of the rand
code may work with older Rust versions, but it is not recommended to use it. rand
has 62 versions published, with one version yanked (unreleased) version, 0.7.1.
To use the current version of rand
, add the following to your cargo.toml
file.
[dependencies] rand = "0.7"
uuid
uuid
creates and parses universally unique identifiers (UUIDs), which are unique 128-bit numbers stored as 16 octets. With UUIDs, unique identifiers can be assigned to entities without requiring a central allocating authority.
This library has 45 versions published, the latest being 0.8.1.
To use uuid
, add the following to your cargo.toml
file.
[dependencies] uuid = "0.8"
Passwords are a form of encryption that help us create strong cryptographic keys. With password-based encryption, users can create strong secret keys based on the password they provide.
bcrypt
bcrypt
is an open-source library that lets you easily hash and verify passwords on Rust. This library has 21 versions; the latest is version 0.8.2
.
To use bcrypt
, add the following to your cargo.toml
file.
bcrypt = "0.8.2"
This version of bcrypt
supports version 1.36.0 as the minimum version of Rust.
djangohashers
djangohashers
is a Rust port of the password primitives that are used in Django projects. Although Django has the django.contrib.auth.models.User
class, which consists of a few methods to deal with passwords, such as set_password()
and check_password()
, djangohashers
executes the primitive functions behind those methods. You can use the password hash algorithm of this library in any Rust project.
djangohashers
has 23 versions published. The most recent stable version is 1.3.1.
To install djangohashers
, add the dependency to your cargo.toml
file.
[dependencies] djangohashers = "^1.3"
pwhash
This Rust open-source library consists of a collection of password hashing and verification routines.
With pwhash
, you can verify a password against a hash with the verify()
function. You can also hash a password with default algorithm-specific parameters or customized parameters with the hash()
and hash_with()
functions, respectively.
This library has published five versions at the time of writing, with the most stable version being 0.3.1.
With Transport Layer Security (TLS), data sent over the internet is encrypted to keep private and sensitive information safe from bad actors.
The following libraries offer the TLS protocol for Rust-based applications.
rustls
rustls
, pronounced “rustless,” is a modern library that implements TLS for Rust. It uses the ring
library for cryptography libwebpki
for certificate verification.
rustls
assures of high level cryptographic security with no configuration required. It has 29 published versions; the most stable is version 0.18.1.
To use the current version of rustls
, add the following to your cargo.toml
file.
rustls = "0.18.1"
tokio-openssl
tokio-openssl
is an implementation of SSL streams for Tokio, an asynchronous runtime for Rust, backed by OpenSSL.
tokio-openssl
is licensed under MIT/Apache-2.0, and the latest stable version is 0.4.0.
To use this version, add the following to your cargo.toml
file.
tokio-openssl = "0.4.0"
tokio-rustls
tokio-rustls
is an asynchronous TLS/SSL stream for Tokio using the rustls
library. This library currently has 56 versions, with the current stable version being 0.14.1. tokio-rustls
started as a fork from the Tokio-TLS project.
webpki
With webpki
, you can validate Web PKI (TLS/SSL) certificates. This library uses ring
for signature verification.
With webpki
, there’s no dispute to efficiency and safety because it uses Rust’s borrow checker to validate that its zero-copy parsing strategy is safe and efficient. webpki
maintains a tight restriction on the amount of stack memory it uses, so it never allocates memory on the heap.
webpki
has 40 versions released, the latest of which is 0.21.3. This library is not licensed and offers no warranty.
The importance of tools cannot be overemphasized in cryptography. The best ones make securing information between peers almost seamless.
Let’s zoom in on some of the most popular encryption tools for Rust, including services ranging from token management, to file management, to cookie management.
tempfile
Imagine you want to create a file but don’t care about its name or location since it’s a temporal file that you wish to urgently work on and delete later. The tempfile
library deletes the file once you’re done.
This tool enables you to delete temporary files and directories with the tempfile()
and tempdir()
function.
tempfile
is licensed under MIT/Apache 2.0 and has 35 versions; the most recent is 3.1.0.
cookie
To put it simply, cookie
enhances HTTP cookie parsing and cookie jar management. This library is licensed under MIT or Apache 2.0 and has 62 versions (the most recent version is 0.14.2). cookie
has been downloaded nearly 6 million times.
frank_jwt
Ever heard of JSON Web Token (JWT)? You can pass claims securely between two parties by decoding, verifying, and generating encoded credentials called JWT. frank_jwt
is an implementation of JSON Web Tokens in Rust.
This library supports cryptographic algorithm and is licensed under Apache 2.0 and has 14 versions at the time of writing.
Hashing in cryptography means converting data into unique strings that are undecipherable to humans. Here’s a simple example of data and its equivalent hash string:
Data: Hello Hash: f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0
Let’s zoom in on some libraries that offer hashing in Rust.
Note: Many of the libraries mentioned in the “Password-based encryption for Rust” section can also be used for hashing in Rust.
rust-fnv
FNV (Fowler/Noll/Vo) is a custom hasher implementation that is fast and has good dispersion. While the default hasher implementation, SipHash
, is good in many cases, it’s usually slower than other algorithms with short keys.
rust-fnv
performs faster on algorithms with short keys. The disadvantage of rust-fnv
is that it performs poorly on larger inputs and provides no protection against collision attack.
This library is licensed under Apache 2.0/MIT, it has eight published versions.
twox-hash
This library is a Rust implementation of XXHash algorithm, a fast Hash algorithm that runs at RAM speed limits.
To use this twox-hash
, add the following to your cargo.toml
file.
twox-hash = "1.5.0"
twox-hash
has 13 versions with two versions yanked (unreleased). The most stable version of twox-hash
, at the time of writing, is 1.5.0
.
blake2-rfc
If you want a hash function that’s faster than MD5, SHA-1, SHA-2, and secure as the latest version of SHA-3, look no further than blake2-rfc
.
blake2-rfc
is a pure Rust implementation of BLAKE2, which is based on RFC 7693. It has 20 versions, the most recent being 0.2.18.
Algorithms are among the most widely used privacy protection methods. These are usually designed for data encryption, authentication, and digital signatures.
bulletproofs
This library enacts Bulletproofs using Ristretto. Ristretto is a technique for compressing curves (ellipse); it divides the curve’s cofactor by 4 or 8 to implement the prime-order group.
bulletproofs
has eight versions published at the time of writing, with version 1.0.3
yanked.
curve25519-dalek
This open-source library is a Rust implementation of operations on Ristretto and Curve25519.
curve25519-dalek
is built to provide a clean and safe mid-level API, executing ECC-based crypto protocols such as zero-knowledge proof systems, key agreement, signatures, and anonymous credentials.
This library is licensed under the BSD 3-Clause and has 64 versions published at the time of writing. Version 2.0.0
was yanked.
To use the latest released version of this library in your application, add the following code to your cargo.toml
file.
curve25519-dalek = "3.0.0"
ed25519-dalek
This library is a fast and efficient Rust implementation of ed25519 key generation, signing, and verification in Rust.
With ed25519-dalek
, ed25519 key generation, signing, and verification become easier and faster in Rust.
This library is licensed under the BSD 3-Clause and has over 28 versions published.
merlin
merlin
provides a transcript-based RNG as defense-in-depth against bad-entropy attacks. merlin
is a transcript construction for zero-knowledge proofs.
If you use merlin
in your application, you can execute noninteractive protocols as if they were interactive. This is because merlin
automates the Fiat-Shamir transform.
rust-secp256k1
rust-secp256k1
is a wrapper around libsecp256k1
, a library that can be used for producing ECDSA signatures using the SECG curve secp256k1
.
You’ll love how efficient this library is; it makes no allocations (except in unit tests) for efficiency and use in freestanding implementations.
This library is licensed under CC0-1.0 and has 63 versions published.
subtle
This is an open-source library for constant-time cryptographic implementations.
subtle
supports a minimum of Rust version 1.41. There have been 24 versions published, the latest being 2.3.0; version 2.2.0 has been yanked.
x25519-dalek
This is a pure-Rust implementation of x25519 elliptic curve Diffie-Hellman key exchange, with curve operations provided by curve25519-dalek.
x25519-dalek
has 17 versions published; 1.1.0 is the most recent.
To use x25519-dalek
in your application, add the following to your cargo.toml
file.
x25519-dalek = "1.1.0"
zkp
This library implements the zero-knowledge proof according to Schnorr style. That means zkp
can verify the validity of a statement without releasing any knowledge aside from the validity of a statement (sensitive information).
zkp
provides two levels of API: a higher-level, declarative API based on the define_proof
macro and a lower-level, imperative API inspired by Bellman, which provides a constraint system for Schnorr-style statements.
zkp
is licensed under CC0-1.0. It has 12 versions, of which four have been yanked.
Whether you’re writing in Rust or some other programming language, you should always use encryption when transferring information over the internet. As you can tell by the wide variety of popular, production-ready cryptography suites, random number generators, password solutions, TLS, tools, and algorithms available, the state of crypto in Rust is quite strong.
We have seen the different sections housing different methods cryptography can be performed and libraries that help secure parsing of data in Rust based applications.
If you would love to read more about cryptography as pertains to Rust, check out Rust Cryptography.
Thank you for your time! Please do contact me on twitter if you have any questions or suggestions concerning this article.
Debugging Rust applications can be difficult, especially when users experience issues that are hard to reproduce. If you’re interested in monitoring and tracking the performance of your Rust apps, automatically surfacing errors, and tracking slow network requests and load time, try LogRocket.
LogRocket is like a DVR for web and mobile apps, recording literally everything that happens on your Rust application. Instead of guessing why problems happen, you can aggregate and report on what state your application was in when an issue occurred. LogRocket also monitors your app’s performance, reporting metrics like client CPU load, client memory usage, and more.
Modernize how you debug your Rust apps — start monitoring for free.
Hey there, want to help make our blog better?
Join LogRocket’s Content Advisory Board. You’ll help inform the type of content we create and get access to exclusive meetups, social accreditation, and swag.
Sign up nowMatcha, a famous green tea, is known for its stress-reducing benefits. I wouldn’t claim that this tea necessarily inspired the […]
Backdrop and background have similar meanings, as they both refer to the area behind something. The main difference is that […]
AI tools like IBM API Connect and Postbot can streamline writing and executing API tests and guard against AI hallucinations or other complications.
Explore DOM manipulation patterns in JavaScript, such as choosing the right querySelector, caching elements, improving event handling, and more.