Convert Figma logo to code with AI

tink-crypto logotink

Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.

13,469
1,178
13,469
0
View on GitHub

Top Related Projects

google's avatar

boringssl

1,796

Mirror of BoringSSL

C2SP's avatar

wycheproof

2,757

Project Wycheproof tests crypto libraries against known attacks.

google's avatar

end-to-end

4,129

End-To-End is a crypto library to encrypt, decrypt, digital sign, and verify signed messages (implementing OpenPGP)

google's avatar

keyczar

1,098

Easy-to-use crypto toolkit

jedisct1's avatar

libsodium

12,174

A modern, portable, easy to use crypto library.

openssl's avatar

openssl

25,386

TLS/SSL and crypto library

Quick Overview

Tink is a multi-language, cross-platform cryptographic library developed by Google. It aims to provide secure, easy-to-use, and misuse-resistant APIs for common cryptographic tasks, making it easier for developers to implement cryptography correctly in their applications.

Pros

  • Simplifies cryptographic operations with high-level, easy-to-use APIs
  • Provides strong security guarantees and follows cryptographic best practices
  • Supports multiple programming languages (Java, C++, Go, Python, JavaScript)
  • Regularly updated and maintained by Google's security experts

Cons

  • Learning curve for developers unfamiliar with cryptographic concepts
  • May have limited support for some advanced or specialized cryptographic operations
  • Dependency on Google's implementation and design decisions
  • Potential performance overhead compared to low-level cryptographic libraries

Code Examples

  1. Encrypting data using AES-GCM:
import com.google.crypto.tink.*;
import com.google.crypto.tink.aead.*;

// Initialize Tink
AeadConfig.register();

// Generate a new key
KeysetHandle keysetHandle = KeysetHandle.generateNew(AeadKeyTemplates.AES128_GCM);

// Get the primitive
Aead aead = keysetHandle.getPrimitive(Aead.class);

// Encrypt
byte[] plaintext = "Hello, Tink!".getBytes();
byte[] ciphertext = aead.encrypt(plaintext, null);
  1. Verifying a digital signature:
import com.google.crypto.tink.*;
import com.google.crypto.tink.signature.*;

// Initialize Tink
SignatureConfig.register();

// Load the public key
KeysetHandle publicKeysetHandle = KeysetHandle.readNoSecret(
    JsonKeysetReader.withFile("path/to/public_keyset.json"));

// Get the primitive
PublicKeyVerify verifier = publicKeysetHandle.getPrimitive(PublicKeyVerify.class);

// Verify the signature
byte[] message = "Message to verify".getBytes();
byte[] signature = // ... obtain signature ...
try {
    verifier.verify(signature, message);
    System.out.println("Signature is valid");
} catch (GeneralSecurityException e) {
    System.out.println("Invalid signature");
}
  1. Performing key rotation:
import com.google.crypto.tink.*;
import com.google.crypto.tink.aead.*;

// Initialize Tink
AeadConfig.register();

// Load existing keyset
KeysetHandle oldKeysetHandle = KeysetHandle.readNoSecret(
    JsonKeysetReader.withFile("path/to/old_keyset.json"));

// Generate a new key
KeyTemplate keyTemplate = AeadKeyTemplates.AES128_GCM;
KeysetHandle newKey = KeysetHandle.generateNew(keyTemplate);

// Perform key rotation
KeysetHandle rotatedKeysetHandle = oldKeysetHandle.addKey(newKey.getKeysetInfo().getKeyInfo(0));

// Set the new key as primary
rotatedKeysetHandle = rotatedKeysetHandle.setPrimary(newKey.getKeysetInfo().getKeyInfo(0).getKeyId());

Getting Started

To start using Tink in your Java project:

  1. Add the Tink dependency to your pom.xml:
<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.7.0</version>
</dependency>
  1. Initialize Tink in your code:
import com.google.crypto.tink.*;

public class MyApp {
    public static void main(String[] args) throws Exception {
        // Register all primitives
        Config.register();
        
        // Your cryptographic operations here
    }
}

Competitor Comparisons

google logo

boringssl

1,796

Mirror of BoringSSL

Pros of BoringSSL

  • More established and widely used in production environments
  • Offers a broader range of cryptographic primitives and protocols
  • Actively maintained by Google with frequent updates and security patches

Cons of BoringSSL

  • Larger codebase and more complex API, potentially steeper learning curve
  • Less focus on ease of use and high-level abstractions
  • May require more cryptographic expertise to use correctly and securely

Code Comparison

BoringSSL (low-level API):

EVP_CIPHER_CTX *ctx;
EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv);
EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len);
EVP_EncryptFinal_ex(ctx, ciphertext + len, &len);

Tink (high-level API):

AeadKeyTemplate keyTemplate = AeadKeyTemplates.AES256_GCM;
KeysetHandle keysetHandle = KeysetHandle.generateNew(keyTemplate);
Aead aead = keysetHandle.getPrimitive(Aead.class);
byte[] ciphertext = aead.encrypt(plaintext, associatedData);

BoringSSL provides a lower-level API requiring more manual management, while Tink offers a higher-level abstraction with built-in key management and simpler usage patterns. BoringSSL is more suitable for projects needing fine-grained control over cryptographic operations, whereas Tink is designed for easier integration and reduced risk of misuse in application-level cryptography.

C2SP logo

wycheproof

2,757

Project Wycheproof tests crypto libraries against known attacks.

Pros of Wycheproof

  • Focused on cryptographic test vectors, providing a comprehensive suite for testing implementations
  • Language-agnostic approach, allowing for broader application across different programming languages
  • Regularly updated with new test vectors for emerging cryptographic algorithms and protocols

Cons of Wycheproof

  • Limited to testing and doesn't provide a full cryptographic library implementation
  • Requires integration with existing cryptographic libraries for practical use
  • May have a steeper learning curve for developers not familiar with cryptographic testing methodologies

Code Comparison

Tink example (Java):

KeysetHandle keysetHandle = KeysetHandle.generateNew(AeadKeyTemplates.AES128_GCM);
Aead aead = keysetHandle.getPrimitive(Aead.class);
byte[] ciphertext = aead.encrypt(plaintext, associatedData);

Wycheproof example (JSON test vector):

{
  "algorithm" : "AES-GCM",
  "generatorVersion" : "0.0",
  "numberOfTests" : 15,
  "testGroups" : [
    {
      "ivSize" : 96,
      "keySize" : 128,
      "tagSize" : 128,
      "type" : "AesGcmTest",
      "tests" : [
        {
          "tcId" : 1,
          "comment" : "valid test vector",
          "key" : "5b9604fe14eadba931b0ccf34843dab9",
          "iv" : "26aa49dcfe7a79b320b66d39",
          "aad" : "",
          "msg" : "28286a321293253c3e0aa2704a278032",
          "ct" : "5a3c1cf1985dbb8bed818036fdd5ab42",
          "tag" : "23c7ab0f952b7091cd324835043b5eb5",
          "result" : "valid"
        },
        // ... more test cases ...
      ]
    }
  ]
}
google logo

end-to-end

4,129

End-To-End is a crypto library to encrypt, decrypt, digital sign, and verify signed messages (implementing OpenPGP)

Pros of End-to-End

  • Focuses specifically on end-to-end encryption for email and other communications
  • Provides a user-friendly interface for managing encrypted communications
  • Integrates well with existing email clients and web browsers

Cons of End-to-End

  • Less actively maintained compared to Tink
  • Limited to specific use cases (primarily email encryption)
  • Smaller community and fewer contributors

Code Comparison

End-to-End (JavaScript):

goog.require('e2e.openpgp.asciiArmor');
goog.require('e2e.openpgp.block.factory');

var armoredText = '-----BEGIN PGP MESSAGE-----\n...';
var block = e2e.openpgp.block.factory.parseAsciiArmored(armoredText);

Tink (Java):

import com.google.crypto.tink.*;

KeysetHandle keysetHandle = KeysetHandle.generateNew(AeadKeyTemplates.AES128_GCM);
Aead aead = keysetHandle.getPrimitive(Aead.class);
byte[] ciphertext = aead.encrypt(plaintext, associatedData);

Tink offers a more comprehensive and actively maintained cryptographic library with support for various primitives, while End-to-End focuses specifically on OpenPGP-based email encryption. Tink provides a simpler API for common cryptographic operations, whereas End-to-End offers more specialized functionality for secure communications.

google logo

keyczar

1,098

Easy-to-use crypto toolkit

Pros of Keyczar

  • Simpler API with fewer concepts to learn
  • Supports a wider range of key types, including DSA
  • Better suited for legacy systems and applications

Cons of Keyczar

  • Less actively maintained (last commit in 2018)
  • Limited language support (primarily Java and Python)
  • Lacks modern cryptographic primitives and algorithms

Code Comparison

Keyczar (Java):

Crypter crypter = new Crypter("path/to/keys");
String ciphertext = crypter.encrypt("Hello, World!");
String plaintext = crypter.decrypt(ciphertext);

Tink (Java):

KeysetHandle keysetHandle = KeysetHandle.generateNew(AeadKeyTemplates.AES128_GCM);
Aead aead = AeadFactory.getPrimitive(keysetHandle);
byte[] ciphertext = aead.encrypt("Hello, World!".getBytes(), null);
byte[] plaintext = aead.decrypt(ciphertext, null);

Tink offers a more flexible and modular approach, with stronger type safety and better support for key management. It also provides more advanced features like key rotation and multi-language support. However, Keyczar's simplicity may be preferable for smaller projects or those with simpler cryptographic needs.

jedisct1 logo

libsodium

12,174

A modern, portable, easy to use crypto library.

Pros of libsodium

  • Mature and widely adopted cryptographic library with a focus on simplicity and ease of use
  • Extensive cross-platform support, including mobile and embedded systems
  • Provides a comprehensive set of low-level cryptographic primitives

Cons of libsodium

  • Requires more cryptographic expertise to use correctly compared to Tink's higher-level abstractions
  • Less emphasis on key management and rotation features
  • Smaller ecosystem of language bindings and integrations

Code Comparison

libsodium example (encryption):

unsigned char ciphertext[crypto_secretbox_MACBYTES + MESSAGE_LEN];
crypto_secretbox_easy(ciphertext, message, MESSAGE_LEN, nonce, key);

Tink example (encryption):

Aead aead = AeadFactory.getPrimitive(keysetHandle);
byte[] ciphertext = aead.encrypt(plaintext, associatedData);

Both libraries provide cryptographic operations, but Tink offers a higher-level API with built-in key management and rotation features. libsodium provides more fine-grained control over cryptographic primitives, while Tink focuses on simplifying secure usage through abstraction. The choice between them depends on the specific requirements of the project and the level of cryptographic expertise available.

openssl logo

openssl

25,386

TLS/SSL and crypto library

Pros of OpenSSL

  • Extensive feature set covering a wide range of cryptographic operations
  • Long-standing industry standard with widespread adoption and support
  • Highly performant and optimized for various platforms

Cons of OpenSSL

  • Complex API with a steep learning curve
  • Requires careful usage to avoid security pitfalls
  • Frequent updates and patches needed to address vulnerabilities

Code Comparison

OpenSSL example (encryption):

EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv);
EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len);
EVP_EncryptFinal_ex(ctx, ciphertext + len, &len);

Tink example (encryption):

Aead aead = AeadFactory.getPrimitive(keysetHandle);
byte[] ciphertext = aead.encrypt(plaintext, associatedData);

Tink offers a simpler API with built-in security best practices, while OpenSSL provides more granular control but requires careful implementation. OpenSSL's extensive feature set and performance make it suitable for a wide range of applications, whereas Tink focuses on ease of use and reducing the risk of misuse in cryptographic operations.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Tink

NOTE: Tink moved to github.com/tink-crypto and this repo is no longer active!

As planned, we have split Tink into multiple GitHub repositories that are hosted at github.com/tink-crypto. As a consequence, we made this repository read-only and it is not going to be maintained moving forward.

A multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. See also: https://developers.google.com/tink.

Index

  1. Introduction
  2. Current status
  3. Getting started
  4. Learn more
  5. Contact and mailing list
  6. Maintainers

Introduction

Using crypto in your application shouldn't have to feel like juggling chainsaws in the dark. Tink is a crypto library written by a group of cryptographers and security engineers at Google. It was born out of our extensive experience working with Google's product teams, fixing weaknesses in implementations, and providing simple APIs that can be used safely without needing a crypto background.

Tink provides secure APIs that are easy to use correctly and hard(er) to misuse. It reduces common crypto pitfalls with user-centered design, careful implementation and code reviews, and extensive testing. At Google, Tink is one of the standard crypto libraries, and has been deployed in hundreds of products and systems.

To get a quick overview of Tink design please take a look at slides from a talk about Tink presented at Real World Crypto 2019.

Current status

Java/Android, C++, Obj-C, Go, and Python are field tested and ready for production. The latest version is 1.7.0, released on 2022-08-09.

Javascript/Typescript is in an alpha state and should only be used for testing. Please see the intent to remove statement here.

UbuntumacOS
Kokoro UbuntuKokoro macOS

Getting started

Documentation for the project is located at https://developers.google.com/tink. Currently, it details a variety of common usage scenarios and covers the Java and Python implementations. The site will be populated with more content over time.

Alternatively, you can look at all of the examples which demonstrate performing simple tasks using Tink in a variety of languages.

  • Python
pip3 install tink
  • Golang
go get github.com/google/tink/go/...
  • Java
<dependency>
  <groupId>com.google.crypto.tink</groupId>
  <artifactId>tink</artifactId>
  <version>1.7.0</version>
</dependency>
  • Android
dependencies {
  implementation 'com.google.crypto.tink:tink-android:1.7.0'
}
  • Objective-C/iOS
cd /path/to/your/Xcode project/
pod init
pod 'Tink', '1.7.0'
pod install

Learn more

Community-driven ports

Out of the box Tink supports a wide range of languages, but it still doesn't support every language. Fortunately, some users like Tink so much that they've ported it to their favorite languages! Below you can find notable ports.

WARNING While we usually review these ports, until further notice, we do not maintain them and have no plan to support them in the foreseeable future.

Contact and mailing list

If you want to contribute, please read CONTRIBUTING and send us pull requests. You can also report bugs or file feature requests.

If you'd like to talk to the developers or get notified about major product updates, you may want to subscribe to our mailing list.

Maintainers

Tink is maintained by (A-Z):

  • Moreno Ambrosin
  • Taymon Beal
  • Daniel Bleichenbacher
  • William Conner
  • Thai Duong
  • Thomas Holenstein
  • Stefan Kölbl
  • Charles Lee
  • Cindy Lin
  • Fernando Lobato Meeser
  • Atul Luykx
  • Rafael Misoczki
  • Sophie Schmieg
  • Laurent Simon
  • Elizaveta Tretiakova
  • Jürg Wullschleger

Alumni:

  • Haris Andrianakis
  • Tanuj Dhir
  • Quan Nguyen
  • Bartosz Przydatek
  • Enzo Puig
  • Veronika Slívová
  • Paula Vidas
  • Cathie Yun
  • Federico Zalcberg