A Roadmap for High Assurance Cryptography


A Roadmap for High Assurance Cryptography
Harry Halpin (Prosecco), harry.halpin@inria.fr, @harryhalpin (Twitter)
NEXTLEAP (nextleap.eu)
Thanks to Peter Schwabe (Radboud University)

High Assurance is Needed More than Ever

Traditional Security Methodology
- Defining security goals
- Identifying the trusted code base (TCB) needed to achieve those goals
- Isolating the TCB from the rest of the code
- Implementing a well-defined interface (API) between the TCB and the rest of the code
- Assuring that the API's usage meets the security goals

Low vs. High Assurance
- Low assurance: the TCB has grown organically and is mixed with non-TCB code. The TCB goes beyond crypto: kernels, drivers, etc.
- High assurance: the crypto TCB implements the security goals as its primary function, so crypto should always be inside the TCB, and the API must maintain the security goals.

How to Achieve High Assurance?
1) Testing: cheap, but no guaranteed absence of vulnerabilities.
2) Auditing: better, but requires many experts and also gives no guarantees. Issues with scaling and expense.
3) Formal verification: guarantee of security properties via formal proofs of correctness and security.

Do you really trust experts?

Goal: Replace OpenSSL

Formal Verification is Slow
- OpenSSL has hand-optimized assembly per microarchitecture.
- Multiple carry bugs in big-integer arithmetic! (Brumley et al., CT-RSA 2012)
- Formal verification does not usually translate to running code, so we are proving only a model of the code (often in Coq, DeepSpec, etc.), not the running code itself.

F*: Creates Running Code
- Formal verification done via lemmas in a dependent type system. https://www.fstar-lang.org/
- Uses KreMLin to compile (with verification) from F* to OCaml to CompCert C (and eventually JavaScript).
- HACL* library: initially focused on Curve25519 DH and EdDSA, now includes stream ciphers (ChaCha20, Salsa20, XSalsa20) and MACs (Poly1305, HMAC).
- Used in Mozilla's NSS now (2017).

Mozilla and F*

Challenge: Speed and Verification
- Hand-optimized code is almost always faster, and the amount of annotations dwarfs the code.
- Solution: formally verify an LLVM (low-level virtual machine) that can create optimized micro-code per architecture.
- See Jasmin (descendant of qhasm): https://github.com/jasmin-lang/jasmin
- Proofs of equivalence between optimized Jasmin and CompCert C.
- gfverif: https://gfverif.cryptojedi.org/

Developer-Resistant API
- Cryptographic API: used by programmers to access cryptographic primitives and control cryptographic key material as needed in their applications and higher-level protocols.
- Security API: a set of functions that maintain security properties regardless of how the API is used.
- 88% of errors caused by API usage in Android (Egele et al., 2013)

Common API Errors
- Cross-API: Google's Project Wycheproof collects common errors: https://github.com/google/wycheproof
- Formal modelling of APIs discovered errors both in the use of crypto (re-use of IVs, deterministic "RNGs", low iteration counts in key derivation) and in key management:
  1) PKCS#11 (Delaune et al., 2010)
  2) WebCrypto (Halpin et al., 2016)
  3) YubiKeys (Künnemann and Steel, 2012)

API Problems
- APIs are designed by standards committees, which usually results in errors.
- OpenSSL has many competitors: BoringSSL, wolfSSL, PolarSSL, GnuTLS, etc.
- The situation gets even worse with IPsec and VPN libraries.
- See composable libraries such as the Noise Protocol (used in WhatsApp's Signal implementation): http://noiseprotocol.org/

What is the Ideal API?
- Flexible: can be a drop-in replacement for OpenSSL, if possible, for legacy software. Problem: deprecating broken primitives (MD5, etc.). How to force the move from RSA to ECC?
- Safe defaults: if parameters are not specified, use safe defaults (box/unbox in NaCl/libsodium) for key sizes and parameters. Who decides the defaults? Issues with the ECRYPT report, NIST, CFRG updates, random, etc.
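As an added example (not from the slides, nor from NaCl, libsodium or any library named here), the safe-defaults point above and the IV re-use error listed under common API errors, side by side in Python: a low-level encrypt call whose caller picks the nonce, and a box/unbox-style wrapper that chooses a fresh nonce itself and authenticates the result. The stream cipher is a constructed HMAC-SHA256 counter-mode stand-in, and every function name is made up for the illustration.

```python
import hashlib, hmac, secrets

# Constructed stand-in for a real stream cipher: keystream = HMAC-SHA256(key, nonce || counter).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Low-level API: the caller picks the nonce and gets no integrity protection.
def encrypt_raw(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return _xor(plaintext, _keystream(key, nonce, len(plaintext)))

# The IV re-use error from the slides: a repeated nonce makes c1 XOR c2 equal p1 XOR p2.
def nonce_reuse_leaks(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    c1, c2 = encrypt_raw(key, nonce, p1), encrypt_raw(key, nonce, p2)
    return _xor(c1, c2) == _xor(p1, p2)

# box/unbox-style API: nonce chosen internally, carried with the ciphertext, and
# authenticated together with it (encrypt-then-MAC with separately derived subkeys).
NONCE_LEN, TAG_LEN = 24, 32

def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def box(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)       # caller never touches the nonce
    ct = encrypt_raw(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unbox(key: bytes, sealed: bytes) -> bytes:
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    if len(sealed) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed box too short")
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time check before decrypting
        raise ValueError("authentication failed")
    return encrypt_raw(enc_key, nonce, ct)

def opens_cleanly(key: bytes, sealed: bytes) -> bool:
    try:
        return unbox(key, sealed) is not None
    except ValueError:
        return False
```

Two calls to box with the same key and plaintext yield different bytes, and any truncation, bit flip or wrong key is rejected before decryption; the raw API offers none of that.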

Next Steps and Discussion
- HACL* seems most mature, but there are lots of other tools.
- Trying to tackle full TLS 1.3 (including X.509): https://project-everest.github.io/
- Advanced functions needed, such as constant-time verification.
- Note the dependency on hardware.