HACL* in Mozilla Firefox Formal methods and high assurance applications for the web

Similar documents
A Roadmap for High Assurance Cryptography

Authenticated Encryption in TLS

State of TLS usage current and future. Dave Thompson

Formal Methods at Scale in Microsoft

VERIFICATION OF CRYPTO PRIMITIVES MIND THE GAPS. Lennart Beringer, Princeton University

Verifying Real-World Security Protocols from finding attacks to proving security theorems

Coming of Age: A Longitudinal Study of TLS Deployment

HACL : A Verified Modern Cryptographic Library

Ref:

CSE 127: Computer Security Cryptography. Kirill Levchenko

History. TLS 1.3 Draft 26 Supported in TMOS v14.0.0

APNIC elearning: Cryptography Basics

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications. International Crypto Module Conference May 19, 2017

Uses of Cryptography

The libpqcrypto software library for post-quantum cryptography

WAP Security. Helsinki University of Technology S Security of Communication Protocols

NIST Cryptographic Toolkit

What s new in TLS 1.3 (and OpenSSL as a result) Rich Salz

From Crypto to Code. Greg Morrisett

How Formal Analysis and Verification Add Security to Blockchain-based Systems

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

Protocol Integration and Implementation Problems

Deploying a New Hash Algorithm. Presented By Archana Viswanath

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Protecting TLS from Legacy Crypto

Cryptographic Concepts

Updates: 2409 May 2005 Category: Standards Track. Algorithms for Internet Key Exchange version 1 (IKEv1)

The libpqcrypto software library for post-quantum cryptography

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

*the Everest VERified End-to-end Secure Transport. Verified Secure Implementations for the HTTPS Ecosystem mitls & Everest*

Crypto Background & Concepts SGX Software Attestation

SMPTE Standards Transition Issues for NIST/FIPS Requirements

Update on NIST Post-Quantum Cryptography Standardization. Lily Chen National Institute of Standards and Technology USA

IPSec Transform Set Configuration Mode Commands

Cryptography (Overview)

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

A messy state of the union:

Encryption. INST 346, Section 0201 April 3, 2018

Cryptography and the Common Criteria (ISO/IEC 15408) by Kirill Sinitski

Security with VA Smalltalk

(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

Comparison of SSL/TLS libraries based on Algorithms/languages supported, Platform, Protocols and Performance. By Akshay Thorat

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

ECE 646 Fall 2015 Term Project. Overview, comparison of open crypto libraries for application development. By Ravi Kota

CS Computer Networks 1: Authentication

Implementing Cryptography: Good Theory vs. Bad Practice

FIPS Security Policy

IPSec Transform Set Configuration Mode Commands

(2½ hours) Total Marks: 75

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG

for Compound Authentication

Lecture 1 Applied Cryptography (Part 1)

Post-Quantum Cryptography A Collective Challenge

DROWN - Breaking TLS using SSLv2

Cipher Suite Configuration Mode Commands

OPTIMIZED CRYPTOGRAPHY COMPONENTS FOR CONSTRAINED ENVIRONMENTS. RSA BSAFE Crypto Kernel. Solution Brief

FIPS Security Policy UGS Teamcenter Cryptographic Module

Information Security CS 526

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Chapter 8 Web Security

Introduction to Public-Key Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Lecture 7 - Applied Cryptography

32c3. December 28, Nick goto fail;

Technological foundation

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

CrypTech. October 2018 Barcelona

Spring 2010: CS419 Computer Security

IEEE Std and IEEE Std 1363a Ashley Butterworth Apple Inc.

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Cryptography: More Primitives

Computer Security: Principles and Practice

CS408 Cryptography & Internet Security

FIPS Non-Proprietary Security Policy

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Securing Internet Communication: TLS

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Introduction and Overview. Why CSCI 454/554?

Lecture 2 Applied Cryptography (Part 2)

8/30/17. Introduction to Post-Quantum Cryptography. Features Required from Today s Ciphers. Secret-key (Symmetric) Ciphers

Requirements from the. Functional Package for Transport Layer Security (TLS)

Automotive Security An Overview of Standardization in AUTOSAR

E-commerce security: SSL/TLS, SET and others. 4.1

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic

There are numerous Python packages for cryptography. The most widespread is maybe pycrypto, which is however unmaintained since 2015, and has

Cryptography Functions

PKCS #11 Message-Based Encryption and Decryption

Selection of Cryptographic Algorithms, Post-Quantum Cryptography: ANSSI Views

no more downgrades: protec)ng TLS from legacy crypto

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Overview of TLS v1.3 What s new, what s removed and what s changed?

Encryption Everywhere

Decentralised Communication: The challenge of balancing interoperability and privacy.

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Transcription:

HACL* in Mozilla Firefox Formal methods and high assurance applications for the web B. Beurdouche K. Bhargavan J. Protzenko J-K. Zinzindohoué (Project Everest) F. Kiefer E. Rescorla T. Taubert M. Thomson (Mozilla) Real World Crypto 2018

Let s focus on Crypto[graphy]!

Implementing cryptography is difficult Memory Safety (think Heartbleed) Side channels (think Lucky 13) Functional correctness

Functional correctness is difficult [2016] Integer overflow in OpenSSL s Poly1305

Implementing is hard for everyone [2014] TweetNaCl [2014] Curve25519-Donna Even for very skilled programmers or cryptographers!

Network Security Services (NSS) library Multi product security library Joint effort from Mozilla, RedHat Security Library for Firefox in C/C++ Used in RHEL, Fedora, BSDs Large number of primitives Both recent and legacy primitives for interoperability Higher level components Protocols (TLS ) Cryptographic APIs (WebCrypto, PKCS...) 6

Redesigning NSS NSS is old, there is a lot of legacy code How can we make NSS more modern and get higher confidence in its correctness? There was no clear way on how to get there... - Clean room redesign à la BoringSSL - More money?! More hiring?! Decision - Improve step-by-step the confidence in code correctness using formal verification 7

Research challenge from the OpenSSL team Emilia Kasper, Real World Crypto (2015)

Formal methods inbound Recent academic developments for Cryptography "Automated Verification of Real-World Cryptographic Implementations", Aaron Tomb, IEEE Security & Privacy, vol. 14, no., pp. 26-33, Nov.-Dec. 2016

What kind of verification and how? Assembly, C or High-Level Languages? Code generation or Verification of existing code? 10

CCS 2017 - https://eprint.iacr.org/2017/536

F* verification workflow Trusted Library (F*) Crypto Standard (RFC, NIST ) Spec (F*) Code (F*) State-of-the-art code (C) Memory safety Functional correctness Secret independence Verify (F*) failure Potential bug success Compile (KreMLin) failure Cannot be compiled to C success Verified Code (C) Correctness theorem [ICFP2017]

HACL* - High Assurance Crypto Library CCS 2017 - https://eprint.iacr.org/2017/536 Formal verification can scale up! Low* Functionalities Hash function (SHA-2) Message authentication (HMAC, Poly1305) Symmetric ciphers (Chacha20, Salsa20) Key Exchange algorithm (Curve25519) Signature scheme (Ed25519) AEAD (Chacha20Poly1305) 13

Specification for Poly1305

How does the stateful code and proofs look like? 15

Low* code C code Low* Poly1305 compiled to C

HACL* in Mozilla Firefox

HACL* in Mozilla Firefox Firefox 57 "Quantum" was a major release for Mozilla Includes verified cryptography from HACL* (Curve25519) Firefox Nightly already has more Chacha20 and Poly1305 Next batch of primitives on its way Vectorized Chacha20Poly1305 + Ed25519 SHA2 + HMAC + HKDF RSA_PSS + P256

How does one go from an academic project to production code in the industry?? 19

Integration process constraints Performance Reducing performance is not acceptable (in general) Code integration Readable, reviewable code Toolchain integration Insert verification into the current dev. workflow Deployment and support NSS runs on almost everything API and ABI stability 20

HACL* Performance (C code) CPU cycles/byte Lower is better Encrypt, Hash, or MAC 16KB 1 Diffie-Hellman Sign, verify 16KB +20 % faster than previous NSS code

Code review (Phabricator) Removing empty branches, unreachable code 22

Improving code quality Better variable naming Removing intermediate variables 23

HACL* verification toolchain in NSS CI (treeherder)

Supporting multiple platforms Large number of supported platforms CI does not support all platforms Trusted code base is a problem Some bugs can be introduced by contributors

A common workflow Write F* spec & code success success Prove Low* code Extract to C and Test success Verified Code (C) failure failure success Format and Audit CI Verification and Tests success Production failure failure

What s next? The future of NSS Removing more obsolete code Mixing-in other formal methods Integrate formally verified assembly Verifying parsers and protocols The future of HACL* Implement new primitives Reduce proof effort and verification time Reduce trust in our tools (verify KreMLin, F* ) Support more platforms (WASM, RIOT ) 27

Use it! Test it! Break it! (NSS crypto is eligible to Mozilla s bug bounty program) Project Everest Get in touch! @beurdouche benjamin.beurdouche@inria.fr 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback