a roadmap for high assurance cryptography
play

A Roadmap for High Assurance Cryptography Harry Halpin - PowerPoint PPT Presentation

Jan 01, 2024 •317 likes •490 views

A Roadmap for High Assurance Cryptography Harry Halpin harry.halpin@inria.fr @harryhalpin (Twitter) Thanks to Peter Schwabe (Radboud University) NEXTLEAP (nextleap.eu) Harry Halpin Harry.halpin@inria.fr Prosecco @harryhalpin High Assurance

  1. A Roadmap for High Assurance Cryptography Harry Halpin harry.halpin@inria.fr @harryhalpin (Twitter) Thanks to Peter Schwabe (Radboud University) NEXTLEAP (nextleap.eu) Harry Halpin Harry.halpin@inria.fr Prosecco @harryhalpin

  2. High Assurance is Needed More than Ever High Assurance Cryptography - 2

  3. Traditional Security Methodology ● Defining security goals ● Identifying trusted code base needed to achieve those goals ● Isolating the TCB from the rest of the code ● Implementing a well-defined interface (API) between TCB and rest of the code ● Assuring that the API's usag meets the security goals. High Assurance Cryptography

  4. Low vs. High Assurance Cryptography ● TCB has grown organically and mixed with non-TCB code → low assurance. ● TCB goes beyond crypto : kernels, drivers, etc. ● Crypto TCB implements security goals as primary function. ● So crypto should always be inside TCB ● API must maintain security goals High Assurance Cryptography

  5. How to Achieve High Assurance ? 1) Testing : Cheap but no guaranteed absence of vulnerabilities. 2) Auditing : Better, but requires many experts and also has no guarantees. Issues with scaling and expense. 3) Formal Verification : Guarantee of security properties via formal proofs of correctness and security. High Assurance Cryptography

  6. Do you really trust experts ? High Assurance Cryptography - 6

  7. Goal : Replace OpenSSL High Assurance Cryptography - 7

  8. Formal Verification is slow OpenSSL has hand-optimized assembly per micro- architecture. Multiple carry bugs in big-integer arithmetic ! (Brumley et al., CT RSA 2012) Formal verification does not usually translate to running code, so we are proving only a model of the code (often in Coq, DeepSpec, etc.), not the running code itself. High Assurance Cryptography

  9. Fstar : Creates Running Code Formal verification done via lemmas via a dependent type system. https://www.fstar-lang.org/ Uses Kremlin to compile (with verification) from F* to Ocaml to CompCert C (and eventually Javascript). HACL* Library : Initially focussed on Curve25519 DH and EdDSA, now includes stream ciphers (Chacha20, Salsa20, XSalsa20), MACs (Poly1305, HMAC) Used in Mozilla's NSS now (2017). High Assurance Cryptography

  10. Mozilla and Fstar High Assurance Cryptography - 10

  11. Challenge : Speed and Verification Hand-optimized code almost always faster and amount of annotations dwarfs code Solution : Formally verify a LLVM (low-level virtual machine) that can create optimized micro-code per architecture See Jasmin (descendant of Qhasm): https://github.com/jasmin-lang/jasmin Proofs of equivalence between optimized Jasmin and Compert C – GVerif : https://gfverif.cryptojedi.org/ High Assurance Cryptography ●

  12. Developer-Resistant API : Cryptographic API : is used by programmers to access cryptographic primitives and control cryptographic key material as needed in their applications and higher level protocols. Security API : Set of functions that maintain security properties regardless of usage of API. 88 % of errors caused by API usage in Android (Egele et. al., 2013) High Assurance Cryptography

  13. Common API Errors : Cross API : Google's Project Wycheproof collects common errors https://github.com/google/wycheproof Formal modelling of APIs discovered errors in both use of crypto (re-use of IVs, deterministic « RNGs », low amount of iterations in key derivation) as well as key management : 1) PKCS#11 (Delaune et al., 2010) 2) WebCrypto (Halpin et al., 2016) 3) YubiKeys (Kunneman and Steel, 2012) High Assurance Cryptography

  14. API Problems: APIs are designed by standards committee, usually results in errors. OpenSSL has many competitors : BoringSSL, WolfSSL, PolarSSL, GNUTLS, etc. Situation gets even worse with IPSec and VPN libraries. See composable libraries such as Noise Protocol (used in WhatsApp Signal implementation) http://noiseprotocol.org/ High Assurance Cryptography

  15. What is the ideal API ? ● Flexible : Can be drop-in replacement for OpenSSL if possible for legacy software ● Problem : Deprecating broken primitives (MD5, etc.) How to force move from RSA to ECC ? ● Safe Defaults : If defaults are not specified, use safe defaults (box/unbox in NaCL/libsodium) with key sizes and parameters. ● Who decides the defaults ? Issues with E-CRYPT report, NIST, CFRG updates random, etc. High Assurance Cryptography

  16. Next Steps and Discussion ● HACL* seems most mature, but lots of other tools ● Trying to tackle full TLS 1.3 (including X.509) : https://project-everest.github.io/ ● Advanced functions needed, such as constant time verification. Note dependency on hardware. High Assurance Cryptography

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles Barthe Arthur Blot Benjamin Grgoire Vincent Laporte Tiago Oliveira Hugo Pacheco Benedick Schmidt Pierre-Yves Strub CCS17 2017-11-02

440 views • 31 slides
CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410

CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410

1 CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410 Ken Birman, Cornell University High Assurance in Cloud Settings 2 A wave of applications that need high assurance is fast approaching

672 views • 40 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 3 Roadmap of the Course:

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 3 Roadmap of the Course:

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 3 Roadmap of the Course: Worlds in Crypto Cryptomania: Public-key Lecture 7-10, encryption Minicrypt: Zero- Knowledge Lecture 2-6, 11-12 proofs PRP Digital Bit

647 views • 43 slides
Data Assurance in Opaque Computations High Assurance Systems Engineering Guy Haworth

Data Assurance in Opaque Computations High Assurance Systems Engineering Guy Haworth

Data Assurance in Opaque Computations High Assurance Systems Engineering Guy Haworth guy.haworth@bnc.oxon.org 1 Data Assurance - ACG12, 2009-05-11 Topics Motivation Systems Engineering Cycle Definition: the Problem Domain and the

824 views • 27 slides
Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory

Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory

Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory Center for High-Assurance Computer Systems http:/ / chacs.nrl.navy.mil Xenon Xen Beyond Buffer Overflows high-assurance Policy flaws Use the

565 views • 24 slides
A High-Level Overview of Cryptography Daniel Bosk School of Computer Science and Communication,

A High-Level Overview of Cryptography Daniel Bosk School of Computer Science and Communication,

Introduction Shared-key cryptography Public-key cryptography More counter-intuitive things References A High-Level Overview of Cryptography Daniel Bosk School of Computer Science and Communication, KTH Royal Institute of Technology,

1.58k views • 145 slides
High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B.

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B.

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B. Almeida, M. Barbosa, G. Barthe, B. Grgoire, A. Koutsos , V. La- porte, T. Oliveira, P-Y. Strub Octobre 9th, 2019 1 Context 2 Context Cryptographic

985 views • 57 slides
Usable High-Assurance Operating Systems Doug McIlroy Sean Smith Sergey Bratus Alex Ferguson

Usable High-Assurance Operating Systems Doug McIlroy Sean Smith Sergey Bratus Alex Ferguson

Usable High-Assurance Operating Systems Doug McIlroy Sean Smith Sergey Bratus Alex Ferguson Motivation Available high-assurance systems have large monolithic policies Hard to write and maintain Crafted by trial and error E.g.:

455 views • 16 slides
Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the

Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the

Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the Programatica team WG2.8 08 1 Functional Languages for High- Assurance Applications Goal: rely on properties of functional languages to

774 views • 59 slides
MATERIALS AND TESTING QUALITY ASSURANCE QUALITY ASSURANCE What is Quality Assurance? Why

MATERIALS AND TESTING QUALITY ASSURANCE QUALITY ASSURANCE What is Quality Assurance? Why

Luanna Cambas, P.E. LADOTD District 02 Lab Engineer Jason Davis, P.E. LADOTD Field Quality Assurance Administrator MATERIALS AND TESTING QUALITY ASSURANCE QUALITY ASSURANCE What is Quality Assurance? Why needed? Sampling &

1.01k views • 63 slides
HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography & http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

273 views • 24 slides
High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce elliptic-curve formulas cryptographic security levels or give up on cryptography. Daniel J. Bernstein University of Illinois at Chicago & Example 1

1.55k views • 138 slides
Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of

Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of

Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of captured and coded data Quality assurance of downstream processes (including data security and integrity) Quality assurance of population counts,

129 views • 12 slides
High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University of Illinois at Chicago Professor, Cryptographic Implementations, Technische Universiteit Eindhoven Tanja Lange Professor, Coding and Cryptology,

288 views • 17 slides
Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for

Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for

Software Assurance Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for software Particularly assurance of security Bad (buggy, insecure software) comes not from discrete, unpredictable,

561 views • 18 slides
High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working systems Daniel J. Bernstein Cryptanalytic University of Illinois at Chicago & algorithm designers Technische Universiteit Eindhoven Unbroken

1.49k views • 145 slides
Image processing & analysis with MATLAB: an overview Nicolas ROUGON ARTEMIS Department

Image processing & analysis with MATLAB: an overview Nicolas ROUGON ARTEMIS Department

IMA 4509 Visual content analysis Image processing & analysis with MATLAB: an overview Nicolas ROUGON ARTEMIS Department Motivations M ATLAB : an industry standard for rapidly testing new ideas & prototyping applications

405 views • 40 slides
Input-and-state observability of structured network systems Federica GARIN (INRIA Grenoble,

Input-and-state observability of structured network systems Federica GARIN (INRIA Grenoble,

Input-and-state observability of structured network systems Federica GARIN (INRIA Grenoble, France) Lund LCCC seminar, June 7 th , 2017 My current research interests Privacy and security of cyber-physical systems: - Input-and-state

338 views • 33 slides
Ensemble method for supervised learning Using an explicit loss function Ricco RAKOTOMALALA

Ensemble method for supervised learning Using an explicit loss function Ricco RAKOTOMALALA

Ensemble method for supervised learning Using an explicit loss function Ricco RAKOTOMALALA Universit Lumire Lyon 2 Ricco Rakotomalala 1 Tutoriels Tanagra - http://tutoriels-data-mining.blogspot.fr/ Outline 1. Preamble 2. Gradient

488 views • 28 slides
Green Days @ Toulouse Segment Routing based Traffjc Engineering for Energy Effjcient Backbone

Green Days @ Toulouse Segment Routing based Traffjc Engineering for Energy Effjcient Backbone

Green Days @ Toulouse Segment Routing based Traffjc Engineering for Energy Effjcient Backbone Networks Radu Crpa, Olivier Glck, Laurent Lefvre radu.carpa@ens-lyon.fr 16 / 03 / 2015 INRIA AVALON / LIP Ecole Normale CHIST -ERA STAR

584 views • 25 slides
Bringing ECOFEN to OMNeT++ Radu Crpa radu.carpa@ens-lyon.fr INRIA AVALON / LIP Ecole Normale

Bringing ECOFEN to OMNeT++ Radu Crpa radu.carpa@ens-lyon.fr INRIA AVALON / LIP Ecole Normale

Bringing ECOFEN to OMNeT++ Radu Crpa radu.carpa@ens-lyon.fr INRIA AVALON / LIP Ecole Normale Suprieure de Lyon ECOFEN Module for the NS-3 network simulator Energy Model: measure the energy consumption Nodes Interfaces

702 views • 8 slides
Available Processes Process Name Process Feature C18A6 0.18 CMOS H18A6 0.18 HV-CMOS

Available Processes Process Name Process Feature C18A6 0.18 CMOS H18A6 0.18 HV-CMOS

C ircuits M ulti- P rojets Technology Processes & Runs in 2015 MPW Services Center for IC / MEMS Prototyping http://cmp.imag.fr Grenoble - France CMP annual users meeting, 4 Feb. 2016, PARIS Available Processes Process Name Process

440 views • 15 slides
analyses in teacher-training Ciara R. Wigham & Thierry Chanier ICAR, Universit Lyon 2 LRL,

analyses in teacher-training Ciara R. Wigham & Thierry Chanier ICAR, Universit Lyon 2 LRL,

Pedagogical corpora as a means to reuse research data and analyses in teacher-training Ciara R. Wigham & Thierry Chanier ICAR, Universit Lyon 2 LRL, Clermont Universit 16th International CALL Conference, 7-10 July2014, Antwerp -

592 views • 18 slides
Timing analysis of sensors voting using IF Omega workshop Grenoble February 17, 2005 Meir

Timing analysis of sensors voting using IF Omega workshop Grenoble February 17, 2005 Meir

OMEGA OMEGA IST-2001 - Project 33522 IST-2001-33522 Timing analysis of sensors voting using IF Omega workshop Grenoble February 17, 2005 Meir Zenou 1 OMEGA Workshop - Grenoble, February 17, 2005 OMEGA OMEGA System overview

531 views • 17 slides

More recommend