cryptographic software engineering part 1 daniel j
play

Cryptographic software engineering, part 1 Daniel J. Bernstein - PDF document

Aug 19, 2023 •166 likes •810 views

1 Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take general principles of software engineering. 2. Apply principles to crypto. Lets try some examples : : : 2 1972 Parnas On the criteria to

  1. 1 Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take general principles of software engineering. 2. Apply principles to crypto. Let’s try some examples : : :

  2. 2 1972 Parnas “On the criteria to be used in decomposing systems into modules”: “We propose instead that one begins with a list of difficult design decisions or design decisions which are likely to change. Each module is then designed to hide such a decision from the others.” e.g. If number of cipher rounds is properly modularized as #define ROUNDS 20 then it is easy to change.

  3. 3 Another general principle of software engineering: Make the right thing simple and the wrong thing complex.

  4. 3 Another general principle of software engineering: Make the right thing simple and the wrong thing complex. e.g. Make it difficult to ignore invalid authenticators.

  5. 3 Another general principle of software engineering: Make the right thing simple and the wrong thing complex. e.g. Make it difficult to ignore invalid authenticators. Do not design APIs like this: “The sample code used in this manual omits the checking of status values for clarity, but when using cryptlib you should check return values, particularly for critical functions : : : ”

  6. 4 Not so easy: Timing attacks 1970s: TENEX operating system compares user-supplied string against secret password one character at a time, stopping at first difference: • AAAAAA vs. FRIEND : stop at 1. • FAAAAA vs. FRIEND : stop at 2. • FRAAAA vs. FRIEND : stop at 3.

  7. 4 Not so easy: Timing attacks 1970s: TENEX operating system compares user-supplied string against secret password one character at a time, stopping at first difference: • AAAAAA vs. FRIEND : stop at 1. • FAAAAA vs. FRIEND : stop at 2. • FRAAAA vs. FRIEND : stop at 3. Attacker sees comparison time, deduces position of difference. A few hundred tries reveal secret password.

  8. 5 How typical software checks 16-byte authenticator: for (i = 0;i < 16;++i) if (x[i] != y[i]) return 0; return 1;

  9. 5 How typical software checks 16-byte authenticator: for (i = 0;i < 16;++i) if (x[i] != y[i]) return 0; return 1; Fix, eliminating information flow from secrets to timings: diff = 0; for (i = 0;i < 16;++i) diff |= x[i] ^ y[i]; return 1 & ((diff-1) >> 8); Notice that the language makes the wrong thing simple and the right thing complex.

  10. 6 Language designer’s notion of “right” is too weak for security. So mistakes continue to happen.

  11. 6 Language designer’s notion of “right” is too weak for security. So mistakes continue to happen. One of many examples, part of the reference software for one of the CAESAR candidates: /* compare the tag */ int i; for(i = 0;i < CRYPTO_ABYTES;i++) if(tag[i] != c[(*mlen) + i]){ return RETURN_TAG_NO_MATCH; } return RETURN_SUCCESS;

  12. 7 Do timing attacks really work? Objection: “Timings are noisy!”

  13. 7 Do timing attacks really work? Objection: “Timings are noisy!” Answer #1: Does noise stop all attacks? To guarantee security, defender must block all information flow.

  14. 7 Do timing attacks really work? Objection: “Timings are noisy!” Answer #1: Does noise stop all attacks? To guarantee security, defender must block all information flow. Answer #2: Attacker uses statistics to eliminate noise.

  15. 7 Do timing attacks really work? Objection: “Timings are noisy!” Answer #1: Does noise stop all attacks? To guarantee security, defender must block all information flow. Answer #2: Attacker uses statistics to eliminate noise. Answer #3, what the 1970s attackers actually did: Cross page boundary, inducing page faults, to amplify timing signal.

  16. 8 Defenders don’t learn Some of the literature: 1996 Kocher pointed out timing attacks on cryptographic key bits. Briefly mentioned by Kocher and by 1998 Kelsey– Schneier–Wagner–Hall: secret array indices can affect timing via cache misses. 2002 Page, 2003 Tsunoo–Saito– Suzaki–Shigeri–Miyauchi: timing attacks on DES.

  17. 9 “Guaranteed” countermeasure: load entire table into cache.

  18. 9 “Guaranteed” countermeasure: load entire table into cache. 2004.11/2005.04 Bernstein: Timing attacks on AES. Countermeasure isn’t safe; e.g., secret array indices can affect timing via cache-bank collisions. What is safe: kill all data flow from secrets to array indices.

  19. 9 “Guaranteed” countermeasure: load entire table into cache. 2004.11/2005.04 Bernstein: Timing attacks on AES. Countermeasure isn’t safe; e.g., secret array indices can affect timing via cache-bank collisions. What is safe: kill all data flow from secrets to array indices. 2005 Tromer–Osvik–Shamir: 65ms to steal Linux AES key used for hard-disk encryption.

  20. 10 Intel recommends, and OpenSSL integrates, cheaper countermeasure: always loading from known lines of cache.

  21. 10 Intel recommends, and OpenSSL integrates, cheaper countermeasure: always loading from known lines of cache. 2013 Bernstein–Schwabe “A word of warning”: This countermeasure isn’t safe. Variable-time lab experiment. Same issues described in 2004.

  22. 10 Intel recommends, and OpenSSL integrates, cheaper countermeasure: always loading from known lines of cache. 2013 Bernstein–Schwabe “A word of warning”: This countermeasure isn’t safe. Variable-time lab experiment. Same issues described in 2004. 2016 Yarom–Genkin–Heninger “CacheBleed” steals RSA secret key via timings of OpenSSL.

  23. 11 2008 RFC 5246 “The Transport Layer Security (TLS) Protocol, Version 1.2”: “This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal.”

  24. 11 2008 RFC 5246 “The Transport Layer Security (TLS) Protocol, Version 1.2”: “This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal.” 2013 AlFardan–Paterson “Lucky Thirteen: breaking the TLS and DTLS record protocols”: exploit these timings; steal plaintext.

  25. 12 How to write constant-time code If possible, write code in asm to control instruction selection. Look for documentation identifying variability: e.g., “Division operations terminate when the divide operation completes, with the number of cycles required dependent on the values of the input operands.” Measure cycles rather than trusting CPU documentation.

  26. 13 Cut off all data flow from secrets to branch conditions. Cut off all data flow from secrets to array indices. Cut off all data flow from secrets to shift/rotate distances. Prefer logic instructions. Prefer vector instructions. Watch out for CPUs with variable-time multipliers: e.g., Cortex-M3 and most PowerPCs.

  27. 14 Suppose we know (some) const-time machine instructions. Suppose programming language has “ secret ” types. Easy for compiler to guarantee that secret types are used only by const-time instructions. Proofs of concept: Valgrind (uninitialized data as secret ), ctgrind, ct-verif, FlowTracker.

  28. 14 Suppose we know (some) const-time machine instructions. Suppose programming language has “ secret ” types. Easy for compiler to guarantee that secret types are used only by const-time instructions. Proofs of concept: Valgrind (uninitialized data as secret ), ctgrind, ct-verif, FlowTracker. How can we implement, e.g., sorting of a secret array?

  29. 15 Eliminating branches Let’s try sorting 2 integers. Assume int32 is secret .

  30. 15 Eliminating branches Let’s try sorting 2 integers. Assume int32 is secret . void sort2(int32 *x) { int32 x0 = x[0]; int32 x1 = x[1]; if (x1 < x0) { x[0] = x1; x[1] = x0; } }

  31. 15 Eliminating branches Let’s try sorting 2 integers. Assume int32 is secret . void sort2(int32 *x) { int32 x0 = x[0]; int32 x1 = x[1]; if (x1 < x0) { x[0] = x1; x[1] = x0; } } Unacceptable: not constant-time.

  32. 16 void sort2(int32 *x) { int32 x0 = x[0]; int32 x1 = x[1]; if (x1 < x0) { x[0] = x1; x[1] = x0; } else { x[0] = x0; x[1] = x1; } }

  33. 16 void sort2(int32 *x) { int32 x0 = x[0]; int32 x1 = x[1]; if (x1 < x0) { x[0] = x1; x[1] = x0; } else { x[0] = x0; x[1] = x1; } } Safe compiler won’t allow this. Branch timing leaks secrets.

  34. 17 void sort2(int32 *x) { int32 x0 = x[0]; int32 x1 = x[1]; int32 c = (x1 < x0); x[0] = (c ? x1 : x0); x[1] = (c ? x0 : x1); }

  35. 17 void sort2(int32 *x) { int32 x0 = x[0]; int32 x1 = x[1]; int32 c = (x1 < x0); x[0] = (c ? x1 : x0); x[1] = (c ? x0 : x1); } Syntax is different but “ ?: ” is a branch by definition: if (x1 < x0) x[0] = x1; else x[0] = x0; if (x1 < x0) x[1] = x0; else x[1] = x1;

  36. 18 void sort2(int32 *x) { int32 x0 = x[0]; int32 x1 = x[1]; int32 c = (x1 < x0); x[c] = x0; x[1 - c] = x1; }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptographic software engineering, part 2 Daniel J. Bernstein Previous part: General

Cryptographic software engineering, part 2 Daniel J. Bernstein Previous part: General

1 Cryptographic software engineering, part 2 Daniel J. Bernstein Previous part: General software engineering. Using const-time instructions. 2 Software optimization Almost all software is much slower than it could be. 2 Software

1.03k views • 100 slides
Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take

1 Cryptographic software engineering, part 1 Daniel J. Bernstein This is easy, right? 1. Take general principles of software engineering. 2. Apply principles to crypto. Lets try some examples : : : 2 1972 Parnas On the criteria to

1.15k views • 86 slides
Cryptographic 1972 Parnas On the criteria software engineering, to be used in decomposing

Cryptographic 1972 Parnas On the criteria software engineering, to be used in decomposing

1 2 Cryptographic 1972 Parnas On the criteria software engineering, to be used in decomposing part 1 systems into modules: Daniel J. Bernstein We propose instead that one begins with a list of difficult design decisions or This

1.6k views • 143 slides
Does cryptographic software work correctly? 1. The scale of the problem Daniel J. Bernstein

Does cryptographic software work correctly? 1. The scale of the problem Daniel J. Bernstein

Does cryptographic software work correctly? 1. The scale of the problem Daniel J. Bernstein University of Illinois at Chicago; Ruhr University Bochum CVE-2018-0733, an OpenSSL bug Because of an implementation bug the PA-RISC CRYPTO_memcmp

1.32k views • 106 slides
Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes

1 2 Usable verification of terminal fast cryptographic software Daniel J. Bernstein processes files University of Illinois at Chicago &amp; Technische Universiteit Eindhoven RAM disk Operating-system kernel divides RAM among processes,

1.32k views • 100 slides
Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an

Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an

Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an OpenSSL bug Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit

670 views • 44 slides
Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software

Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software

Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software Developer at the company Tieto Recently done Master Thesis on the

940 views • 82 slides
Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction

Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction

Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction Software vs Hardware Support Hardware Acceleration Solutions Processor Extensions for Security Basic Cyphering Part II Symmetric vs Asymmetric

1.14k views • 21 slides
A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and

A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and

A Family of Fast Syndrome Based Cryptographic Hash Functions Daniel Augot, Matthieu Finiasz and Nicolas Sendrier Part I General Facts about Hash Functions The Merkle-Damg ard construction D Padding + length n n n o o o i i i s s

393 views • 25 slides
Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing

Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing

Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing your Experiment Massimiliano Di Penta University of Sannio, Italy Outline Empirical studies in software engineering Different kinds of

1.62k views • 146 slides
EECS 4314 Advanced Software Engineering Topic 13: Software Performance Engineering Zhen Ming

EECS 4314 Advanced Software Engineering Topic 13: Software Performance Engineering Zhen Ming

EECS 4314 Advanced Software Engineering Topic 13: Software Performance Engineering Zhen Ming (Jack) Jiang Acknowledgement Adam Porter Ahmed Hassan Daniel Menace David Lilja Derek Foo Dharmesh Thakkar James Holtman

1.5k views • 81 slides
Using software trails to recover the evolution of software 3rd ELISA 2003 Daniel M. German

Using software trails to recover the evolution of software 3rd ELISA 2003 Daniel M. German

Using software trails to recover the evolution of software 3rd ELISA 2003 Daniel M. German Software Engineering Group University of Victoria, Canada September 23, 2003 Version: 1.0.0 1 Introduction By using tools that become vital to the

490 views • 23 slides
How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

1 How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for funding this work, and for not reviewing these slides in advance. PRESERVE, ending 2015.06.30, was a European project Preparing Secure

491 views • 32 slides
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July 18, 2014 Motivation Cryptography is a small but important part of security Proofs are a small but important part of cryptography Hard to

402 views • 17 slides
Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is

Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is

Software Engineering Software Applications A.Y. 2020/2021 What is software engineering? What is software engineering? An engineering discipline that is concerned with all aspects of software production from the early stages of system

676 views • 29 slides
eXtended eXternal Benchmarking eXtension (XXBX) Jens-Peter Kaps Cryptographic Engineering

eXtended eXternal Benchmarking eXtension (XXBX) Jens-Peter Kaps Cryptographic Engineering

Introduction &amp; Motivation XXBX Hardware XXBX Software Conclusions and Future Work eXtended eXternal Benchmarking eXtension (XXBX) Jens-Peter Kaps Cryptographic Engineering Research Group (CERG) http://cryptography.gmu.edu Department of

738 views • 42 slides
Automata and nested recurrences Jeffrey Shallit School of Computer Science University of

Automata and nested recurrences Jeffrey Shallit School of Computer Science University of

Automata and nested recurrences Jeffrey Shallit School of Computer Science University of Waterloo Waterloo, Ontario N2L 3G1 Canada shallit@cs.uwaterloo.ca http://www.cs.uwaterloo.ca/~shallit Joint work with Jean-Paul Allouche. 1 / 22

378 views • 22 slides
JUST THE MATHS SLIDES NUMBER 16.10 Z-TRANSFORMS 3 (Solution of linear difference

JUST THE MATHS SLIDES NUMBER 16.10 Z-TRANSFORMS 3 (Solution of linear difference

JUST THE MATHS SLIDES NUMBER 16.10 Z-TRANSFORMS 3 (Solution of linear difference equations) by A.J.Hobson 16.10.1 First order linear difference equations 16.10.2 Second order linear difference equations UNIT 16.10 - Z TRANSFORMS 3

217 views • 8 slides
Combining Difference-in-difference and Matching for Panel Data Analysis Weihua An Departments of

Combining Difference-in-difference and Matching for Panel Data Analysis Weihua An Departments of

Combining Difference-in-difference and Matching for Panel Data Analysis Weihua An Departments of Sociology and Statistics Indiana University July 28, 2016 1 / 15 Research Interests Network Analysis Social influence and networks

290 views • 15 slides
Direct and Partial Variation MPM1D: Principles of Mathematics Recap Classify each graph as a

Direct and Partial Variation MPM1D: Principles of Mathematics Recap Classify each graph as a

p r o p e r t i e s o f l i n e a r r e l a t i o n s p r o p e r t i e s o f l i n e a r r e l a t i o n s Direct and Partial Variation MPM1D: Principles of Mathematics Recap Classify each graph as a direct or partial variation, and determine

58 views • 3 slides
EI331 Signals and Systems Lecture 4 Bo Jiang John Hopcroft Center for Computer Science Shanghai

EI331 Signals and Systems Lecture 4 Bo Jiang John Hopcroft Center for Computer Science Shanghai

EI331 Signals and Systems Lecture 4 Bo Jiang John Hopcroft Center for Computer Science Shanghai Jiao Tong University March 7, 2019 Contents 1. CT Unit Impulse Function 2. Systems 3. Basic System Properties 3.1 Memory 3.2 Invertibility

641 views • 31 slides
Gerrymand ndering of C City B Borders Noah J. Durst School of Planning, Design and

Gerrymand ndering of C City B Borders Noah J. Durst School of Planning, Design and

MUNICIPAL ANNEXATION AND THE Gerrymand ndering of C City B Borders Noah J. Durst School of Planning, Design and Construction Michigan State University Annexation from 2011 to 2018 The Gerrymanderi ring o of City Borders Selective ve A

103 views • 6 slides
Introduction to Graphs V = nodes. E = edges between pairs of nodes. Captures pairwise

Introduction to Graphs V = nodes. E = edges between pairs of nodes. Captures pairwise

Undirected graphs Notation. G = ( V , E ) Introduction to Graphs V = nodes. E = edges between pairs of nodes. Captures pairwise relationship between objects. Tyler Moore Graph size parameters: n = | V |, m = | E | . CS 2123, The

491 views • 10 slides
Static Analysis of OpenStream Programs Using polyhedral techniques to analyze interesting language

Static Analysis of OpenStream Programs Using polyhedral techniques to analyze interesting language

Static Analysis of OpenStream Programs Using polyhedral techniques to analyze interesting language subsets Alain Darte With Albert Cohen and Paul Feautrier CNRS, Compsys Laboratoire de lInformatique du Paralllisme cole normale

527 views • 26 slides

More recommend