Modern Session Encryption, David Wong (PowerPoint PPT Presentation)


  1. Modern Session Encryption David Wong

  2. Outline: 1. KECCAK  2. STROBE  3. NOISE  4. ???

  3. Sponge Construction [diagram: the state starts at 0; in the absorbing phase each input block is XORed (⊕) into the state with f applied after it, then in the squeezing phase output blocks are read out with f applied between them]

  4. Duplex Construction [diagram: init, then a chain of duplexing calls, each absorbing an input and producing an output, with f between them]

  5. Keyed-mode [diagram: the key is absorbed at init, followed by duplexing]

  6. Encryption? [same diagram as keyed-mode]

  7. Encryption [diagram: key absorbed at init; plaintext1 XORed (⊕) with the duplexing output gives ciphertext1]

  8. Authenticated Encryption [diagram: as slide 7, then a further duplexing call outputs tag1]

  9. Sessions [diagram: the same state keeps going: after the key, successive duplexing calls produce ciphertext1, tag1, ciphertext2, tag2]

  10. [diagram continued: ciphertext1 to ciphertext4 and tag1 to tag4 all come from one chain of duplexing calls on the same state]

  11. Outline: 1. KECCAK  2. STROBE

  12. Strobe functions [diagram of each operation on the duplex state, with its data, plaintext, ciphertext or tag]: AD, KEY, PRF, send_CLR, recv_CLR, send_ENC, recv_ENC, send_MAC, recv_MAC, RATCHET

  13. Strobe protocol example
      myProtocol = Strobe_init("myWebsite.com")
      myProtocol.AD(sharedSecret)
      buffer = myProtocol.send_ENC("GET /")
      buffer += myProtocol.send_MAC(len=16)
      // send the buffer
      // receive a ciphertext
      message = myProtocol.recv_ENC(ciphertext[:-16])
      ok = myProtocol.recv_MAC(ciphertext[-16:])
      if !ok {
        // reset the connection
      }

  14.
      buffer = myProtocol.send_ENC(plaintext1)
      buffer += myProtocol.send_MAC(len=16)
      // send the buffer
      buffer = myProtocol.send_ENC(plaintext2)
      buffer += myProtocol.send_MAC(len=16)
      // send the buffer
      buffer = myProtocol.send_ENC(plaintext3)
      buffer += myProtocol.send_MAC(len=16)
      // send the buffer
      buffer = myProtocol.send_ENC(plaintext4)
      buffer += myProtocol.send_MAC(len=16)
      // send the buffer

  15. Strobe
      • flexible framework to support a large number of protocols
      • large symmetric cryptography library

  16. Strobe as a Hash Function
      myHash = Strobe_init("david_wong_hash")
      myHash.AD("something to be hashed")
      hash = myHash.PRF(outputLen=32)
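As an added example (not code from the talk, nor from the STROBE or Disco projects), here is the duplex construction of slides 3 to 10 and the Strobe session of slides 13 to 16 in Python: a from-scratch Keccak-f[1600] as the f box, a plain sponge with SHA3 padding so the permutation can be checked against a known digest, and a toy keyed duplex session whose send_enc/send_mac and recv_enc/recv_mac calls keep one evolving state per peer, so each tag also covers all earlier traffic. It is a simplification of STROBE: the operation flags and padding STROBE absorbs before every operation are left out, and the 136-byte rate / 64-byte capacity split is an assumption.

```python
import hmac

RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000, 0x000000000000808B, 0x0000000080000001,
      0x8000000080008081, 0x8000000000008009, 0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
      0x000000000000800A, 0x800000008000000A, 0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61], [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
RATE = 136  # bytes of rate; the other 64 of the 200-byte state are the capacity (the SHA3-256 split, assumed here)
def rol(v, n): return ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF
def keccak_f(st):
    """Keccak-f[1600] in place on a 200-byte state: the 'f' box of the sponge and duplex slides."""
    A = [[int.from_bytes(st[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little") for y in range(5)] for x in range(5)]
    for rc in RC:
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]                       # theta
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        B = [[rol(A[(x + 3 * y) % 5][x], ROT[(x + 3 * y) % 5][x]) for y in range(5)] for x in range(5)]  # rho + pi
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]  # chi
        A[0][0] ^= rc                                                                                    # iota
    st[:] = b"".join(A[x][y].to_bytes(8, "little") for y in range(5) for x in range(5))
def absorb(st, data):
    """One duplexing call per rate-sized block: XOR the block into the rate, then apply f."""
    for off in range(0, len(data), RATE):
        for i, b in enumerate(data[off:off + RATE]):
            st[i] ^= b
        keccak_f(st)
def sha3_256(msg):
    """Plain sponge (absorb, then squeeze 32 bytes) with SHA3 padding, so f can be checked against a known digest."""
    pad = bytearray(b"\x06" + bytes((-len(msg) - 1) % RATE)); pad[-1] |= 0x80
    st = bytearray(200); absorb(st, msg + pad); return bytes(st[:32])

class DuplexSession:
    """Toy keyed duplex session: each peer keeps one evolving state, so every tag also covers all earlier traffic."""
    def __init__(self, key):
        self.st = bytearray(200); absorb(self.st, key)          # "init": the key is absorbed first
    def _crypt(self, data, decrypt):
        out = bytearray()
        for off in range(0, len(data), RATE):
            for i, b in enumerate(data[off:off + RATE]):
                out.append(self.st[i] ^ b)                       # rate XOR input: encrypts or decrypts
                self.st[i] = b if decrypt else out[-1]           # the ciphertext always ends up in the rate
            keccak_f(self.st)                                    # one duplexing call per block
        return bytes(out)
    def send_enc(self, pt): return self._crypt(pt, False)
    def recv_enc(self, ct): return self._crypt(ct, True)
    def send_mac(self, n=16):
        tag = bytes(self.st[:n]); self.st[:n] = bytes(n); keccak_f(self.st); return tag  # squeeze tag, zero it, advance
    def recv_mac(self, tag):
        n = len(tag); self.st[:n] = bytes(a ^ b for a, b in zip(self.st[:n], tag))      # the right tag cancels to zeros
        ok = hmac.compare_digest(bytes(self.st[:n]), bytes(n)); self.st[:n] = bytes(n); keccak_f(self.st); return ok
```

Because the tag is squeezed from, and then folded back into, the shared state, a tampered ciphertext or a replayed earlier message fails recv_mac and leaves the two peers desynchronised, which is exactly when the slide 13 code resets the connection.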

  17. [diagram: the state split into rate and capacity; operation = AD is XORed (⊕) into the rate]

  18. [diagram: operation = AD, then data = 010100… XORed into the rate]

  19. [diagram: operation = send_ENC follows the AD operation and its data in the rate]

  20. [diagram: as slide 19, with f applied before send_ENC]

  21. [diagram: data = hello XORed with the rate gives the ciphertext]

  22. [diagram: operation = send_MAC with len = 16, after another f, yields the tag]

  23. send_AEAD [diagram: the AD, send_ENC and send_MAC sequence of the previous slides as one operation]

  24. Strobe
      • flexible framework to support a large number of protocols
      • large symmetric cryptography library
      • fits into tiny IoT devices (~300 lines of code)
      • relies on the strong SHA-3 standard (SHAKE-compliant)

  25. strobe.sourceforge.io

  26. Outline: 1. KECCAK  2. STROBE  3. NOISE

  27. TLS
      • TLS is the de facto standard for securing communications
      • complex specification (TLS 1.3 is 160 pages long)
      • supported by other specifications (ASN.1, X.509, 44 mentioned RFCs, …)
      • design carrying a lot of legacy decisions
      • cryptographic agility and a complicated state machine
      • huge and scary libraries (OpenSSL is 700k LOC, 165 CVEs)
      • cumbersome configuration…
      • often dangerously re-implemented (custom implementations)
      • or re-invented (proprietary protocols)

  28. Complexity is the enemy of security

  29. www.noiseprotocol.org

  30. The Noise Protocol Framework
      • no need for certificates or a PKI
      • many handshakes to choose from (flexible)
      • it's straightforward to implement (<1k LOC, 18kb for Arduino)
      • there are already libraries that you can leverage
      • minimal (or zero) configuration
      • used by WhatsApp, Slack, the Bitcoin Lightning Network, …
      • if you have a good excuse not to use TLS, Noise is the answer

  31. The crypto functions
      • DH: X25519 or X448
      • AEAD: ChaCha20-Poly1305 or AES-GCM
      • HASH: BLAKE2 or SHA-2

  32. [diagram: Client and Server each generate an ephemeral key and exchange them during the handshake]

  33. [diagram: as slide 32; each side then runs Diffie-Hellman() on the ephemeral keys to derive the keys]

  34. [diagram: as slide 33; after the handshake, both sides exchange encrypted data (post-handshake) under those keys]

  35. [diagram: slide 34 in token notation: each side's ephemeral key is e, the Diffie-Hellman step is ee]

  36. → e
      ← e, ee

  37. Tokens
      • e: ephemeral key
      • s: static key
      • ee: DH(client ephemeral key, server ephemeral key)
      • es: DH(client ephemeral key, server static key)
      • se: DH(client static key, server ephemeral key)
      • ss: DH(client static key, server static key)
      • psk: pre-shared key

  38. Handshake Patterns
      N (rs):      ← s  …  → e, es
      K (s, rs):   → s  ← s  …  → e, es, ss
      X (s, rs):   ← s  …  → e, es, s, ss
      NN ():       → e  ← e, ee
      NK (rs):     ← s  …  → e, es  ← e, ee
      NX (rs):     → e  ← e, ee, s, es
      XN (s):      → e  ← e, ee  → s, se
      XK (s, rs):  ← s  …  → e, es  ← e, ee  → s, se
      XX (s, rs):  → e  ← e, ee, s, es  → s, se
      KN (s):      → s  …  → e  ← e, ee, se
      KK (s, rs):  → s  ← s  …  → e, es, ss  ← e, ee, se

  39. NX (rs):  → e  ← e, ee, s, es  [diagram: Client and Server]

  40. [diagram: the Client sends its e public key]

  41. [diagram: … together with payload1]

  42. [diagram: the Server replies with its ephemeral public key, re public]

  43. [same as slide 42]

  44. [diagram: … followed by E_K1(rs), the Server's static key encrypted under K1]

  45. [same as slide 44]

  46. [diagram: … and E_K2(payload2)]

  47. [diagram: Handshake State, Symmetric State and Cipher State for "Noise_NX_25519_AESGCM_SHA256": initialisation sets ck and h from HASH of the protocol name; e = GENERATE_KEYPAIR(); e.public_key and payload1 are mixed into h with HASH; re.public_key is mixed into h; DH(e, re) goes through HKDF with ck to derive k1 (n = 0); E_k1(rs public) is handled by DecryptWithAd(), giving rs, and mixed into h; DH(e, rs) through HKDF with ck gives k2 (n = 0); E_k2(payload2) is handled by DecryptWithAd() and mixed into h; a final HKDF on ck splits into the two Cipher States (k, n = 0)]

  48. Outline: 1. KECCAK  2. STROBE  3. NOISE  4. DISCO

  49. [diagram: Handshake State and Strobe State for "Noise_NX_25519_Strobe": InitStrobe() with the protocol name; e = GENERATE_KEYPAIR(); send_CLR(e.public_key); send_CLR(payload1); recv_CLR(re.public_key); AD(DH(e, re)); recv_AEAD(E(rs public)) yields rs.public_key; AD(DH(e, rs)); recv_AEAD(E(payload2)) yields payload2; the Strobe State is then split into two Strobe States (…)]

  50. [diagram: after the handshake, the two Strobe States drive alternating send_AEAD() / recv_AEAD() calls]

  51. [diagram: the same handshake shown as successive absorptions (⊕) into one Strobe State: the protocol name, e.public_key, payload1, re.public_key, DH(e, re), rs.public_key (from E(rs public) and tag1), DH(e, rs), payload2 (from E(payload2) and tag2)]

  52. www.discocrypto.com

  53. Size comparison: OpenSSL at 700,000 LOC versus disco-c, libdisco (go) and DiscoNet* (C#), which range from 1,000 to 4,000 LOC (1,000, 2,000 and 4,000) (* implementation by Artyom Makarov)

  54. Trust Graph of Disco: DISCO, STROBE, X25519, KECCAK-F

  55. Trust Graph of biased SSL/TLS: TLS 1.3, AES-GCM, HKDF, HMAC, X25519, ECDSA, SHA-256

  56. Trust Graph of SSL/TLS: TLS 1.1, TLS 1.2, TLS 1.3; ASN.1, DER, X.509; DH with ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, or ECDH with X25519, X448, secp256r1, secp384r1, secp521r1; AES-GCM, AES-CCM, CHACHA20-POLY1305; HKDF, HMAC; RSA-PSS or RSA-PKCS#1 v1.5, ECDSA, ed25519, ed448; SHA-256, SHA-384, SHA-512
