Modern Session Encryption David Wong outline 3. NOISE 2. STROBE - - PowerPoint PPT Presentation

SLIDE 1

Modern Session Encryption

David Wong

SLIDE 2

• 2. STROBE
• utline
• 1. KECCAK
• 3. NOISE
• 4. ???

SLIDE 3

f

⊕ ⊕

f

⊕

f f f

squeezing

Sponge Construction

absorbing

00101 01001 01100 11001 01011 10101

SLIDE 4

f

input

⊕

init

• utput

duplexing

Duplex Construction

f

input

⊕

• utput

duplexing

f

input

• utput

duplexing

⊕

SLIDE 5

Keyed-mode

f

key

⊕

init duplexing

SLIDE 6

f

key

⊕

init duplexing

Encryption?

SLIDE 7

f

key

⊕

init duplexing

ciphertext1 plaintext1

⊕

Encryption

SLIDE 8

f

key

⊕

init duplexing

ciphertext1 plaintext1

⊕

f

⊕

tag1

duplexing

Authenticated Encryption

SLIDE 9

f

key

⊕

init duplexing

ciphertext1 plaintext1

⊕

f

⊕

tag1

duplexing

f

ciphertext2

duplexing

f

⊕

tag2

duplexing

plaintext2

⊕

Sessions

SLIDE 10

f

key ⊕

init duplexing

ciphertext1 plaintext1 ⊕

f

⊕ tag1

duplexing

f

ciphertext2

duplexing

f

⊕ tag2

duplexing

plaintext2 ⊕

f

ciphertext3

duplexing

f

⊕ tag3

duplexing

plaintext3 ⊕

f

ciphertext4

duplexing

f

⊕ tag4

duplexing

plaintext4 ⊕

SLIDE 11

• 2. STROBE
• utline
• 1. KECCAK

SLIDE 12

• peration = AD

⊕

data = 010100…

⊕

AD

• peration = KEY

⊕

data = 010100…

KEY

f

• peration = PRF

⊕

00000…

PRF

f

• utput
• peration = send_CLR

⊕

data = 010100…

⊕

send_CLR

• peration = recv_CLR

⊕

data = 010100…

⊕

recv_CLR

• peration = send_ENC

⊕

ciphertext

send_ENC

f

plaintext

⊕

• peration = send_MAC

⊕

tag

send_MAC

f

• peration = RATCHET

⊕

RATCHET

f

0000

• peration = recv_ENC

⊕

plaintext

recv_ENC

f

⊕

ciphertext

• peration = recv_MAC

⊕

recv_MAC

f

0000…

⊕

tag

Strobe functions

SLIDE 13

myProtocol = Strobe_init(“myWebsite.com”) myProtocol.AD(sharedSecret) buffer = myProtocol.send_ENC(“GET /”) buffer += myProtocol.send_MAC(len=16) // send the buffer // receive a ciphertext message = myProtocol.recv_ENC(ciphertext[:-16])

• k = myProtocol.recv_MAC(ciphertext[-16:])

if !ok { // reset the connection }

Strobe protocol example

SLIDE 14

buffer = myProtocol.send_ENC(plaintext1) buffer += myProtocol.send_MAC(len=16) // send the buffer buffer = myProtocol.send_ENC(plaintext2) buffer += myProtocol.send_MAC(len=16) // send the buffer buffer = myProtocol.send_ENC(plaintext3) buffer += myProtocol.send_MAC(len=16) // send the buffer buffer = myProtocol.send_ENC(plaintext4) buffer += myProtocol.send_MAC(len=16) // send the buffer

SLIDE 15

Strobe

• flexible framework to support a large number of protocols
• large symmetric cryptography library

SLIDE 16

myHash = Strobe_init(“david_wong_hash”) myHash.AD(“something to be hashed”) hash = myHash.PRF(outputLen=32)

Strobe as a Hash Function

SLIDE 17

• peration = AD

⊕

rate capacity

SLIDE 18

• peration = AD

⊕

data = 010100…

⊕

rate capacity

SLIDE 19

• peration = AD

⊕

data = 010100…

⊕

• peration = send_ENC

⊕

rate capacity

SLIDE 20

• peration = AD

⊕

data = 010100…

f

⊕

• peration = send_ENC

⊕

rate capacity

SLIDE 21

• peration = AD

⊕

data = 010100…

f

⊕

• peration = send_ENC

data = hello

⊕

ciphertext

⊕

rate capacity

SLIDE 22

• peration = AD

⊕

data = 010100…

f f

⊕

• peration = send_ENC

data = hello

⊕

ciphertext

len = 16 tag

⊕

• peration = send_MAC

⊕

rate capacity

SLIDE 23

• peration = AD

⊕

data = 010100…

f f

⊕

• peration = send_ENC

data = hello

⊕

ciphertext

len = 16 tag

⊕

• peration = send_MAC

send_AEAD

⊕

rate capacity

SLIDE 24

Strobe

• flexible framework to support a large number of protocols
• large symmetric cryptography library
• fits into tiny IoT devices (~300 lines of code)
• relies on strong SHA-3 standard (SHAKE-compliant)

SLIDE 25

strobe.sourceforge.io

strobe.sourceforge.io

SLIDE 26

• 2. STROBE
• utline
• 1. KECCAK
• 3. NOISE

SLIDE 27

TLS

• TLS is the de facto standard for securing communications
• complex specification (TLS 1.3 is 160-page long)
• supported by other specifications (asn.1, x509, 44 mentioned RFCs …)
• design carrying a lot of legacy decisions
• cryptographic agility and complicated state machine
• huge and scary libraries (OpenSSL is 700k LOC, 165 CVEs)
• cumbersome configuration…
• ofuen dangerously re-implemented (custom implementations)
• or re-invented (proprietary protocols)

SLIDE 28

Complexity is the enemy of security

SLIDE 29

www.noiseprotocol.org

SLIDE 30

The Noise Protocol Framework

• no need for certificates or a PKI
• many handshakes to choose from (flexible)
• it’s straight forward to implement (<1k LOC, 18kb for Arduino)
• there are already libraries that you can leverage
• minimal (or zero) configuration
• used by WhatsApp, Slack, the Bitcoin Lightning Network, …
• if you have a good excuse not to use TLS, Noise is the answer

SLIDE 31

• DH: X25519 or X448
• AEAD: Chacha20-Poly1305 or AES-GCM
• HASH: BLAKE2 or SHA-2

The crypto functions

SLIDE 32

ephemeral key ephemeral key Client Server

handshake

SLIDE 33

ephemeral key ephemeral key Client Server

handshake

Diffie-Hellman() Diffie-Hellman() keys keys

SLIDE 34

ephemeral key ephemeral key Client Server

handshake

encrypted data encrypted data

post-handshake

Diffie-Hellman() Diffie-Hellman() keys keys

SLIDE 35

e e Client Server

handshake

encrypted data encrypted data

post-handshake

ee ee keys keys

SLIDE 36

→ e ← e, ee

SLIDE 37

• e: ephemeral key
• s: static key
• ee: DH(client ephemeral key, server ephemeral key)
• es: DH(client ephemeral key, server static key)
• se: DH(client static key, server ephemeral key)
• ss: DH(client static key, server static key)
• psk: pre-shared key

Tokens

SLIDE 38

→ e ← e, ee NN(): ← s … → e, es ← e, ee NK(rs): → e ← e, ee, s, es NX(rs): → e ← e, ee → s, se XN(s): ← s → s … → e, es, ss ← e, ee, se KK(s, rs): → e ← e, ee, s, es → s, se XX(s, rs): ← s … → e, es N(rs): ← s → s … → e, es, ss K(s,rs): ← s … → e, es, s, ss X(s,rs): ← s … → e, es ← e, ee → s, se XK(s, rs): → s … → e ← e, ee, se KN(s):

Handshake Patterns

SLIDE 39

NX(rs): → e ← e, ee, s, es

Client Server

SLIDE 40

epublic Client Server

NX(rs): → e ← e, ee, s, es

SLIDE 41

payload1 epublic Client Server

NX(rs): → e ← e, ee, s, es

SLIDE 42

republic epublic Client Server payload1

NX(rs): → e ← e, ee, s, es

SLIDE 43

republic epublic Client Server payload1

NX(rs): → e ← e, ee, s, es

SLIDE 44

republic EK1(rs) epublic Client Server payload1

NX(rs): → e ← e, ee, s, es

SLIDE 45

republic EK1(rs) epublic Client Server payload1

NX(rs): → e ← e, ee, s, es

SLIDE 46

republic EK1(rs) EK2(payload2) epublic Client Server payload1

NX(rs): → e ← e, ee, s, es

SLIDE 47

SLIDE 48

SLIDE 49

HandshakeState SymmetricState CipherState

epublic payload1 republic Ek1(rspublic)

HKDF

DH(e, re)

ck n=0 k1 e

GENERATE_KEYPAIR()

Initialization

ck h

“Noise_NX_25519_AESGCM_SHA256”

HASH

h e.public_key

HASH

re.public_key

HASH

h rs

DecryptWithAd() Ek1(rspublic)

h

HASH

h

Ek1(rspublic) HASH

h

payload1

CipherState

HKDF

k k n=0 n=0 CipherState

Ek2(payload2)

re

republic HKDF

DH(e, rs)

ck n=0 k2

DecryptWithAd() Ek2(payload2)

h

payload2 HASH

h

Ek2(payload2)

SLIDE 50

• 2. STROBE
• utline
• 1. KECCAK
• 3. NOISE
• 4. DISCO

SLIDE 51

HandshakeState StrobeState

epublic payload1 republic E(rspublic) Initialization E(payload2)

InitStrobe()

“Noise_NX_25519_Strobe”

e

GENERATE_KEYPAIR() send_CLR() payload1 send_CLR()

e.public_key re.public_key

recv_CLR() republic recv_AEAD() E(payload2) payload2 AD()

DH(e, rs)

rs.public_key

recv_AEAD() E(rspublic)

StrobeState StrobeState

… …

AD()

DH(e, re)

SLIDE 52

StrobeState

send_AEAD() send_AEAD() send_AEAD() send_AEAD() send_AEAD() send_AEAD() send_AEAD()

StrobeState

recv_AEAD() recv_AEAD() recv_AEAD() recv_AEAD() recv_AEAD() recv_AEAD() recv_AEAD()

SLIDE 53

HandshakeState StrobeState

epublic payload1 republic E(rspublic), tag1 E(payload2), tag2

e

GENERATE_KEYPAIR()

Initialization

“Noise_NX_25519_Strobe”

⊕

e.public_key

⊕

payload1

⊕

DH(e, re)

⊕

DH(e, rs)

⊕

re.public_key

⊕

republic tag1

rs.public_key

E(rspublic)

⊕

rs.public_key

E(payload2)

⊕

tag2

SLIDE 54

www.discocrypto.com

SLIDE 55

700,000 LOC

disco-c libdisco (go) OpenSSL

4,000 LOC 1,000 LOC 2,000 LOC

DiscoNet* (C#)

* implementation by Artyom Makarov

SLIDE 56

DISCO STROBE X25519 KECCAK-F

Trust Graph of Disco

SLIDE 57

Trust Graph of biased SSL/TLS

TLS 1.3 HMAC X25519 SHA-256 HKDF ECDSA AES-GCM

SLIDE 58

Trust Graph of SSL/TLS

TLS 1.3 HMAC SHA-256 SHA-384 SHA-512 HKDF ECDSA AES-GCM DH ECDH CHACHA20- POLY1305 TLS 1.2 TLS 1.1 X.509 ASN.1 DER secp256r1 secp384r1 secp521r1 ffdhe2048 X25519 X448 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 RSA-PSS or RSA-PKCS#1 v1.5 AES-CCM ed25519 ed448

SLIDE 59

• Disco is a drafu specification extending Noise (experimental)
• Noise is a stable drafu (rev34)
• Strobe is alpha (v1.0.2)
• ⚠ Disco and the implementations are still experimental
• need more eyes, more interoperability testing, etc.
• looking to formally prove handshakes with Tamarin

The state of Disco

SLIDE 60

the disco is at www.discocrypto.com I write about crypto www.cryptologie.net follow me on twitter.com/cryptodavidw

(and I work here)