NaCl: a new crypto library (slide deck)

NaCl: a new crypto library
D. J. Bernstein, U. Illinois Chicago & T. U. Eindhoven
Tanja Lange, T. U. Eindhoven
Joint work

AES-128, RSA-2048, etc. are widely accepted standards. Obviously infeasible to break by best attacks in literature.


  1. Most of the Internet is cryptographically unprotected.
     Primary goal of NaCl: Fix this.
     Main task: public-key authenticated encryption.
     Alice has a message m for Bob. Uses Bob’s public key and Alice’s secret key to compute authenticated ciphertext c. Sends c to Bob.
     Bob uses Alice’s public key and Bob’s secret key to verify and recover m.

     Alice using a typical cryptographic library:
     Generate random AES key. Use AES key to encrypt packet. Hash encrypted packet. Read RSA key from wire format. Use key to sign hash. Read Bob’s key from wire format. Use key to encrypt signature etc. Convert to wire format.
     Plus more code: allocate storage, handle errors, etc.

  2. Alice using NaCl: c = crypto_box(m,n,pk,sk)
     32-byte secret key sk. 32-byte public key pk. 24-byte nonce n. c is 16 bytes longer than m.
     All objects are C++ std::string variables represented in wire format, ready for storage/transmission.
     C NaCl: similar, using pointers; no memory allocation, no failures.
     Bob verifying, decrypting: m = crypto_box_open(c,n,pk,sk)
     Initial key generation: pk = crypto_box_keypair(&sk)

  3. Can instead use signatures for public messages:
     pk = crypto_sign_keypair(&sk): 64-byte secret key, 32-byte public key.
     sm = crypto_sign(m,sk): 64 bytes overhead.
     m = crypto_sign_open(sm,pk)

  4. “This sounds too simple! Don’t applications need more?”
     Examples of applications using NaCl’s crypto_box:
     DNSCurve and DNSCrypt, high-security authenticated encryption for DNS queries; deployed by OpenDNS.
     QUIC, Google’s TLS replacement.
     MinimaLT in Ethos OS, faster TLS replacement.
     Threema, encrypted-chat app.

  5. Related projects
     Various ports, repackaging, language bindings, etc.: e.g., github.com/jedisct1/libsodium
     TweetNaCl: NaCl in 100 tweets; on the path towards full audit. Bernstein, van Gastel, Janssen, Lange, Schwabe, Smetsers. tweetnacl.cr.yp.to, twitter.com/tweetnacl
     Benchmarking of > 1000 crypto implementations using same API: bench.cr.yp.to

  6. No secret load addresses
     2005 Osvik–Shamir–Tromer: 65ms to steal Linux AES key used for hard-disk encryption. Attack process on same CPU but without privileges.
     Almost all AES implementations use fast lookup tables. Kernel’s secret AES key influences table-load addresses, influencing CPU cache state, influencing measurable timings of the attack process. 65ms to compute influence^−1.

  7. Most cryptographic libraries still use secret load addresses but add “countermeasures” intended to obscure influence upon the CPU cache state. Not confidence-inspiring; likely to be breakable.
     NaCl systematically avoids all loads from addresses that depend on secret data. Eliminates this type of disaster.
     Timing attack+defense tutorial: Schwabe talk tomorrow 11:00.

  8. No secret branch conditions
     2011 Brumley–Tuveri: minutes to steal another machine’s OpenSSL ECDSA key. Secret branch conditions influence timings.
     Most cryptographic software has many more small-scale variations in timing: e.g., memcmp for IPsec MACs.
     NaCl systematically avoids all branch conditions that depend on secret data. Eliminates this type of disaster.

  9. No padding oracles
     1998 Bleichenbacher: Decrypt SSL RSA ciphertext by observing server responses to ≈ 10^6 variants of ciphertext.
     SSL first inverts RSA, then checks for “PKCS padding” (which many forgeries have). Subsequent processing applies more serious integrity checks. Server responses reveal pattern of PKCS forgeries; pattern reveals plaintext.

  10. Typical defense strategy: try to hide differences between padding checks and subsequent integrity checks. But hard to get this right: see, e.g., Lucky 13 and POODLE.
     NaCl does not decrypt unless message is authenticated. Verification procedure rejects all forgeries in constant time. Attacks are further constrained by per-nonce key separation and standard nonce handling.
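The "secret branch conditions" slide (memcmp on IPsec MACs) and the "rejects all forgeries in constant time" slide come down to one primitive: how a received tag is compared with the expected one. As an added example that is not NaCl's own code, the C below puts a memcmp-style check, whose work grows with the number of leading tag bytes a forgery gets right, beside a verify written in the style of NaCl's crypto_verify_16/32 (0 on match, -1 otherwise) where neither branches nor loads depend on the secret; DEMO_TAG is a constructed value and the demo_* names are chosen here.

```c
#include <stddef.h>
#include <stdio.h>

/* Leaky check in the style of memcmp: returns at the first mismatch.
 * *steps receives the number of bytes examined; that count is the
 * data-dependent quantity a remote attacker measures as time. */
int leaky_verify(const unsigned char *x, const unsigned char *y,
                 size_t n, size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (x[i] != y[i]) {
            *steps = i + 1;
            return -1;
        }
    }
    *steps = n;
    return 0;
}

/* Constant-time check in the style of NaCl's crypto_verify_16/32:
 * OR together every byte difference, then turn "d == 0" into 0 and
 * "d != 0" into -1 with arithmetic only. Every byte is always read
 * and no branch depends on the contents of x or y. */
int ct_verify(const unsigned char *x, const unsigned char *y, size_t n)
{
    unsigned int d = 0;
    size_t i;
    for (i = 0; i < n; i++) d |= x[i] ^ y[i];
    /* d is 0..255, so (d - 1) >> 8 is 1 exactly when d == 0
     * (unsigned wrap-around); the final -1 maps 1 -> 0 and 0 -> -1. */
    return (int)(1 & ((d - 1) >> 8)) - 1;
}

/* Constructed 16-byte "correct" tag for the demo, not a real MAC output. */
static const unsigned char DEMO_TAG[16] = {
    0x3a, 0x7f, 0x12, 0xc4, 0x55, 0x09, 0xe1, 0x88,
    0x6d, 0x2b, 0x90, 0xf7, 0x41, 0xac, 0x1e, 0x63
};

/* A forgery that agrees with DEMO_TAG on its first k bytes and differs
 * on every later byte; k == 16 is the genuine tag. */
static void demo_guess(unsigned char g[16], size_t k)
{
    size_t i;
    for (i = 0; i < 16; i++)
        g[i] = (i < k) ? DEMO_TAG[i] : (unsigned char)(DEMO_TAG[i] ^ 0xff);
}

/* Bytes the leaky check examines for a forgery with k correct leading
 * bytes: grows with k, which is what lets the tag be recovered one byte
 * at a time from timing alone. */
size_t demo_leaky_steps(size_t k)
{
    unsigned char g[16];
    size_t steps;
    demo_guess(g, k);
    leaky_verify(DEMO_TAG, g, 16, &steps);
    return steps;
}

/* Result of the constant-time check for the same forgery: -1 for every
 * k < 16 after identical work, 0 only for the genuine tag. */
int demo_ct_result(size_t k)
{
    unsigned char g[16];
    demo_guess(g, k);
    return ct_verify(DEMO_TAG, g, 16);
}

int main(void)
{
    size_t k;
    for (k = 0; k <= 16; k += 4)
        printf("k=%2zu  leaky steps=%2zu  ct_verify=%d\n",
               k, demo_leaky_steps(k), demo_ct_result(k));
    return 0;
}
```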

  44. padding oracles Typical defense strategy: Centralizing try to hide differences Bleichenbacher: 2008 Bello: between padding checks and Decrypt SSL RSA ciphertext OpenSSL subsequent integrity checks. observing server responses had only 10 6 variants of ciphertext. But hard to get this right: Debian develop see, e.g., Lucky 13 and POODLE. first inverts RSA, a subtle checks for “PKCS padding” NaCl does not decrypt randomness-generating many forgeries have). unless message is authenticated. Subsequent processing applies Verification procedure rejects serious integrity checks. all forgeries in constant time. Attacks are further constrained responses reveal by per-nonce key separation pattern of PKCS forgeries; and standard nonce handling. pattern reveals plaintext.

  45. racles Typical defense strategy: Centralizing randomness try to hide differences Bleichenbacher: 2008 Bello: Debian/Ubuntu between padding checks and RSA ciphertext OpenSSL keys for subsequent integrity checks. server responses had only 15 bits of riants of ciphertext. But hard to get this right: Debian developer had see, e.g., Lucky 13 and POODLE. RSA, a subtle line of Op “PKCS padding” NaCl does not decrypt randomness-generating rgeries have). unless message is authenticated. cessing applies Verification procedure rejects integrity checks. all forgeries in constant time. Attacks are further constrained reveal by per-nonce key separation forgeries; and standard nonce handling. plaintext.

  46. Typical defense strategy: Centralizing randomness try to hide differences 2008 Bello: Debian/Ubuntu between padding checks and ciphertext OpenSSL keys for 1.5 years subsequent integrity checks. onses had only 15 bits of entropy. ciphertext. But hard to get this right: Debian developer had removed see, e.g., Lucky 13 and POODLE. a subtle line of OpenSSL padding” NaCl does not decrypt randomness-generating code. have). unless message is authenticated. applies Verification procedure rejects hecks. all forgeries in constant time. Attacks are further constrained by per-nonce key separation rgeries; and standard nonce handling.

  47. Typical defense strategy: Centralizing randomness try to hide differences 2008 Bello: Debian/Ubuntu between padding checks and OpenSSL keys for 1.5 years subsequent integrity checks. had only 15 bits of entropy. But hard to get this right: Debian developer had removed see, e.g., Lucky 13 and POODLE. a subtle line of OpenSSL NaCl does not decrypt randomness-generating code. unless message is authenticated. Verification procedure rejects all forgeries in constant time. Attacks are further constrained by per-nonce key separation and standard nonce handling.

  48–53. Centralizing randomness. 2008 Bello: Debian/Ubuntu OpenSSL keys for 1.5 years had only 15 bits of entropy. Debian developer had removed a subtle line of OpenSSL randomness-generating code. NaCl uses /dev/urandom, the OS random-number generator. Reviewing this kernel code is much more tractable than reviewing separate RNG code in every security library. Centralization allows OS to merge many entropy sources into pool feeding many applications. Merging is deterministic and auditable. Can survive many bad/failing/malicious sources if there is one good source. Huge step backwards: Intel’s RDRAND in applications. Single entropy source; no backup; likely to be poorly cloned; backdoorable (CHES 2013); non-auditable. Not used in NaCl.

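The Debian failure and the /dev/urandom argument in Python, as an added illustration that is not NaCl code and not the actual OpenSSL code path: the PID-only generator below models the shape of the bug (a 15-bit seed) rather than reproducing it. `recover_pid` is the attack an enumerable keyspace invites, `mix_pool` is the shape of a centralized pool (deterministic, length-prefixed mixing of many sources), and `simulate_fleet` contrasts the two across many independently generated keys.

```python
import hashlib
import os
from typing import Optional, Sequence, Tuple

PID_MAX = 32768  # 2**15 possible seeds: the entire keyspace of the weak generator


def pid_only_keygen(pid: int) -> bytes:
    """A generator whose only entropy is the process ID. Constructed to
    model the 2008 Debian OpenSSL bug; the real code path is not
    reproduced. With nothing else feeding it, the key is a pure function
    of a 15-bit value."""
    return hashlib.sha256(b"pid-only-seed" + pid.to_bytes(4, "big")).digest()


def recover_pid(target_key: bytes) -> Optional[int]:
    """The attack an enumerable keyspace invites: recompute every key the
    generator can produce (32768 hashes) and look for a match."""
    for pid in range(PID_MAX):
        if pid_only_keygen(pid) == target_key:
            return pid
    return None


def mix_pool(sources: Sequence[bytes]) -> bytes:
    """The shape of a centralized pool: many sources, one deterministic and
    auditable mixing step. Each input is index- and length-prefixed so no
    source can shift into or masquerade as another. The output stays
    unpredictable as long as any single source is, because an attacker who
    controls the other inputs cannot steer a preimage-resistant hash to a
    chosen value. Real pools also run a DRBG from this; omitted here."""
    h = hashlib.sha256()
    for i, s in enumerate(sources):
        h.update(i.to_bytes(2, "big") + len(s).to_bytes(4, "big") + s)
    return h.digest()


def simulate_fleet(n_hosts: int) -> Tuple[int, int]:
    """n_hosts machines each generate one key; returns how many distinct
    keys each generator produced. The PID-only generator can never give a
    fleet more than 2**15 distinct keys, which is how identical Debian keys
    turned up on unrelated hosts. The pooled generator mixes the same PID
    with one OS source (os.urandom, the kernel generator) and every host
    gets its own key."""
    weak = {pid_only_keygen(h % PID_MAX) for h in range(n_hosts)}
    pooled = {mix_pool([(h % PID_MAX).to_bytes(4, "big"), os.urandom(32)])
              for h in range(n_hosts)}
    return len(weak), len(pooled)
```

The enumeration in `recover_pid` is the whole point of the "15 bits" figure: an attacker does not need to break anything, only to run the same generator 32768 times, which is why the fix had to be on the entropy side rather than the algorithm side.
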
  54–58. Avoiding unnecessary randomness. 2010 Bushing–Marcan–Segher–Sven: Sony ignored ECDSA requirement of new randomness for each signature. ⇒ Signatures leaked PS3 code-signing key. NaCl has deterministic crypto_box and crypto_sign. Randomness only for keypair. Eliminates this type of disaster. Also simplifies testing. NaCl uses automated test battery from bench.cr.yp.to.

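The PS3 failure and the deterministic alternative, as an added Python illustration. It is not NaCl code: NaCl's crypto_sign is Ed25519, not ECDSA, and NaCl's deterministic nonce derivation differs from the simplified HMAC-based one below. ECDSA over secp256k1 is implemented here in textbook affine arithmetic because the attack is easiest to show on ECDSA itself; the curve constants are the public secp256k1 parameters, while the private key, nonce and messages in `demo` are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# secp256k1 public parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None is the point at infinity


def add(a: Point, b: Point) -> Point:
    """Affine point addition/doubling on y^2 = x^3 + 7 over F_P."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P


def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def pubkey(d: int) -> Point:
    return mul(d, G)


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d: int, msg: bytes, k: int) -> Tuple[int, int]:
    """Textbook ECDSA with the nonce k supplied by the caller, which is
    exactly the freedom that sank the PS3: k must be secret, uniform and
    never repeated across messages."""
    z = hash_to_int(msg)
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return r, s


def verify(Q: Point, msg: bytes, sig: Tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = add(mul(hash_to_int(msg) * w % N, G), mul(r * w % N, Q))
    return R is not None and R[0] % N == r


def recover_key_from_reused_nonce(m1: bytes, sig1: Tuple[int, int],
                                  m2: bytes, sig2: Tuple[int, int]) -> int:
    """Two signatures with the same k share r, and
    s1 - s2 = k^-1 (z1 - z2)  =>  k = (z1 - z2) / (s1 - s2),
    then d = (s1*k - z1) / r. Public data and modular arithmetic only."""
    (r, s1), (_, s2) = sig1, sig2
    z1, z2 = hash_to_int(m1), hash_to_int(m2)
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N


def deterministic_nonce(d: int, msg: bytes) -> int:
    """Derive k from the private key and the message (the idea behind
    RFC 6979 and, differently realised, Ed25519; simplified here): the same
    message always gets the same k, distinct messages get independent ones,
    and no RNG is consulted at signing time."""
    mac = hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % N or 1


def demo() -> Dict[str, bool]:
    d = 0x123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF1  # constructed
    Q = pubkey(d)
    m1, m2 = b"firmware v3.55", b"firmware v3.56"  # constructed messages
    k_fixed = 0xCAFEBABEDEADBEEF  # the same k for every signature
    sig1, sig2 = sign(d, m1, k_fixed), sign(d, m2, k_fixed)
    det1 = sign(d, m1, deterministic_nonce(d, m1))
    det2 = sign(d, m2, deterministic_nonce(d, m2))
    return {
        "both_verify": verify(Q, m1, sig1) and verify(Q, m2, sig2),
        "same_r": sig1[0] == sig2[0],
        "key_recovered": recover_key_from_reused_nonce(m1, sig1, m2, sig2) == d,
        "deterministic_verify": verify(Q, m1, det1) and verify(Q, m2, det2),
        "deterministic_distinct_r": det1[0] != det2[0],
        "repeatable": sign(d, m1, deterministic_nonce(d, m1)) == det1,
    }
```

Note that both of Sony's signatures in this model verify perfectly; nothing in the verification procedure can detect the reuse, which is why the slide treats per-signature randomness as a requirement to design away rather than a requirement to remember.
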
  59–64. Avoiding pure crypto failures. 2008 Stevens–Sotirov–Appelbaum–Lenstra–Molnar–Osvik–de Weger exploited MD5 ⇒ rogue CA cert. 2012 Flame: new MD5 attack. Fact: By 1996, a few years after the introduction of MD5, Preneel and Dobbertin were calling for MD5 to be scrapped. NaCl pays attention to cryptanalysis and makes very conservative choices of cryptographic primitives.

  65–68. Speed. Crypto performance problems often lead users to reduce cryptographic security levels or give up on cryptography. Example 1: Google SSL used RSA-1024 until 2013. Security note: Analyses in 2003 concluded that RSA-1024 was breakable; e.g., 2003 Shamir–Tromer estimated 1 year, ≈ 10^7 USD. RSA Labs and NIST response: Move to RSA-2048 by 2010.

  69–72. Example 2: Tor used RSA-1024 until 2013 switch to Curve25519. Example 3: DNSSEC uses RSA-1024: “tradeoff between the risk of key compromise and performance …” Example 4: OpenSSL on ARM uses secret AES load addresses. Example 5: https://sourceforge.net/account is protected by SSL but https://sourceforge.net/develop turns off crypto: redirects to http://sourceforge.net/develop.

  73–78. NaCl has no low-security options. e.g. crypto_box always encrypts and authenticates. e.g. no RSA-1024; not even RSA-2048. Remaining risk: Users find NaCl too slow ⇒ switch to low-security libraries or disable crypto entirely. How NaCl avoids this risk: NaCl is exceptionally fast. Much faster than other libraries. Keeps up with the network.

  79–83. NaCl operations per second for any common packet size, using AMD Phenom II X6 1100T CPU ($190 in 2011): crypto_box: > 80000. crypto_box_open: > 80000. crypto_sign_open: > 70000. crypto_sign: > 180000. Handles arbitrary packet floods up to ≈ 30 Mbps per CPU, depending on protocol details.

  84–87. But wait, it’s even faster! 1. Pure secret-key crypto for any packet size: 80000 1500-byte packets/second fill up a 1 Gbps link. 2. Pure secret-key crypto for many packets from same public key, if application splits crypto_box into crypto_box_beforenm and crypto_box_afternm.

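The beforenm/afternm split from the last slide, as an added Python illustration of the pattern rather than NaCl's code. NaCl's crypto_box is Curve25519 + XSalsa20 + Poly1305; here the public-key step is a toy Diffie-Hellman over a 2039-element group (an assumption made so the arithmetic is readable; it is far too small to be secure) and the per-packet step is an HMAC-SHA256 tag with encryption left out, so the example runs with the standard library only. The keys in `send_stream` are constructed. What it shows is the cost structure: the all-in-one call pays for a key agreement on every packet, while the split API pays once per peer and then does only secret-key work per packet.

```python
import hashlib
import hmac
from typing import Optional

P, G = 2039, 4  # toy group: P prime, G generates the subgroup of prime order 1019
pk_ops = {"count": 0}  # counts public-key operations, the expensive part of a box


def pubkey(sk: int) -> int:
    return pow(G, sk, P)


def beforenm(pk: int, sk: int) -> bytes:
    """The public-key half: one Diffie-Hellman agreement per peer, hashed
    down to a secret-key key. Cache the result per peer."""
    pk_ops["count"] += 1
    shared = pow(pk, sk, P)
    return hashlib.sha256(b"box-key" + shared.to_bytes(2, "big")).digest()


def afternm(k: bytes, nonce: bytes, packet: bytes) -> bytes:
    """The secret-key half, run per packet: tag || packet. Encryption is
    omitted to keep the example short; the cost structure is the point.
    Because k is reused for every packet to this peer, the nonce is the
    only thing keeping (k, nonce) pairs from repeating: use a counter."""
    return hmac.new(k, nonce + packet, hashlib.sha256).digest() + packet


def afternm_open(k: bytes, nonce: bytes, boxed: bytes) -> Optional[bytes]:
    tag, packet = boxed[:32], boxed[32:]
    expected = hmac.new(k, nonce + packet, hashlib.sha256).digest()
    return packet if hmac.compare_digest(tag, expected) else None


def box(pk: int, sk: int, nonce: bytes, packet: bytes) -> bytes:
    """The all-in-one call: a key agreement on every single packet."""
    return afternm(beforenm(pk, sk), nonce, packet)


def box_open(pk: int, sk: int, nonce: bytes, boxed: bytes) -> Optional[bytes]:
    return afternm_open(beforenm(pk, sk), nonce, boxed)


def send_stream(n_packets: int, split: bool) -> int:
    """Alice sends n_packets to Bob and Bob opens each one. Returns the
    total number of public-key operations both sides performed."""
    pk_ops["count"] = 0
    a_sk, b_sk = 123, 456  # constructed secret keys
    a_pk, b_pk = pubkey(a_sk), pubkey(b_sk)
    k_ab = k_ba = b""
    if split:
        k_ab = beforenm(b_pk, a_sk)  # Alice, once per peer
        k_ba = beforenm(a_pk, b_sk)  # Bob, once per peer; equals k_ab
    for i in range(n_packets):
        nonce = i.to_bytes(8, "big")  # counter nonce: never repeats under k
        pkt = b"payload %d" % i
        if split:
            boxed = afternm(k_ab, nonce, pkt)
            opened = afternm_open(k_ba, nonce, boxed)
        else:
            boxed = box(b_pk, a_sk, nonce, pkt)
            opened = box_open(a_pk, b_sk, nonce, boxed)
        if opened != pkt:
            raise AssertionError("box failed to open")
    return pk_ops["count"]
```

The caveat the split introduces is visible in `afternm`: once the shared key is cached, every packet to that peer runs under the same key, so nonce discipline (a counter, or the 24-byte random nonces crypto_box allows) is what carries the security, and the cached key should live no longer than the session that needs it.
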