Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rust in Blockchain - Tendermint KMS and Abscissa

tarcieri
July 17, 2019
550

Rust in Blockchain - Tendermint KMS and Abscissa

tarcieri

July 17, 2019
Tweet

Transcript

  1. Tendermint KMS + Tony Arcieri · Rust in Blockchain ·

    July 17th, 2019 0 ∞ S C I S S B
  2. Today's Talk • Tendermint KMS: HSM-backed multi-chain key management system

    for Tendermint blockchains • Signatory: multi-provider digital signature library for Rust • yubihsm.rs: pure Rust client for Yubico YubiHSM2 • Abscissa: security-oriented Rust application framework
  3. • BFT protocol and consensus engine for blockchain applications, i.e

    "Raft for BFT" • Designed for Proof-of-Stake: security through network of validators / block proposers which sign blocks (Ed25519) • Application Blockchain Interface (ABCI): 
 pluggable applications with arbitrary validation logic • Multiple production networks deployed:
 Cosmos Hub, IRIS Network, Terra Tendermint
  4. • Secure key storage for Tendermint validators:
 support for YubiHSM2,

    Ledger, and software-backed keys • Centralized signing service for multiple networks:
 validators can spin up new Tendermint networks without having to provision additional HSM hardware • Double-signing prevention: prevents validators from signing repeatedly at the same block height (and getting slashed) • Deployed in production: by multiple Tendermint validators Tendermint KMS
  5. • Digital signature abstractions: traits for signing and verifying digital

    signatures with support for both ECDSA and Ed25519 algorithms • Support for popular Rust signing crates: wrappers for the following: • ed25519-dalek • ring • secp256k1 (FFI wrapper for libsecp256k1) • sodiumoxide (FFI wrapper for libsodium) • HSM-friendly abstractions: supports the following HSM options • YubiHSM2 • Ledger (Tendermint only) Signatory
  6. yubihsm.rs • Pure Rust: (re)implementation of the YubiHSM2 SDK and

    Secure Connection (SCP03) protocol with USB support • Most commands supported: ECDSA, Ed25519, key wrapping (encrypted export/import), HMAC, auditing • Mock HSM support: software reimplementation of the YubiHSM2 for testing and CI
  7. 0 ∞ S C I S S B Security-oriented Rust

    application framework https://github.com/iqlusioninc/abscissa/
  8. IT WAS TOTALLY INVISIBLE HOWS THAT POSSIBLE ? THEY USED

    THE EARTHS MAGNETIC FIELD X THE INFORMATION WAS GATHERED AND TRANSMITTED UNDERGRUUND TO AN UNKNOWN LOCATION X DOES LANGLEY KNOW ABOUT THIS ? THEY SHOULD ITS BURIED OUT THERE SOMEWHERE X WHO KNOWS THE EXACT LOCATION ? ONLY WW THIS WAS HIS LAST MESSAGE X THIRTY EIGHT DEGREES FIFTY SEVEN MINUTES SIX POINT FIVE SECONDS NORTH SEVENTY SEVEN DEGREES EIGHT MINUTES FORTY FOUR SECONDS WEST X LAYER TWO Kryptos K2
  9. • Framework for CLI apps or network services • Maximize

    features while minimizing dependencies • Strong focus on security (particularly dependencies) • Particularly interesting for blockchain applications 0 ∞ S C I S S B https://github.com/iqlusioninc/abscissa/
  10. • Tendermint KMS • cargo-audit (RustSec) • Zcash Foundation "zebra"

    • Multiple internal iqlusion tools (OSS TBA) 0 ∞ S C I S S B Used by the following projects:
  11. • command-line option parsing: simple declarative option parser based on

    gumdrop • components: ECS-like component architecture with hooks into the application lifecycle • configuration: parses TOML configurations files using serde • error handling: generic Error type based on the failure crate • logging: integrated logging subsystem based on the log crate • secrets management: optional Secret type (from the secrecy crate) which can be used to represent secret values parsed from configuration files or elsewhere • terminal interactions: support for colored terminal output 0 ∞ S C I S S B
  12. Links • Twitter: @bascule @iqlusioninc • iqlusion blog: https://iqlusion.blog •

    Abscissa: https://github.com/iqlusioninc/abscissa/ • Tendermint KMS: https://github.com/tendermint/kms/ • Signatory: https://github.com/tendermint/signatory/ • yubihsm.rs: https://github.com/tendermint/yubihsm-rs/