Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rust in Blockchain - Tendermint KMS and Abscissa

tarcieri
July 17, 2019
0
560

Rust in Blockchain - Tendermint KMS and Abscissa

tarcieri

July 17, 2019
Tweet

More Decks by tarcieri

See All by tarcieri
Embedded cryptography in Rust: RustCrypto + Veriform
tarcieri
0
970
Rhapsody in Zero Knowledge - Proving without Revealing
tarcieri
2
290
Insane in the Blockchain
tarcieri
1
700
Macaroons for Rust
tarcieri
3
790
A Protocol for Interledger Payments
tarcieri
0
380
Frontiers in Cryptography
tarcieri
2
1.6k
Macaroons - A Better Kind of Cookie
tarcieri
1
290
Thoughts on Rust Cryptography
tarcieri
6
6.6k
Being Boring: A Survivor's Guide to Ruby Cryptography
tarcieri
4
1.1k

Featured

See All Featured
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
How STYLIGHT went responsive
nonsquared
95
5.2k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
97
Building an army of robots
kneath
302
43k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Fireside Chat
paigeccino
34
3k
A Philosophy of Restraint
colly
203
16k
Speed Design
sergeychernyshev
25
620

Transcript

  1. Tendermint KMS + Tony Arcieri · Rust in Blockchain ·

    July 17th, 2019 0 ∞ S C I S S B

  2. Tony Arcieri Hello! @bascule

  3. @iqlusioninc

  4. Today's Talk • Tendermint KMS: HSM-backed multi-chain key management system

    for Tendermint blockchains • Signatory: multi-provider digital signature library for Rust • yubihsm.rs: pure Rust client for Yubico YubiHSM2 • Abscissa: security-oriented Rust application framework

  5. Tendermint KMS Key Management System for Tendermint Blockchains https://github.com/tendermint/kms/

  6. • BFT protocol and consensus engine for blockchain applications, i.e

    "Raft for BFT" • Designed for Proof-of-Stake: security through network of validators / block proposers which sign blocks (Ed25519) • Application Blockchain Interface (ABCI): 
 pluggable applications with arbitrary validation logic • Multiple production networks deployed:
 Cosmos Hub, IRIS Network, Terra Tendermint

  7. • Secure key storage for Tendermint validators:
 support for YubiHSM2,

    Ledger, and software-backed keys • Centralized signing service for multiple networks:
 validators can spin up new Tendermint networks without having to provision additional HSM hardware • Double-signing prevention: prevents validators from signing repeatedly at the same block height (and getting slashed) • Deployed in production: by multiple Tendermint validators Tendermint KMS
  8. None

  9. Multi-provider Rust Digital Signature Library Signatory https://github.com/tendermint/signatory/

  10. • Digital signature abstractions: traits for signing and verifying digital

    signatures with support for both ECDSA and Ed25519 algorithms • Support for popular Rust signing crates: wrappers for the following: • ed25519-dalek • ring • secp256k1 (FFI wrapper for libsecp256k1) • sodiumoxide (FFI wrapper for libsodium) • HSM-friendly abstractions: supports the following HSM options • YubiHSM2 • Ledger (Tendermint only) Signatory

  11. Pure-Rust client library for YubiHSM2s yubihsm.rs https://github.com/tendermint/yubihsm-rs/

  12. yubihsm.rs • Pure Rust: (re)implementation of the YubiHSM2 SDK and

    Secure Connection (SCP03) protocol with USB support • Most commands supported: ECDSA, Ed25519, key wrapping (encrypted export/import), HMAC, auditing • Mock HSM support: software reimplementation of the YubiHSM2 for testing and CI

  13. 0 ∞ S C I S S B Security-oriented Rust

    application framework https://github.com/iqlusioninc/abscissa/

  14. x abscissa

  15. None

  16. IT WAS TOTALLY INVISIBLE HOWS THAT POSSIBLE ? THEY USED

    THE EARTHS MAGNETIC FIELD X THE INFORMATION WAS GATHERED AND TRANSMITTED UNDERGRUUND TO AN UNKNOWN LOCATION X DOES LANGLEY KNOW ABOUT THIS ? THEY SHOULD ITS BURIED OUT THERE SOMEWHERE X WHO KNOWS THE EXACT LOCATION ? ONLY WW THIS WAS HIS LAST MESSAGE X THIRTY EIGHT DEGREES FIFTY SEVEN MINUTES SIX POINT FIVE SECONDS NORTH SEVENTY SEVEN DEGREES EIGHT MINUTES FORTY FOUR SECONDS WEST X LAYER TWO Kryptos K2

  17. • Framework for CLI apps or network services • Maximize

    features while minimizing dependencies • Strong focus on security (particularly dependencies) • Particularly interesting for blockchain applications 0 ∞ S C I S S B https://github.com/iqlusioninc/abscissa/

  18. • Tendermint KMS • cargo-audit (RustSec) • Zcash Foundation "zebra"

    • Multiple internal iqlusion tools (OSS TBA) 0 ∞ S C I S S B Used by the following projects:

  19. • command-line option parsing: simple declarative option parser based on

    gumdrop • components: ECS-like component architecture with hooks into the application lifecycle • configuration: parses TOML configurations files using serde • error handling: generic Error type based on the failure crate • logging: integrated logging subsystem based on the log crate • secrets management: optional Secret type (from the secrecy crate) which can be used to represent secret values parsed from configuration files or elsewhere • terminal interactions: support for colored terminal output 0 ∞ S C I S S B

  20. $ cargo install abscissa 0 ∞ S C I S

    S B

  21. $ abscissa new my_application_name 0 ∞ S C I S

    S B

  22. 0 ∞ S C I S S B

  23. Abscissa blog post tomorrow! Want to know more? https://iqlusion.blog

  24. Thanks for coming!

  25. Links • Twitter: @bascule @iqlusioninc • iqlusion blog: https://iqlusion.blog •

    Abscissa: https://github.com/iqlusioninc/abscissa/ • Tendermint KMS: https://github.com/tendermint/kms/ • Signatory: https://github.com/tendermint/signatory/ • yubihsm.rs: https://github.com/tendermint/yubihsm-rs/