
Thoughts on Rust Cryptography

tarcieri
December 19, 2014


Bay Area Rust Meetup - Mozilla SF (2014)

Video: https://www.youtube.com/watch?v=fO_ox-DGDqw


Transcript

1. This Talk
   • 2014: This year in cryptography
   • Is Rust a good language for crypto?
   • Survey of the Rust crypto landscape
   • A Rust common crypto library
   • Measuring timing variability in Rust

2. 2014: This year in cryptography
   • Java: Bleichenbacher OOB MitM (JCE)
   • Apple: “goto fail” MitM (SecureTransport)
   • GnuTLS: “goto cleanup” MitM
   • OpenSSL: “Heartbleed” memory exposure
   • TLS: Triple-Handshake MitM
   • NSS: “BERserk” MitM (Firefox/Chrome)
   • SSLv3: “POODLE” ciphertext recovery
   • Microsoft: “Winshock” RCE (SChannel)

3. Same list, one callout added: “POODLE” now covers TLS as well as SSLv3
   • Java: Bleichenbacher OOB MitM (JCE)
   • Apple: “goto fail” MitM (SecureTransport)
   • GnuTLS: “goto cleanup” MitM
   • OpenSSL: “Heartbleed” memory exposure
   • TLS: Triple-Handshake MitM
   • NSS: “BERserk” MitM (Firefox/Chrome)
   • SSLv3 (and TLS): “POODLE” ciphertext recovery
   • Microsoft: “Winshock” RCE (SChannel)
   BITES AGAIN!!!

4. Same list, callout: SSL/TLS Design Flaws
   • Java: Bleichenbacher OOB MitM (JCE)
   • Apple: “goto fail” MitM (SecureTransport)
   • GnuTLS: “goto cleanup” MitM
   • OpenSSL: “Heartbleed” memory exposure
   • TLS: Triple-Handshake MitM
   • NSS: “BERserk” MitM (Firefox/Chrome)
   • SSLv3 (and TLS): “POODLE” ciphertext recovery
   • Microsoft: “Winshock” RCE (SChannel)
   SSL/TLS Design Flaws

7. Same list, callout: C is a crappy language
   • Java: Bleichenbacher OOB MitM (JCE)
   • Apple: “goto fail” MitM (SecureTransport)
   • GnuTLS: “goto cleanup” MitM
   • OpenSSL: “Heartbleed” memory exposure
   • TLS: Triple-Handshake MitM
   • NSS: “BERserk” MitM (Firefox/Chrome)
   • SSLv3 (and TLS): “POODLE” ciphertext recovery
   • Microsoft: “Winshock” RCE (SChannel)
   C is a crappy language

8. Things that might help
   • Dead code detection
   • Mandatory braces
   • Automatic resource management
   • No goto statement
   • true/false (and better ways of handling errors)
   • Memory safety

9. Things Rust has
   • Dead code detection
   • Mandatory braces
   • Automatic resource management
   • No goto statement
   • true/false (and better ways of handling errors)
   • Memory safety

10. "In this sense, the attacks do not pose a significant danger to ordinary users of TLS in their current form. However, it is a truism that attacks only get better with time, and we cannot anticipate what improvements to our attacks, or entirely new attacks, may yet be discovered."
    — Nadhem J. AlFardan and Kenneth G. Paterson

11. Cryptocoding.net Rules
   • Compare secret strings in constant time
   • Avoid branchings controlled by secret data
   • Avoid table look-ups indexed by secret data
   • Avoid secret-dependent loop bounds
   • Prevent compiler interference with security-critical operations
   • Prevent confusion between secure and insecure APIs
   • Avoid mixing security and abstraction levels of cryptographic primitives in the same API layer
   • Use unsigned bytes to represent binary data
   • Use separate types for secret and non-secret information
   • Use separate types for different types of information
   • Clean memory of secret data
   • Use strong randomness

12. Constant Time Operation
   • Compare secret strings in constant time
   • Avoid branchings controlled by secret data
   • Avoid table look-ups indexed by secret data
   • Avoid secret-dependent loop bounds

13. Clear Abstractions
   • Prevent confusion between secure and insecure APIs
   • Avoid mixing security and abstraction levels of cryptographic primitives in the same API layer

14. Types!
   • Use unsigned bytes to represent binary data
   • Use separate types for secret and non-secret information
   • Use separate types for different types of information

15. libsodium
   • Portable repackaging of the Networking and Cryptography Library (NaCl, a.k.a. “salt”)
   • Includes Ed25519 and ChaCha20
   • Includes the scrypt password hashing function
   • Includes the Blake2 hash function
   • Includes SipHash
   • Some optional libsodium-specific utility functions

16. rust-crypto
   • Promising start!
   • Some good implementations
   • Some questionable implementations
   • Sometimes they’re the same!

17. rust-crypto tl;dr
   • Good effort!
   • No immediate security problems on cursory inspection
   • Clear signs the code has not been well-reviewed
   • Needs more expert scrutiny to be trusted

18. Protect Keys!
   • mprotect! PROT_NONE guard pages
   • mlock! prevents keys from being swapped out
   • volatile zero on drop

19. Warning: While this library tries to avoid branches or input-dependent memory operations, the code optimizer may reintroduce them and you should carefully verify the assembly in order to use this.

20. Rust Common Crypto
   • Handle zeroing buffers on drop
   • Protected buffers for keys (à la TARS)
   • Traits! Traits! Traits!
   • Constant-time primitives (à la Nadeko)

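The rules on slides 12 and 14 and the zero-on-drop point of slides 18 and 20 combined into one added Rust example (not code from the talk, TARS or Nadeko): a branch-free comparison, a volatile wipe, and a dedicated secret type that wipes itself and refuses to print. Names (`ct_eq`, `zeroize`, `SecretKey`) and the 32-byte key size are assumptions for the illustration.

```rust
use std::fmt;
use std::hint::black_box;
use std::ptr::write_volatile;
use std::sync::atomic::{compiler_fence, Ordering};

/// Compare two byte strings with no early exit: every byte is XORed and
/// OR-accumulated, so the work done does not depend on where (or whether)
/// the inputs differ. Lengths are assumed public (e.g. a fixed-size MAC tag).
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    // black_box is an optimization barrier; as the "Warning" slide says,
    // the emitted assembly must still be checked to confirm LLVM kept it.
    black_box(diff) == 0
}

/// Overwrite a buffer with zeros via volatile stores, so the compiler cannot
/// discard the writes as dead stores into memory that is about to be freed.
pub fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        unsafe { write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// A distinct type for secret material: it cannot be passed where public
/// bytes are expected, it refuses to print its contents, and it wipes itself on drop.
pub struct SecretKey([u8; 32]);

impl SecretKey {
    pub fn new(bytes: [u8; 32]) -> Self { SecretKey(bytes) }
    pub fn ct_eq(&self, other: &SecretKey) -> bool { ct_eq(&self.0, &other.0) }
}

impl fmt::Debug for SecretKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SecretKey([REDACTED])")
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        zeroize(&mut self.0);
    }
}
```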
21. Common crypto library
   • Common foundation for all crypto libraries
   • Solve unsafe concerns in one place
   • Solve constant-time operation in one place
   • Promote interoperability

22. Modern CPU
   • Example clock speed: 2.5 GHz
   • 2,500,000,000 CPU cycles per second
   • 0.4 nanoseconds per cycle
   • 400 picoseconds per cycle

23. Cyclometer
   • Automated testing for data-dependent timing variability in Rust cryptographic libraries
   • Use RDTSC to measure timing
   • Collect a large number of samples and apply a statistical test (e.g. Box Test) to determine if the timing variability is distinguishable

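The Cyclometer approach in miniature, as an added Rust example that is not Cyclometer's own code: read RDTSC around each call, collect many samples per input class, and compare the low-quantile "boxes" of the two distributions. The box test here is a simplified version of the one the slide names, the non-x86_64 clock fallback is our own, and `sample`, `quantile_box` and `distinguishable` are assumed names.

```rust
use std::hint::black_box;

/// Cycle counter: RDTSC on x86_64 as in the talk; on other targets a
/// nanosecond clock stands in (our portable fallback, not Cyclometer's).
#[cfg(target_arch = "x86_64")]
fn cycles() -> u64 {
    unsafe { core::arch::x86_64::_rdtsc() }
}
#[cfg(not(target_arch = "x86_64"))]
fn cycles() -> u64 {
    let t = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH);
    t.map(|d| d.as_nanos() as u64).unwrap_or(0)
}

/// Time `f(a, b)` n times and return the per-call cycle counts.
pub fn sample<F: Fn(&[u8], &[u8]) -> bool>(f: &F, a: &[u8], b: &[u8], n: usize) -> Vec<u64> {
    (0..n).map(|_| {
        let start = cycles();
        black_box(f(black_box(a), black_box(b)));
        cycles().wrapping_sub(start)
    }).collect()
}

/// Low-quantile "box" [lo_pct, hi_pct] of a non-empty sample set. Timing
/// noise only ever adds cycles, so the low quantiles are the stable part.
pub fn quantile_box(samples: &[u64], lo_pct: usize, hi_pct: usize) -> (u64, u64) {
    let mut s = samples.to_vec();
    s.sort_unstable();
    let idx = |p: usize| (s.len() - 1) * p / 100;
    (s[idx(lo_pct)], s[idx(hi_pct)])
}

/// Simplified box test: two input classes are distinguishable by timing
/// when their low-quantile boxes do not overlap.
pub fn distinguishable(x: &[u64], y: &[u64]) -> bool {
    let (xl, xh) = quantile_box(x, 5, 15);
    let (yl, yh) = quantile_box(y, 5, 15);
    xh < yl || yh < xl
}

fn main() {
    // Constructed inputs: a tag against itself vs. one differing in byte 0,
    // compared with std's early-exit slice equality (the behaviour to detect).
    let tag = [0x42u8; 32];
    let mut wrong = tag;
    wrong[0] ^= 1;
    let eq = |a: &[u8], b: &[u8]| a == b;
    let same = sample(&eq, &tag, &tag, 20_000);
    let diff = sample(&eq, &tag, &wrong, 20_000);
    println!("equal {:?} mismatch {:?} distinguishable: {}", quantile_box(&same, 5, 15),
        quantile_box(&diff, 5, 15), distinguishable(&same, &diff));
}
```

Whether the two classes separate on a given machine depends on noise and on what LLVM emitted for the comparison, which is exactly why the slide says to collect many samples and look at the statistics rather than a single run.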
24. Final thoughts
   • Rust has immense potential for cryptography but we must tread carefully
   • Rust code without any branches isn’t necessarily constant time. Beware LLVM!
   • Stick with wrappers to mainstream crypto libraries until pure Rust crypto is more mature