fed up getting shattered and log jammed? a new … up getting shattered and log jammed? david wong a...
TRANSCRIPT
Fed Up Getting Shattered and Log Jammed?
David Wong
A New Generation of Crypto is Coming
Snefru
MD4
Snefru
MD4
Snefru
MD4
MD5
SHA-1
SHA-2
Merkle–Damgård
Snefru
MD4
MD5
SHA-1
SHA-2
Merkle–Damgård
Snefru
MD5
SHA-1
SHA-2
Merkle–Damgård
MD4
Snefru
MD5
SHA-1
SHA-2
Merkle–Damgård
MD4
KeccakBLAKE, Grøstl, JH, Skein
outline
• 1. Intro • 2. SHA-3 • 3. Strobe, a protocol framework derived from SHA-3 • 4. Noise, a full protocol framework not derived from SHA-3 • 5. Strobe + Noise = Disco
Part I: SHA-3 Big things have small beginnings
f
permutation-based cryptography
AES
AES is a permutation
input
output
AES
AES is a permutation
input
output
key
0000000000000000
f
Sponge Construction
f
Sponge Construction
0
0
0
0
0
0
0
0
0
1
0
1
1
0
0
1
f
Sponge Construction
r
c
0
0
0
0
0
0
0
0
0
1
0
1
1
0
0
1
f
Sponge Construction
AES key
0000000000000000
r cr
c
0
0
0
0
0
0
0
0
0
1
0
1
1
0
0
1
f
message
⊕
Sponge Construction
0
0
0
0
0
0
0
0
1
1
1
0
0
0
1
0
f
message
⊕ ⊕
Sponge Construction
0
0
0
0
0
0
0
0
f
⊕ ⊕
f
Sponge Construction
0
0
0
0
0
0
0
0
message
f
⊕ ⊕
f
⊕
Sponge Construction
0
0
0
0
0
0
0
0
message
f
⊕ ⊕
f
⊕
f
Sponge Construction
0
0
0
0
0
0
0
0
message
f
⊕ ⊕
f
⊕
f
absorbing
Sponge Construction
0
0
0
0
0
0
0
0
message
absorbing
0
0
0
0
0
0
0
0
f
⊕ ⊕
f
⊕
f
output
Sponge Construction
message
absorbing
0
0
0
0
0
0
0
0
f
⊕ ⊕
f
⊕
f f
Sponge Construction
message output
absorbing
0
0
0
0
0
0
0
0
f
⊕ ⊕
f
⊕
f f
Sponge Construction
message output
absorbing
0
0
0
0
0
0
0
0
f
⊕ ⊕
f
⊕
f f f
Sponge Construction
message output
f
⊕ ⊕
f
⊕
f f f
squeezing
Sponge Construction
absorbing
0
0
0
0
0
0
0
0
message output
Part II: Strobe From SHA-3 to protocols
Sponge Construction
f
⊕ ⊕
f
⊕
f f f
squeezingabsorbing
0
0
0
0
0
0
0
0
message output
f
input
⊕
init
output
duplexing
Duplex Construction
f
input
⊕
output
duplexing
f
input output
duplexing
⊕
0
0
0
0
0
0
0
0
Keyed-mode
f
key
⊕
init duplexing
0
0
0
0
0
0
0
0
Keyed-mode
f
key
⊕
init duplexing
0
0
0
0
0
0
0
0
secret part
leak
f
key
⊕
init duplexing
0
0
0
0
0
0
0
0
ciphertext1
plaintext1⊕
Encryption
f
key
⊕
init duplexing
0
0
0
0
0
0
0
0
ciphertext1
plaintext1⊕
f
⊕
tag1
duplexing
Authenticated Encryption
f
key
⊕
init duplexing
0
0
0
0
0
0
0
0
ciphertext1
plaintext1⊕
f
⊕
tag1
duplexing
f
ciphertext2
duplexing
f
⊕
tag2
duplexing
plaintext2⊕
Sessions
myProtocol = Strobe_init(“myWebsite.com”)
myProtocol.AD(sharedSecret)
buffer = myProtocol.send_ENC(“GET /”)
buffer += myProtocol.send_MAC(len=16)
// send the buffer
// receive a ciphertext
message = myProtocol.recv_ENC(ciphertext[:-16])
ok = myProtocol.recv_MAC(ciphertext[-16:])
if !ok {
// reset the connection
}
Strobe
buffer = myProtocol.send_ENC(plaintext1)
buffer += myProtocol.send_MAC(len=16)
// send the buffer
buffer = myProtocol.send_ENC(plaintext2)
buffer += myProtocol.send_MAC(len=16)
// send the buffer
buffer = myProtocol.send_ENC(plaintext3)
buffer += myProtocol.send_MAC(len=16)
// send the buffer
buffer = myProtocol.send_ENC(plaintext4)
buffer += myProtocol.send_MAC(len=16)
// send the buffer
Strobe
myHash = Strobe_init(“hash”)
myHash.AD(“something to be hashed”)
hash = myHash.PRF(outputLen=16)
Hash Function
KDF = Strobe_init(“deriving keys”)
KDF.AD(keyExchangeOutput)
keys = KDF.PRF(outputLen=32)
key1 = keys[:16]
key2 = keys[16:]
Key Derivation Function
init
0
0
0
0
0
0
0
0
operation = AD
⊕
init
0
0
0
0
0
0
0
0
operation = AD
⊕
data = 010100…
init
0
0
0
0
0
0
0
0
operation = AD
⊕
data = 010100…
⊕
operation = send_ENC
init
0
0
0
0
0
0
0
0
operation = AD
⊕
data = 010100…
f
⊕
operation = send_ENC
init
0
0
0
0
0
0
0
0
operation = AD
⊕
data = 010100…
f
⊕
operation = send_ENC
data = hello
⊕
ciphertext
init
0
0
0
0
0
0
0
0
operation = AD
⊕
data = 010100…
f f
⊕
operation = send_ENC
data = hello
⊕
ciphertextlen = 16
tag
⊕
operation = send_MAC
init
0
0
0
0
0
0
0
0
operation = AD
⊕
data = 010100…
f f
⊕
operation = send_ENC
data = hello
⊕
ciphertextlen = 16
tag
⊕
operation = send_MAC
send_AEAD
Strobe
• flexible framework to support a large number of protocols • large symmetric cryptography library • fits into tiny IoT devices (less than 1000 lines of code) • relies on strong SHA-3 standard
Part III: NoiseA modern protocol framework
TLS• TLS is the de facto standard for securing communications • complex specification
• supported by other complex specs (asn.1, x509, extensions, …) • design carrying a lot of legacy decisions • huge and scary libraries
• cumbersome configuration… • often dangerously re-implemented (custom implementations)
• or re-invented (proprietary protocols)
Complexity is the enemy of security
The Noise Protocol Framework• it’s a protocol framework to achieve something like TLS • “easy” to understand, to analyze, to extend and to implement • no need for a PKI • many handshakes to choose from (flexible) • it’s straight forward to implement (<2k LOC)
• and small (18kb for Arduino by Virgil Security) • there are already libraries that you can leverage • minimal (or zero) configuration • if you have a good excuse not to use TLS, Noise is the answer
• DH
• 25519
• 448
The crypto functions
• AEAD
• Chacha20-Poly1305
• AES-GCM
• HASH
• SHA-256
• SHA-512
• BLAKE2s
• BLAKE2b
A simple state machine
ephemeral key
ephemeral key
Client Server
handshake
A simple state machine
ephemeral key
ephemeral key
Client Server
handshakeDiffie-Hellman() Diffie-Hellman()
keys keys
A simple state machine
ephemeral key
ephemeral key
Client Server
handshake
encrypted data
encrypted data
post-handshake
Diffie-Hellman() Diffie-Hellman()
keys keys
A simple state machine
e
e
Client Server
handshake
encrypted data
encrypted data
post-handshake
ee ee
keys keys
Handshake Patterns
→ e ← e, ee
→ e ← e, ee
Noise_NN():
Handshake Patterns
• e: ephemeral key
• s: static key
• ee: DH(client ephemeral key, server ephemeral key)
• es: DH(client ephemeral key, server static key)
• se: DH(client static key, server ephemeral key)
• ss: DH(client static key, server static key)
• psk: pre-shared key
Tokens
Handshake Pattern
Noise_NX(rs): → e ← e, ee, s, es
No static key for the client
Static key for the server Xmitted ("transmitted") to the client
Noise_NX(rs): → e ← e, ee, s, es
Client Server
Noise_NX(rs): → e ← e, ee, s, es
epublic
Client Server
Noise_NX(rs): → e ← e, ee, s, es
payload1
epublic
Client Server
Noise_NX(rs): → e ← e, ee, s, es
republic
epublic
Client Server
payload1
Noise_NX(rs): → e ← e, ee, s, es
republic
epublic
Client Server
payload1
Noise_NX(rs): → e ← e, ee, s, es
republic
EK1(s)
epublic
Client Server
payload1
Noise_NX(rs): → e ← e, ee, s, es
republic
EK1(s)
epublic
Client Server
payload1
republic
EK1(s)
EK2(payload2)
epublic
Client Server
Noise_NX(rs): → e ← e, ee, s, es
payload1
HandshakeStateSymmetricStateCipherState
epublic
payload1
republic
Ek1(rspublic)
HKDF
DH(e, re)
ckn=0 k1
e GENERATE_KEYPAIR()
Initializationck h “Noise_NX_25519_AESGCM_SHA256”HASH
h
e.public_keyHASH
re.public_keyHASH
h rs DecryptWithAd() Ek1(rspublic)
h
HASH
h
Ek1(rspublic)
HASH
h
payload1
CipherState
HKDF
k
k
n=0
n=0
CipherStateEk2(payload2)
re republicHKDF
DH(e, rs)
ckn=0 k2
DecryptWithAd() Ek2(payload2)
h
payload2
HASH
h
Ek2(payload2)
Part IV: Noise + Strobe = Disco A modern cryptographic {protocol, library} based on
SHA-3 and Curve25519
HandshakeStateStrobeState
epublic
payload1
republic
E(rspublic)
Initialization
E(payload2)
InitStrobe() “Noise_NX_25519_AESGCM_SHA256”
e GENERATE_KEYPAIR()
send_CLR()payload1
send_CLR() e.public_key
re.public_keyrecv_CLR()republic
recv_AEAD()E(payload2) payload2
AD()DH(e, rs)
rs.public_keyrecv_AEAD()E(rspublic)
StrobeState StrobeState……
AD()DH(e, re)
StrobeState
send_AEAD()
send_AEAD()
send_AEAD()
send_AEAD()
send_AEAD()
send_AEAD()
send_AEAD()
StrobeState
recv_AEAD()
recv_AEAD()
recv_AEAD()
recv_AEAD()
recv_AEAD()
recv_AEAD()
recv_AEAD()
no need for IVs or nonces
HandshakeStateStrobeState
epublic
payload1
republic
E(rspublic), tag
E(payload2), tag
e GENERATE_KEYPAIR()Initialization“Noise_NX_25519_AESGCM_SHA256”⊕
e.public_key⊕payload1⊕
DH(e, re)⊕
DH(e, rs)⊕
re.public_key⊕ republic
tag
rs.public_key
E(rspublic)⊕
rs.public_key
E(rspublic)⊕
tag
• Noise is still a draft • Strobe is alpha (v1.0.2) • Disco is a draft specification extending Noise (experimental) • libDisco is a plug-and-play protocol+library
• the Golang library is here: www.discrocrypto.com • it’s ~1000 lines of code
• ~2000 lines of code with Strobe • +2000 lines of code with X25519
• ⚠ Disco and libdisco are still experimental • we need more eyes, more interoperability testing, …
• ⚠ THIS IS NOT REPLACING TLS
The state of Disco
I write about crypto at www.cryptologie.net
I tweet my mind on twitter.com/lyon01_david
and I work here