What's New in Go Crypto - Gotham Go

Post on 15-Apr-2017


Transcript of What's New in Go Crypto - Gotham Go

What’s new in Go Crypto?
Nick Sullivan (@grittygrease)

GothamGo

October 2, 2015

Go’s Crypto Packages

AES, DES, RC4
RSA, ECDSA

SHA-1, SHA-2

HMAC

Go’s Crypto Packages

X.509

TLS


Who gits the blame?

Commits by author (git blame across the crypto packages):

21202 Adam Langley
 5099 David Crawshaw
 3901 Russ Cox
 1576 Yasuhiro Matsumoto
 1542 Vlad Krasnov
 1216 Joel Sing
 1190 Robert Griesemer
  653 Nan Deng
  641 Dave Cheney
  610 Mikkel Krautz
  560 Kyle Isom
  557 Rob Pike
  553 Jonathan Rodenberg
  499 Shenghou Ma
  397 Gautham Thambidorai
  395 Brad Fitzpatrick
  389 Nevins Bartolomeo
  351 Jacob H. Haven
  345 Han-Wen Nienhuys
  330 Luit van Drongelen
  317 Rémy Oudompheng
  282 Conrad Meyer
  281 Taru Karttunen
  280 Paul van Brouwershaven
  260 David Leon Gil
  241 Roger Peppe
  233 Nick Craig-Wood
  219 Benjamin Black
  211 Jeff Wendling
  196 Anthony Martin
  167 Andy Davis
  159 Peter Mundy
  153 Jeff R. Allen
  152 Josh Bleecher Snyder
  151 Shawn Smith
  123 Nick Sullivan


Highlighted on the same list:

1542 Vlad Krasnov
 560 Kyle Isom
 351 Jacob H. Haven
 123 Nick Sullivan

[Timeline figure: Go releases 1.0 (2012), 1.1 and 1.2 (2013), 1.3 and 1.4 (2014), 1.5 (2015), continuing into 2016. Cloudflare projects placed on it: rrdns, cfssl, gokeyless, railgun]

Railgun: Defying Physics on the Web

[Timeline figure: railgun]

Encrypted with TLS…huge CPU hog

[Timeline figure: railgun; annotation: Go Crypto RC4]

Vlad The Compiler

• Assembly implementation of AES-GCM

• In Go master in time for 1.6

Vlad The Compiler

AES-GCM Performance

benchmark               old MB/s   new MB/s   speedup
BenchmarkAESGCMSeal8K      89.31    2559.62    28.66x
BenchmarkAESGCMOpen8K      89.54    2463.78    27.52x
BenchmarkAESGCMSeal1K      86.24    1872.49    21.71x
BenchmarkAESGCMOpen1K      86.53    1721.78    19.90x

AES-GCM Assembly

if hasGCMAsm() {
	return &aesCipherGCM{c}, nil
}

src/crypto/aes/gcm_amd64.s

[Timeline figure: railgun; annotations: Go Crypto RC4, MorsingTime, Go Crypto AES-GCM, Use CSRs, ECDSA Certs]

CFSSL: Full-featured CA

X.509 Certificate Chain Bundler
TLS configuration scanner

[Timeline figure: CFSSL]

How Railguns Get Keys

PKI for the whole internal infrastructure

[Timeline figure: CFSSL; annotations: ECDSA support in x509, CSR Support, Open Source]

crypto.Signer: a private key interface

type Signer interface {
	Public() PublicKey
	Sign(rand io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error)
}

rsa.PrivateKey and ecdsa.PrivateKey both implement Signer

PKCS#11: github.com/cloudflare/cfssl/crypto/pkcs11key

type PKCS11Key struct {
	module           *pkcs11.Ctx
	slotDescription  string
	pin              string
	publicKey        rsa.PublicKey
	privateKeyHandle pkcs11.ObjectHandle
}


PKCS#11

func (ps *PKCS11Key) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
	// Verify that the length of the hash is as expected
	hash := opts.HashFunc()
	hashLen := hash.Size()
	if len(msg) != hashLen {
		err = errors.New("input size does not match hash function output size")
		return
	}

	// Add DigestInfo prefix
	mechanism := []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS, nil)}
	prefix, ok := hashPrefixes[hash]
	if !ok {
		err = errors.New("unknown hash function")
		return
	}
	signatureInput := append(prefix, msg...)

	// Open a session
	session, err := ps.openSession()
	if err != nil {
		return
	}
	defer ps.closeSession(session)

	// Perform the sign operation
	err = ps.module.SignInit(session, mechanism, ps.privateKeyHandle)
	if err != nil {
		return
	}
	signature, err = ps.module.Sign(session, signatureInput)
	return
}

[Timeline figure: CFSSL; annotations: ECDSA support in x509, CSR Support, crypto.Signer interface, PKCS#11 Support, Open Source]

RRDNS: Authoritative DNS Server and DNS Proxy

[Timeline figure: rrdns]

Authoritative Servers

Cache Poisoning (Kaminsky’s attack)

[Diagram: Resolver and Authoritative Server]
Q: what is the IP address of cloudflare.com
A: 198.41.213.157 (the authoritative server's answer)
A: 6.6.6.6, A: 6.6.6.6, A: 6.6.6.6 … (repeated spoofed answers)

Man-in-the-middle

[Diagram: Resolver and Authoritative Server]
Q: what is the IP address of cloudflare.com
A: 198.41.213.157 → A: 6.6.6.6 (answer altered in transit)

Solution: DNSSEC (done right)

Digital signatures in the DNS
Live-signed answers
Elliptic curve keys

github.com/cloudflare/go

• Assembly implementation of P256

• In Go: soon… copyright issues with Intel

Vlad The Compiler

P256 Performance Improvement

ECDSA Sign: 21X

ECDSA Verify: 9X

BaseMult (ECDH): 30X

[Timeline figure: rrdns; annotations: FilippoTime, DNSSEC Prototype, P256 ASM, DNSSEC Beta, crypto.Signer, ???]

gokeyless: taking the private key out of TLS

TLS in RSA mode
[Diagram; label: Private Key]

TLS in RSA mode - Keyless
[Diagram; label: Private Key]

Geography of TLS
[Diagram]

Geography of Keyless SSL
[Diagram]

[Timeline figure: gokeyless; annotations: keyless (C), HavenTime]

New interface: crypto.Decrypter

type Signer interface {
	Public() PublicKey
	Sign(rand io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error)
}

type Decrypter interface {
	Public() PublicKey
	Decrypt(rand io.Reader, msg []byte, opts DecrypterOpts) (plaintext []byte, err error)
}

Using it in TLS

return &tls.Config{
	Certificates: []tls.Certificate{cert},
	RootCAs:      SystemRoots,
	ServerName:   host,
	CipherSuites: CipherSuites,
	MinVersion:   tls.VersionTLS12,
}

type Certificate struct {
	Certificate                 [][]byte
	PrivateKey                  crypto.PrivateKey
	OCSPStaple                  []byte
	SignedCertificateTimestamps [][]byte
	Leaf                        *x509.Certificate
}

github.com/cloudflare/go

• Assembly implementation of RSA

• In Go 1.5

Vlad The Compiler

RSA Performance

benchmark                  old ns/op   new ns/op   delta
BenchmarkRSA2048Decrypt      6696649     3073769   -54.10%

New additions to Go 1.5

crypto.Decrypter, crypto.Signer support in x509, tls
AES_256_GCM_SHA384 cipher suites
Faster RSA operations

[Timeline figure: gokeyless; annotations: keyless (C), opaque keys in TLS, HavenTime, AES 256, RSA ASM]

This is now possible in Go:

TLS load balancer backed by hardware (PKCS#11, TPM coming soon)
Arbitrary RSA/ECDSA implementations


[Timeline figure: rrdns, cfssl, gokeyless, railgun]

❤ Go Crypto
