cryptocoding v2
JP Aumasson (@veorq)
academic background (EPFL crypto PhD)
principal cryptographer at Kudelski Security, .ch
applied crypto research and outreach
BLAKE, BLAKE2, SipHash, NORX
Crypto Coding Standard
Password Hashing Competition
Open Crypto Audit Project board member
@veorq / http://aumasson.jp
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);
    bp = buffer;
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    memcpy(bp, pl, payload);
    r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
                         3 + payload + padding);
bugs are bad: software crashes, incorrect output, etc.
crypto bugs are really bad: leak of private keys, secret documents, past and future communications, etc.
(ok, not as bad as root RCE exploits...)
threats to individuals' privacy, sometimes lives; organizations' strategies, IP, etc.
Heartbleed, gotofail: "silly bugs" by "experts"
not pure "crypto bugs", but bugs in the crypto:
missing bounds check (Heartbleed), unconditional goto (gotofail)
"But we have static analyzers!"
Heartbleed: not detected (in part due to OpenSSL's complexity)
gotofail: detected (like plenty of other unreachable code)
crypto bugs (and bugs in crypto) vs "standard" security bugs:
less understood
fewer experts
fewer tools
everybody uses OpenSSL, Apple
sometimes, some read the code
many more bugs in code that no one reads
Agenda
1. the poster child: OpenSSL
2. secure crypto coding guidelines
3. conclusion
"OpenSSL s****"?

ASN.1 parsing, CA/CRL management
crypto: RSA, DSA, DH*, ECDH*; AES, CAMELLIA, CAST, DES, IDEA, RC2, RC4, RC5; MD2, MD5, RIPEMD160, SHA*; SRP, CCM, GCM, HMAC, GOST*, PKCS*, PRNG, password hashing, S/MIME
X.509 certificate management, timestamping
some crypto accelerators, hardware tokens
clients and servers for SSL2, SSL3, TLS1.0, TLS1.1, TLS1.2, DTLS1.0, DTLS1.2
SNI, session tickets, etc. etc.
*nix, BeOS, DOS, HP-UX, Mac OS Classic, NetWare, OpenVMS, ULTRIX, VxWorks, Win* (including 16-bit, CE)
OpenSSL is the space shuttle of crypto libraries. It will get you to space, provided you have a team of people to push the ten thousand buttons required to do so.
— Matthew Green
I promise nothing complete; because any human thing supposed to be complete, must for that very reason infallibly be faulty.
— Herman Melville, in Moby Dick
OpenSSL code
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);
    bp = buffer;
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    memcpy(bp, pl, payload);
    r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
                         3 + payload + padding);
payload is not the payload but its length (pl is the payload)
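What the missing check costs, as an added example (not OpenSSL's code): a stand-alone C model of the heartbeat handler with the vulnerable logic next to the fixed one. The hb_record struct, the 64-byte "heap" array, the SECRET string and all function names are constructed for this illustration; the fixed version's check (1 + 2 + payload + 16 > record length) mirrors the one OpenSSL 1.0.1g added.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define HEAP_SIZE        64

/* Hypothetical record as handed up by the record layer: the bytes on the
 * wire plus how many of them really arrived (rrec.length in OpenSSL). */
struct hb_record {
    const uint8_t *data;  /* type(1) | payload_len(2, big-endian) | payload | padding */
    size_t length;
};

/* OpenSSL's n2s/s2n macros, written out as functions. */
static uint16_t n2s(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void s2n(uint16_t v, uint8_t *p) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Vulnerable logic: the length field in the request is trusted, so memcpy
 * reads `payload` bytes from wherever the record happens to sit, past its
 * real end. Returns the number of payload bytes echoed, -1 if out is too small. */
int hb_response_vulnerable(const struct hb_record *rec, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = rec->data;
    uint16_t payload;

    if (*p++ != TLS1_HB_REQUEST) return -1;
    payload = n2s(p);                                   /* attacker-chosen */
    p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > out_cap) return -1; /* bounds out, not rec */
    out[0] = TLS1_HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + 3, p, payload);                        /* over-read past rec->length */
    memset(out + 3 + payload, 0, HB_PADDING);
    return payload;
}

/* Fixed logic: the claimed length is checked against what actually arrived
 * before anything is copied (the check OpenSSL 1.0.1g added). */
int hb_response_fixed(const struct hb_record *rec, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = rec->data;
    uint16_t payload;

    if (rec->length < (size_t)1 + 2 + HB_PADDING) return -1; /* too short to parse */
    if (*p++ != TLS1_HB_REQUEST) return -1;
    payload = n2s(p);
    p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec->length) return -1; /* silently discard */
    if ((size_t)1 + 2 + payload + HB_PADDING > out_cap) return -1;
    out[0] = TLS1_HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return payload;
}

/* Constructed sample: a 64-byte "heap" holding a 2-byte heartbeat ("hi" plus
 * 16 bytes of padding) whose length field claims `claimed` bytes, with a
 * secret placed right after the record. Returns the real record length (21). */
static const char SECRET[] = "SECRET_SESSION_KEY";

size_t build_sample(uint8_t heap[HEAP_SIZE], uint16_t claimed)
{
    memset(heap, 0, HEAP_SIZE);
    heap[0] = TLS1_HB_REQUEST;
    s2n(claimed, heap + 1);
    heap[3] = 'h'; heap[4] = 'i';
    memcpy(heap + 21, SECRET, sizeof SECRET);  /* heap[5..20] is the zero padding */
    return 1 + 2 + 2 + HB_PADDING;
}

/* 1 if the vulnerable handler echoes bytes of the adjacent secret, else 0. */
int vulnerable_leaks_secret(void)
{
    uint8_t heap[HEAP_SIZE], out[128];
    struct hb_record rec;
    int n;
    rec.length = build_sample(heap, 32);
    rec.data = heap;
    n = hb_response_vulnerable(&rec, out, sizeof out);
    /* 32 echoed bytes: "hi", 16 zeros, then 14 bytes from beyond the record */
    return n == 32 && memcmp(out + 3 + 18, "SECRET_SESSION", 14) == 0;
}

/* Fixed handler on a request claiming `claimed` bytes: -1 for the lying
 * request (32), 2 for the honest one (2). */
int fixed_result(uint16_t claimed)
{
    uint8_t heap[HEAP_SIZE], out[128];
    struct hb_record rec;
    rec.length = build_sample(heap, claimed);
    rec.data = heap;
    return hb_response_fixed(&rec, out, sizeof out);
}
```

The over-read stays inside the constructed array here so the program is well defined; on a real server the same memcpy walks into whatever the allocator placed after the record. Note that the vulnerable version does bound its output buffer, which is one reason nothing crashed and no analyzer complained: the missing check is on the input length, not the output.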
courtesy of @OpenSSLFact (Matt Green)
in the RNG:
    /* may compete with other threads */
    state[st_idx++]^=local_md[i];
(crypto/rand/md_rand.c)
https://www.peereboom.us/assl/assl/html/openssl.html
ranting about OpenSSL is easy
we should not blame the devs
let's try to understand..
http://www.openbsd.org/papers/bsdcan14-libressl/mgp00004.html (slide credit: Bob Beck, OpenBSD project)
OpenSSL prioritizes speed, portability, functionalities
at the price of "best efforts" and "dirty tricks"...
/* Quick and dirty OCSP server: read in and parse input request */
/* Quick, cheap and dirty way to discard any device and directory
/* kind of dirty hack for Sun Studio */
#ifdef STD_ERROR_HANDLE /* what a dirty trick! */
/* Dirty trick: read in the ASN1 data into a STACK_OF(ASN1_TYPE):
of lesser priority: usability, security, consistency, robustness
recent effort: https://www.openssl.org/about/secpolicy.html
http://insanecoding.blogspot.gr/2014/04/libressl-good-and-bad.html
crypto by "real programmers" often yields cleaner code, but dubious choices of primitives and/or broken implementations (cf. messaging apps)
it's probably unrealistic to build a better secure/fast/usable/consistent/certified toolkit+lib in reasonable time
what are the alternatives?
really better? (maybe TLS itself is the problem?)
http://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
it’s not just OpenSSL, NSS too...
let's just use closed-source code!
It’s not just OpenSSL, it’s not an open-source thing.
— Bob Beck
open- vs. closed-source software security:
● well-known debate
● no definite answer, depends on lots of factors; see summary on http://en.wikipedia.org/wiki/Open-source_software_security
for crypto, OSS has a better track record
● better assurance against "backdoors"
● flaws in closed-source can often be found in a "black-box" manner
http://www.libressl.org/ https://github.com/libressl-portable/
initiative of the OpenBSD community
big progress in little time
portable version and OpenBSD version
OpenSSL patches unlikely to directly apply
replacement API for OpenSSL “ressl” (WIP)
LibreSSL: still a lot of work needed
fork-unsafety on Linux in LibreSSL's first release...
https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
how to write secure crypto code?
write secure code!
etc.
write secure crypto !=
defend against algorithmic attacks, timing attacks, "misuse" attacks, etc.
?
the best list I found: in NaCl [salt]
http://nacl.cr.yp.to/internals.html
so we tried to help
https://cryptocoding.net
with help from Tanja Lange, Nick Mathewson, Samuel Neves, Diego F. Aranha, etc.
we tried to make the rules simple, in a do-vs.-don’t style
secrets should be kept secret =
do not leak information on the secrets (timing, memory accesses, etc.)
compare strings in constant time
Microsoft C runtime library memcmp implementation:
    EXTERN_C int __cdecl memcmp(const void *Ptr1, const void *Ptr2, size_t Count)
    {
        INT v = 0;
        BYTE *p1 = (BYTE *)Ptr1;
        BYTE *p2 = (BYTE *)Ptr2;

        while(Count-- > 0 && v == 0) {
            v = *(p1++) - *(p2++);
            /* execution time leaks the position of the first difference */
            /* may be exploited to forge MACs (cf. Google Keyczar's bug) */
        }
        return v;
    }
compare strings in constant time
Constant-time comparison function
    int util_cmp_const(const void *a, const void *b, const size_t size)
    {
        const unsigned char *_a = (const unsigned char *) a;
        const unsigned char *_b = (const unsigned char *) b;
        unsigned char result = 0;
        size_t i;

        for (i = 0; i < size; i++)
            result |= _a[i] ^ _b[i];

        /* returns 0 if equal, nonzero otherwise */
        return result;
    }
avoid other potential timing leaks
make
● branchings
● loop bounds
● table lookups
● memory allocations
independent of secrets or user-supplied values (private key, password, heartbeat payload, etc.)
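Branch-free building blocks for the rules above, as an added example (not from cryptocoding.net or the talk): a mask derived from a comparison on secret values, a selection that replaces an if, a table lookup that touches every entry, and a conditional copy. Function names and the 256-entry table are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* 0xFF if x == 0, else 0x00, without branching: (x | -x) has its top bit
 * set exactly when x != 0. */
static uint8_t ct_is_zero_mask(uint32_t x)
{
    return (uint8_t)(((x | (0u - x)) >> 31) - 1);
}

/* 0xFF if a == b, else 0x00. */
static uint8_t ct_eq_mask(uint32_t a, uint32_t b)
{
    return ct_is_zero_mask(a ^ b);
}

/* a if mask == 0xFF, b if mask == 0x00: a branch replaced by masking. */
uint8_t ct_select_u8(uint8_t mask, uint8_t a, uint8_t b)
{
    return (uint8_t)((a & mask) | (b & (uint8_t)~mask));
}

/* Table lookup that reads every entry, so neither the iteration count nor
 * the addresses touched (hence cache state) depend on secret_index. */
uint8_t ct_lookup_u8(const uint8_t *table, size_t n, size_t secret_index)
{
    uint8_t result = 0;
    size_t i;
    for (i = 0; i < n; i++)
        result |= table[i] & ct_eq_mask((uint32_t)i, (uint32_t)secret_index);
    return result;
}

/* Copy src over dst if and only if mask == 0xFF; the loop runs identically
 * either way. Typical use: after a secret-dependent check (e.g. bad padding)
 * replace the plaintext by a fallback without branching on the verdict. */
void ct_memcpy_if(uint8_t mask, uint8_t *dst, const uint8_t *src, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        dst[i] = ct_select_u8(mask, src[i], dst[i]);
}

/* Self-check: ct_lookup_u8 agrees with a direct index into a constructed
 * 256-entry table (table[i] = 7*i + 3 mod 256) for every index. Returns 1. */
int demo_lookup_matches_direct(void)
{
    uint8_t table[256];
    size_t i;
    for (i = 0; i < 256; i++) table[i] = (uint8_t)(7 * i + 3);
    for (i = 0; i < 256; i++)
        if (ct_lookup_u8(table, 256, i) != table[i]) return 0;
    return 1;
}

/* Self-check: conditional copy with a "false" mask leaves dst untouched and
 * with a "true" mask installs the fallback. Returns 1 if both hold. */
int demo_memcpy_if(void)
{
    const uint8_t fallback[4] = { 0xAA, 0xBB, 0xCC, 0xDD };
    uint8_t buf[4] = { 1, 2, 3, 4 };
    size_t i;

    ct_memcpy_if(ct_eq_mask(5, 6), buf, fallback, 4);   /* 5 != 6: keep buf */
    for (i = 0; i < 4; i++) if (buf[i] != i + 1) return 0;
    ct_memcpy_if(ct_eq_mask(6, 6), buf, fallback, 4);   /* 6 == 6: take fallback */
    for (i = 0; i < 4; i++) if (buf[i] != fallback[i]) return 0;
    return 1;
}
```

Two caveats: a compiler is free to turn these masks back into branches, so inspect the generated assembly for the target in question; and reading the whole table fixes the address pattern but does not, by itself, close every microarchitectural side channel.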
prevent compiler interference with security-critical operations
Tor vs MS Visual C++ 2010 optimizations
    int
    crypto_pk_private_sign_digest(...)
    {
        char digest[DIGEST_LEN];
        (...)
        /* operations involving secret digest */
        memset(digest, 0, sizeof(digest)); /* dead store: digest is never read again, so the optimizer drops it */
        return r;
    }
a solution: C11's memset_s()
clean memory of secret data (keys, round keys, internal states, etc.)
Data in stack or heap may leak through crash dumps, memory reuse, hibernate files, etc.
Windows' SecureZeroMemory()
OpenSSL's OPENSSL_cleanse()
    void burn(void *v, size_t n)
    {
        volatile unsigned char *p = (volatile unsigned char *)v;
        while (n--) *p++ = 0;
    }
last but not least
Randomness everywhere
key generation and key agreement
symmetric encryption (CBC, etc.)
RSA OAEP, El Gamal, (EC)DSA
side-channel defenses
etc. etc.
Netscape, 1996: ~47-bit security thanks to
    RNG_GenerateRandomBytes() {
        return (..) /* something that depends only on
                       ● microseconds time
                       ● PID and PPID */
    }
Mediawiki, 2012: 32-bit Mersenne Twister seed
*nix: /dev/urandom
example: get a random 32-bit integer
    #include <fcntl.h>
    #include <stdio.h>
    #include <unistd.h>

    int random_int32(void)
    {
        int randint;
        ssize_t bytes_read;
        int fd = open("/dev/urandom", O_RDONLY);
        if (fd != -1) {
            bytes_read = read(fd, &randint, sizeof(randint));
            if (bytes_read != sizeof(randint)) {
                close(fd);      /* short read: fail, but do not leak the fd */
                return -1;
            }
        } else {
            return -2;
        }
        printf("%08x\n", randint);
        close(fd);
        return 0;
    }
more checks needed to ensure sanity of urandom... (see LibreSSL's getentropy_urandom)
"but /dev/random is better! it blocks!"
/dev/random may do more harm than good to your application, since
● blockings may be mishandled
● /dev/urandom is safe on reasonable OS'
Linux is introducing a syscall: getrandom(2)
http://lists.openwall.net/linux-kernel/2014/07/17/235
Win*: CryptGenRandom
    #include <windows.h>
    #include <wincrypt.h>

    int randombytes(unsigned char *out, size_t outlen)
    {
        static HCRYPTPROV handle = 0;
        if(!handle) {
            if(!CryptAcquireContext(&handle, 0, 0, PROV_RSA_FULL,
                                    CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
                return -1;
        }
        while(outlen > 0) {
            const DWORD len = outlen > 1048576UL ? 1048576UL : outlen;
            if(!CryptGenRandom(handle, len, out)) {
                return -2;
            }
            out += len;
            outlen -= len;
        }
        return 0;
    }
it's possible to fail in many ways, and appear to succeed in many ways
non-uniform sampling
no forward secrecy
randomness reuse
poor testing
etc.
Thou shalt:
1. compare secret strings in constant time
2. avoid branchings controlled by secret data
3. avoid table look-ups indexed by secret data
4. avoid secret-dependent loop bounds
5. prevent compiler interference with security-critical operations
6. prevent confusion between secure and insecure APIs
7. avoid mixing security and abstraction levels of cryptographic primitives in the same API layer
8. use unsigned bytes to represent binary data
9. use separate types for secret and non-secret information
10. use separate types for different types of information
11. clean memory of secret data
12. use strong randomness
Learn the rules like a pro, so you can break them like an artist.
— Pablo Picasso
conclusion
let's stop the blame game (OpenSSL, "developers", "academics", etc.)
cryptographers (and scientists, etc.)
● acknowledge that you suck at coding
● get help from real programmers
programmers
● acknowledge that you suck at crypto
● get help from real cryptographers
in any case: get third-party reviews/audits!
спасибо! (thank you!)