What’s new in Go Crypto?
Nick Sullivan (@grittygrease)
GothamGo
October 2, 2015
Go’s Crypto Packages
AES, DES, RC4
RSA, ECDSA
SHA-1, SHA-2
HMAC
Go’s Crypto Packages
X.509
TLS
Who gits the blame?
21202 Adam Langley
5099 David Crawshaw
3901 Russ Cox
1576 Yasuhiro Matsumoto
1542 Vlad Krasnov
1216 Joel Sing
1190 Robert Griesemer
653 Nan Deng
641 Dave Cheney
610 Mikkel Krautz
560 Kyle Isom
557 Rob Pike
553 Jonathan Rodenberg
499 Shenghou Ma
397 Gautham Thambidorai
395 Brad Fitzpatrick
389 Nevins Bartolomeo
351 Jacob H. Haven
345 Han-Wen Nienhuys
330 Luit van Drongelen
317 Rémy Oudompheng
282 Conrad Meyer
281 Taru Karttunen
280 Paul van Brouwershaven
260 David Leon Gil
241 Roger Peppe
233 Nick Craig-Wood
219 Benjamin Black
211 Jeff Wendling
196 Anthony Martin
167 Andy Davis
159 Peter Mundy
153 Jeff R. Allen
152 Josh Bleecher Snyder
151 Shawn Smith
123 Nick Sullivan
Highlighted on the slide:
1542 Vlad Krasnov
560 Kyle Isom
351 Jacob H. Haven
123 Nick Sullivan
[Timeline slide: Go releases 1.0 through 1.5, 2012 to 2016]
[Timeline: Go 1.0 to 1.5, 2012 to 2016, with CloudFlare's Go projects placed on it: rrdns, cfssl, gokeyless, railgun]
RAILGUN: Defying Physics on the Web
[Timeline: Go 1.0 to 1.5; railgun]
Encrypted with TLS
…huge CPU hog
[Timeline: Go 1.0 to 1.5; railgun; Go Crypto contribution: RC4]
Vlad The Compiler
• Assembly implementation of AES-GCM
• In Go master in time for 1.6
Vlad The Compiler
AES-GCM Performance
benchmark                old MB/s   new MB/s   speedup
BenchmarkAESGCMSeal8K       89.31    2559.62    28.66x
BenchmarkAESGCMOpen8K       89.54    2463.78    27.52x
BenchmarkAESGCMSeal1K       86.24    1872.49    21.71x
BenchmarkAESGCMOpen1K       86.53    1721.78    19.90x
AES-GCM Assembly
	if hasGCMAsm() {
		return &aesCipherGCM{c}, nil
	}
src/crypto/aes/gcm_amd64.s
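The snippet above shows only how crypto/aes selects the assembly path; the caller still talks to the cipher.AEAD interface. As an added example (written for this page, not taken from the talk or from Go's crypto/aes), here is that interface used the way the GCM construction requires: a counter-based nonce so a key/nonce pair is never reused, additional authenticated data bound to the ciphertext, and a check that flipping one bit of the tag makes Open fail. The names gcmBox, newGCMBox and roundTrip are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// gcmBox wraps an AES-GCM AEAD with a counter-based nonce so that the same
// key/nonce pair is never used for two messages (a GCM requirement: reuse
// leaks the authentication key). Example type, not from the talk.
type gcmBox struct {
	aead    cipher.AEAD
	counter uint64 // next nonce value; constructed, starts at 0
}

func newGCMBox(key []byte) (*gcmBox, error) {
	block, err := aes.NewCipher(key) // selects the AES-NI/GCM assembly path on amd64 when available
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &gcmBox{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. aad is authenticated, not encrypted.
func (b *gcmBox) Seal(plaintext, aad []byte) ([]byte, error) {
	if b.counter == ^uint64(0) {
		return nil, errors.New("nonce counter exhausted; rotate the key")
	}
	nonce := make([]byte, b.aead.NonceSize()) // 12 bytes for standard GCM
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], b.counter)
	b.counter++
	return b.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open splits off the nonce and lets GCM check the tag before releasing any
// plaintext; a change to nonce, ciphertext, tag or aad makes it fail.
func (b *gcmBox) Open(sealed, aad []byte) ([]byte, error) {
	ns := b.aead.NonceSize()
	if len(sealed) < ns+b.aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return b.aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// roundTrip seals a constructed message, opens it, then flips one bit of
// the tag and confirms Open rejects it. Returns (decryptedOK, tamperDetected).
func roundTrip() (bool, bool, error) {
	key := make([]byte, 32) // AES-256 key, random for the example
	if _, err := rand.Read(key); err != nil {
		return false, false, err
	}
	box, err := newGCMBox(key)
	if err != nil {
		return false, false, err
	}
	msg := []byte("GET /index.html HTTP/1.1") // constructed payload
	aad := []byte("stream-id=7;version=1")    // constructed header data bound to the ciphertext
	sealed, err := box.Seal(msg, aad)
	if err != nil {
		return false, false, err
	}
	plain, err := box.Open(sealed, aad)
	decryptedOK := err == nil && bytes.Equal(plain, msg)

	sealed[len(sealed)-1] ^= 0x01 // corrupt one bit of the 16-byte tag
	_, err = box.Open(sealed, aad)
	return decryptedOK, err != nil, nil
}

func main() {
	ok, tampered, err := roundTrip()
	fmt.Println("decrypted:", ok, "tamper detected:", tampered, "err:", err)
}
```

Open never returns partial plaintext on a bad tag, which is the property that makes GCM safe to use without a separate MAC; the counter nonce is what keeps that property across many messages under one key.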
[Timeline: Go 1.0 to 1.5; railgun; Go Crypto contributions: RC4, AES-GCM (MorsingTime); Use CSRs; ECDSA certs]
CFSSL: Full-featured CA
X.509 Certificate Chain Bundler
TLS configuration scanner
[Timeline: Go 1.0 to 1.5; CFSSL]
How Railguns Get Keys
PKI the whole internal infrastructure
[Timeline: Go 1.0 to 1.5; CFSSL: ECDSA support in x509, CSR support, open source]
crypto.Signer: a private key interface
	type Signer interface {
		Public() PublicKey
		Sign(rand io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error)
	}
rsa.PrivateKey and ecdsa.PrivateKey both implement Signer
PKCS#11
github.com/cloudflare/cfssl/crypto/pkcs11key
	type PKCS11Key struct {
		module           *pkcs11.Ctx
		slotDescription  string
		pin              string
		publicKey        rsa.PublicKey
		privateKeyHandle pkcs11.ObjectHandle
	}
PKCS#11
	func (ps *PKCS11Key) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
		// Verify that the length of the hash is as expected
		hash := opts.HashFunc()
		hashLen := hash.Size()
		if len(msg) != hashLen {
			err = errors.New("input size does not match hash function output size")
			return
		}
		// Add DigestInfo prefix
		mechanism := []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS, nil)}
		prefix, ok := hashPrefixes[hash]
		if !ok {
			err = errors.New("unknown hash function")
			return
		}
		signatureInput := append(prefix, msg...)
		// Open a session
		session, err := ps.openSession()
		if err != nil {
			return
		}
		defer ps.closeSession(session)
		// Perform the sign operation
		err = ps.module.SignInit(session, mechanism, ps.privateKeyHandle)
		if err != nil {
			return
		}
		signature, err = ps.module.Sign(session, signatureInput)
		return
	}
[Timeline: Go 1.0 to 1.5; CFSSL: ECDSA support in x509, CSR support, crypto.Signer interface, PKCS#11 support, open source]
RRDNS: Authoritative DNS Server and DNS Proxy
[Timeline: Go 1.0 to 1.5; rrdns: authoritative servers]
Cache Poisoning (Kaminsky’s attack)
[Diagram: Resolver <-> Authoritative Server]
Q: what is the IP address of cloudflare.com
A: 198.41.213.157 (the genuine answer from the authoritative server)
A: 6.6.6.6, A: 6.6.6.6, A: 6.6.6.6 … (a flood of forged answers racing the genuine one)
Man-in-the-middle
[Diagram: Resolver <-> Authoritative Server with an attacker on the path]
Q: what is the IP address of cloudflare.com
A: 198.41.213.157 (genuine answer)
A: 6.6.6.6 (answer substituted in transit)
Solution: DNSSEC (done right)
Digital signatures in the DNS
Live-signed answers
Elliptic curve keys
github.com/cloudflare/go
• Assembly implementation of P256
• In Go: soon… copyright issues with Intel
Vlad The Compiler
P256 Performance Improvement
ECDSA Sign: 21X
ECDSA Verify: 9X
BaseMult (ECDH): 30X
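The three DNSSEC points above (signatures in the DNS, live-signed answers, elliptic curve keys) fit in a short toy. This added example is not rrdns code and uses a made-up rrset type with a string encoding in place of the RFC 4034 canonical wire form: the zone's P-256 key signs each answer at query time, a validating resolver verifies the signature, and the forged 6.6.6.6 answer from the poisoning slide fails verification even when it carries the genuine signature. signsPerSecond gives a rough feel for why per-answer signing makes P-256 sign speed matter. rrset, signRRset, verifyRRset, signsPerSecond and dnssecDemo are names made up for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
	"time"
)

// rrset is a minimal stand-in for one DNS answer (owner, type, TTL, records).
// Constructed for the example; real DNSSEC signs the canonical wire form of
// the RRset plus RRSIG fields (RFC 4034), not this string.
type rrset struct {
	Name, Type string
	TTL        uint32
	Rdata      []string
}

// canonical gives a deterministic encoding (lower-cased owner name, sorted
// records) so signer and verifier hash identical bytes.
func (r rrset) canonical() []byte {
	rd := append([]string(nil), r.Rdata...)
	sort.Strings(rd)
	return []byte(fmt.Sprintf("%s %s %d %s", strings.ToLower(r.Name), r.Type, r.TTL, strings.Join(rd, ",")))
}

// signRRset is the live-signing step, run for every answer rather than once
// per zone, which is why a fast P-256 sign matters.
func signRRset(zsk *ecdsa.PrivateKey, r rrset) ([]byte, error) {
	h := sha256.Sum256(r.canonical())
	return ecdsa.SignASN1(rand.Reader, zsk, h[:])
}

// verifyRRset is what a validating resolver does with the answer, its
// signature and the zone's public key before caching anything.
func verifyRRset(pub *ecdsa.PublicKey, r rrset, sig []byte) bool {
	h := sha256.Sum256(r.canonical())
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// signsPerSecond measures the live-signing rate over n signatures.
func signsPerSecond(zsk *ecdsa.PrivateKey, r rrset, n int) (float64, error) {
	start := time.Now()
	for i := 0; i < n; i++ {
		if _, err := signRRset(zsk, r); err != nil {
			return 0, err
		}
	}
	return float64(n) / time.Since(start).Seconds(), nil
}

// dnssecDemo returns whether the genuine answer verifies and whether a
// spoofed answer carrying the genuine signature is rejected.
func dnssecDemo() (genuineOK, spoofRejected bool, err error) {
	zsk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // zone signing key
	if err != nil {
		return
	}
	answer := rrset{Name: "cloudflare.com.", Type: "A", TTL: 300, Rdata: []string{"198.41.213.157"}}
	sig, err := signRRset(zsk, answer)
	if err != nil {
		return
	}
	genuineOK = verifyRRset(&zsk.PublicKey, answer, sig)
	spoofed := answer
	spoofed.Rdata = []string{"6.6.6.6"} // the poisoning slide's forged record
	spoofRejected = !verifyRRset(&zsk.PublicKey, spoofed, sig)
	return
}

func main() {
	g, s, err := dnssecDemo()
	fmt.Println("genuine verifies:", g, "spoof rejected:", s, "err:", err)
	zsk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rate, _ := signsPerSecond(zsk, rrset{Name: "example.test.", Type: "A", TTL: 60, Rdata: []string{"192.0.2.1"}}, 1000)
	fmt.Printf("P-256 live signs/sec: %.0f\n", rate)
}
```

The spoofed answer is rejected because the signature covers the record data, not just the name: a resolver that validates before caching cannot be poisoned by a race of forged replies, whichever one arrives first.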
[Timeline: Go 1.0 to 1.5; rrdns (FilippoTime): DNSSEC prototype, P256 ASM, DNSSEC beta, crypto.Signer, ???]
gokeyless
taking the private key out of TLS
TLS in RSA mode
[Diagram: the private key sits on the TLS server]
TLS in RSA mode - Keyless
[Diagram: the private key is moved out of the TLS server]
Geography of TLS
[Map slide]
Geography of Keyless SSL
[Map slide]
[Timeline: Go 1.0 to 1.5; gokeyless, keyless (C), HavenTime]
New interface: crypto.Decrypter
type Signer interface {
Public() PublicKey
Sign(rand io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error)
}
type Decrypter interface {
Public() PublicKey
Decrypt(rand io.Reader, msg []byte, opts DecrypterOpts) (plaintext []byte, err error)
}
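The pkcs11key Sign method shown earlier (DigestInfo prefix, then CKM_RSA_PKCS) and the Decrypter interface above can be seen together in one type. This added example is not cfssl or Go code: tokenKey is a hypothetical stand-in for a key that never leaves a token, implemented with rsa.SignPKCS1v15 called with hash 0 (raw PKCS#1 v1.5 padding over the bytes it is given, the same job CKM_RSA_PKCS does) and with rsa.DecryptOAEP or rsa.DecryptPKCS1v15SessionKey chosen by the DecrypterOpts. tokenDemo checks that Go's standard verifier accepts the result, that a wrong-length digest is refused, and that an OAEP ciphertext round-trips.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// hashPrefixes holds the DER DigestInfo prefixes for PKCS#1 v1.5, the same
// table the pkcs11key Sign method consults before calling CKM_RSA_PKCS.
var hashPrefixes = map[crypto.Hash][]byte{
	crypto.SHA256: {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
	crypto.SHA384: {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
	crypto.SHA512: {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
}

// tokenKey is a hypothetical stand-in for a key held on a PKCS#11 token:
// callers only ever see Public, Sign and Decrypt, never the key material.
type tokenKey struct {
	priv *rsa.PrivateKey // a real token would hold an object handle instead
}

func (k *tokenKey) Public() crypto.PublicKey { return &k.priv.PublicKey }

// Sign follows the pkcs11key path: check the digest length against the hash,
// prepend DigestInfo, then apply raw PKCS#1 v1.5 padding (what CKM_RSA_PKCS
// does on the token). rsa.SignPKCS1v15 with hash 0 adds no prefix of its own.
func (k *tokenKey) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if _, pss := opts.(*rsa.PSSOptions); pss {
		return nil, errors.New("RSA-PSS not supported by this token")
	}
	h := opts.HashFunc()
	if len(digest) != h.Size() {
		return nil, errors.New("input size does not match hash function output size")
	}
	prefix, ok := hashPrefixes[h]
	if !ok {
		return nil, errors.New("unknown hash function")
	}
	input := append(append([]byte{}, prefix...), digest...) // copy: never append into the shared table
	return rsa.SignPKCS1v15(r, k.priv, 0, input)
}

// Decrypt implements crypto.Decrypter; opts selects the padding. crypto/tls
// passes *rsa.PKCS1v15DecryptOptions for RSA key exchange, applications
// typically pass *rsa.OAEPOptions.
func (k *tokenKey) Decrypt(r io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error) {
	switch o := opts.(type) {
	case *rsa.OAEPOptions:
		return rsa.DecryptOAEP(o.Hash.New(), r, k.priv, ciphertext, o.Label)
	case *rsa.PKCS1v15DecryptOptions:
		if o.SessionKeyLen > 0 {
			// TLS style: random bytes stay in place if the padding check fails, so
			// the caller learns nothing about the padding from the result.
			key := make([]byte, o.SessionKeyLen)
			if _, err := io.ReadFull(r, key); err != nil {
				return nil, err
			}
			if err := rsa.DecryptPKCS1v15SessionKey(r, k.priv, ciphertext, key); err != nil {
				return nil, err
			}
			return key, nil
		}
		return rsa.DecryptPKCS1v15(r, k.priv, ciphertext)
	}
	return nil, errors.New("unsupported decrypter options")
}

// tokenDemo signs a digest through the token path and checks that Go's own
// verifier (which builds DigestInfo itself) accepts it, that a wrong-length
// digest is refused, and that an OAEP ciphertext round-trips through Decrypt.
func tokenDemo() (sigOK, badLenRejected, decOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	key := &tokenKey{priv: priv}
	digest := sha256.Sum256([]byte("constructed tbsCertificate bytes"))
	sig, err := key.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return
	}
	sigOK = rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, digest[:], sig) == nil
	_, e := key.Sign(rand.Reader, digest[:16], crypto.SHA256) // truncated digest must be refused
	badLenRejected = e != nil
	secret := []byte("constructed session secret")
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, secret, nil)
	if err != nil {
		return
	}
	pt, err := key.Decrypt(rand.Reader, ct, &rsa.OAEPOptions{Hash: crypto.SHA256})
	decOK = err == nil && string(pt) == string(secret)
	return
}

func main() { fmt.Println(tokenDemo()) }
```

The length check before the prefix lookup is the same one the pkcs11key code performs; without it a caller could pass an arbitrary byte string and have the token sign it under a hash it never computed.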
Using it in TLS
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      SystemRoots,
		ServerName:   host,
		CipherSuites: CipherSuites,
		MinVersion:   tls.VersionTLS12,
	}
	type Certificate struct {
		Certificate                 [][]byte
		PrivateKey                  crypto.PrivateKey
		OCSPStaple                  []byte
		SignedCertificateTimestamps [][]byte
		Leaf                        *x509.Certificate
	}
github.com/cloudflare/go
• Assembly implementation of RSA
• In Go 1.5
Vlad The Compiler
RSA Performance
benchmark                 old ns/op   new ns/op   delta
BenchmarkRSA2048Decrypt     6696649     3073769   -54.10%
New additions to Go 1.5
crypto.Decrypter, crypto.Signer support in x509, tls
AES_256_GCM_SHA384 cipher suites
Faster RSA operations
[Timeline: Go 1.0 to 1.5; gokeyless, keyless (C), opaque keys in TLS (HavenTime), AES 256, RSA ASM]
This is now possible in Go
TLS load balancer backed by hardware (PKCS#11, TPM coming soon)
Arbitrary RSA/ECDSA Implementations
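To show what "arbitrary RSA/ECDSA implementations" behind crypto/tls look like end to end, here is an added example (not gokeyless code; remoteSigner, selfSignedCert and handshake are names made up for it). A crypto.Signer that merely counts how often TLS asks it to sign stands in for a remote key server; x509.CreateCertificate issues a certificate through it, the Signer goes into tls.Certificate.PrivateKey, and a TLS 1.2 handshake runs over an in-memory net.Pipe with the client verifying the chain.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// remoteSigner models a key that lives somewhere else (an HSM, a TPM, a key
// server): crypto/tls only ever calls Public and Sign. Hypothetical type.
type remoteSigner struct {
	priv  *ecdsa.PrivateKey // stands in for the remote side; never handed to crypto/tls
	calls int64             // how many times the TLS stack asked for a signature
}

func (s *remoteSigner) Public() crypto.PublicKey { return &s.priv.PublicKey }

func (s *remoteSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	atomic.AddInt64(&s.calls, 1)
	// A real implementation would send digest and opts.HashFunc() to the key
	// server here and return whatever comes back.
	return ecdsa.SignASN1(r, s.priv, digest)
}

// selfSignedCert issues a certificate for the signer's public key, signed by
// the signer itself: x509.CreateCertificate accepts any crypto.Signer.
func selfSignedCert(s crypto.Signer) (tls.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"}, // constructed name
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, s.Public(), s)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	// PrivateKey is a crypto.PrivateKey (an interface{}); since Go 1.5 any
	// crypto.Signer is accepted there, not only *rsa/*ecdsa.PrivateKey.
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: s, Leaf: leaf}, nil
}

// handshake runs a TLS 1.2 handshake over an in-memory pipe and reports
// whether it completed and how many signatures the opaque key produced
// (one for the certificate, one for the ServerKeyExchange).
func handshake() (ok bool, signCalls int64, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	signer := &remoteSigner{priv: priv}
	cert, err := selfSignedCert(signer)
	if err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	// TLS 1.2 is pinned on both sides so that, over a synchronous net.Pipe,
	// both Handshake calls return once the Finished messages are exchanged.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "example.test", MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	c1, c2 := net.Pipe()
	defer c1.Close() // close the raw pipes: no close_notify needs to be drained
	defer c2.Close()
	srv, cli := tls.Server(c1, srvCfg), tls.Client(c2, cliCfg)
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err = cli.Handshake(); err != nil {
		return
	}
	if err = <-errc; err != nil {
		return
	}
	return true, atomic.LoadInt64(&signer.calls), nil
}

func main() { fmt.Println(handshake()) }
```

The count comes back as two signatures, one for the certificate and one for the ServerKeyExchange; the *ecdsa.PrivateKey never reaches crypto/tls, which is exactly the property a PKCS#11- or key-server-backed deployment relies on.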
[Timeline: Go 1.0 to 1.5; rrdns, cfssl, gokeyless, railgun]
❤ Go Crypto
Go Crypto Updates: AES-GCM, RSA, ECDSA, PKCS#11

  • 1. What’s new in Go Crypto? Nick Sullivan (@grittygrease) GothamGo October 2, 2015
  • 2. Go’s Crypto Packages: AES, DES, RC4; RSA, ECDSA; SHA-1, SHA-2; HMAC
  • 4. Who gits the blame? (per-contributor counts) 21202 Adam Langley, 5099 David Crawshaw, 3901 Russ Cox, 1576 Yasuhiro Matsumoto, 1542 Vlad Krasnov, 1216 Joel Sing, 1190 Robert Griesemer, 653 Nan Deng, 641 Dave Cheney, 610 Mikkel Krautz, 560 Kyle Isom, 557 Rob Pike, 553 Jonathan Rodenberg, 499 Shenghou Ma, 397 Gautham Thambidorai, 395 Brad Fitzpatrick, 389 Nevins Bartolomeo, 351 Jacob H. Haven, 345 Han-Wen Nienhuys, 330 Luit van Drongelen, 317 Rémy Oudompheng, 282 Conrad Meyer, 281 Taru Karttunen, 280 Paul van Brouwershaven, 260 David Leon Gil, 241 Roger Peppe, 233 Nick Craig-Wood, 219 Benjamin Black, 211 Jeff Wendling, 196 Anthony Martin, 167 Andy Davis, 159 Peter Mundy, 153 Jeff R. Allen, 152 Josh Bleecher Snyder, 151 Shawn Smith, 123 Nick Sullivan
  • 5. Same list, with four contributors highlighted: 1542 Vlad Krasnov, 560 Kyle Isom, 351 Jacob H. Haven, 123 Nick Sullivan
  • 6. [timeline: Go releases 1.0 through 1.5, 2012 to 2016]
  • 7. [timeline: Go 1.0 through 1.5, 2012 to 2016; projects placed on it: rrdns, cfssl, gokeyless, railgun]
  • 10. [timeline: Go 1.0 through 1.5, 2012 to 2016; marker: railgun]
  • 12. [timeline: Go 1.0 through 1.5, 2012 to 2016; markers: Go Crypto RC4, railgun]
  • 15. Assembly implementation of AES-GCM; in Go master in time for 1.6 (Vlad The Compiler)
  • 16. AES-GCM Performance
        benchmark                old MB/s   new MB/s   speedup
        BenchmarkAESGCMSeal8K       89.31    2559.62    28.66x
        BenchmarkAESGCMOpen8K       89.54    2463.78    27.52x
        BenchmarkAESGCMSeal1K       86.24    1872.49    21.71x
        BenchmarkAESGCMOpen1K       86.53    1721.78    19.90x
  • 17. AES-GCM Assembly (src/crypto/aes/gcm_amd64.s); the dispatch that selects it:
        if hasGCMAsm() {
            return &aesCipherGCM{c}, nil
        }
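The assembly path above is selected inside crypto/aes; application code sees the same cipher.AEAD either way. The following is an added example (not code from the talk or from the Go tree) of using crypto/aes with cipher.NewGCM the way it should be used: a fresh random 96-bit nonce per message, associated data bound into the tag, and Open refusing anything that was modified. The key, plaintext and header are constructed for the example, and the type and function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealed is one AES-GCM record: the nonce travels with the ciphertext, which
// already carries the 16-byte tag appended by Seal.
type sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds the AEAD for a 16-, 24- or 32-byte key. On amd64 with AES-NI
// and PCLMULQDQ this is the assembly-backed path behind the slide's hasGCMAsm
// check; the API and the output are identical either way.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random 96-bit nonce. Reusing a nonce under the
// same key breaks GCM's confidentiality and authenticity, so callers never
// choose the nonce themselves.
func seal(aead cipher.AEAD, plaintext, aad []byte) (sealed, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return sealed{}, err
	}
	return sealed{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, aad)}, nil
}

// open verifies the tag before returning any plaintext: a changed nonce,
// ciphertext, tag or AAD all yield an error and no data.
func open(aead cipher.AEAD, s sealed, aad []byte) ([]byte, error) {
	if len(s.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, s.Nonce, s.Ciphertext, aad)
}

func main() {
	key := make([]byte, 32) // fresh random 256-bit key for the demo
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aead, err := newGCM(key)
	if err != nil {
		panic(err)
	}
	header := []byte("record header") // constructed associated data
	s, err := seal(aead, []byte("constructed plaintext"), header)
	if err != nil {
		panic(err)
	}
	pt, err := open(aead, s, header)
	fmt.Printf("round trip: %q %v\n", pt, err)
	s.Ciphertext[0] ^= 1
	_, err = open(aead, s, header)
	fmt.Println("after tampering:", err)
}
```

Seal and Open take the nonce as an explicit argument precisely so that callers can store it next to the ciphertext; what they must not do is derive it from anything that can repeat under the same key.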
  • 18. [timeline: Go 1.0 through 1.5, 2012 to 2016; markers: Go Crypto RC4, MorsingTime, Go Crypto AES-GCM, Use CSRs, ECDSA Certs, railgun]
  • 19. CFSSL: full-featured CA; X.509 certificate chain bundler; TLS configuration scanner
  • 20. [timeline: Go 1.0 through 1.5, 2012 to 2016; marker: CFSSL]
  • 23. PKI: the whole internal infrastructure
  • 24. [timeline: Go 1.0 through 1.5, 2012 to 2016; CFSSL markers: ECDSA support in x509, CSR Support, Open Source]
  • 25. crypto.Signer: a private key interface
        type Signer interface {
            Public() PublicKey
            Sign(rand io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error)
        }
        rsa.PrivateKey and ecdsa.PrivateKey both implement Signer
  • 26. PKCS#11 (github.com/cloudflare/cfssl/crypto/pkcs11key)
        type PKCS11Key struct {
            module           *pkcs11.Ctx
            slotDescription  string
            pin              string
            publicKey        rsa.PublicKey
            privateKeyHandle pkcs11.ObjectHandle
        }
  • 27. PKCS#11
        func (ps *PKCS11Key) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
            // Verify that the length of the hash is as expected
            hash := opts.HashFunc()
            hashLen := hash.Size()
            if len(msg) != hashLen {
                err = errors.New("input size does not match hash function output size")
                return
            }

            // Add DigestInfo prefix
            mechanism := []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS, nil)}
            prefix, ok := hashPrefixes[hash]
            if !ok {
                err = errors.New("unknown hash function")
                return
            }
            signatureInput := append(prefix, msg...)

            // Open a session
            session, err := ps.openSession()
            if err != nil {
                return
            }
            defer ps.closeSession(session)

            // Perform the sign operation
            err = ps.module.SignInit(session, mechanism, ps.privateKeyHandle)
            if err != nil {
                return
            }
            signature, err = ps.module.Sign(session, signatureInput)
            return
        }
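To see what the Sign method above actually hands to CKM_RSA_PKCS, here is an added example (not cfssl's code) that builds the same DigestInfo-prefixed input with the same two checks, then takes a signature produced by an in-memory rsa.PrivateKey (itself a crypto.Signer, as slide 25 says), recovers the encoded message with the public operation, and compares the whole block against what PKCS#1 v1.5 requires. The hashPrefixes table is the standard RFC 8017 DigestInfo encodings (cfssl's own table is not shown on the slide); the message is constructed, and the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// DER-encoded DigestInfo prefixes (RFC 8017, section 9.2). CKM_RSA_PKCS only
// applies the 00 01 FF..FF 00 padding, so the signer has to prepend these.
var hashPrefixes = map[crypto.Hash][]byte{
	crypto.SHA256: {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},
	crypto.SHA384: {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},
	crypto.SHA512: {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
}

// digestInfo applies the slide's two checks (known hash, digest of the right
// length) and returns prefix || digest. The prefix is copied first so append
// can never write into the map's backing array.
func digestInfo(h crypto.Hash, digest []byte) ([]byte, error) {
	prefix, ok := hashPrefixes[h]
	if !ok {
		return nil, errors.New("unknown hash function")
	}
	if len(digest) != h.Size() {
		return nil, errors.New("input size does not match hash function output size")
	}
	return append(append([]byte{}, prefix...), digest...), nil
}

// expectedEM is the full PKCS#1 v1.5 encoded message for a k-byte modulus:
// 0x00 0x01, at least eight 0xFF bytes, 0x00, then DigestInfo.
func expectedEM(k int, h crypto.Hash, digest []byte) ([]byte, error) {
	t, err := digestInfo(h, digest)
	if err != nil {
		return nil, err
	}
	if k < len(t)+11 {
		return nil, errors.New("modulus too small for this hash")
	}
	em := make([]byte, k)
	em[1] = 0x01
	for i := 2; i < k-len(t)-1; i++ {
		em[i] = 0xff
	}
	copy(em[k-len(t):], t)
	return em, nil
}

// recoverEM applies the public operation, EM = sig^e mod n, left-padded to k bytes.
func recoverEM(pub *rsa.PublicKey, sig []byte) ([]byte, error) {
	k := pub.Size()
	s := new(big.Int).SetBytes(sig)
	if len(sig) != k || s.Cmp(pub.N) >= 0 {
		return nil, errors.New("signature length or value does not match the modulus")
	}
	em := make([]byte, k)
	new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N).FillBytes(em)
	return em, nil
}

// checkSignature compares all k bytes of the recovered block with the expected
// one. Matching only the DigestInfo || digest tail is the mistake behind the
// 2006 low-exponent forgeries; the whole block must be compared.
func checkSignature(pub *rsa.PublicKey, h crypto.Hash, digest, sig []byte) error {
	got, err := recoverEM(pub, sig)
	if err != nil {
		return err
	}
	want, err := expectedEM(pub.Size(), h, digest)
	if err != nil {
		return err
	}
	if !bytes.Equal(got, want) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256([]byte("constructed message"))
	// *rsa.PrivateKey is a crypto.Signer; a plain crypto.Hash as opts means PKCS#1 v1.5.
	sig, err := priv.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		panic(err)
	}
	fmt.Println("manual check:", checkSignature(&priv.PublicKey, crypto.SHA256, digest[:], sig))
	fmt.Println("rsa.VerifyPKCS1v15:", rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, digest[:], sig))
}
```

The manual check and rsa.VerifyPKCS1v15 agree because the in-process key and the PKCS#11 path produce byte-identical signatures: the token only adds the padding, and the DigestInfo prefix is the caller's job, which is why the slide's Sign method carries the hashPrefixes lookup and the length check.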
  • 28. [timeline: Go 1.0 through 1.5, 2012 to 2016; CFSSL markers: ECDSA support in x509, CSR Support, crypto.Signer interface, PKCS#11 Support, Open Source]
  • 30. [timeline: Go 1.0 through 1.5, 2012 to 2016; marker: rrdns]
  • 32. Cache Poisoning (Kaminsky’s attack) [diagram: the resolver asks the authoritative server "what is the IP address of cloudflare.com"; the genuine answer A: 198.41.213.157 has to race a flood of forged answers A: 6.6.6.6]
  • 33. Man-in-the-middle [diagram: the resolver's query "what is the IP address of cloudflare.com" is answered on-path with A: 6.6.6.6 in place of the genuine A: 198.41.213.157]
  • 34. Solution: DNSSEC (done right): digital signatures in the DNS; live-signed answers; elliptic curve keys
  • 35. github.com/cloudflare/go: assembly implementation of P256; in Go: soon… copyright issues with Intel (Vlad The Compiler)
  • 36. P256 Performance Improvement: ECDSA Sign 21X; ECDSA Verify 9X; BaseMult (ECDH) 30X
  • 37. [timeline: Go 1.0 through 1.5, 2012 to 2016; rrdns markers: FilippoTime, DNSSEC Prototype, P256 ASM, DNSSEC Beta, crypto.Signer, ???]
  • 39. TLS in RSA mode [diagram; label: Private Key]
  • 40. TLS in RSA mode - Keyless [diagram; label: Private Key]
  • 43. [timeline: Go 1.0 through 1.5, 2012 to 2016; gokeyless markers: keyless (C), HavenTime]
  • 44. New interface: crypto.Decrypter
        type Signer interface {
            Public() PublicKey
            Sign(rand io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error)
        }
        type Decrypter interface {
            Public() PublicKey
            Decrypt(rand io.Reader, msg []byte, opts DecrypterOpts) (plaintext []byte, err error)
        }
  • 45. Using it in TLS
        return &tls.Config{
            Certificates: []tls.Certificate{cert},
            RootCAs:      SystemRoots,
            ServerName:   host,
            CipherSuites: CipherSuites,
            MinVersion:   tls.VersionTLS12,
        }
        type Certificate struct {
            Certificate                 [][]byte
            PrivateKey                  crypto.PrivateKey
            OCSPStaple                  []byte
            SignedCertificateTimestamps [][]byte
            Leaf                        *x509.Certificate
        }
  • 46. github.com/cloudflare/go: assembly implementation of RSA; in Go 1.5 (Vlad The Compiler)
  • 47. RSA Performance
        benchmark                  old ns/op   new ns/op   delta
        BenchmarkRSA2048Decrypt      6696649     3073769   -54.10%
  • 48. New additions to Go 1.5: crypto.Decrypter; crypto.Signer support in x509, tls; AES_256_GCM_SHA384 cipher suites; faster RSA operations
  • 49. [timeline: Go 1.0 through 1.5, 2012 to 2016; gokeyless markers: keyless (C), opaque keys in TLS, HavenTime, AES 256, RSA ASM]
  • 50. This is now possible in Go: a TLS load balancer backed by hardware (PKCS#11, TPM coming soon); arbitrary RSA/ECDSA implementations
  • 51. [timeline: Go 1.0 through 1.5, 2012 to 2016; projects placed on it: rrdns, cfssl, gokeyless, railgun]
  • 53. What’s new in Go Crypto? Nick Sullivan (@grittygrease) GothamGo October 2, 2015