Cryptographic algorithms diversity: Russian (GOST) crypto algorithms
GOST crypto demystified
Dmitry Eremin-Solenikov
Abstract
In parallel to the mainstream cryptography world, Russia has a strong school of crypto
algorithm development, including block ciphers, hash functions, digital signatures,
etc. There is a slow but ongoing trend of harmonizing GOST algorithm usage with the
rest of the Internet community. This talk is dedicated to debunking several myths and
presenting the current state of support in open source projects.
Contents
1 What is GOST crypto
2 GOST crypto myths (busting)
2.1 GOST algorithms were developed by FSB
2.2 GOST algorithms are insecure and contain trapdoors and vulnerabilities
2.3 National (GOST) crypto is of no concern for the rest of the world
3 Existing implementations
3.1 Commercial implementations
3.2 Open Source Software support
4 Summary
A Current status of GOST support in existing software
A.1 Bright side
A.1.1 OpenSSL
A.1.2 LibreSSL
A.1.3 GnuTLS
A.1.4 libgcrypt
A.1.5 xmlsec
A.2 Dark side
A.2.1 Nettle
A.2.2 BoringSSL
A.2.3 NSS/Mozilla/Thunderbird
A.2.4 BIND9
A.2.5 IPsec
1 What is GOST crypto
When speaking about contemporary cryptography we are used to a common set of
building blocks. We tend to use AES, SHA-2, RSA or ECDSA without devoting much
time to algorithm selection. They are known to be good, so unless one has a good
reason not to use one of them, one uses one of those “recommended” algorithms.
However, several nations have spent significant effort developing their own sets
of crypto primitives and higher-level algorithms to supplement this well-known set.
Russia is one of those countries.
Russian security companies have developed a full set of cryptographic algorithms
and have published them as GOST standards:
• Symmetric encryption (64-bit and 128-bit block ciphers);
• Hash function (256-bit and 512-bit variants);
• Digital signatures (based on the discrete logarithm problem on elliptic curves).
On top of those primitives they have developed “Recommendations for
standardisation”, which define the usage of the algorithms in upper-level protocols.
This includes:
• X.509 public key infrastructure;
• CMS (Cryptographic Message Syntax, formerly PKCS #7), extensions to the
PKCS #8 and PKCS #12 file formats;
• TLS cipher suites;
• payment applications;
• etc.
2 GOST crypto myths (busting)
2.1 GOST algorithms were developed by FSB
In fact, different standards were developed by different parties, with the
development effort shifting from the KGB/FAPSI/FSB towards commercial companies:
• GOST 28147-89 (64-bit symmetric cipher) was developed by the KGB, 8th
Department;
• GOST R 34.10-94 (old finite-field (FF) based digital signature), GOST R 34.11-94
(old hash function) and GOST R 34.10-2001 (new elliptic curve-based digital
signature) were developed by FAPSI;
• GOST R 34.10-2012 (extension of GOST R 34.10-2001 to 512-bit curves),
GOST R 34.11-2012 (new hash function), GOST R 34.12-2015 (block ciphers) and
GOST R 34.13-2015 (block cipher modes) were developed by the FSB together with
OJSC InfoTeCS;
• further recommendations for standardisation are developed by commercial
companies under the governance of the standardisation technical committee
(TK26).
2.2 GOST algorithms are insecure and contain trapdoors and vulnerabilities
It is a typical myth that the GOST crypto algorithms were invented by the FSB/FAPSI/
KGB in order to wiretap the communications of ordinary citizens (“pedestrians”) and
to forge signatures.
Up to now no trapdoors have been found in the standards, and this is quite logical
for several reasons.
First, ordinary citizens are not required to use GOST algorithms. They are allowed
to use any existing cryptographic solution unless they are bound by laws governing
state secrets or qualified digital signatures. In all other cases people can (and
will) use any set of ciphers.
Second, if the authors were to insert a backdoor into an algorithm, it might be
discovered by clever cryptographic researchers working for a foreign government,
and that is exactly what the algorithms are meant to protect against. Keeping
state secrets safe is far more important than the theoretical possibility of
reading the messages of your own citizens.
The best known attacks can be found in Table 1. As one can see, none of them is
close to being practically implementable.
2.3 National (GOST) crypto is of no concern for the rest of the world
It is a very well known position that all nation-wide crypto standards are of no
concern for the rest of the world, because nobody else is going to use them.
First, this is not quite true from the point of view of algorithm diversity. GOST
provides a full-stack alternative to the AES/SHA/ECDSA world. It allows us (software
developers) to actually check that both the standards and their implementations are
not tied to one particular set of algorithms. It allows us to find bugs and
shortcomings in actual crypto library implementations where the API or the
implementation relies on particular fixed values or particular properties of the
algorithms, preventing future changes of the underlying primitives.
Second, this position blocks the flow of ideas generated by the Russian community
into the worldwide community. To name a few:
• Security Evaluated Standardized Password-Authenticated Key Exchange
(RFC 8133);
• Re-keying for symmetric keys (draft-irtf-cfrg-re-keying);
• Multilinear Galois Mode (draft-smyshlyaev-mgm);
• TLS external re-keying (draft-smyshlyaev-tls12-gost-suites).
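The “particular fixed values” point above is easiest to see in code. The following Python is an added example, not from the talk: a PKCS#7 padding helper with the AES block size of 16 bytes baked in (a common shortcut), beside a version that takes the block size from the cipher, both checked against the 8-byte block of GOST 28147-89/Magma and the 16-byte block of AES/Kuznyechik. All function names are mine and the sample messages are constructed.

```python
"""Algorithm agility check: PKCS#7 padding with the AES block size baked in, beside
a version that takes the block size from the cipher.  Added example, names are mine."""

AES_BLOCK = 16    # AES and Kuznyechik (GOST R 34.12-2015, 128-bit block)
MAGMA_BLOCK = 8   # GOST 28147-89 and Magma (64-bit block)


def pad_hardcoded(data):
    """The shortcut section 2.3 warns about: 16 is a hidden assumption about the cipher."""
    n = 16 - len(data) % 16
    return data + bytes([n]) * n


def pad(data, block_size):
    """PKCS#7 padding for any block size that fits in one padding byte."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must fit in one padding byte")
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


def unpad(data, block_size):
    """Strict PKCS#7 unpadding, as a careful receiver implements it: wrong total
    length, out-of-range pad value or inconsistent pad bytes are all rejected."""
    if not data or len(data) % block_size:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def failing_lengths(block_size, max_len=16):
    """Message lengths in 0..max_len for which the hard-coded padder produces data
    that a receiver using the cipher's real block size rejects or decodes wrongly."""
    bad = []
    for length in range(max_len + 1):
        msg = bytes(range(length))          # constructed sample message
        try:
            if unpad(pad_hardcoded(msg), block_size) != msg:
                bad.append(length)
        except ValueError:
            bad.append(length)
    return bad


def generic_round_trips(block_size, max_len=16):
    """The block-size-aware pair round-trips every message length."""
    return all(unpad(pad(bytes(range(n)), block_size), block_size) == bytes(range(n))
               for n in range(max_len + 1))


if __name__ == "__main__":
    for bs in (AES_BLOCK, MAGMA_BLOCK):
        print(f"block size {bs}: hard-coded padder fails for lengths {failing_lengths(bs)}, "
              f"generic padder round-trips: {generic_round_trips(bs)}")
```

With the 8-byte block the hard-coded helper only fails for some message lengths (those needing more than 8 pad bytes), so a test suite written against AES alone never notices. Running the same suite with a second primitive of different geometry is exactly what the section argues for.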
Tab. 1: Best known attacks on GOST algorithms

Algorithm         | Type             | Name                                            | Time  | Mem  | Notes
GOST 28147-89     | symmetric cipher | Isobe                                           | 2^224 | 2^64 | 2^32 plaintext/ciphertext pairs
GOST 28147-89     | symmetric cipher | Dinur, Dunkelman, Shamir (FP)                   | 2^192 | 2^32 | 2^64 plaintext/ciphertext pairs
GOST 28147-89     | symmetric cipher | Dinur, Dunkelman, Shamir (Reflection)           | 2^224 | 2^36 | 2^32 plaintext/ciphertext pairs
GOST R 34.11-94   | hash function    | Mendel, Pramstaller, Rechberger, Kontak, Szmidt | 2^105 |      | collision
GOST R 34.11-94   | hash function    | Mendel, Pramstaller, Rechberger, Kontak, Szmidt | 2^192 |      | preimage
GOST R 34.11-2012 | hash function    | Guo, Jean, Peyrin, Wang                         | 2^266 |      | second preimage for long messages (> 2^259 blocks)
3 Existing implementations
3.1 Commercial implementations
Several companies sell certified closed-source implementations of GOST algorithms
in the form of Windows CSPs or OpenSSL engines. To name a few (in alphabetical
order): CryptoCom, CryptoPro, InfoTeCS, LISSI. Implementations differ in feature
set, certification level and price.
Additionally, CryptoCom provides a patched version of the OpenVPN software and
CryptoPro provides a patched Chromium browser.
3.2 Open Source Software support
Several developers are working on bringing GOST cryptography support into
open source software.
This brings additional tests and generalisation to existing libraries. OpenSSL’s
‘gost’ engine is the well-known example: it is the best way to test that
engine-bound implementations of crypto primitives work correctly.
Having GOST support in existing libraries allows us to replace or supplement
existing proprietary software when working with government-provided information.
4 Summary
The set of GOST algorithms looks like a promising full-stack alternative to the
AES/SHA/RSA/ECDSA-dominated world. Thanks to the recent activity of Russian
engineers both in the IETF and in ISO/IEC, GOST algorithms are trying to find
their way into international standards, thus opening a possibility for wider
adoption and crypto algorithm diversity. However, a lot has to be done for them to
become widely accepted by existing software solutions.
A Current status of GOST support in existing software
A.1 Bright side
The following software provides support for GOST cryptography routines.
A.1.1 OpenSSL
For a long time OpenSSL was the primary target of all GOST-related open source
software development. OpenSSL itself provides only the high-level support for
using GOST algorithms in TLS, X.509 and CMS; the external ‘gost’ engine provides
the low-level algorithm implementations that back the OpenSSL code. For some time
the engine was part of the main tree, but since OpenSSL 1.1.0 it has been split
out to ease maintenance of both parts.
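As an added illustration (not from the talk), this is an openssl.cnf fragment of the kind used to load the external engine into OpenSSL 1.1.x so that the GOST algorithms become visible to the command-line tool and to applications using libcrypto. The section names are the conventional ones, dynamic_path is a placeholder to be replaced with the location where the distribution installs gost.so, and CRYPT_PARAMS selects the GOST 28147-89 S-box parameter set (the CryptoPro-A set shown is the one used in the engine's own documentation).

```ini
# openssl.cnf fragment (added example): load the external gost engine into OpenSSL 1.1.x
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
# Placeholder: point this at the gost.so shipped by your distribution
dynamic_path = /PATH/TO/engines-1.1/gost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
```

After the fragment is in place, `openssl engine -c gost` lists the engine together with the algorithms it registers, which is the quickest check that the split-out engine described above is actually being picked up. The ENGINE API is deprecated from OpenSSL 3.0 on, so this fragment applies to the 1.1.x line.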
A.1.2 LibreSSL
As LibreSSL is a fork of OpenSSL, it was easy to port OpenSSL’s ‘gost’ engine
code into the LibreSSL library. All GOST-related code is part of the core
library.
A.1.3 GnuTLS
GnuTLS provides mixed support for GOST cryptography. PKI support is provided
upstream, while TLS support is still provided only in the form of patches.
GnuTLS maintainers are waiting for the specification to be published as an RFC
before accepting the code.
A.1.4 libgcrypt
libgcrypt has incorporated support for all GOST primitives for quite some time. As
it is a popular low-level crypto library, having GOST support there allows other
developers to build on it to add GOST support to other cryptography-related
software, such as GnuPG, Kleopatra, etc.
A.1.5 xmlsec
The xmlsec library provides support for GOST algorithms in XML signatures
according to the published IETF drafts.
A.2 Dark side
The following software does not (yet) provide support for the GOST crypto
standards, either because upstream maintainers are reluctant to include support or
because nobody has (yet) worked on adding it.
A.2.1 Nettle
Patches for the Nettle library have been written, but the upstream author has not
included them. The patches are now being tested as part of the GnuTLS library,
pending a future transition into Nettle itself.
A.2.2 BoringSSL
No work has been done yet. However, as BoringSSL is another fork of OpenSSL, it
would be easy to port the existing code from OpenSSL/LibreSSL.
A.2.3 NSS/Mozilla/Thunderbird
This is quite a sad part of the story. Patches for this software suite have existed
for a long time; however, upstream maintainers are reluctant to include them for
various reasons.
A.2.4 BIND9
BIND9 has dropped support for GOST DNSSEC because the related RFC 5933 is
slowly becoming deprecated due to the transition of the underlying primitives.
A.2.5 IPsec
No open source IPsec software provides support for using GOST ciphers in either
IKEv2 or ESP/AH transformations.

More Related Content

What's hot

Bitcoin protocol for developerBitcoin Protocol for Developers
Bitcoin protocol for developerBitcoin Protocol for DevelopersBitcoin protocol for developerBitcoin Protocol for Developers
Bitcoin protocol for developerBitcoin Protocol for DevelopersParadigma Digital
 
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Igor Korkin
 
Cryptanalysis in the Time of Ransomware
Cryptanalysis in the Time of RansomwareCryptanalysis in the Time of Ransomware
Cryptanalysis in the Time of RansomwareMark Mager
 
Windows internals Essentials
Windows internals EssentialsWindows internals Essentials
Windows internals EssentialsJohn Ombagi
 
Postgresql on NFS - J.Battiato, pgday2016
Postgresql on NFS - J.Battiato, pgday2016Postgresql on NFS - J.Battiato, pgday2016
Postgresql on NFS - J.Battiato, pgday2016Jonathan Battiato
 
Freebsd security - message- free bsd needs git to ensure repo integrity [was-...
Freebsd security - message- free bsd needs git to ensure repo integrity [was-...Freebsd security - message- free bsd needs git to ensure repo integrity [was-...
Freebsd security - message- free bsd needs git to ensure repo integrity [was-...mnescot
 
Chw00t: How to break out from various chroot solutions
Chw00t: How to break out from various chroot solutionsChw00t: How to break out from various chroot solutions
Chw00t: How to break out from various chroot solutionsBalazs Bucsay
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...CODE BLUE
 
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...mjos
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
Secure 3 kany-vanda
Secure 3 kany-vandaSecure 3 kany-vanda
Secure 3 kany-vandaVanda KANY
 
It's a Dangerous World: From OS Through Application, Securing Your MongoDB In...
It's a Dangerous World: From OS Through Application, Securing Your MongoDB In...It's a Dangerous World: From OS Through Application, Securing Your MongoDB In...
It's a Dangerous World: From OS Through Application, Securing Your MongoDB In...MongoDB
 

What's hot (17)

Bitcoin protocol for developerBitcoin Protocol for Developers
Bitcoin protocol for developerBitcoin Protocol for DevelopersBitcoin protocol for developerBitcoin Protocol for Developers
Bitcoin protocol for developerBitcoin Protocol for Developers
 
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
 
Cryptanalysis in the Time of Ransomware
Cryptanalysis in the Time of RansomwareCryptanalysis in the Time of Ransomware
Cryptanalysis in the Time of Ransomware
 
Windows internals Essentials
Windows internals EssentialsWindows internals Essentials
Windows internals Essentials
 
From logs to metrics
From logs to metricsFrom logs to metrics
From logs to metrics
 
Postgresql on NFS - J.Battiato, pgday2016
Postgresql on NFS - J.Battiato, pgday2016Postgresql on NFS - J.Battiato, pgday2016
Postgresql on NFS - J.Battiato, pgday2016
 
Freebsd security - message- free bsd needs git to ensure repo integrity [was-...
Freebsd security - message- free bsd needs git to ensure repo integrity [was-...Freebsd security - message- free bsd needs git to ensure repo integrity [was-...
Freebsd security - message- free bsd needs git to ensure repo integrity [was-...
 
Chw00t: How to break out from various chroot solutions
Chw00t: How to break out from various chroot solutionsChw00t: How to break out from various chroot solutions
Chw00t: How to break out from various chroot solutions
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
 
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Schizophrenic files
Schizophrenic filesSchizophrenic files
Schizophrenic files
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
 
Secure 3 kany-vanda
Secure 3 kany-vandaSecure 3 kany-vanda
Secure 3 kany-vanda
 
It's a Dangerous World: From OS Through Application, Securing Your MongoDB In...
It's a Dangerous World: From OS Through Application, Securing Your MongoDB In...It's a Dangerous World: From OS Through Application, Securing Your MongoDB In...
It's a Dangerous World: From OS Through Application, Securing Your MongoDB In...
 

Similar to Cryptographic algorithms diversity: Russian (GOST) crypto algorithms

Whitepaper on new research on message digest and hash techniques
Whitepaper on new research on message digest and hash techniques Whitepaper on new research on message digest and hash techniques
Whitepaper on new research on message digest and hash techniques Bhargav Amin
 
DOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYDOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYTuhin_Das
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004James Morris
 
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...ams1ams11
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Ramesh Nagappan
 
Advanced Log Processing
Advanced Log ProcessingAdvanced Log Processing
Advanced Log ProcessingAnton Chuvakin
 
B03302007012
B03302007012B03302007012
B03302007012theijes
 
Understanding heartbleed by Dustin Noe
Understanding heartbleed by Dustin NoeUnderstanding heartbleed by Dustin Noe
Understanding heartbleed by Dustin NoeEC-Council
 

Similar to Cryptographic algorithms diversity: Russian (GOST) crypto algorithms (20)

Whitepaper on new research on message digest and hash techniques
Whitepaper on new research on message digest and hash techniques Whitepaper on new research on message digest and hash techniques
Whitepaper on new research on message digest and hash techniques
 
DOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYDOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITY
 
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
Cryptographic Hardware Support for the Linux Kernel - Netconf 2004
 
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
 
Advances in Open Source Password Cracking
Advances in Open Source Password CrackingAdvances in Open Source Password Cracking
Advances in Open Source Password Cracking
 
Cryto Party at CCU
Cryto Party at CCUCryto Party at CCU
Cryto Party at CCU
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019
 
Crypto policies-2016
Crypto policies-2016Crypto policies-2016
Crypto policies-2016
 
Minsoc
MinsocMinsoc
Minsoc
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
 
Sectools
SectoolsSectools
Sectools
 
aaa
aaaaaa
aaa
 
Encryption
EncryptionEncryption
Encryption
 
Advanced Log Processing
Advanced Log ProcessingAdvanced Log Processing
Advanced Log Processing
 
B03302007012
B03302007012B03302007012
B03302007012
 
Embedded Rust
Embedded RustEmbedded Rust
Embedded Rust
 
Quantum computing
Quantum computingQuantum computing
Quantum computing
 
Understanding heartbleed by Dustin Noe
Understanding heartbleed by Dustin NoeUnderstanding heartbleed by Dustin Noe
Understanding heartbleed by Dustin Noe
 
01 BlockChain
01 BlockChain01 BlockChain
01 BlockChain
 
D4 Project Presentation
D4 Project PresentationD4 Project Presentation
D4 Project Presentation
 

Recently uploaded

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...

Cryptographic algorithms diversity: Russian (GOST) crypto algorithms

  • 1. Cryptographic algorithms diversity: Russian (GOST) crypto algorithms
  GOST crypto demystified
  Dmitry Eremin-Solenikov

  Abstract
  In parallel to the mainstream cryptography world, Russia has a strong school of crypto algorithm development, including block ciphers, hash functions, digital signatures, etc. There is a slow but ongoing trend of harmonizing GOST algorithm usage with the rest of the Internet community. This talk is dedicated to debunking several myths and presenting the current state of support in open source projects.

  Contents
  1 What is GOST crypto ... 2
  2 GOST crypto myths (busting) ... 2
    2.1 GOST algorithms were developed by FSB ... 2
    2.2 GOST algorithms are insecure and contain trapdoors and vulnerabilities ... 3
    2.3 National (GOST) crypto is of no concern for the rest of the world ... 3
  3 Existing implementations ... 4
    3.1 Commercial implementations ... 4
    3.2 Open Source Software support ... 4
  4 Summary ... 5
  A Current status of GOST support in existing software ... 5
    A.1 Bright side ... 5
      A.1.1 OpenSSL ... 5
      A.1.2 LibreSSL ... 5
      A.1.3 GnuTLS ... 5
      A.1.4 libgcrypt ... 5
      A.1.5 xmlsec ... 5
    A.2 Dark side ... 6
      A.2.1 Nettle ... 6
      A.2.2 BoringSSL ... 6
      A.2.3 NSS/Mozilla/Thunderbird ... 6
      A.2.4 BIND9 ... 6
      A.2.5 IPsec ... 6
  • 2. 1 What is GOST crypto
  When speaking about contemporary cryptography we are used to common building blocks. We tend to use AES, SHA-2, RSA or ECDSA without devoting much time to selecting an algorithm. They are known to be good, so unless one has a good reason not to use one of them, one uses one of those "recommended" algorithms. However, several nations have spent significant effort developing their own sets of crypto primitives and high-level algorithms to supplement this well-known set. Russia is one of those countries.
  Russian security companies have developed a full set of cryptographic algorithms and have published them as GOST standards:
    • Symmetric encryption (64-bit and 128-bit ciphers);
    • Hash function (256-bit and 512-bit variants);
    • Digital signatures (using the discrete logarithm problem on elliptic curves).
  On top of those primitives they have developed "Recommendations for standardisation", which define the usage of the algorithms in upper-level protocols. This includes:
    • X.509 public key infrastructure;
    • CMS Cryptographic Message Syntax (former PKCS #7), extensions to the PKCS #8 and #12 file formats;
    • TLS cipher suites;
    • payment applications;
    • etc.

  2 GOST crypto myths (busting)
  2.1 GOST algorithms were developed by FSB
  In fact different standards were developed by different parties, with the development effort shifting from KGB/FAPSI/FSB towards commercial companies:
    • GOST 28147-89 (64-bit symmetric cipher) was developed by the KGB, 8th Department;
    • GOST R 34.10-94 (old FF-based digital signature), GOST R 34.11-94 (old hash function) and GOST R 34.10-2001 (new elliptic curve-based digital signature) were developed by FAPSI;
    • GOST R 34.10-2012 (extension of GOST R 34.10-2001 to 512-bit curves), GOST R 34.11-2012 (new hash function), GOST R 34.12-2015 (block ciphers) and GOST R 34.13-2015 (block cipher modes) were developed by FSB together with OJSC InfoTeCS;
  • 3.
    • further recommendations for standardisation are developed by commercial companies under the governance of the standardisation technical committee (TK26).

  2.2 GOST algorithms are insecure and contain trapdoors and vulnerabilities
  It is a typical myth that GOST crypto algorithms were invented by FSB/FAPSI/KGB to be able to wiretap ordinary citizens' communications and to forge signatures. Up to now no trapdoors have been found in the standards. And this is quite logical for several reasons.
  First, ordinary citizens are not required to use GOST algorithms. They are allowed to use any existing cryptography solution unless they are bound by laws governing government secret data or qualified digital signatures. In all other cases people can (and will) use any set of ciphers.
  Second, if the authors were to insert a backdoor into an algorithm, it might be discovered by clever cryptographic researchers working for a foreign government. And this is exactly what we are trying to be protected from. Keeping state secrets safe is much more important than the theoretical possibility of reading the messages of your own citizens.
  The best known attacks can be found in table 1. As one can see, none of them is close to being practically implementable.

  2.3 National (GOST) crypto is of no concern for the rest of the world
  This is a very well known position: all nation-wide crypto standards are of no concern for the rest of the world, because nobody is going to use them.
  First, this is not quite true from the position of algorithm diversity. GOST provides a full-stack alternative to the AES-SHA-ECDSA world. It allows us (software developers) to actually check that both standards and their implementations are not tied to a particular set of algorithms.
  It allows us to find bugs and shortcomings in actual crypto library implementations, where the API or implementation uses particular fixed values or particular properties of algorithms, preventing future changes of the underlying primitives.
  Second, this approach prevents the flow of ideas generated by the Russian community into the worldwide community. A few to name:
    • Security Evaluated Standardized Password-Authenticated Key Exchange (RFC 8133),
    • Re-keying for symmetric keys (draft-irtf-cfrg-re-keying),
    • Multilinear Galois Mode (draft-smyshlyaev-mgm),
    • TLS External re-keying (draft-smyshlyaev-tls12-gost-suites).
  • 4. Tab. 1: Best known attacks on GOST algorithms

  | Algorithm | Type | Name | Time | Mem | Notes |
  |---|---|---|---|---|---|
  | GOST 28147-89 | symmetric cipher | Isobe | 2^224 | 2^64 | 2^32 plaintext/ciphertext pairs |
  | GOST 28147-89 | symmetric cipher | Dinur, Dunkelman, Shamir (FP) | 2^192 | 2^32 | 2^64 plaintext/ciphertext pairs |
  | GOST 28147-89 | symmetric cipher | Dinur, Dunkelman, Shamir (Reflection) | 2^224 | 2^36 | 2^32 plaintext/ciphertext pairs |
  | GOST R 34.11-94 | hash function | Mendel, Pramstaller, Rechberger, Kontak, Szmidt | 2^105 | | collision |
  | GOST R 34.11-94 | hash function | Mendel, Pramstaller, Rechberger, Kontak, Szmidt | 2^192 | | preimage |
  | GOST R 34.11-2012 | hash function | Guo, Jean, Peyrin, Wang | 2^266 | | second preimage for long messages (> 2^259 blocks) |

  3 Existing implementations
  3.1 Commercial implementations
  Several companies sell certified closed-source implementations of GOST algorithms in the form of Windows CSPs or OpenSSL engine implementations. A few to name (in alphabetical order) are CryptoCom, CryptoPro, InfoTeCS and LISSI. Implementations differ in feature set, certification level and price. Additionally, CryptoCom provides a patched version of the OpenVPN software and CryptoPro provides a patched Chromium browser version.

  3.2 Open Source Software support
  Several developers are working on bringing GOST cryptography support into open source software. It provides additional tests and generalization to existing libraries. OpenSSL's 'gost' engine is the well-known example of being the best way to test that engine-bound implementations of crypto primitives work correctly. Having GOST support in existing libraries allows us to replace or supplement existing proprietary software when working with government-provided information.
  • 5. 4 Summary
  A set of GOST algorithms looks like a promising full-stack alternative to the AES/SHA/RSA/ECDSA-dominated world. Thanks to the recent activity of Russian engineers both in the IETF and in IEC/ISO, GOST algorithms are trying to find their way into international standards, thus opening a possibility for wider adoption and crypto algorithm diversity. However, a lot has to be done for them to become widely accepted by existing software solutions.

  A Current status of GOST support in existing software
  A.1 Bright side
  The following software provides support for GOST cryptography routines.
  A.1.1 OpenSSL
  For a long time OpenSSL was the primary target of all GOST-related open source software development. OpenSSL provides only high-level support for using GOST algorithms in TLS, X.509 and CMS. The external 'gost' engine provides the low-level algorithm implementations to back the OpenSSL code. For some time the engine was a part of the main tree, but now (since OpenSSL 1.1.0) it has been split out to ease maintenance of both parts.
  A.1.2 LibreSSL
  As LibreSSL is a fork of OpenSSL, it was easy to port OpenSSL's 'gost' engine code to be a part of the LibreSSL library. All GOST-related code is a part of the core library.
  A.1.3 GnuTLS
  GnuTLS provides mixed support for GOST cryptography. PKI support is provided upstream, while TLS support is still provided only in the form of patches. GnuTLS maintainers are waiting for the spec to be published as an RFC before accepting the code.
  A.1.4 libgcrypt
  libgcrypt has incorporated support for all GOST primitives for quite some time. As it is a popular low-level crypto library, having GOST support there allows other developers to use it to add further support to other cryptography-related software, like GnuPG, Kleopatra, etc.
  A.1.5 xmlsec
  The xmlsec library provides support for XML signatures according to published IETF drafts.
  • 6. A.2 Dark side
  The following software does not (yet) provide support for GOST crypto standards, either because upstream maintainers are reluctant to include support or because nobody (yet) has worked on adding it.
  A.2.1 Nettle
  Patches for the Nettle library are provided, but the upstream author did not include them. The patches are now being tested as a part of the GnuTLS library, pending a future transition to become a part of the Nettle library.
  A.2.2 BoringSSL
  No work has been done yet. However, as BoringSSL is another fork of OpenSSL, it would be easy to port the existing code from OpenSSL/LibreSSL.
  A.2.3 NSS/Mozilla/Thunderbird
  This is quite a sad part of the story. Patches for this software suite have existed for a long time; however, upstream maintainers are reluctant to include them for various reasons.
  A.2.4 BIND9
  BIND9 has dropped support for GOST DNSSEC because the related RFC 5933 is slowly becoming deprecated due to the transition of the underlying primitives.
  A.2.5 IPsec
  No open source IPsec software provides support for using GOST ciphers in either IKEv2 or ESP/AH transformations.