OpenBSD: Where crypto is heading?
Mike Belopuhov
.vantronix secure systems
mikeb@openbsd.org

Moscow, December 14 2013
http://xkcd.com/1277
Pseudo-random number generator
rand (ANSI C, POSIX)
*rand48 (POSIX)
random (POSIX)
/dev/[au]random (Linux)
arc4random (OpenBSD)
arc4random in Linux! (libbsd)
arc4random (RC4?)

RC4 security
2001 Fluhrer, Mantin and Shamir attack [1]
2005 Klein attack [2]
2013 AlFardan, Bernstein, Paterson, et al. [3]

[1] Weaknesses in the Key Scheduling Algorithm of RC4
[2] Attacks on the RC4 stream cipher
[3] On the Security of RC4 in TLS and WPA
Pseudo-random number generator
arc4random (ChaCha?!)

ChaCha20 stream cipher
http://cr.yp.to/chacha.html
Based on Salsa20 (in eSTREAM portfolio)
Used in BLAKE (SHA-3 finalist)
4 cpb on modern x86
128/256 bit key

ChaCha versus Salsa
Improved diffusion
But no performance hit
IETF Crypto Forum Research Group (CFRG) “is confident that the analysis was sufficiently thorough that ChaCha is an acceptable alternative to SALSA-20.” [4]

[4] Synopsis of CFRG discussions on new stream ciphers and MACs for TLS
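An added example, not code from the slides or from OpenBSD: the ChaCha20 quarter round and block function in the RFC 8439 layout (32-byte key, 32-bit counter, 12-byte nonce), checked against that RFC's test vectors, and a toy generator in the spirit of a ChaCha-based arc4random. The generator is an illustration of the construction only: it batches keystream, uses the first 44 bytes of each batch as the next key and nonce (so old state cannot be recovered from the current one) and samples bounded integers by rejection instead of a biased modulo. The seed layout and batch size are assumptions made here; OpenBSD's real implementation seeds from the kernel and handles rekey intervals and fork() differently.

```python
"""Added example (not from the slides): ChaCha20 block function and a toy arc4random-style generator."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v: int, c: int) -> int:
    return ((v << c) & MASK32) | (v >> (32 - c))


def quarter_round(a: int, b: int, c: int, d: int) -> tuple:
    """ChaCha quarter round on four 32-bit words (RFC 8439 section 2.1)."""
    a = (a + b) & MASK32; d = _rotl(d ^ a, 16)
    c = (c + d) & MASK32; b = _rotl(b ^ c, 12)
    a = (a + b) & MASK32; d = _rotl(d ^ a, 8)
    c = (c + d) & MASK32; b = _rotl(b ^ c, 7)
    return a, b, c, d


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block: 20 rounds over the state, then add the input state."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += list(struct.unpack("<8L", key))
    state += [counter & MASK32] + list(struct.unpack("<3L", nonce))
    x = state[:]
    for _ in range(10):                                        # 10 double rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])
    return struct.pack("<16L", *[(i + j) & MASK32 for i, j in zip(x, state)])


def chacha20_xor(key: bytes, counter: int, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher encryption/decryption: XOR data with successive keystream blocks."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)


class ChaChaRandom:
    """Toy arc4random-style generator (illustration only, not OpenBSD's code).

    Keystream is produced in batches; the first 44 bytes of every batch become
    the next key and nonce and are never handed out, so compromise of the
    current state does not reveal earlier outputs.
    """
    BATCH_BLOCKS = 16                       # assumption: 16 * 64 = 1024 bytes per batch

    def __init__(self, seed: bytes):
        assert len(seed) == 44              # assumed seed layout: 32-byte key + 12-byte nonce
        self._key, self._nonce = seed[:32], seed[32:]
        self._buf = b""

    def _rekey_and_refill(self) -> None:
        batch = b"".join(chacha20_block(self._key, ctr, self._nonce)
                         for ctr in range(self.BATCH_BLOCKS))
        self._key, self._nonce = batch[:32], batch[32:44]   # forward secrecy
        self._buf += batch[44:]

    def random_bytes(self, n: int) -> bytes:
        while len(self._buf) < n:
            self._rekey_and_refill()
        out, self._buf = self._buf[:n], self._buf[n:]
        return out

    def uniform(self, upper: int) -> int:
        """Unbiased integer in [0, upper): reject draws that would skew the modulo."""
        limit = (2 ** 32 // upper) * upper
        while True:
            v = struct.unpack("<L", self.random_bytes(4))[0]
            if v < limit:
                return v % upper


if __name__ == "__main__":
    g = ChaChaRandom(bytes(44))             # constructed all-zero seed, for demonstration only
    print(g.random_bytes(8).hex(), g.uniform(100))
```

The `uniform()` method mirrors the purpose of arc4random_uniform(3): `value % upper` alone over-represents small results whenever `upper` does not divide 2^32, so draws above the largest multiple of `upper` are thrown away.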
Pseudo-random number generator
arc4random
libottery
goodrandom?
SSL/TLS

SSL/TLS ciphers
RC4      SSL 2.0+
AES-CBC  SSL 3.0+
AES-GCM  TLS 1.2
SSL/TLS in Chrome
Undocumented option --cipher-suite-blacklist
0x0004 TLS_RSA_WITH_RC4_128_MD5
0x0005 TLS_RSA_WITH_RC4_128_SHA
0x000a TLS_RSA_WITH_3DES_EDE_CBC_SHA
0x0032 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0xc007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
0xc011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
Values from RFC 2246
AES-GCM
NIST standard of authenticated encryption
AES-CTR + GHASH
NSA Suite B, SSH, TLS, IPsec, MACsec, FC-SP, WiGig
Experimental support in the OpenBSD IPsec stack

AES-NI and CLMUL
Available in Intel Westmere and newer
7 new SSE instructions
Implemented in OpenSSL and OCF
FPU “locks” in the kernel
CBC, CTR, XTS, GCM

ChaCha20-Poly1305 for TLS draft
Google have proposed draft-agl-tls-chacha20poly1305

E5-2690 2.9GHz
AES-128-GCM              131 MB/s
AES-128-GCM with AES-NI  311 MB/s
ChaCha20+Poly1305        420 MB/s

Cortex-A9 1.2GHz
AES-128-GCM               27 MB/s
ChaCha20+Poly1305         78 MB/s

Expected in Chrome 32, bug was filed against NSS, Firefox

Salsa20-SHA1 for TLS draft
RedHat et al. draft-josefsson-salsa20-tls
Revision  Changes
01        Salsa20/12 with 128-bit key removed
02        UMAC-96 added
03        UMAC-96 removed
Poly1305 MAC
http://cr.yp.to/mac.html
“Poly1305 can be written in a tweet” [5]
About 4 cpb w/o the cipher
Security mainly depends on a chosen cipher (AES, ChaCha, etc.)

[5] Salsa20 and Poly1305 in TLS
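An added example, not from the slides: Poly1305 as Bernstein defines it, written with Python integers (a few lines of arithmetic modulo 2^130 - 5), checked against the RFC 8439 test vector. The slide's remark that security "mainly depends on a chosen cipher" is visible in the interface: the 32-byte one-time key (r, s) is not a long-term secret but must be derived from the cipher (AES in the original paper, ChaCha20 in the TLS draft) separately for every message, and never reused.

```python
"""Added example (not from the slides): Poly1305 one-time authenticator."""
import hmac

P = (1 << 130) - 5


def _clamp(r: int) -> int:
    """Clear the 22 bits of r that Bernstein requires to be zero."""
    return r & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def poly1305_mac(one_time_key: bytes, msg: bytes) -> bytes:
    """16-byte tag over msg under a 32-byte one-time key (r || s), RFC 8439 section 2.5."""
    assert len(one_time_key) == 32
    r = _clamp(int.from_bytes(one_time_key[:16], "little"))
    s = int.from_bytes(one_time_key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # each block (the last one may be short) is read little-endian with a 0x01 byte appended
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % P
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def poly1305_verify(one_time_key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison: a byte-by-byte == would leak how much of a forged tag matched."""
    return hmac.compare_digest(poly1305_mac(one_time_key, msg), tag)


# RFC 8439 section 2.5.2 test vector (not a secret: published in the RFC)
RFC_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    print(poly1305_mac(RFC_KEY, RFC_MSG).hex(), poly1305_verify(RFC_KEY, RFC_MSG, RFC_TAG))
```

In an AEAD such as the TLS draft's ChaCha20-Poly1305, `one_time_key` is simply the first 32 bytes of ChaCha20 keystream under the record nonce, which is what ties the MAC's security to the cipher's.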
http://xkcd.com/1200

NIST curves
2013 Bernstein, Lange “Security dangers of NIST curves” [6]
http://safecurves.cr.yp.to/

[6] Security dangers of the NIST curves
Curve25519 Diffie-Hellman
http://cr.yp.to/ecdh.html
Does not infringe Certicom patents
Executes in constant time
32 byte private and public keys
Ed25519 EdDSA signatures
http://ed25519.cr.yp.to/
Comparable to RSA3072, NIST P-256
32 byte private and public keys
64 byte signatures
Uses PRF (SHA512)

NIST-free cryptography in OpenSSH
Support in OpenBSD-current:
Cipher/MAC    chacha20-poly1305@openssh.com
Key exchange  curve25519-sha256@libssh.org
Public keys   ssh-ed25519-cert-v01@openssh.com

IPsec/IKEv2 possibilities
It’s possible to use “Private Range” in IKEv2
ChaCha20-Poly1305 AEAD for ESP

Questions?

If this story leaves you confused, join the club.
Bruce Schneier
This talk will cover the past, present and future of the use of cryptography and the crypto stack in OpenBSD. We'll touch on AES-NI and AES-GCM support, and ChaCha20 usage as a substitute for ARC4 in the PRNG. In addition, we'll look at alternatives to algorithms standardised by NIST: ChaCha20, Poly1305, Curve25519, and their use in OpenSSH and OpenBSD.