Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rust in Blockchain - Tendermint KMS and Abscissa

tarcieri
July 17, 2019
0
500

Rust in Blockchain - Tendermint KMS and Abscissa

tarcieri

July 17, 2019
Tweet

More Decks by tarcieri

See All by tarcieri
Embedded cryptography in Rust: RustCrypto + Veriform
tarcieri
0
910
Rhapsody in Zero Knowledge - Proving without Revealing
tarcieri
2
280
Insane in the Blockchain
tarcieri
1
690
Macaroons for Rust
tarcieri
3
780
A Protocol for Interledger Payments
tarcieri
0
360
Frontiers in Cryptography
tarcieri
2
1.5k
Macaroons - A Better Kind of Cookie
tarcieri
1
280
Thoughts on Rust Cryptography
tarcieri
6
6.3k
Being Boring: A Survivor's Guide to Ruby Cryptography
tarcieri
4
1.1k

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
8
3.5k
The Language of Interfaces
destraynor
151
23k
RailsConf 2023
tenderlove
9
580
Making Projects Easy
brettharned
109
5.5k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
7k
4 Signs Your Business is Dying
shpigford
176
21k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Embracing the Ebb and Flow
colly
80
4.2k
The Invisible Side of Design
smashingmag
294
49k
The Cost Of JavaScript in 2023
addyosmani
21
4k
Build your cross-platform service in a week with App Engine
jlugia
226
17k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k

Transcript

  1. Tendermint KMS + Tony Arcieri · Rust in Blockchain ·

    July 17th, 2019 0 ∞ S C I S S B

  2. Tony Arcieri Hello! @bascule

  3. @iqlusioninc

  4. Today's Talk • Tendermint KMS: HSM-backed multi-chain key management system

    for Tendermint blockchains • Signatory: multi-provider digital signature library for Rust • yubihsm.rs: pure Rust client for Yubico YubiHSM2 • Abscissa: security-oriented Rust application framework

  5. Tendermint KMS Key Management System for Tendermint Blockchains https://github.com/tendermint/kms/

  6. • BFT protocol and consensus engine for blockchain applications, i.e

    "Raft for BFT" • Designed for Proof-of-Stake: security through network of validators / block proposers which sign blocks (Ed25519) • Application Blockchain Interface (ABCI): 
 pluggable applications with arbitrary validation logic • Multiple production networks deployed:
 Cosmos Hub, IRIS Network, Terra Tendermint

  7. • Secure key storage for Tendermint validators:
 support for YubiHSM2,

    Ledger, and software-backed keys • Centralized signing service for multiple networks:
 validators can spin up new Tendermint networks without having to provision additional HSM hardware • Double-signing prevention: prevents validators from signing repeatedly at the same block height (and getting slashed) • Deployed in production: by multiple Tendermint validators Tendermint KMS
  8. None

  9. Multi-provider Rust Digital Signature Library Signatory https://github.com/tendermint/signatory/

  10. • Digital signature abstractions: traits for signing and verifying digital

    signatures with support for both ECDSA and Ed25519 algorithms • Support for popular Rust signing crates: wrappers for the following: • ed25519-dalek • ring • secp256k1 (FFI wrapper for libsecp256k1) • sodiumoxide (FFI wrapper for libsodium) • HSM-friendly abstractions: supports the following HSM options • YubiHSM2 • Ledger (Tendermint only) Signatory

  11. Pure-Rust client library for YubiHSM2s yubihsm.rs https://github.com/tendermint/yubihsm-rs/

  12. yubihsm.rs • Pure Rust: (re)implementation of the YubiHSM2 SDK and

    Secure Connection (SCP03) protocol with USB support • Most commands supported: ECDSA, Ed25519, key wrapping (encrypted export/import), HMAC, auditing • Mock HSM support: software reimplementation of the YubiHSM2 for testing and CI

  13. 0 ∞ S C I S S B Security-oriented Rust

    application framework https://github.com/iqlusioninc/abscissa/

  14. x abscissa

  15. None

  16. IT WAS TOTALLY INVISIBLE HOWS THAT POSSIBLE ? THEY USED

    THE EARTHS MAGNETIC FIELD X THE INFORMATION WAS GATHERED AND TRANSMITTED UNDERGRUUND TO AN UNKNOWN LOCATION X DOES LANGLEY KNOW ABOUT THIS ? THEY SHOULD ITS BURIED OUT THERE SOMEWHERE X WHO KNOWS THE EXACT LOCATION ? ONLY WW THIS WAS HIS LAST MESSAGE X THIRTY EIGHT DEGREES FIFTY SEVEN MINUTES SIX POINT FIVE SECONDS NORTH SEVENTY SEVEN DEGREES EIGHT MINUTES FORTY FOUR SECONDS WEST X LAYER TWO Kryptos K2

  17. • Framework for CLI apps or network services • Maximize

    features while minimizing dependencies • Strong focus on security (particularly dependencies) • Particularly interesting for blockchain applications 0 ∞ S C I S S B https://github.com/iqlusioninc/abscissa/

  18. • Tendermint KMS • cargo-audit (RustSec) • Zcash Foundation "zebra"

    • Multiple internal iqlusion tools (OSS TBA) 0 ∞ S C I S S B Used by the following projects:

  19. • command-line option parsing: simple declarative option parser based on

    gumdrop • components: ECS-like component architecture with hooks into the application lifecycle • configuration: parses TOML configurations files using serde • error handling: generic Error type based on the failure crate • logging: integrated logging subsystem based on the log crate • secrets management: optional Secret type (from the secrecy crate) which can be used to represent secret values parsed from configuration files or elsewhere • terminal interactions: support for colored terminal output 0 ∞ S C I S S B

  20. $ cargo install abscissa 0 ∞ S C I S

    S B

  21. $ abscissa new my_application_name 0 ∞ S C I S

    S B

  22. 0 ∞ S C I S S B

  23. Abscissa blog post tomorrow! Want to know more? https://iqlusion.blog

  24. Thanks for coming!

  25. Links • Twitter: @bascule @iqlusioninc • iqlusion blog: https://iqlusion.blog •

    Abscissa: https://github.com/iqlusioninc/abscissa/ • Tendermint KMS: https://github.com/tendermint/kms/ • Signatory: https://github.com/tendermint/signatory/ • yubihsm.rs: https://github.com/tendermint/yubihsm-rs/