Implementing a Fast, Memory-safe Axolotl Ratchet Protocol

Jihyeok Seo
December 05, 2015

2015 Korea Institute of Information Security and Cryptology Winter Conference (CISC-W'15)

Transcript

  1. Implementing a Fast, Memory-safe Axolotl Ratchet Protocol
     Jihyeok Seo*, Dabin Hwang**
     Konkuk University*, Seoul Women's University**

  2. Motivation
     • 20150730, Yonhap, "NIS, Requested 'Hacking Team' Provide KakaoTalk Wiretapping"
     • 20151006, Yonhap, "Kakao, Starts Producing Data For Wiretapping Warrants"
     • We need secure, end-to-end encrypted mobile communication methods

  3. How?
     • Suitable protocols for the mobile environment
     • Secure cryptographic primitives
     • Safe implementations

  4. Ratcheting
     • Sharing a secret is trivial (Diffie–Hellman)
     • How do we reduce risk of a compromised shared secret key?
     • Constantly change the shared secret
     • Ratcheting Protocols (OTR, SCIMP, Axolotl, etc.)

  5. OTR
     • https://otr.cypherpunks.ca
     • Diffie–Hellman key exchange on every message
     • Assumptions: communicating parties are always online
     • In mobile environments, not always so

  6. Axolotl
     • https://github.com/trevp/axolotl/wiki
     • Trevor Perrin
     • State-of-the-art key ratcheting protocol
     • OTR (DH ratchet) + SCIMP (hash ratchet)
     • Opportunistic

  7. Message Encryption: ChaCha20
     • D. J. Bernstein. 2008.
     • http://cr.yp.to/papers.html#chacha
     • Faster, more energy-efficient in mobile devices
     • Immune to timing, padding oracle attacks

  8. Message Authentication: Poly1305
     • D. J. Bernstein. 2005.
     • http://cr.yp.to/papers.html#poly1305
     • Faster, more energy-efficient in mobile devices
     • Smaller MAC size compared to HMAC-SHA256

  9. ChaCha20-Poly1305
     • Accepted TLS cipher suite
     • Used for communication between Android devices and Google services
     • Used for Cloudflare CDN network
     • Industry tested cipher suite

  10. Comparison
                        Signal                Lumi
      Key Derivation    HKDF (HMAC-SHA256)    HKDF (HMAC-SHA256)
      Key Exchange      X25519 (Curve25519)   X25519 (Curve25519)
      Encryption        AES-256 (CTR)         ChaCha20
      MAC               HMAC-SHA256           Poly1305-AES

  11. Rust
      • https://www.rust-lang.org
      • Guaranteed memory safety
      • Prevents security vulnerabilities
      • Buffer overflows, dangling pointers, data race…

  12. Conclusion
      • Memory-safe implementation of the state-of-the-art ratcheting protocol
      • Better, faster, more secure cryptographic primitives
      • Proof of concept of an end-to-end encrypted messaging application

  13. Future Work
      • Adopt post-quantum cryptography (Ring-LWE, SPHINCS, etc.)
      • Reduce metadata leak (I2P, Tor, Router Federation, etc.)
      • Formal verification of Rust code (Coq, Isabelle, etc.)
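The symmetric (hash) ratchet that slides 4 and 6 describe, written out as an added Python example; it is not code from the deck or from the Lumi implementation. It assumes HMAC-SHA256 as the chain KDF (the "Key Derivation" row of the comparison slide), and the 0x01/0x02 derivation labels, the MAX_SKIP bound and the HashRatchet class layout are assumptions of this example.

```python
import hmac
import hashlib

# Added illustration of Axolotl's hash (symmetric) ratchet, not code from the
# deck or from Lumi. HMAC-SHA256 as the derivation function matches the
# comparison slide; the 0x01/0x02 labels, MAX_SKIP and the class layout are
# assumptions. Each chain key yields exactly one message key and is then
# replaced by its successor, so a chain key captured later cannot be walked
# backwards to keys of messages already delivered.

MAX_SKIP = 32  # bound on stored keys for messages that have not arrived yet (assumed)


def kdf_ck(chain_key: bytes) -> tuple:
    """One ratchet step: derive this message's key, then replace the chain key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class HashRatchet:
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.n = 0          # number of the next message key to derive
        self.skipped = {}   # message number -> key, kept only until that message arrives

    def next_key(self):
        """Sender: derive the key for message self.n and advance the chain."""
        self.chain_key, mk = kdf_ck(self.chain_key)
        n, self.n = self.n, self.n + 1
        return n, mk

    def key_for(self, n: int) -> bytes:
        """Receiver: derive the key for message n, tolerating out-of-order delivery."""
        if n in self.skipped:
            return self.skipped.pop(n)  # late message: use its stored key once, then drop it
        if n < self.n:
            raise ValueError("message %d already processed (replay?)" % n)
        if n - self.n > MAX_SKIP:
            raise ValueError("too many skipped messages")
        while self.n < n:               # earlier messages still in flight: keep their keys
            idx, mk = self.next_key()
            self.skipped[idx] = mk
        return self.next_key()[1]
```

Because a message key is deleted as soon as it is used, a receiver whose current chain key is later exposed only reveals keys for messages that have not yet been delivered, which is the forward-secrecy property the ratchet is meant to give.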