
What's New in Go Crypto? by Nick Sullivan

Paul Burt
February 18, 2016


Uploading for the 2/17 Go 1.6 release party, at Docker HQ.

Talk given at GoSF:
http://www.meetup.com/golangsf/


Transcript

  1. What’s new in Go Crypto?
    Nick Sullivan (@grittygrease)
    GoSF Go 1.6 Release Party
    February 17, 2015


  2. Go’s Crypto Packages
    AES, DES, RC4
    RSA, ECDSA
    SHA-1, SHA-2
    HMAC


  3. Go’s Crypto Packages
    X.509
    TLS


  4. Who gits the blame?
    19012 Adam Langley
    5099 David Crawshaw
    4468 Vlad Krasnov
    3939 Russ Cox
    3074 Shenghou Ma
    1576 Yasuhiro Matsumoto
    1216 Joel Sing
    1190 Robert Griesemer
    653 Nan Deng
    641 Dave Cheney
    610 Mikkel Krautz
    560 Kyle Isom
    557 Rob Pike
    553 Jonathan Rodenberg
    499 Shenghou Ma
    397 Gautham Thambidorai
    395 Brad Fitzpatrick
    389 Nevins Bartolomeo
    351 Jacob H. Haven
    345 Han-Wen Nienhuys
    330 Luit van Drongelen
    317 Rémy Oudompheng
    282 Conrad Meyer
    281 Taru Karttunen
    280 Paul van Brouwershaven
    260 David Leon Gil
    241 Roger Peppe
    233 Nick Craig-Wood
    219 Benjamin Black
    211 Jeff Wendling
    196 Anthony Martin
    167 Andy Davis
    159 Peter Mundy
    153 Jeff R. Allen
    152 Josh Bleecher Snyder
    151 Shawn Smith
    123 Nick Sullivan


  5. 19012 Adam Langley
    5099 David Crawshaw
    4468 Vlad Krasnov
    3939 Russ Cox
    3074 Shenghou Ma
    1576 Yasuhiro Matsumoto
    1216 Joel Sing
    1190 Robert Griesemer
    653 Nan Deng
    641 Dave Cheney
    610 Mikkel Krautz
    560 Kyle Isom
    557 Rob Pike
    553 Jonathan Rodenberg
    499 Shenghou Ma
    397 Gautham Thambidorai
    395 Brad Fitzpatrick
    389 Nevins Bartolomeo
    351 Jacob H. Haven
    345 Han-Wen Nienhuys
    330 Luit van Drongelen
    317 Rémy Oudompheng
    282 Conrad Meyer
    281 Taru Karttunen
    280 Paul van Brouwershaven
    260 David Leon Gil
    241 Roger Peppe
    233 Nick Craig-Wood
    219 Benjamin Black
    211 Jeff Wendling
    196 Anthony Martin
    167 Andy Davis
    159 Peter Mundy
    153 Jeff R. Allen
    152 Josh Bleecher Snyder
    151 Shawn Smith
    123 Nick Sullivan
    Who gits the blame?
    5
    4468 Vlad Krasnov
    560 Kyle Isom
    303 Jacob H. Haven
    39 Nick Sullivan


  6. [Timeline: Go releases 1.0 through 1.6, 2012 to 2016]


  7. [Timeline: Go 1.0 through 1.6, 2012 to 2016, with the projects rrdns, cfssl, gokeyless and railgun placed on it]


  9. RAILGUN
    Defying Physics on the Web


  10. [Timeline: Go 1.0 through 1.6, 2012 to 2016, with railgun placed on it]


  11. Encrypted with TLS
    …huge CPU hog


  12. [Timeline: Go 1.0 through 1.6, 2012 to 2016; railgun, annotated "Go Crypto RC4"]


  14. Vlad The Compiler


  15. • Assembly implementation of AES-GCM
    • In Go master in time for 1.6
    Vlad The Compiler


  16. AES-GCM Performance
    benchmark               old MB/s   new MB/s   speedup
    BenchmarkAESGCMSeal8K      89.31    2559.62    28.66x
    BenchmarkAESGCMOpen8K      89.54    2463.78    27.52x
    BenchmarkAESGCMSeal1K      86.24    1872.49    21.71x
    BenchmarkAESGCMOpen1K      86.53    1721.78    19.90x


  17. AES-GCM Assembly
    if hasGCMAsm() {
        return &aesCipherGCM{c}, nil
    }
    src/crypto/aes/gcm_amd64.s
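The assembly path behind that snippet is picked automatically; the API a Go program sees is cipher.NewGCM. As an added example (not code from the slides or from Go's own source tree), the following shows the AEAD in use with a random 96-bit nonce and additional authenticated data, and exercises the two rejections a caller relies on: a single flipped ciphertext bit and mismatched additional data both make Open fail instead of returning plaintext. The key, header and message are constructed values, and the function names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"log"
)

// gcmNonceSize is the standard 96-bit nonce cipher.NewGCM expects.
const gcmNonceSize = 12

// newGCM builds the AEAD. On amd64 CPUs with AES-NI and PCLMULQDQ the
// standard library transparently selects the assembly GCM implementation.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts and authenticates plaintext, and authenticates (but does
// not encrypt) additionalData. Output layout: nonce || ciphertext || 16-byte tag.
// The nonce is random and must never repeat under the same key.
func sealGCM(key, additionalData, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce becomes the prefix.
	return aead.Seal(nonce, nonce, plaintext, additionalData), nil
}

// openGCM reverses sealGCM. Any change to nonce, ciphertext, tag or
// additionalData makes Open fail; it never returns unauthenticated plaintext.
func openGCM(key, additionalData, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, body, additionalData)
}

// Result records what the round trip showed.
type Result struct {
	Recovered          bool // genuine message decrypted to the original plaintext
	TamperDetected     bool // one flipped ciphertext bit was rejected
	ADMismatchDetected bool // wrong additional data was rejected
}

func roundTrip(key, additionalData, plaintext []byte) (Result, error) {
	var r Result
	sealed, err := sealGCM(key, additionalData, plaintext)
	if err != nil {
		return r, err
	}
	got, err := openGCM(key, additionalData, sealed)
	if err != nil {
		return r, err
	}
	r.Recovered = bytes.Equal(got, plaintext)

	// Flip one bit in the first ciphertext byte (just past the nonce).
	tampered := append([]byte(nil), sealed...)
	tampered[gcmNonceSize] ^= 0x01
	_, err = openGCM(key, additionalData, tampered)
	r.TamperDetected = err != nil

	// Present the untouched ciphertext with the wrong header.
	_, err = openGCM(key, []byte("other header"), sealed)
	r.ADMismatchDetected = err != nil
	return r, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed AES-256 key, demo only
	r, err := roundTrip(key, []byte("record-type:1"), []byte("hello from Go 1.6"))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The 28x speedup on the slide applies to exactly these Seal and Open calls; nothing in the calling code changes when the assembly path is taken.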


  18. [Timeline: Go 1.0 through 1.6, 2012 to 2016; railgun, annotated "Go Crypto RC4", "MorsingTime", "Go Crypto AES-GCM", "Use CSRs", "ECDSA Certs"]


  19. CFSSL
    Full-featured CA
    X.509 certificate chain bundler
    TLS configuration scanner


  20. [Timeline: Go 1.0 through 1.6, 2012 to 2016, with CFSSL placed on it]


  21. How Railguns Get Keys


  23. PKI the whole internal infrastructure


  24. [Timeline: Go 1.0 through 1.6, 2012 to 2016; CFSSL, annotated "ECDSA support in x509", "CSR Support", "Open Source"]


  25. crypto.Signer: a private key interface
    type Signer interface {
        Public() PublicKey
        Sign(rand io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error)
    }
    rsa.PrivateKey and ecdsa.PrivateKey both implement Signer


  26. PKCS#11
    github.com/cloudflare/cfssl/crypto/pkcs11key
    type PKCS11Key struct {
        module           *pkcs11.Ctx
        slotDescription  string
        pin              string
        publicKey        rsa.PublicKey
        privateKeyHandle pkcs11.ObjectHandle
    }


  27. PKCS#11
    func (ps *PKCS11Key) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
        // Verify that the length of the hash is as expected
        hash := opts.HashFunc()
        hashLen := hash.Size()
        if len(msg) != hashLen {
            err = errors.New("input size does not match hash function output size")
            return
        }
        // Add DigestInfo prefix
        mechanism := []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS, nil)}
        prefix, ok := hashPrefixes[hash]
        if !ok {
            err = errors.New("unknown hash function")
            return
        }
        signatureInput := append(prefix, msg...)
        // Open a session
        session, err := ps.openSession()
        if err != nil {
            return
        }
        defer ps.closeSession(session)
        // Perform the sign operation
        err = ps.module.SignInit(session, mechanism, ps.privateKeyHandle)
        if err != nil {
            return
        }
        signature, err = ps.module.Sign(session, signatureInput)
        return
    }


  28. [Timeline: Go 1.0 through 1.6, 2012 to 2016; CFSSL, annotated "ECDSA support in x509", "CSR Support", "crypto.Signer interface", "PKCS#11 Support", "Open Source"]


  29. RRDNS
    Authoritative DNS Server and DNS Proxy


  30. [Timeline: Go 1.0 through 1.6, 2012 to 2016, with rrdns placed on it]


  31. Authoritative Servers


  32. Cache Poisoning (Kaminsky’s attack)
    [Diagram: a resolver asks the authoritative server "Q: what is the IP address of cloudflare.com". The genuine answer "A: 198.41.213.157" arrives alongside many forged answers "A: 6.6.6.6".]


  33. Man-in-the-middle
    [Diagram: a man-in-the-middle sits between the resolver and the authoritative server. The server answers "Q: what is the IP address of cloudflare.com" with "A: 198.41.213.157", but the resolver receives "A: 6.6.6.6".]


  34. Solution: DNSSEC (done right)
    Digital signatures in the DNS
    Live-signed answers
    Elliptic curve keys


  35. github.com/cloudflare/go
    • Assembly implementation of P256
    • In Go 1.6! Thanks Intel!
    Vlad The Compiler


  36. P256 Performance Improvement
    ECDSA Sign: 21X
    ECDSA Verify: 9X
    BaseMult (ECDH): 30X
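The three slides above fit together: live-signed answers need a fast signer, and P-256 keeps signatures small. As an added example, not code from the talk or from rrdns, the block below signs a constructed answer with P-256 and SHA-256 in the fixed-width r || s form that DNSSEC algorithm 13 (ECDSAP256SHA256, RFC 6605) puts on the wire, then checks that the signature validates the genuine answer but not one rewritten to 6.6.6.6. The record strings are constructed stand-ins for canonical RRset data, not real RRSIG input, and the function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
	"math/big"
)

// coordLen is the byte width of a P-256 scalar. RFC 6605 encodes an
// ECDSAP256SHA256 signature as r || s with each value padded to this width,
// giving 64-byte signatures (an RSA-2048 signature is 256 bytes).
const coordLen = 32

// signRecords signs canonical record data and returns the RFC 6605 wire form.
func signRecords(priv *ecdsa.PrivateKey, canonical []byte) ([]byte, error) {
	digest := sha256.Sum256(canonical)
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 2*coordLen)
	// big.Int.Bytes drops leading zeros, so copy right-aligned to keep the
	// fixed width instead of emitting a shorter, invalid signature.
	rb, sb := r.Bytes(), s.Bytes()
	copy(sig[coordLen-len(rb):coordLen], rb)
	copy(sig[2*coordLen-len(sb):], sb)
	return sig, nil
}

// verifyRecords checks a fixed-width signature. A malformed length is
// rejected outright rather than parsed as best effort.
func verifyRecords(pub *ecdsa.PublicKey, canonical, sig []byte) (bool, error) {
	if len(sig) != 2*coordLen {
		return false, errors.New("ECDSAP256SHA256 signature must be 64 bytes")
	}
	r := new(big.Int).SetBytes(sig[:coordLen])
	s := new(big.Int).SetBytes(sig[coordLen:])
	digest := sha256.Sum256(canonical)
	return ecdsa.Verify(pub, digest[:], r, s), nil
}

// demo signs a constructed answer and checks that the signature validates the
// genuine answer but not one where the address was swapped for 6.6.6.6.
func demo() (genuineOK, alteredOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	// Constructed stand-ins for canonicalised RRset data. Real DNSSEC signs the
	// RRSIG RDATA prefix followed by the canonical RRs (RFC 4034, section 3.1.8.1).
	genuine := []byte("cloudflare.com. 300 IN A 198.41.213.157")
	altered := []byte("cloudflare.com. 300 IN A 6.6.6.6")
	sig, err := signRecords(priv, genuine)
	if err != nil {
		return
	}
	if genuineOK, err = verifyRecords(&priv.PublicKey, genuine, sig); err != nil {
		return
	}
	alteredOK, err = verifyRecords(&priv.PublicKey, altered, sig)
	return
}

func main() {
	g, a, err := demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("genuine answer verifies: %v, altered answer verifies: %v\n", g, a)
}
```

Note that ecdsa.Sign itself is what the Go 1.6 P-256 assembly accelerates; the encoding step is the only DNSSEC-specific part, and it is where a naive Bytes() call produces occasional short signatures that resolvers reject.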


  37. [Timeline: Go 1.0 through 1.6, 2012 to 2016; rrdns, annotated "FilippoTime", "DNSSEC Prototype", "P256 ASM", "DNSSEC Beta", "crypto.Signer"]


  38. gokeyless
    taking the private key out of TLS


  39. TLS in RSA mode
    [Diagram; label: Private Key]


  40. TLS in RSA mode - Keyless
    [Diagram; label: Private Key]


  41. Geography of TLS


  42. Geography of Keyless SSL


  43. [Timeline: Go 1.0 through 1.6, 2012 to 2016; gokeyless, annotated "keyless (C)", "HavenTime"]


  44. New interface: crypto.Decrypter
    type Signer interface {
        Public() PublicKey
        Sign(rand io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error)
    }

    type Decrypter interface {
        Public() PublicKey
        Decrypt(rand io.Reader, msg []byte, opts DecrypterOpts) (plaintext []byte, err error)
    }
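Decrypter is the interface a key must satisfy for the RSA key-exchange path, where the server decrypts the premaster secret. As an added example (not from the talk, cfssl or gokeyless), the following wraps an in-memory RSA key, standing in for one held elsewhere, so that callers only reach it through crypto.Decrypter, and dispatches on the DecrypterOpts the caller passes. It also shows the PKCS#1 v1.5 failure mode that the SessionKeyLen option exists for: a damaged ciphertext yields a random key of the right length, not an error, so a padding oracle is not exposed. Names such as opaqueRSAKey and exercise are mine, and the 48-byte secret is a constructed value.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"log"
)

// opaqueRSAKey hides an RSA key behind crypto.Decrypter. *rsa.PrivateKey
// already satisfies the interface; wrapping it shows what a key held in an
// HSM or a remote key server has to implement. opts carries the padding the
// caller expects, so one method serves both OAEP and PKCS#1 v1.5.
type opaqueRSAKey struct {
	inner *rsa.PrivateKey // stand-in for a handle to a key stored elsewhere
}

func newOpaqueRSAKey(bits int) (*opaqueRSAKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &opaqueRSAKey{inner: k}, nil
}

func (k *opaqueRSAKey) Public() crypto.PublicKey { return &k.inner.PublicKey }

func (k *opaqueRSAKey) Decrypt(rand io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error) {
	switch o := opts.(type) {
	case *rsa.OAEPOptions:
		return rsa.DecryptOAEP(o.Hash.New(), rand, k.inner, ciphertext, o.Label)
	case *rsa.PKCS1v15DecryptOptions:
		// crypto/tls asks for this form with a fixed SessionKeyLen. A failed
		// padding check must be indistinguishable from success, so the result
		// is a random key of the expected length, never an error.
		if o.SessionKeyLen == 0 {
			return nil, errors.New("PKCS#1 v1.5 decryption requires a fixed session key length")
		}
		key := make([]byte, o.SessionKeyLen)
		if _, err := io.ReadFull(rand, key); err != nil {
			return nil, err
		}
		if err := rsa.DecryptPKCS1v15SessionKey(rand, k.inner, ciphertext, key); err != nil {
			return nil, err
		}
		return key, nil
	default:
		return nil, errors.New("unsupported DecrypterOpts")
	}
}

// Result records the three cases exercised against the wrapper.
type Result struct {
	OAEPRoundTrip       bool // OAEP ciphertext decrypts to the original secret
	PKCS1v15RoundTrip   bool // PKCS#1 v1.5 ciphertext decrypts to the original secret
	TamperedGivesRandom bool // damaged PKCS#1 v1.5 ciphertext yields a random key, not an error
}

func exercise(k *opaqueRSAKey) (Result, error) {
	var res Result
	secret := bytes.Repeat([]byte{0xAB}, 48) // constructed 48-byte "premaster secret"
	pub := k.Public().(*rsa.PublicKey)

	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, []byte("ctx"))
	if err != nil {
		return res, err
	}
	pt, err := k.Decrypt(rand.Reader, ct, &rsa.OAEPOptions{Hash: crypto.SHA256, Label: []byte("ctx")})
	if err != nil {
		return res, err
	}
	res.OAEPRoundTrip = bytes.Equal(pt, secret)

	ct, err = rsa.EncryptPKCS1v15(rand.Reader, pub, secret)
	if err != nil {
		return res, err
	}
	opts := &rsa.PKCS1v15DecryptOptions{SessionKeyLen: len(secret)}
	pt, err = k.Decrypt(rand.Reader, ct, opts)
	if err != nil {
		return res, err
	}
	res.PKCS1v15RoundTrip = bytes.Equal(pt, secret)

	// Damage the last ciphertext byte: the padding check fails, but the caller
	// still receives a key-shaped value and no error.
	ct[len(ct)-1] ^= 0x01
	pt, err = k.Decrypt(rand.Reader, ct, opts)
	res.TamperedGivesRandom = err == nil && len(pt) == len(secret) && !bytes.Equal(pt, secret)
	return res, nil
}

func main() {
	k, err := newOpaqueRSAKey(2048)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(exercise(k))
}
```

A remote or hardware-backed implementation keeps the same shape: the opts type tells it which padding to apply, and rejecting a zero SessionKeyLen keeps a caller from accidentally turning the key into a padding oracle.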


  45. Using it in TLS
    return &tls.Config{
        Certificates: []tls.Certificate{cert},
        RootCAs:      SystemRoots,
        ServerName:   host,
        CipherSuites: CipherSuites,
        MinVersion:   tls.VersionTLS12,
    }

    type Certificate struct {
        Certificate                 [][]byte
        PrivateKey                  crypto.PrivateKey
        OCSPStaple                  []byte
        SignedCertificateTimestamps [][]byte
        Leaf                        *x509.Certificate
    }
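Putting the Signer slides and this one together, here is an added example (not code from the talk, cfssl or gokeyless) of what tls.Certificate.PrivateKey being a crypto.PrivateKey buys: a P-256 key wrapped so that crypto/x509 and crypto/tls only ever see crypto.Signer (with the digest-length check from the PKCS#11 signer on slide 27), used first to self-sign a certificate and then as the server key for a handshake over an in-memory pipe. The wrapper counts Sign calls so you can see the key is touched exactly twice, once per signature. The connection is pinned to TLS 1.2 because net.Pipe is synchronous and TLS 1.3's session tickets, sent in the server's first flight, would otherwise sit unread and block the server; a real server uses a network connection and does not set MaxVersion. The type and function names are mine.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// opaqueKey stands in for a key Go cannot touch directly (an HSM slot, a
// remote key server): x509 and tls only see the Signer methods.
type opaqueKey struct {
	inner *ecdsa.PrivateKey // in a real deployment: a handle, not the key
	signs int64             // Sign calls observed
}

func (k *opaqueKey) Public() crypto.PublicKey { return &k.inner.PublicKey }

func (k *opaqueKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	// Same check as the PKCS#11 signer: the digest must match the claimed hash.
	if opts == nil || len(digest) != opts.HashFunc().Size() {
		return nil, errors.New("digest length does not match hash function")
	}
	atomic.AddInt64(&k.signs, 1)
	return k.inner.Sign(rand, digest, opts) // ASN.1 DER encoded ECDSA signature
}

// newOpaqueKeyAndCert makes a P-256 key and a self-signed "localhost" certificate signed through the wrapper.
func newOpaqueKeyAndCert() (*opaqueKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	key := &opaqueKey{inner: priv}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// handshakeWithOpaqueKey runs a TLS 1.2 handshake with the server key supplied only as a
// crypto.Signer and returns the Sign calls made (one for the certificate, one for the handshake).
func handshakeWithOpaqueKey() (int64, error) {
	key, der, err := newOpaqueKeyAndCert()
	if err != nil {
		return 0, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}},
		MinVersion:   tls.VersionTLS12, MaxVersion: tls.VersionTLS12, // pinned: see lead-in
	}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	server, client := tls.Server(sConn, serverCfg), tls.Client(cConn, clientCfg)
	errc := make(chan error, 1)
	go func() { errc <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return 0, err
	}
	if err := <-errc; err != nil {
		return 0, err
	}
	return atomic.LoadInt64(&key.signs), nil
}

func main() { fmt.Println(handshakeWithOpaqueKey()) }
```

Replace the inner ECDSA key with a PKCS#11 handle or a request to a key server and nothing in the x509 or tls calls changes, which is the point of slide 51.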


  46. github.com/cloudflare/go
    • Faster implementation of RSA
    • In Go 1.5
    • (bugfix in Go 1.6)
    Vlad The Compiler


  47. RSA Performance
    benchmark                 old ns/op   new ns/op     delta
    BenchmarkRSA2048Decrypt     6696649     3073769   -54.10%


  48. New additions to Go 1.5
    crypto.Decrypter, crypto.Signer support in x509, tls
    AES_256_GCM_SHA384 cipher suites
    Faster RSA operations


  49. New additions to Go 1.6
    20x Faster Elliptic Curves (P256)
    20x Faster AES-GCM


  50. [Timeline: Go 1.0 through 1.6, 2012 to 2016; gokeyless, annotated "keyless (C)", "opaque keys in TLS", "HavenTime", "AES 256", "RSA Mont"]


  51. This is now possible in Go
    TLS load balancer backed by hardware (PKCS#11, TPM coming soon)
    Arbitrary RSA/ECDSA Implementations


  52. [Timeline: Go 1.0 through 1.6, 2012 to 2016, with the projects rrdns, cfssl, gokeyless and railgun placed on it]


  53. ❤Go Crypto


  54. What’s new in Go Crypto?
    Nick Sullivan (@grittygrease)
    GoSF Go 1.6 Release Party
    February 17, 2015
