What's New in Go Crypto? by Nick Sullivan

Transcript

1. What’s new in Go Crypto? Nick Sullivan (@grittygrease) GoSF Go

   1.6 Release Party February 17, 2015

2. Go’s Crypto Packages AES, DES, RC4 RSA, ECDSA SHA-1, SHA-2

   HMAC 2

3. Go’s Crypto Packages X.509 TLS 3

4. Who gits the blame? 19012 Adam Langley 5099 David Crawshaw

   4468 Vlad Krasnov 3939 Russ Cox 3074 Shenghou Ma 1576 Yasuhiro Matsumoto 1216 Joel Sing 1190 Robert Griesemer 653 Nan Deng 641 Dave Cheney 610 Mikkel Krautz 560 Kyle Isom 557 Rob Pike 553 Jonathan Rodenberg 499 Shenghou Ma 397 Gautham Thambidorai 395 Brad Fitzpatrick 389 Nevins Bartolomeo 351 Jacob H. Haven 345 Han-Wen Nienhuys 330 Luit van Drongelen 317 Rémy Oudompheng 282 Conrad Meyer 281 Taru Karttunen 280 Paul van Brouwershaven 260 David Leon Gil 241 Roger Peppe 233 Nick Craig-Wood 219 Benjamin Black 211 Jeff Wendling 196 Anthony Martin 167 Andy Davis 159 Peter Mundy 153 Jeff R. Allen 152 Josh Bleecher Snyder 151 Shawn Smith 123 Nick Sullivan 4

5. 19012 Adam Langley 5099 David Crawshaw 4468 Vlad Krasnov 3939

   Russ Cox 3074 Shenghou Ma 1576 Yasuhiro Matsumoto 1216 Joel Sing 1190 Robert Griesemer 653 Nan Deng 641 Dave Cheney 610 Mikkel Krautz 560 Kyle Isom 557 Rob Pike 553 Jonathan Rodenberg 499 Shenghou Ma 397 Gautham Thambidorai 395 Brad Fitzpatrick 389 Nevins Bartolomeo 351 Jacob H. Haven 345 Han-Wen Nienhuys 330 Luit van Drongelen 317 Rémy Oudompheng 282 Conrad Meyer 281 Taru Karttunen 280 Paul van Brouwershaven 260 David Leon Gil 241 Roger Peppe 233 Nick Craig-Wood 219 Benjamin Black 211 Jeff Wendling 196 Anthony Martin 167 Andy Davis 159 Peter Mundy 153 Jeff R. Allen 152 Josh Bleecher Snyder 151 Shawn Smith 123 Nick Sullivan Who gits the blame? 5 4468 Vlad Krasnov 560 Kyle Isom 303 Jacob H. Haven 39 Nick Sullivan

6. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

   1.5 1.6

7. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

   1.5 rrdns cfssl gokeyless railgun 1.6
8. None

9. RAILGUN Defying Physics on the Web

10. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

    1.5 railgun 1.6

11. Encrypted with TLS …huge CPU hog

12. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

    1.5 Go Crypto RC4 railgun 1.6
13. None

14. Vlad The Compiler

15. • Assembly implementation of AES-GCM • In Go master in

    time for 1.6 Vlad The Compiler

16. AES-GCM Performance benchmark old MB/s new MB/s speedup BenchmarkAESGCMSeal8K 89.31

    2559.62 28.66x BenchmarkAESGCMOpen8K 89.54 2463.78 27.52x BenchmarkAESGCMSeal1K 86.24 1872.49 21.71x BenchmarkAESGCMOpen1K 86.53 1721.78 19.90x

17. AES-GCM Assembly if hasGCMAsm() { return &aesCipherGCM{c}, nil } src/crypto/aes/gcm_amd64.s

18. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

    1.5 Go Crypto RC4 MorsingTime Go Crypto AES-GCM Use CSRs railgun ECDSA Certs 1.6

19. CFSSL Full-featured CA X.509 certificate chain bundler TLS configuration scanner

20. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

    1.5 CFSSL 1.6

21. How Railguns Get Keys

22. 22

23. PKI the whole internal infrastructure

24. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

    1.5 CFSSL ECDSA support in x509 CSR Support Open Source 1.6

25. crypto.Signer: a private key interface type Signer interface { Public()

    PublicKey Sign(rand io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error) } rsa.PrivateKey and ecdsa.PrivateKey both implement Signer 25

26. PKCS#11 github.com/cloudflare/cfssl/crypto/pkcs11key type PKCS11Key struct { module *pkcs11.Ctx slotDescription string

    pin string publicKey rsa.PublicKey privateKeyHandle pkcs11.ObjectHandle } 26

27. PKCS#11 27 func (ps *PKCS11Key) Sign(rand io.Reader, msg []byte, opts

    crypto.SignerOpts) (signature []byte, err error) { // Verify that the length of the hash is as expected hash := opts.HashFunc() hashLen := hash.Size() if len(msg) != hashLen { err = errors.New("input size does not match hash function output size") return } // Add DigestInfo prefix mechanism := []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS, nil)} prefix, ok := hashPrefixes[hash] if !ok { err = errors.New("unknown hash function") return } signatureInput := append(prefix, msg...) // Open a session session, err := ps.openSession() if err != nil { return } defer ps.closeSession(session) // Perform the sign operation err = ps.module.SignInit(session, mechanism, ps.privateKeyHandle) if err != nil { return } signature, err = ps.module.Sign(session, signatureInput) return }

28. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

    1.5 CFSSL ECDSA support in x509 CSR Support crypto.Signer interface PKCS#11 Support Open Source 1.6

29. RRDNS Authoritative DNS Server and DNS Proxy

30. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

    1.5 rrdns 1.6

31. Authoritative Servers 31

32. Cache Poisoning (Kaminsky’s attack) 32 Resolver Authoritative Server Q: what

    is the IP address of cloudflare.com A: 198.41.213.157 A: 6.6.6.6 A: 6.6.6.6 A: 6.6.6.6 A: 6.6.6.6 A: 6.6.6.6 A: 6.6.6.6 A: 6.6.6.6

33. Man-in-the-middle 33 Resolver Authoritative Server Q: what is the IP

    address of cloudflare.com A: 198.41.213.157 A: 6.6.6.6

34. Solution: DNSSEC (done right) Digital signatures in the DNS Live-signed

    answers Elliptic curve keys 34

35. github.com/cloudflare/go • Assembly implementation of P256 • In Go 1.6!

    Thanks Intel! Vlad The Compiler

36. P256 Performance Improvement ECDSA Sign: 21X ECDSA Verify: 9X BaseMult

    (ECDH): 30X

37. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

    1.5 rrdns FilippoTime DNSSEC Prototype P256 ASM DNSSEC Beta crypto.Signer 1.6

38. gokeyless taking the private key out of TLS

39. TLS in RSA mode 39 Private Key

40. TLS in RSA mode - Keyless 40 Private Key

41. Geography of TLS 41

42. 42 Geography of Keyless SSL

43. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

    1.5 gokeyless keyless (C) HavenTime 1.6

44. New interface: crypto.Decrypter type Signer interface { Public() PublicKey Sign(rand

    io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error) } type Decrypter interface { Public() PublicKey Decrypt(rand io.Reader, msg []byte, opts DecrypterOpts) (plaintext []byte, err error) } 44

45. Using it in TLS return &tls.Config{ Certificates: []tls.Certificate{cert}, RootCAs: SystemRoots,

    ServerName: host, CipherSuites: CipherSuites, MinVersion: tls.VersionTLS12, } 45 type Certificate struct { Certificate [][]byte PrivateKey crypto.PrivateKey OCSPStaple []byte SignedCertificateTimestamps [][]byte Leaf *x509.Certificate }

46. github.com/cloudflare/go • Faster implementation of RSA • In Go 1.5

    • (bugfix in Go 1.6) Vlad The Compiler

47. RSA Performance benchmark old ns/op new ns/op delta BenchmarkRSA2048Decrypt 6696649

    3073769 -54.10%

48. New additions to Go 1.5 crypto.Decrypter, crypto.Signer support in x509,

    tls AES_256_GCM_SHA384 cipher suites Faster RSA operations 48

49. New additions to Go 1.6 20x Faster Elliptic Curves (P256)

    20x Faster AES-GCM 49

50. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

    1.5 gokeyless keyless (C) opaque keys in TLS HavenTime AES 256 RSA Mont 1.6

51. This is now possible in Go TLS load balancer backed

    by hardware (PKCS#11, TPM coming soon) Arbitrary RSA/ECDSA Implementations 51

52. 1.0 2012 2013 2014 2015 1.1 1.2 2016 1.3 1.4

    1.5 rrdns cfssl gokeyless railgun 1.6

53. ❤Go Crypto

54. What’s new in Go Crypto? Nick Sullivan (@grittygrease) GoSF Go

    1.6 Release Party February 17, 2015