This Talk
• 2014: This year in cryptography
• Is Rust a good language for crypto?
• Survey of the Rust crypto landscape
• A Rust common crypto library
• Measuring timing variability in Rust
Things that might help
• Dead code detection
• Mandatory braces
• Automatic resource management
• No goto statement
• true/false (and better ways of handling errors)
• Memory safety
"In this sense, the attacks do not pose a significant danger to ordinary users of TLS in their current form. However, it is a truism that attacks only get better with time, and we cannot anticipate what improvements to our attacks, or entirely new attacks, may yet be discovered."
— Nadhem J. AlFardan and Kenneth G. Paterson
Cryptocoding.net Rules
• Compare secret strings in constant time
• Avoid branchings controlled by secret data
• Avoid table look-ups indexed by secret data
• Avoid secret-dependent loop bounds
• Prevent compiler interference with security-critical operations
• Prevent confusion between secure and insecure APIs
• Avoid mixing security and abstraction levels of cryptographic primitives in the same API layer
• Use unsigned bytes to represent binary data
• Use separate types for secret and non-secret information
• Use separate types for different types of information
• Clean memory of secret data
• Use strong randomness
Constant Time Operation
• Compare secret strings in constant time
• Avoid branchings controlled by secret data
• Avoid table look-ups indexed by secret data
• Avoid secret-dependent loop bounds
Clear Abstractions
• Prevent confusion between secure and insecure APIs
• Avoid mixing security and abstraction levels of cryptographic primitives in the same API layer
Types!
• Use unsigned bytes to represent binary data
• Use separate types for secret and non-secret information
• Use separate types for different types of information
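The constant-time and memory-clearing rules above, worked through as an added example in plain Rust (illustration code written for this page, not code from rust-crypto, libsodium or any other library the slides mention): a naive early-exit comparison beside a constant-time one, a branch-free select, and a volatile zeroize. `black_box`, `write_volatile` and `compiler_fence` are standard-library calls; the function names are assumptions of this example.

```rust
// Added example for this page: constant-time helpers in plain Rust that
// illustrate three cryptocoding.net rules. Not code from rust-crypto,
// libsodium or any other library named on the page.
use std::hint::black_box;
use std::ptr::write_volatile;
use std::sync::atomic::{compiler_fence, Ordering};

/// The pattern to avoid: returns as soon as a byte differs, so the
/// running time depends on how many leading bytes match the secret.
pub fn naive_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    for (x, y) in a.iter().zip(b) {
        if x != y {
            return false;
        }
    }
    true
}

/// Constant-time comparison: OR every byte difference into `diff` and
/// decide only once, after the whole loop has run. `black_box` asks the
/// optimizer not to reason about `diff`; it is a hint, not a guarantee,
/// so the generated assembly still has to be checked, as the slides warn.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    let mut diff: usize = a.len() ^ b.len();
    for (x, y) in a.iter().zip(b) {
        diff = black_box(diff | (x ^ y) as usize);
    }
    diff == 0
}

/// Branch-free select: `choice` must be 0 or 1. Negating it in wrapping
/// arithmetic yields an all-zeros or all-ones mask.
pub fn ct_select_u32(choice: u8, a: u32, b: u32) -> u32 {
    debug_assert!(choice <= 1);
    let mask = (choice as u32).wrapping_neg();
    (a & mask) | (b & !mask)
}

/// Clear a secret buffer with volatile stores so dead-store elimination
/// cannot drop the writes just because the buffer is never read again.
pub fn zeroize(buf: &mut [u8]) {
    for byte in buf.iter_mut() {
        // SAFETY: `byte` is a valid, aligned, exclusively borrowed u8.
        unsafe { write_volatile(byte, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}
```

None of these hints binds LLVM; before relying on them, inspect the emitted assembly (e.g. `rustc -O --emit asm`) for reintroduced branches or dropped stores.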
libsodium
• Portable repackaging of the Networking and Cryptography Library (NaCl a.k.a. “salt”)
• Includes Ed25519 and ChaCha20
• Includes the scrypt password hashing function
• Includes the Blake2 hash function
• Includes SipHash
• Some optional libsodium-specific utility functions
rust-crypto tl;dr
• Good effort!
• No immediate security problems on cursory inspection
• Clear signs the code has not been well-reviewed
• Needs more expert scrutiny to be trusted
Warning: While this library tries to avoid branches or input-dependent memory operations, the code optimizer may reintroduce them and you should carefully verify the assembly in order to use this.
Common crypto library
• Common foundation for all crypto libraries
• Solve unsafe concerns in one place
• Solve constant-time operation in one place
• Promote interoperability
Cyclometer
• Automated testing for data-dependent timing variability in Rust cryptographic libraries
• Use RDTSC to measure timing
• Collect a large number of samples and apply a statistical test (e.g. Box Test) to determine if timing variability is distinguishable
Final thoughts
• Rust has immense potential for cryptography but we must tread carefully
• Rust code without any branches isn’t necessarily constant time. Beware LLVM!
• Stick with wrappers to mainstream crypto libraries until pure Rust crypto is more mature