Maintaining cryptographic library for 12 languages

vixentael
November 07, 2019


Maintaining a cross-platform cryptographic library is a journey full of unexpected bugs, language-specific hacks, difficult decisions and an endless struggle to make developer-facing APIs easy to use and hard to misuse.

https://github.com/cossacklabs/themis

This talk is useful for people who believe that the perfect crypto lib is a C lib with a 1-page readme :)

—————————————-

As developers, what do we want from cryptographic tools? They should be easy to use and hard to misuse, cover complete use cases instead of just providing crypto primitives, support language-specific style, and work the same way on numerous platforms and languages. Basically, we want less stress and more work done.

But is it so easy to maintain a cross-platform crypto library? How do you simplify complex crypto concepts into simple "encrypt(msg, key)" and "decrypt(data, key)" functions? How do you provide a unified API for 11 languages, when some of them are strongly typed and another one is JavaScript? Secure by default: what design choices should be made to protect users from misuse? Multi-platformness: how do you make sure that a message encrypted using Ruby on x64 Ubuntu 18.04 will be [successfully] decrypted on iOS 12 on an iPhone armv7s? Testing wildness: static analyzers, fuzzing, unit tests, integration tests. Docs: developers copy-paste from the readme anyway, so how do you make sure that they copy-paste the correct things?

I'll describe 4 years of experience maintaining the multi-platform open source library Themis: from API design to language-specific hacks.

Bonus questions:
- what maintainers completely forget about: the biggest reason users fail.
- what is faster in Go: calling OpenSSL via cgo interop or using native Go crypto primitives?
- how to deal with multi-platformness if BoringSSL for iOS doesn't support AES XTS?
- an epic bug with iOS-Android compatibility, which turns out to be a sad story about `size_t`.
- switching cryptographic backends for fun and profit: switching between BoringSSL, OpenSSL, LibreSSL, ~libsodium and CommonCrypto~, and governmental crypto standards of some countries, while keeping the same high-level API.

Key takeaways:
- cryptography is easy, but "secure by default" APIs are hard;
- never agree to support multi-platform libs;
- each language has unique hacks and typical mistakes, deal with it.


Transcript

  1. Maintaining cryptographic library for 11 languages @vixentael
  3. @vixentael: head of customer solutions, security software engineer, OSS maintainer (Themis, Acra), focused on applied crypto and building e2ee protocols
  4. cossacklabs.com/products: data security solutions. We provide hard-to-misuse cryptographic tools to help companies protect the data that is sensitive for their business.
  5. Database searchable encryption: cossacklabs.com/acra/. E2EE data collaboration: cossacklabs.com/hermes/. Zero-knowledge authentication: github.com/cossacklabs/themis/wiki/Secure-Comparator-cryptosystem. Whitepapers: cossacklabs.com/whitepapers/
  7. USABLE
  8. Plan for today: 1. Boring Crypto & inspiration. 2. The Scale: core & language wrappers. 3. Easy to use VS hard to misuse. 4. Security & testing. 5. Community & cases.
  9. "Let's protect stored data" ...imagine a simple use case
  10. Things to decide on: PADDING, KEY LENGTH, KEY ROTATION, MODE, KEY DERIVATION, KEY STORAGE, KEY EXCHANGE, DATA SCOPE, CIPHER, IV, KEY REVOCATION, BACKUPS, PLATFORMS, KMS
  12. https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf: 269 CVEs from 2011-2014; 17% bugs inside crypto libs, 83% misuses of crypto libs by individual apps
  13. AES, DES, 3DES, CBC, CFB, SEAL, Salsa20, RSA, DSA, Kuznyechik, Blowfish, SHARK, RC4, DSS, ChaCha20, CTR, AES-SIV, Camellia, SEED, Rabbit, ECDSA
  14. Boring crypto: "crypto that simply works, solidly resists attacks, never needs any upgrades" (Daniel J. Bernstein, https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf)
  15. Solve use-cases: I want to store data securely. I want to send data securely. I want to verify data integrity.
  16. Solve use-cases: store data securely, send data securely, verify data integrity: KEY DERIVATION, KEY EXCHANGE, KEY ROTATION, SIGN/VERIFY, EPHEMERAL KEYS, ENCR / DECR
  17. github.com/cossacklabs/themis
  22. Themis: cryptosystems (github.com/cossacklabs/themis): SecureCell (AES GCM / AES CTR, built-in KDF) to store encrypted; SecureMessage (ECC + ECDSA / RSA + PSS + PKCS#7, built-in key gen) to encrypt for someone; SecureSession (ECDH + ECC + AES, ephemeral keys) to encrypt session communication; SecureComparator (OTR SMP + ECC, ZKP) to authenticate
  25. Themis layers: crypto-backends (stable and experimental: OpenSSL, BoringSSL, LibreSSL, BearSSL, DSTU, libsodium, native GoCrypto) -> Soter -> Themis Core -> language wrappers (iOS, Android, Java, python, ruby, WASM, Go, rust, js, PHP, C++)
  28. Themis OSs. Server & desktop (Ubuntu, Debian, CentOS / RHEL, macOS, Windows): Ubuntu 18.04 x64, Ubuntu 16.04 x64, Ubuntu 16.04 x32, Debian 9 x64, Debian 9 x32, Debian 8 x64, Debian 8 x32, CentOS 7 x64, macOS 10.13, macOS 10.14, macOS 10.15, Windows. Mobile: iOS 9, iOS 10, iOS 11, iOS 12, iOS 13, Android SDK 16 - 29
  29. Cryptographic tools should be: easy to use or hard to misuse?
  31. Easy to use: make; make test; sudo make install. No one cares about your lib if they can't install it using their fav package manager.
  32. Themis Core: install. Ubuntu: apt-get install libthemis-dev. Debian: apt-get install libthemis-dev. CentOS / RHEL: yum install libthemis-devel. macOS: brew install libthemis. Windows: make nsis_installer.
  33. Package managers: npm install jsthemis; pip install pythemis; pip3 install pythemis; gem install rbthemis; maven { url "https://dl.bintray.com/cossacklabs/maven/" }; npm install wasm-themis; [dependencies] themis = "0.12"; go get github.com/cossacklabs/themis/gothemis/...; pod themis + pod install; github "cossacklabs/themis" + carthage update
  36. iOS specifics: OpenSSL / BoringSSL -> Soter -> Themis -> Themis iOS (C lang -> ObjC -> ObjC app, Swift app; ObjC <> Swift interoperability). Package managers: CocoaPods, Carthage, SPM, manually. Updates: Xcode/Swift update, iOS update, device update, package manager update, Open/BoringSSL update.
  40. Android specifics: BoringSSL -> Soter -> Themis (C lang) -> Themis JNI (Java <> C) -> Themis Java -> Java app, Kotlin app (Java <> Kotlin interoperability). Complicated to debug, complicated to build.
  42. BoringSSL (github.com/cossacklabs/themis/pull/352): "CMake Error at /home/user/android-sdk/ndk-bundle/build/cmake/android.toolchain.cmake:169 (message): GCC is no longer supported. See https://android.googlesource.com/platform/ndk/+/master/docs/ClangMigration.md." gcc -> clang
  44. BoringSSL (github.com/cossacklabs/themis/pull/447): why so slow? Don't build examples.
  47. Multi-platform is hard: BoringSSL is used in iOS libs by Google (Firebase); Themis iOS -> BoringSSL; no AES XTS in BoringSSL iOS CocoaPod; #define SOTER_BORINGSSL_DISABLE_XTS
  48. Hard to misuse
  50. Encryption integration, abstraction level vs complexity (pain): cipher -> crypto-library -> crypto-system -> boxed solution
  51. CommonCrypto AES
  53. Easy to make mistakes: should be random; should use KDF(key); uses AES CBC, not AES GCM; padding? salt?
  55. Themis: hard to make mistakes (github.com/cossacklabs/themis): hides cryptographic details (salt, IV, KDF, padding); uses AES-256-GCM; built-in KDF to make keys stronger
  56. One API to rule them all!
  61. Themis API encapsulates: 1. Cipher suite, mode, padding, IV, key, memory. ✅ 2. KDF, key management. ✅ 3. Authentication, ephemeral keys. ✅
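The "encrypt(msg, key)" / "decrypt(data, key)" shape the abstract asks about and slides 53 to 61 motivate, as an added example written for this page in Go (the native Go crypto route; this is not Themis or Secure Cell code): the caller supplies only a message and a key, and the library picks AES-256-GCM, draws a fresh salt and nonce, and derives the AES key itself. The wire layout, the HMAC-SHA256 derivation step and the label string are this example's own assumptions.

```go
// Added example, not Themis code: encrypt(msg, key)/decrypt(data, key) on Go's native crypto.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Assumed fixed-width layout (not Themis's own), so 32- and 64-bit builds agree:
// version(1) | salt(16) | nonce(12) | AES-256-GCM ciphertext+tag
const version, saltLen, nonceLen, hdrLen = 1, 16, 12, 1 + 16 + 12
// gcmFor: HMAC-SHA256(salt, label||key) gives a fresh AES-256 key per message.
func gcmFor(key, salt []byte) (cipher.AEAD, error) {
	if len(key) == 0 { // refuse the classic misuse instead of "working"
		return nil, errors.New("empty key")
	}
	m := hmac.New(sha256.New, salt)
	m.Write(append([]byte("cell-aes256gcm-v1:"), key...))
	block, _ := aes.NewCipher(m.Sum(nil)) // 32-byte key: NewCipher cannot fail
	return cipher.NewGCM(block)
}

// Encrypt takes only a message and a key; mode, padding, IV and KDF are fixed here.
func Encrypt(msg, key []byte) ([]byte, error) {
	hdr := make([]byte, hdrLen)
	hdr[0] = version
	if _, err := rand.Read(hdr[1:]); err != nil { // fresh random salt || nonce
		return nil, err
	}
	g, err := gcmFor(key, hdr[1:1+saltLen])
	if err != nil {
		return nil, err
	}
	return g.Seal(hdr, hdr[1+saltLen:], msg, hdr), nil // header bound as AAD
}
// Decrypt accepts only data produced by Encrypt with the same key.
func Decrypt(data, key []byte) ([]byte, error) {
	if len(data) < hdrLen || data[0] != version {
		return nil, errors.New("bad header")
	}
	g, err := gcmFor(key, data[1:1+saltLen])
	if err != nil {
		return nil, err
	}
	return g.Open(nil, data[1+saltLen:hdrLen], data[hdrLen:], data[:hdrLen])
}
```

For a human passphrase the HMAC step would be swapped for a slow KDF such as PBKDF2; the point shown is that salt, IV, mode and padding never appear in the API, and a wrong key, a truncated blob or a tampered header all fail closed.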
  69. Testing (medium.com/@cossacklabs/automated-security-testing-56ee1253c1fd): unit tests per each language, crypto: NIST-specified for PRNG & AES; fuzzing: AFL; memory, sanitizers, SATS: clang, Valgrind, Splint, Cppcheck; integration tests: per OS, per language; backwards compatibility tests between versions
  70. Testing: OWASP Source Code Analysis Tools (owasp.org/index.php/Source_Code_Analysis_Tools); Clouseau, git repo inspector for keys & creds (github.com/cfpb/clouseau); Fuzzing resources (github.com/secfigo/Awesome-Fuzzing)
  71. Testing: integrated with GitHub: unit tests, memory, iOS, Android, macOS examples and tests, everything o.o
  72. Security: cryptocoding (github.com/veorq/cryptocoding): zeroing, minimization, memory, constant time checks, etc (cossacklabs.com/blog/macros-in-crypto-c-code.html); internal review; external audits; tests
  73. One readme is not enough
  75. 1. Language-specific docs: "give me code!", "too much to read"
  77. 2. "Safe to copypaste" code snippets: "how to use it in the app?"
  80. 3. Example applications: "but I am building unique app!"
  82. 4. Tutorials and use case specific apps: "your app works, but my app doesn't"
  83. 5. Codeless simulators: verify own configuration (docs.cossacklabs.com/simulator/interactive/)
  84. 5. Codeless simulators: debug the whole flow
  85. One readme is not enough: 1. Language-specific docs. 2. "Safe to copypaste" code snippets. 3. Example applications. 4. Tutorials and use case specific apps. 5. Codeless simulators.
  86. Community: are you responsible for how users use your software?
  87. Community: answering Q
  90. Where is Themis used? Mobile apps, other libraries, chats, web-first apps, Cossack Labs software, e-commerce, fintech (cossacklabs.com/blog/themis-contributors-and-projects-2018.html)
  91. <HospitalApp>: cryptocore 130 lines
  92. Bear: cryptocore 60 lines (speakerdeck.com/vixentael/10-lines-of-encryption-1500-lines-of-key-management?slide=42)
  93. End-to-end encryption in Bear: blog.bear.app/, cossacklabs.com/blog/
  94. Passphrase KDF, hint encryption, zeroing secrets, TLS / certificate pinning, auto-locking timer, failed attempts counter, encrypted user settings, notes protection (e2ee), obfuscation, anti-RE & anti-debugging, continuous improvements, prepare for incidents (cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html)
  95. Key points
  96. Good tools let you focus on the product, not on crypto code
  97. 1. An encryption lib should be: multi-platform, maintained, secure by default, open sourced, easy to install, hard to misuse, tested. 2. Supporting libs is VERY complicated. 3. Better to spend time on features than on the crypto code.
  98. github.com/vixentael/my-talks