Maintaining cryptographic library for 12 languages

vixentael
November 07, 2019

Maintaining a cross-platform cryptographic library is a journey full of unexpected bugs, language-specific hacks, difficult decisions and an endless struggle to make developer-facing APIs easy to use and hard to misuse.

https://github.com/cossacklabs/themis

This talk is useful for people who believe that the perfect crypto lib is a C lib with a 1-page readme :)

—————————————-

As developers, what do we want from cryptographic tools? They should be easy to use and hard to misuse, cover complete use cases instead of just providing crypto primitives, follow each language's own style, and work the same way across many platforms and languages. Basically, we want less stress and more work done.

But is it really that easy to maintain a cross-platform crypto library? How do you simplify complex crypto concepts into simple "encrypt(msg, key)" and "decrypt(data, key)" functions? How do you provide a unified API for 11 languages, when some of them are strongly typed and another one is JavaScript? Secure by default: which design choices protect users from misuse? Multi-platformness: how do you make sure that a message encrypted using Ruby on x64 Ubuntu 18.04 will be [successfully] decrypted on iOS 12 on an iPhone armv7s? Testing wildness: static analyzers, fuzzing, unit tests, integration tests. Docs: developers copy-paste from the readme anyway, so how do you make sure that what they copy-paste is correct?

I'll describe four years of experience maintaining the multi-platform open source library Themis: from API design to language-specific hacks.

Bonus questions:
- what maintainers completely forget about: the biggest reason users fail.
- what is faster in Go: calling OpenSSL via cgo interop or using native Go crypto primitives?
- how to deal with multi-platformness when BoringSSL for iOS doesn't support AES XTS?
- an epic iOS-Android compatibility bug, which turns out to be a sad story about `size_t`.
- switching cryptographic backends for fun and profit: switching between BoringSSL, OpenSSL, LibreSSL, ~libsodium and CommonCrypto~, and the governmental crypto standards of some countries, while keeping the same high-level API.

Key takeaways:
- cryptography is easy, but "secure by default" APIs are hard;
- never agree to support multi-platform libs;
- each language has unique hacks and typical mistakes, deal with it.


Transcript

  1. Maintaining cryptographic library for 11 languages @vixentael
  2. Maintaining cryptographic library for 11 languages
  3. vixentael: head of customer solutions, security software engineer, OSS maintainer: Themis, Acra; focused on data security, applied crypto and building e2ee schemes
  4. cossacklabs.com/products - Data security solutions. We provide hard-to-misuse cryptographic tools to help companies protect the data that is sensitive for their business.
  5. database searchable encryption: cossacklabs.com/acra/; e2ee data collaboration: cossacklabs.com/hermes/; zero knowledge authentication: github.com/cossacklabs/themis/wiki/Secure-Comparator-cryptosystem; cossacklabs.com/whitepapers/
  6. None
  7. USABLE
  8. github.com/cossacklabs/themis
  9. Where is Themis used? mobile apps, other libraries, chats, web-first apps, Cossack Labs software, e-commerce, fintech. docs.cossacklabs.com/themis/community/projects-that-use-themis/
  10. End-to-end encryption in Bear: blog.bear.app/, cossacklabs.com/blog/
  11. End-to-end encryption in AppSpector: appspector.com/
  12. Solve use cases: "I want to store data securely", "I want to send data securely", "I want to verify data integrity"
  13. Themis: cryptosystems (github.com/cossacklabs/themis). Use cases: store encrypted; encrypt for someone; encrypt session communication; authenticate
  14. Themis: cryptosystems. SecureCell (store encrypted): AES GCM / AES CTR, built-in KDF
  15. Themis: cryptosystems. SecureCell (store encrypted): AES GCM / AES CTR, built-in KDF. SecureMessage (encrypt for someone): ECC + ECDSA / RSA + PSS + PKCS#7, built-in key gen
  16. Themis: cryptosystems. SecureCell (store encrypted): AES GCM / AES CTR, built-in KDF. SecureMessage (encrypt for someone): ECC + ECDSA / RSA + PSS + PKCS#7, built-in key gen. SecureSession (encrypt session communication): ECDH + ECC + AES, ephemeral keys
  17. Themis: cryptosystems. SecureCell (store encrypted): AES GCM / AES CTR, built-in KDF. SecureMessage (encrypt for someone): ECC + ECDSA / RSA + PSS + PKCS#7, built-in key gen. SecureSession (encrypt session communication): ECDH + ECC + AES, ephemeral keys. SecureComparator (authenticate): OTR SMP + ECC ZKP
  18. Themis crypto-backends (stable / experimental): OpenSSL, BoringSSL, LibreSSL, BearSSL, DSTU, libsodium, native GoCrypto
  19. Themis crypto-backends (stable / experimental): OpenSSL, BoringSSL, LibreSSL, BearSSL, DSTU, libsodium, native GoCrypto. Layers: Soter, Themis, Themis Core
  20. Themis crypto-backends (stable / experimental): OpenSSL, BoringSSL, LibreSSL, BearSSL, DSTU, libsodium, native GoCrypto. Layers: Soter, Themis, Themis Core. Language wrappers: iOS, Android, Java, python, ruby, WASM, Go, rust, js, PHP, C++
  21. Themis Core (server & desktop OS): Ubuntu, Debian, CentOS / RHEL, macOS, Windows
  22. Themis Core (server & desktop OS): Ubuntu 18.04 x64, Debian 9 x32, Ubuntu 16.04 x64, CentOS 7 x64, Ubuntu 16.04 x32, Debian 9 x64, Debian 8 x64, Debian 8 x32, macOS 10.13, macOS 10.14, macOS 10.15, Windows
  23. Themis OSs: Ubuntu 18.04 x64, Debian 9 x32, Ubuntu 16.04 x64, CentOS 7 x64, Ubuntu 16.04 x32, Debian 9 x64, Debian 8 x64, Debian 8 x32, macOS 10.13, macOS 10.14, macOS 10.15, Windows, iOS 10 - iOS 14, Android SDK 16 - 29
  24. Boring crypto
  25. Boring crypto: "crypto that simply works, solidly resists attacks, never needs any upgrades" - Daniel J. Bernstein, https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
  26. No options: "Don't give users options, because they will mess it up. Just tell them what to do." - Bruce Schneier, dev.to/cossacklabs/schneier-on-cryptography-live-interview-4mi7
  27. https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf - 269 CVEs from 2011-2014: 17% bugs inside crypto libs, 83% misuses of crypto libs by individual apps
  28. Cryptographic tools should be: easy to use or hard to misuse?
  29. Easy to use: make; make test; sudo make install
  30. Easy to use: make; make test; sudo make install. No one cares about your lib if they can't install it using their fav package manager
  31. Themis Core: install. Ubuntu: apt-get install libthemis-dev; Debian: apt-get install libthemis-dev; CentOS / RHEL: yum install libthemis-devel; macOS: brew install libthemis; Windows: make nsis_installer
  32. Package managers: npm install jsthemis; pip install pythemis; pip3 install pythemis; gem install rbthemis; jcenter() implementation 'com.cossacklabs.com:themis:0.13.4'; npm install wasm-themis; [dependencies] themis = "0.13.4"; go get github.com/cossacklabs/themis/gothemis/...; pod themis, pod install; github "cossacklabs/themis", carthage update
  33. iOS specifics: OpenSSL / BoringSSL -> Soter -> Themis -> Themis iOS; C lang -> ObjC -> ObjC app / Swift app; ObjC <> Swift interoperability
  34. iOS specifics: OpenSSL / BoringSSL -> Soter -> Themis -> Themis iOS; C lang -> ObjC -> ObjC app / Swift app; ObjC <> Swift interoperability. Package managers: CocoaPods, Carthage, SPM, manually
  35. iOS specifics: OpenSSL / BoringSSL -> Soter -> Themis -> Themis iOS; C lang -> ObjC -> ObjC app / Swift app; ObjC <> Swift interoperability. Package managers: CocoaPods, Carthage, SPM, manually. Things that break: Xcode/Swift update, iOS update, device update, package manager update, Open/BoringSSL update
  36. iOS specifics
  37. iOS specifics
  38. None
  39. Android specifics: BoringSSL -> Soter -> Themis -> Themis Java; C lang -> Themis jni -> Java app / Kotlin app; Java <> C, Java <> Kotlin interoperability
  40. Android specifics: BoringSSL -> Soter -> Themis -> Themis Java; C lang -> Themis jni -> Java app / Kotlin app; Java <> C, Java <> Kotlin interoperability. Complicated to debug, complicated to build
  41. BoringSSL (github.com/cossacklabs/themis/pull/352): CMake Error at /home/user/android-sdk/ndk-bundle/build/cmake/android.toolchain.cmake:169 (message): GCC is no longer supported. See https://android.googlesource.com/platform/ndk/+/master/docs/ClangMigration.md.
  42. BoringSSL (github.com/cossacklabs/themis/pull/352): CMake Error at /home/user/android-sdk/ndk-bundle/build/cmake/android.toolchain.cmake:169 (message): GCC is no longer supported. See https://android.googlesource.com/platform/ndk/+/master/docs/ClangMigration.md. gcc -> clang
  43. BoringSSL (github.com/cossacklabs/themis/pull/447): why so slow?
  44. BoringSSL (github.com/cossacklabs/themis/pull/447): don't build examples
  45. Multi-platform is hard: BoringSSL is used in iOS libs by Google (Firebase). Themis iOS -> BoringSSL
  46. Multi-platform is hard: BoringSSL is used in iOS libs by Google (Firebase). Themis iOS -> BoringSSL. No AES XTS in the BoringSSL iOS CocoaPod
  47. Multi-platform is hard: BoringSSL is used in iOS libs by Google (Firebase). Themis iOS -> BoringSSL. No AES XTS in the BoringSSL iOS CocoaPod: #define SOTER_BORINGSSL_DISABLE_XTS
  48. Hard to misuse
  49. Encryption integration: abstraction level vs complexity
  50. Encryption integration: abstraction level vs complexity. cipher -> crypto-library -> crypto-system -> boxed solution; pain
  51. CommonCrypto AES
  52. Easy to make mistakes
  53. Easy to make mistakes: should be random; should use KDF(key); uses AES CBC, not AES GCM; padding? salt?
  54. Themis: hard to make mistakes (github.com/cossacklabs/themis)
  55. Themis: hard to make mistakes (github.com/cossacklabs/themis): hides cryptographic details: salt, IV, KDF, padding; uses AES-256-GCM; generates strong encryption key
  56. Themis: built-in KDF (github.com/cossacklabs/themis): hides cryptographic details: salt, IV, KDF, padding; uses AES-256-GCM; uses KDF to transform passphrase into key
  57. One API to rule them all
  58. Themis API encapsulates: 1. Cipher suite, mode, padding, IV, key, memory. ✅ 2. KDF, key management. ✅ 3. Authentication, ephemeral keys. ✅
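The contrast between slides 53 and 55-58 (a raw cipher call where the caller must get the IV, KDF, mode, padding and salt right, versus a cryptosystem that decides all of that for them) is easier to see in code. The following is an added example, not Themis code and not Themis' real Secure Cell container format: a constructed Seal/Open pair in Go, standard library only, with a hand-written PBKDF2-HMAC-SHA256 so it runs offline. The container layout, the `"SEAL"` magic, the iteration count and the error messages are this example's own assumptions. The API takes only a passphrase, data and a context string; every detail the slide lists as easy to get wrong is chosen inside.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout for this example (NOT Themis' Secure Cell format):
//   magic(4) | version(1) | salt(16) | nonce(12) | ciphertext || GCM tag(16)
// Everything before the ciphertext is authenticated as AAD together with the caller's context.
const (
	saltLen   = 16
	nonceLen  = 12
	keyLen    = 32     // AES-256-GCM
	kdfIters  = 100000 // constructed default; tune to your latency budget
	formatVer = byte(1)
)

var magic = []byte("SEAL")
var hdrLen = len(magic) + 1 + saltLen + nonceLen

// pbkdf2SHA256 implements PBKDF2-HMAC-SHA256 (RFC 8018) so the example needs only the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iters, dkLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	var dk []byte
	for block := 1; len(dk) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)                 // U_1
		t := append([]byte(nil), u...)    // T = U_1
		for i := 1; i < iters; i++ {      // U_i = PRF(P, U_{i-1}); T ^= U_i
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// deriveAEAD turns a passphrase and a salt into a ready-to-use AES-256-GCM instance.
func deriveAEAD(passphrase, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256(passphrase, salt, kdfIters, keyLen)
	defer zero(key) // cryptocoding habit: the raw key is not needed once the key schedule exists
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Seal encrypts plaintext under a passphrase. Salt and nonce are fresh random values, the key
// comes from the KDF and the mode is authenticated, so none of those choices is left to the caller.
func Seal(passphrase, plaintext, context []byte) ([]byte, error) {
	header := make([]byte, hdrLen)
	copy(header, magic)
	header[len(magic)] = formatVer
	if _, err := rand.Read(header[len(magic)+1:]); err != nil { // fills salt and nonce
		return nil, err
	}
	salt := header[len(magic)+1 : len(magic)+1+saltLen]
	nonce := header[len(magic)+1+saltLen:]
	aead, err := deriveAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	aad := append(append([]byte(nil), header...), context...) // header || context
	out := append([]byte(nil), header...)
	return aead.Seal(out, nonce, plaintext, aad), nil
}

// Open reverses Seal. It rejects anything that is not a container, an unknown format version,
// a wrong passphrase, a wrong context, or any modified byte, all through one opaque error.
func Open(passphrase, container, context []byte) ([]byte, error) {
	if len(container) < hdrLen+16 || !bytes.Equal(container[:len(magic)], magic) {
		return nil, errors.New("not a sealed container")
	}
	if v := container[len(magic)]; v != formatVer {
		return nil, fmt.Errorf("unsupported container version %d", v)
	}
	header := container[:hdrLen]
	salt := header[len(magic)+1 : len(magic)+1+saltLen]
	nonce := header[len(magic)+1+saltLen:]
	aead, err := deriveAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	aad := append(append([]byte(nil), header...), context...)
	plaintext, err := aead.Open(nil, nonce, container[hdrLen:], aad)
	if err != nil {
		return nil, errors.New("decryption failed") // GCM's tag check is already constant time
	}
	return plaintext, nil
}

func main() {
	pass, ctx := []byte("correct horse battery staple"), []byte("user:42/email")
	c, err := Seal(pass, []byte("alice@example.com"), ctx)
	if err != nil {
		panic(err)
	}
	pt, err := Open(pass, c, ctx)
	fmt.Printf("%d-byte container, opened: %q err=%v\n", len(c), pt, err)
}
```

The version byte is what makes backwards-compatibility tests (slide 66) possible: a container sealed by version 1 must still open after the format gains a version 2, and a fixture file of old containers is how that gets checked.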
  59. Testing
  60. Testing
  61. Testing
  62. Testing: unit tests per each language; crypto: NIST-specified for PRNG & AES
  63. Testing: unit tests per each language; crypto: NIST-specified for PRNG & AES. Fuzzing: AFL
  64. Testing: unit tests per each language; crypto: NIST-specified for PRNG & AES. Fuzzing: AFL. Memory, sanitizers, SAST: clang, Valgrind, Splint, Cppcheck
  65. Testing: unit tests per each language; crypto: NIST-specified for PRNG & AES. Fuzzing: AFL. Memory, sanitizers, SAST: clang, Valgrind, Splint, Cppcheck. Integration tests: per OS, per language
  66. Testing: unit tests per each language; crypto: NIST-specified for PRNG & AES. Fuzzing: AFL. Memory, sanitizers, SAST: clang, Valgrind, Splint, Cppcheck. Integration tests: per OS, per language. Backwards compatibility tests: between versions
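Slide 62 lists "NIST-specified" test vectors for AES as the first layer of crypto testing, and slides 18-20 show why that matters here: with several interchangeable backends, a known-answer test is the one check that proves every backend computes the same function. The following is an added example, not Themis' test suite: a small Go harness that runs AES-GCM known-answer vectors against any function of the `SealFunc` shape. The four vectors are the all-zero test cases 1, 2, 13 and 14 from McGrew and Viega's GCM specification, transcribed here; the `truncatedTagGCM` backend is a constructed stand-in for a misconfigured backend (a 96-bit tag), included to show the harness catching it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// gcmVector is one known-answer test: all fields hex-encoded, ct and tag are the expected output.
type gcmVector struct {
	name                     string
	key, iv, aad, pt, ct, tag string
}

// Test cases 1, 2, 13 and 14 of the GCM specification (McGrew & Viega), transcribed for this example.
var vectors = []gcmVector{
	{"AES-128, empty plaintext", "00000000000000000000000000000000", "000000000000000000000000", "", "",
		"", "58e2fccefa7e3061367f1d57a4e7455a"},
	{"AES-128, one zero block", "00000000000000000000000000000000", "000000000000000000000000", "",
		"00000000000000000000000000000000", "0388dace60b6a392f328c2b971b2fe78", "ab6e47d42cec13bdf53a67b21257bddf"},
	{"AES-256, empty plaintext", "0000000000000000000000000000000000000000000000000000000000000000",
		"000000000000000000000000", "", "", "", "530f8afbc74536b9a963b4f1c4cb738b"},
	{"AES-256, one zero block", "0000000000000000000000000000000000000000000000000000000000000000",
		"000000000000000000000000", "", "00000000000000000000000000000000",
		"cea7403d4d606b6e074ec5d3baf39d18", "d0d1c8a799996bf0265b98b5d48ab919"},
}

// SealFunc is the backend-under-test shape: ciphertext || tag for the given key, nonce, AAD, plaintext.
type SealFunc func(key, iv, aad, pt []byte) ([]byte, error)

// stdlibGCM is the Go standard-library backend.
func stdlibGCM(key, iv, aad, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, iv, pt, aad), nil
}

// truncatedTagGCM is a constructed "misconfigured backend": correct cipher, but a 12-byte tag.
func truncatedTagGCM(key, iv, aad, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCMWithTagSize(block, 12)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, iv, pt, aad), nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// RunKAT runs every vector through seal and returns one line per mismatch (empty slice = all pass).
func RunKAT(seal SealFunc) []string {
	var failures []string
	for _, v := range vectors {
		want := append(mustHex(v.ct), mustHex(v.tag)...)
		got, err := seal(mustHex(v.key), mustHex(v.iv), mustHex(v.aad), mustHex(v.pt))
		if err != nil || !bytes.Equal(got, want) {
			failures = append(failures, fmt.Sprintf("%s: got %x (err=%v), want %x", v.name, got, err, want))
		}
	}
	return failures
}

func main() {
	for name, seal := range map[string]SealFunc{"stdlib": stdlibGCM, "truncated-tag": truncatedTagGCM} {
		fmt.Printf("%s: %d failures %v\n", name, len(RunKAT(seal)), RunKAT(seal))
	}
}
```

Note what these particular vectors do not exercise: the AAD is empty in all four, so a backend that silently ignores associated data would pass. A real suite needs vectors with non-empty AAD and non-default nonce lengths as well, which is exactly why the slide says "NIST-specified" rather than "a few hand-picked values".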
  67. Testing tools: dev.to/cossacklabs/automated-software-security-testing-for-devs-part-1-gcf
  68. CI & autotests: integrated with GitHub; unit tests, memory; iOS, Android, macOS examples and tests; cross-platform tests; GitHub actions: everything
  69. Security testing: cryptocoding (github.com/veorq/cryptocoding): zeroing, minimization, memory, constant time checks, etc; internal review; external audits; tests. cossacklabs.com/blog/macros-in-crypto-c-code.html
  70. One readme is not enough
  71. 1. Language-specific docs
  72. 1. Language-specific docs. "give me code!", "too much to read"
  73. 2. "Safe to copypaste" code snippets
  74. 2. "Safe to copypaste" code snippets. "how to use it in the app?"
  75. 3. Example applications
  76. 3. Example applications
  77. 3. Example applications. "but I am building unique app!"
  78. 4. Tutorials and use case specific apps
  79. 4. Tutorials and use case specific apps. "your app works, but my app doesn't"
  80. 5. Codeless simulators: verify own configuration. docs.cossacklabs.com/simulator/interactive/
  81. 5. Codeless simulators: debug the whole flow
  82. One readme is not enough: 1. Language-specific docs; 2. "Safe to copypaste" code snippets; 3. Example applications; 4. Tutorials and use case specific apps; 5. Codeless simulators
  83. Community: Are you responsible for how users use your software?
  84. Community: answering Q
  85. Community
  86. Community
  87. Key points
  88. Key points: 1. Encryption lib should be: multi-platform, maintained, secure by default, open sourced, easy to install, hard to misuse, tested. 2. Supporting libs is VERY complicated. 3. Better to spend time on features than on the crypto code.
  89. Good tools allow you to focus on the product, not on crypto code
  90. github.com/vixentael/my-talks; cossacklabs.com/products - Cossack Labs, data security solutions