Modern Session Encryption David Wong outline 3. NOISE 2. STROBE - PowerPoint PPT Presentation

Modern Session Encryption David Wong

outline 3. NOISE 2. STROBE 4. ??? 1. KECCAK

Sponge Construction 00101 01001 01100 11001 01011 10101 0 0 ⊕ ⊕ ⊕ 0 0 f f f f f 0 0 0 0 absorbing squeezing

Duplex Construction input output input output input output 0 0 ⊕ ⊕ ⊕ 0 0 f f f 0 0 0 0 init duplexing duplexing duplexing

Keyed-mode key 0 0 ⊕ 0 0 f 0 0 0 init 0 duplexing

Encryption? key 0 0 ⊕ 0 0 f 0 0 0 init 0 duplexing

Encryption key ciphertext1 plaintext1 ⊕ 0 0 ⊕ 0 0 f 0 0 0 init 0 duplexing

Authenticated Encryption key tag1 ciphertext1 plaintext1 ⊕ 0 0 ⊕ ⊕ 0 0 f f 0 0 0 init 0 duplexing duplexing

Sessions key tag1 ciphertext2 tag2 ciphertext1 plaintext2 plaintext1 ⊕ ⊕ 0 0 ⊕ ⊕ ⊕ 0 0 f f f f 0 0 0 init 0 duplexing duplexing duplexing duplexing

key tag1 ciphertext2 tag2 ciphertext1 ciphertext3 tag3 ciphertext4 tag4 plaintext2 plaintext1 ⊕ plaintext3 plaintext4 ⊕ ⊕ ⊕ 0 0 ⊕ ⊕ ⊕ 0 ⊕ ⊕ f f f f f f f f 0 0 0 0 init 0 duplexing duplexing duplexing duplexing duplexing duplexing duplexing duplexing

outline 2. STROBE 1. KECCAK

Strobe functions AD KEY PRF send_CLR recv_CLR operation = send_CLR operation = recv_CLR operation = AD operation = KEY operation = PRF output data = 010100… data = 010100… data = 010100… data = 010100… 00000… ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ f f send_ENC recv_ENC send_MAC recv_MAC RATCHET operation = send_ENC operation = recv_ENC operation = send_MAC operation = recv_MAC operation = RATCHET plaintext 0000 plaintext 0000… ciphertext tag ⊕ ⊕ ciphertext tag ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ f f f f f

Strobe protocol example myProtocol = Strobe_init (“myWebsite.com”) myProtocol. AD (sharedSecret) buffer = myProtocol. send_ENC (“GET /”) buffer += myProtocol. send_MAC (len=16) // send the buffer // receive a ciphertext message = myProtocol. recv_ENC (ciphertext[:-16]) ok = myProtocol. recv_MAC (ciphertext[-16:]) if !ok { // reset the connection }

buffer = myProtocol. send_ENC (plaintext1) buffer += myProtocol. send_MAC (len=16) // send the buffer buffer = myProtocol. send_ENC (plaintext2) buffer += myProtocol. send_MAC (len=16) // send the buffer buffer = myProtocol. send_ENC (plaintext3) buffer += myProtocol. send_MAC (len=16) // send the buffer buffer = myProtocol. send_ENC (plaintext4) buffer += myProtocol. send_MAC (len=16) // send the buffer

Strobe • flexible framework to support a large number of protocols • large symmetric cryptography library

Strobe as a Hash Function myHash = Strobe_init (“david_wong_hash”) myHash. AD (“something to be hashed”) hash = myHash. PRF (outputLen=32)

operation = AD ⊕ rate capacity

operation = AD data = 010100… ⊕ ⊕ rate capacity

operation = send_ENC operation = AD data = 010100… ⊕ ⊕ ⊕ rate capacity

operation = send_ENC operation = AD data = 010100… ⊕ ⊕ ⊕ rate f capacity

operation = send_ENC operation = AD data = 010100… data = hello ciphertext ⊕ ⊕ ⊕ ⊕ rate f capacity

operation = send_ENC operation = send_MAC operation = AD data = 010100… data = hello tag ciphertext len = 16 ⊕ ⊕ ⊕ ⊕ ⊕ rate f f capacity

send_AEAD operation = send_ENC operation = send_MAC operation = AD data = 010100… data = hello tag ciphertext len = 16 ⊕ ⊕ ⊕ ⊕ ⊕ rate f f capacity

Strobe • flexible framework to support a large number of protocols • large symmetric cryptography library • fits into tiny IoT devices ( ~300 lines of code) • relies on strong SHA-3 standard ( SHAKE -compliant)

strobe.sourceforge.io strobe.sourceforge.io

outline 3. NOISE 2. STROBE 1. KECCAK

TLS • TLS is the de facto standard for securing communications • complex specification (TLS 1.3 is 160-page long) • supported by other specifications (asn.1, x509, 44 mentioned RFCs …) • design carrying a lot of legacy decisions • cryptographic agility and complicated state machine • huge and scary libraries (OpenSSL is 700k LOC, 165 CVEs) • cumbersome configuration… • o fu en dangerously re-implemented (custom implementations) • or re-invented (proprietary protocols)

Complexity is the enemy of security

www.noiseprotocol.org

The Noise Protocol Framework • no need for certificates or a PKI • many handshakes to choose from ( flexible ) • it’s straight forward to implement (<1k LOC, 18kb for Arduino) • there are already libraries that you can leverage • minimal (or zero) configuration • used by WhatsApp , Slack , the Bitcoin Lightning Network , … • if you have a good excuse not to use TLS, Noise is the answer

The crypto functions • DH: X25519 or X448 • AEAD: Chacha20-Poly1305 or AES-GCM • HASH : BLAKE2 or SHA-2

ephemeral key Client Server ephemeral key handshake

ephemeral key Client Server ephemeral key Di ff ie-Hellman() Di ff ie-Hellman() handshake keys keys

ephemeral key Client Server ephemeral key Di ff ie-Hellman() Di ff ie-Hellman() handshake encrypted data keys keys encrypted data post-handshake

e Client Server e ee ee handshake encrypted data keys keys encrypted data post-handshake

→ e ← e, ee

Tokens • e : ephemeral key • s : static key • ee : DH (client ephemeral key, server ephemeral key) • es : DH (client ephemeral key, server static key) • se : DH (client static key, server ephemeral key) • ss : DH (client static key, server static key) • psk : pre-shared key

Handshake Patterns N (rs): K (s,rs): X (s,rs): NN (): NK (rs): NX (rs): ← s ← s ← s → e ← s → e … → s … ← e, ee … ← e, ee, s, es → e, es … → e, es, s, ss → e, es → e, es, ss ← e, ee XN (s): XK (s, rs): XX (s, rs): KN (s): KK (s, rs): → e ← s → e → s ← s ← e, ee … ← e, ee, s, es … → s → s, se → e, es → s, se → e … ← e, ee ← e, ee, se → e, es, ss → s, se ← e, ee, se

NX (rs): → e ← e, ee, s, es Client Server

NX (rs): → e ← e, ee, s, es Client Server e public

NX (rs): → e ← e, ee, s, es Client Server e public payload1

NX (rs): → e ← e, ee, s, es Client Server e public payload1 re public

NX (rs): → e ← e, ee, s, es Client Server e public payload1 re public

NX (rs): → e ← e, ee, s, es Client Server e public payload1 re public E K1 (rs)

NX (rs): → e ← e, ee, s, es Client Server e public payload1 re public E K1 (rs)

NX (rs): → e ← e, ee, s, es Client Server e public payload1 re public E K1 (rs) E K2 (payload2)

Cipher State Symmetric State Handshake State Initialization ck h HASH “Noise_NX_25519_AESGCM_SHA256” DH (e, re) e GENERATE_KEYPAIR() e public e.public_key HKDF HASH n=0 k1 payload1 h ck re public DH (e, rs) payload1 HASH re public re h HKDF E k1 (rs public ) n=0 k2 re.public_key HASH h ck E k2 (payload2) h rs DecryptWithAd() E k1 (rs public ) Cipher State HKDF HASH E k1 (rs public ) h k n=0 h payload2 DecryptWithAd() E k2 (payload2) Cipher State HASH E k2 (payload2) n=0 k h

outline 3. NOISE 2. STROBE 4. DISCO 1. KECCAK

Strobe State Handshake State Initialization InitStrobe() “Noise_NX_25519_Strobe” e GENERATE_KEYPAIR() e public send_CLR() e.public_key payload1 send_CLR() payload1 re public re.public_key recv_CLR() re public E(rs public ) AD() DH (e, re) rs.public_key E(rs public ) recv_AEAD() E(payload2) AD() DH (e, rs) payload2 E(payload2) recv_AEAD() Strobe State Strobe State … …

Strobe State Strobe State send_AEAD() recv_AEAD() send_AEAD() recv_AEAD() send_AEAD() recv_AEAD() send_AEAD() recv_AEAD() send_AEAD() recv_AEAD() send_AEAD() recv_AEAD() send_AEAD() recv_AEAD()

Strobe State Handshake State ⊕ Initialization “Noise_NX_25519_Strobe” e GENERATE_KEYPAIR() ⊕ e public e.public_key ⊕ payload1 payload1 ⊕ re public re.public_key re public ⊕ DH (e, re) E(rs public ) , tag1 ⊕ rs.public_key E(rs public ) E(payload2), tag2 tag1 ⊕ DH (e, rs) ⊕ rs.public_key E(payload2) tag2

www.discocrypto.com

OpenSSL disco-c libdisco (go) 2,000 LOC 700,000 LOC 1,000 LOC 4,000 LOC DiscoNet* (C#) * implementation by Artyom Makarov

Trust Graph of Disco DISCO STROBE X25519 KECCAK-F

Trust Graph of biased SSL/TLS TLS 1.3 AES-GCM HKDF HMAC X25519 ECDSA SHA-256

Trust Graph of SSL/TLS DER TLS 1.1 TLS 1.2 ASN.1 ffdhe2048 CHACHA20- ffdhe3072 POLY1305 X.509 DH ffdhe4096 TLS 1.3 AES-CCM ffdhe6144 ffdhe8192 RSA-PSS or ECDH AES-GCM HKDF HMAC RSA-PKCS#1 ECDSA X448 v1.5 secp256r1 X25519 SHA-256 secp521r1 SHA-384 SHA-512 ed25519 secp384r1 ed448