Beyond Public Key Encryption | Matthew Green

Matthew Green; Beyond Public Key Encryption; In His Blog entitled A Few Thoughts on Cryptographic Engineering; 2017-07-02.
Matthew Green, professor, Johns Hopkins University.

tl;dr → overview & history of Identity Based Cryptography and allied arts.

Mentions

  • Eugen Belyakoff, an artist, The Noun Project (licensed artwork, specifically communicative graphics)
  • Voltage Security, now Hewlett-Packard Enterprise (HPE)
  • IBE systems effectively “bake in” key escrow
  • Christopher Cocks discovered RSA circa five years before RSA did.
    per ellisdoc, discovered the RSA cryptosystem
  • Boneh-Franklin Scheme, 2001
    Uses

    • elliptic curves
    • support efficient bilinear maps (pdf)
  • Attribute-Based Encryption (ABE)
    think: biometric & encryption; record-level & field-level database access encryption

    • Sahai & Waters
    • “threshold gate”.
    • fuzzy IBE, or not.
    • the key point is that a threshold gate can be used to implement the boolean AND and OR gates
    • ciphertext policy
  • Functional Encryption iacr:2010/543
    Concept: embed arbitrary computer programs? in the attributes of ABE, iacr:2013/337, arXiv:1210.5287
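As an added example (not from the post or from Sahai & Waters' paper), a t-of-n threshold gate built from Shamir secret sharing over a prime field, showing the claim above concretely: the gate with t equal to n behaves as AND, the gate with t equal to 1 behaves as OR, and any t in between is the fuzzy IBE "match at least t attributes" rule. Attribute names and the secret value are constructed for illustration.

```python
import secrets

# Added example, not from the post: a t-of-n threshold gate from Shamir secret sharing.
# The secret (think: the key material at one node of an ABE policy) is recovered only by a
# user holding at least t of the n attribute shares. t == n gives AND, t == 1 gives OR.
P = 2**127 - 1  # prime field modulus; the secret must be smaller than P

def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner's rule, mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def share(secret, t, n):
    """Split secret into n shares (x, y) on a random degree t-1 polynomial with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange-interpolate f(0) from exactly t shares with distinct x."""
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def threshold_gate(secret, t, attrs, user_attrs):
    """Return secret if user_attrs covers at least t of attrs, else None (user cannot decrypt)."""
    per_attr = dict(zip(attrs, share(secret, t, len(attrs))))
    # dict.fromkeys removes duplicate attributes while keeping their order
    held = [per_attr[a] for a in dict.fromkeys(user_attrs) if a in per_attr]
    if len(held) < t:
        return None
    return reconstruct(held[:t])

def and_gate(secret, attrs, user_attrs):
    """AND: every attribute is required (t == n)."""
    return threshold_gate(secret, len(attrs), attrs, user_attrs)

def or_gate(secret, attrs, user_attrs):
    """OR: any single attribute suffices (t == 1)."""
    return threshold_gate(secret, 1, attrs, user_attrs)
```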

Practice

Argot

  • Attribute-Based Encryption (ABE)
  • Diffie-Hellman Key Exchange (DHKE)
  • Functional Encryption (FE?; everything gets an acronym)
  • Identity Based Encryption (IBE); a.k.a. Identity-Based Cryptography
  • Identity-Based Encryption (IBE)
  • Identity-Based Signature (IBS)
  • Key Generation Authority.
  • Master Public Key (MPK)
  • Master Secret Key (MSK)
  • Pretty Good Privacy (PGP)
  • Public Key Encryption (PKE)
  • Public Key Infrastructure (PKI)
  • Rivest-Shamir-Adleman (RSA), a cryptosystem

The Roles

  • Alice
  • Bob
  • Eve
  • Mallory

Key Servers

At GitHub

Who

References

At IACR

At arXiv

At Semantic Scholar

Popularizations

In Jimi Wales’ Wiki

Previously filled.

On the path to the deprecation, abandonment & refusal to honor SHA-1 signatures

Policy

  • Chrome will completely stop supporting SHA-1 certificates, soon
    • on or before 2017-01-01 (after 2016-12-31).
    • but maybe 2016-07-01 (after 2016-06-30).
  • Chrome will exhibit a warning if
    AND

    • a site presents a certificate
    • the site’s certificate
      OR

      • is signed with a SHA-1-based signature
      • is issued on or after 2016-01-01 (after 2015-12-31)
      • chains to a public CA.
  • Chrome 48
    due “early in 2016”.

Who

  • Lucas Garron, Chrome security team, Google.
  • David Benjamin, Chrome’s networking group, Google.

Statements

Apologia

  • Ryan Sleevi; A History of Hard Choices; On His Blog, at Medium; 2015-12-28; separately noted.
    Ryan Sleevi, cross-platform crypto & PKI core, Chromium, Google.

Promotions

Disabling the use of RC4 in Firefox

This is client-side disablement, within your own span of control, in your web browser (Firefox):

  1. about:config
  2. search for rc4
  3. disable


References

With context about why RC4 ought to be disabled at all.

Menagerie

Background

$ openssl ciphers -V 'ALL:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT' | grep RC4
      0xC0,0x11 - ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
      0xC0,0x07 - ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
      0xC0,0x16 - AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
      0xC0,0x0C - ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
      0xC0,0x02 - ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
      0x00,0x8A - PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1

SSL, TLS & Perfect Forward Secrecy

Mentions

  • CRL
  • OCSP
  • Perfect Forward Secrecy (PFS)
  • Elliptic Curve Cryptography (ECC)

Protocols

  • HTTPS
  • SSL
  • TLS

Theory

Algorithms

  • AES128-SHA

Perfect Forward Secrecy (PFS)

  • DHE-RSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA

Cipher Suites

  • ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA
    • Optional
  • ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:EDH-DSS-DES-CBC3-SHA
    • Required
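As an added example (not the post's own code), a small Python audit of `openssl ciphers -V` output that flags the RC4 suites from the Background listing above and, for the Perfect Forward Secrecy section, any suite whose key exchange is not ephemeral (EC)DH or whose authentication is anonymous. The first four sample lines are copied from that listing; the two AES lines are constructed.

```python
import re

# Added example, not from the post. The first four lines are copied from the
# `openssl ciphers -V ... | grep RC4` output shown on this page; the last two are
# constructed (an ECDHE AES suite and a plain-RSA AES suite) so the audit has a pass case.
SAMPLE = """\
0xC0,0x11 - ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
0xC0,0x16 - AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
0xC0,0x0C - ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
0x00,0x8A - PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
0xC0,0x13 - ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

LINE_RE = re.compile(
    r"^\s*(0x[0-9A-Fa-f]{2},0x[0-9A-Fa-f]{2})\s+-\s+(\S+)\s+(\S+)\s+"
    r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)"
)
FIELDS = ("id", "name", "proto", "kx", "au", "enc", "mac")

def parse(text):
    """Parse `openssl ciphers -V` lines into dicts; lines that do not match are skipped."""
    return [dict(zip(FIELDS, m.groups())) for m in map(LINE_RE.match, text.splitlines()) if m]

def issues(suite):
    """Why a suite fails: RC4 cipher, anonymous authentication, or no ephemeral (EC)DH exchange."""
    found = []
    if suite["enc"].startswith("RC4"):
        found.append("rc4")
    if suite["au"] == "None":
        found.append("anonymous")
    # `openssl ciphers -V` prints ephemeral exchange as Kx=ECDH or Kx=DH; static variants
    # show Kx=ECDH/RSA, Kx=DH/DSS etc., and RSA or PSK key transport gives no forward secrecy.
    if suite["kx"] not in ("ECDH", "DH"):
        found.append("no-pfs")
    return found

def audit(text):
    """Map suite name -> list of issues (an empty list means the suite is acceptable)."""
    return {s["name"]: issues(s) for s in parse(text)}

def acceptable(text):
    """Colon-separated list of acceptable suites, in the order OpenSSL printed them."""
    return ":".join(name for name, found in audit(text).items() if not found)
```

Feed it the real output of `openssl ciphers -V '<your cipher string>'` to see which suites a server configuration would still offer before setting the cipher order directives listed under Server Support.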

Standards

  • RFC 6090 Fundamental Elliptic Curve Cryptography Algorithms; D. McGrew (Cisco), K. Igoe, M. Salter (NSA); 2011-02.
  • RFC 5246 The Transport Layer Security (TLS) Protocol, Version 1.2; T. Dierks (self), E. Rescorla (RTFM); 2008-08.
  • RFC 5077 Transport Layer Security (TLS) Session Resumption without Server-Side State; J. Salowey (Cisco), H. Zhou (Cisco), P. Eronen (Nokia), H. Tschofenig (Nokia Siemens); 2008-01.
  • RFC 4492 Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS); S. Blake-Wilson (SafeNet), N. Bolyard (Sun), V. Gupta (Sun), C. Hawk (Corriente), B. Moeller (Ruhr-Uni Bochum), 2006-05.
  • NIST P-256
  • NIST P-521
  • NIST P-224

Patents

Who

  • Bodo Möller, Emilia Käsper (Google), Adam Langley (Google) => 64-bit optimized versions of NIST P-224, P-256 and P-521 for OpenSSL
  • Emilia Käsper (Google)

Package Support

OpenSSL

Yet Fedora does not have ECC in OpenSSL

$ openssl ciphers ECDH
Error in cipher list
139915857282912:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314:
$ rpm -q openssl
openssl-1.0.1e-4.fc18.x86_64
$ cat /etc/fedora-release 
Fedora release 18 (Spherical Cow)

Mozilla Network Security Services (NSS)

  • Version?

Client Support

Support for NIST P-256, P-384 and P-521

  • “Recent” versions of Firefox and Chrome (circa 2011-11) “should”
  • “Most” versions, Internet Explorer do not support

Server Support

Apache httpd

  • httpd-2.3.3
  • ensure the order of cipher suites is respected.
    • SSLHonorCipherOrder on
  • Curve is what?
    • Specify with what?

nginx

  • nginx-1.0.6.
  • nginx-1.1.0.
  • ensure the order of cipher suites is respected.
    • ssl_prefer_server_ciphers on.
  • Curve is NIST P-256
    • Specify with ssl_ecdh_curve

stud

  • pull/61; Adding support for ECDHE in stud

Cited & Referenced

General

Implementation

Background

Indirect

Cited in Cryptographic Key Length Recommendation

Via & transitively via: backfill, backfill, backfill

DNSCrypt from OpenDNS

DNSCrypt

Mentions

Unrelated

Promotions

Via: backfill, backfill

NaCl : Networking and Cryptography library

  • Pronounced “salt”
  • Stands for “Networking and Cryptography Library”
  • Is in the public domain
  • Aspires to be patent clean; has not received any claims of patent infringement.

Availability

Authors’ release

Forks & Additions

Who

(main)

  • Daniel J. Bernstein (University of Illinois at Chicago)
  • Tanja Lange (Technische Universiteit Eindhoven)
  • Peter Schwabe (Academia Sinica)

Also

(alphabetical)

  • Niels Duif (Technische Universiteit Eindhoven)
  • Emilia Käsper (Google, ex-Katholieke Universiteit Leuven)
  • Adam Langley (Google)
  • Matthew Dempsky (Google, ex-Mochi Media)
  • Sean Lynch (Facebook)
  • Jan Mojzis
  • Bo-Yin Yang (Academia Sinica)

Capabilities

  • Curve25519
  • Salsa20
  • Poly1305

Programs

  • SUPERCOP => System for Unified Performance Evaluation Related to Cryptographic Operations and Primitives, an API
  • eBACS => ECRYPT Benchmarking of Cryptographic Systems
  • eSTREAM => the ECRYPT Stream Cipher Project

Mentions

  • IEEE P1363
  • NIST P-256
  • NIST “Suite B”
    • twist security
    • Montgomery representation
    • Edwards representation
  • AES
    • AES-GCM
  • Curve25519
    • Ed25519
  • Diffie-Hellman
    • ECDH
  • DNS
    • DNSCrypt
    • DNSCurve
    • DNSSEC
  • DSA
    • ECDSA
    • EdDSA
  • ElGamal
  • HMAC
  • OpenSSL
  • PKCS
    • PKCS#1
  • Poly1305
    • Poly1305-AES
  • RIPEMD
    • RIPEMD-160
  • RSA
    • RSA-1024
    • RSA-2048
    • RSA-SHA1
    • RSA-SHA256
  • Schnorr
  • TCP
    • CurveCP
  • TLS (SSL)
    • DTLS
    • GnuTLS
  • TWIRL

Promotion

Daniel J. Bernstein, Tanja Lange, Peter Schwabe; The security impact of a new cryptographic library; In Proceedings of LatinCrypt 2012; 2012-07-25; 18 pages.

Abstract

This paper introduces a new cryptographic library, NaCl, and explains how the design and implementation of the library avoid various types of cryptographic disasters suffered by previous cryptographic libraries such as OpenSSL. Specifically, this paper analyzes the security impact of the following NaCl features: no data flow from secrets to load addresses; no data flow from secrets to branch conditions; no padding oracles; centralizing randomness; avoiding unnecessary randomness; extremely high speed; and cryptographic primitives chosen conservatively in light of the cryptanalytic literature.

Usage

Via: backfill