The Security Impact of a New Cryptographic Library

  • Conference paper
Progress in Cryptology – LATINCRYPT 2012 (LATINCRYPT 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7533))

Abstract

This paper introduces a new cryptographic library, NaCl, and explains how the design and implementation of the library avoid various types of cryptographic disasters suffered by previous cryptographic libraries such as OpenSSL. Specifically, this paper analyzes the security impact of the following NaCl features: no data flow from secrets to load addresses; no data flow from secrets to branch conditions; no padding oracles; centralizing randomness; avoiding unnecessary randomness; extremely high speed; and cryptographic primitives chosen conservatively in light of the cryptanalytic literature.
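The first two NaCl rules in the abstract (no data flow from secrets to load addresses, none to branch conditions) are easiest to see next to the code they replace. The C below is an added illustration written for this page, not NaCl's own source: the tags and table are constructed sample data, and `verify_ct` follows the accumulate-and-mask pattern of NaCl's `crypto_verify_*` routines (0 on match, -1 otherwise), while `lookup_ct` replaces a secret-indexed load with a full scan under a branch-free mask.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample inputs (not from the paper): two 16-byte authentication
   tags that differ only in the last byte, and a small lookup table. */
static const unsigned char TAG_A[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
static const unsigned char TAG_B[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,99};
static const uint32_t TABLE[8] = {11, 22, 33, 44, 55, 66, 77, 88};

/* Contrast case: returns at the first mismatch, so running time reveals how
   many leading bytes of the secret tag were guessed right (a secret branch). */
int verify_variable_time(const unsigned char *a, const unsigned char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return -1;
    return 0;
}

/* Constant-time comparison in the style of NaCl's crypto_verify_*: every byte
   is always read, differing bits are accumulated with OR, and the 0/-1 result
   is derived arithmetically, so no branch or address depends on the secret. */
int verify_ct(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned int differentbits = 0;
    for (size_t i = 0; i < n; i++)
        differentbits |= a[i] ^ b[i];
    /* differentbits is 0..255; (differentbits - 1) >> 8 is nonzero only for 0 */
    return (1 & ((differentbits - 1) >> 8)) - 1;
}

/* Constant-time table lookup: table[secret_index] would make the load address
   depend on the secret (visible through cache timing, as in the AES cache
   attacks the paper cites); instead read every entry and keep one by mask. */
uint32_t lookup_ct(const uint32_t *table, size_t len, size_t secret_index) {
    uint32_t result = 0;
    for (size_t i = 0; i < len; i++) {
        uint32_t x = (uint32_t)(i ^ secret_index);           /* 0 only at the hit */
        uint32_t mask = (uint32_t)(((uint64_t)x - 1) >> 32); /* all-ones iff x == 0 */
        result |= table[i] & mask;
    }
    return result;
}

int main(void) {
    printf("verify_ct(TAG_A, TAG_A) = %d\n", verify_ct(TAG_A, TAG_A, 16));      /* 0 */
    printf("verify_ct(TAG_A, TAG_B) = %d\n", verify_ct(TAG_A, TAG_B, 16));      /* -1 */
    printf("lookup_ct(TABLE, 8, 5)  = %u\n", (unsigned)lookup_ct(TABLE, 8, 5)); /* 66 */
    return 0;
}
```

Whether a given compiler preserves this branch-free shape is a separate question; the paper's reference list points to ctgrind-style tooling for checking the generated code.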

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bernstein, D.J., Lange, T., Schwabe, P. (2012). The Security Impact of a New Cryptographic Library. In: Hevia, A., Neven, G. (eds) Progress in Cryptology – LATINCRYPT 2012. LATINCRYPT 2012. Lecture Notes in Computer Science, vol 7533. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33481-8_9

  • DOI: https://doi.org/10.1007/978-3-642-33481-8_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33480-1

  • Online ISBN: 978-3-642-33481-8