Abstract
This paper introduces a new cryptographic library, NaCl, and explains how the design and implementation of the library avoid various types of cryptographic disasters suffered by previous cryptographic libraries such as OpenSSL. Specifically, this paper analyzes the security impact of the following NaCl features: no data flow from secrets to load addresses; no data flow from secrets to branch conditions; no padding oracles; centralizing randomness; avoiding unnecessary randomness; extremely high speed; and cryptographic primitives chosen conservatively in light of the cryptanalytic literature.
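The first two design rules listed in the abstract, no data flow from secrets to branch conditions and no data flow from secrets to load addresses, are easiest to see in code. The following is an added illustration written for this page; it is not code from the paper or from NaCl itself. It contrasts a comparison that exits early at the first mismatching byte (its running time leaks where the mismatch is) with a branch-free comparison that ORs all byte differences together and folds the result with arithmetic, in the same spirit as NaCl's crypto_verify functions. It then shows a branch-free select and a table lookup that touches every entry so the addresses loaded do not depend on the secret index. The sample tags and table are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data (not from the paper): two 16-byte authenticator
   tags that differ only in their last byte. */
static const unsigned char SAMPLE_TAG[16] = {
    0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x61,0x62,0x63,0x64,0x65,0x66};
static const unsigned char SAMPLE_TAG_BAD[16] = {
    0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x61,0x62,0x63,0x64,0x65,0x58};
/* Constructed sample table that will be indexed by a secret value. */
static const uint32_t SAMPLE_TABLE[4] = {10, 20, 30, 40};

/* Leaky comparison: the early return makes running time depend on the index
   of the first mismatching byte, which an attacker can measure remotely. */
int leaky_memeq(const unsigned char *a, const unsigned char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return -1;   /* secret-dependent branch */
    return 0;
}

/* Constant-time comparison: OR together every byte difference, then fold the
   accumulator to 0 (equal) or -1 (different) using arithmetic only. */
int ct_memeq(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned int d = 0;
    for (size_t i = 0; i < n; i++)
        d |= (unsigned int)(a[i] ^ b[i]);   /* d == 0 iff all bytes match */
    /* d is in 0..255, so (d - 1) >> 8 is nonzero only when d == 0. */
    return (int)(1u & ((d - 1u) >> 8)) - 1;
}

/* Expand the low bit of b into an all-zero or all-one 32-bit mask. */
static uint32_t ct_mask(uint32_t b) { return 0u - (b & 1u); }

/* All-ones if x == 0, else all-zeros, computed without a branch. */
static uint32_t ct_is_zero(uint32_t x) {
    /* For x != 0, x | -x always has its top bit set; for x == 0 it is 0. */
    return ct_mask(1u ^ ((x | (0u - x)) >> 31));
}

/* Return a when bit == 0 and b when bit == 1, without branching on bit. */
uint32_t ct_select(uint32_t a, uint32_t b, uint32_t bit) {
    uint32_t m = ct_mask(bit);
    return a ^ (m & (a ^ b));
}

/* Table lookup by a secret index: every entry is read on every call, so the
   sequence of load addresses (and hence the cache footprint) does not depend
   on idx. A plain table[idx] would leak idx through cache timing. */
uint32_t ct_lookup(const uint32_t *table, uint32_t n, uint32_t idx) {
    uint32_t out = 0;
    for (uint32_t i = 0; i < n; i++)
        out |= table[i] & ct_is_zero(i ^ idx);
    return out;
}

int main(void) {
    printf("leaky_memeq: %d, ct_memeq: %d\n",
           leaky_memeq(SAMPLE_TAG, SAMPLE_TAG_BAD, 16),
           ct_memeq(SAMPLE_TAG, SAMPLE_TAG_BAD, 16));
    printf("ct_select(7, 9, 1) = %u\n", (unsigned)ct_select(7, 9, 1));
    printf("ct_lookup(SAMPLE_TABLE, 4, 2) = %u\n",
           (unsigned)ct_lookup(SAMPLE_TABLE, 4, 2));
    return 0;
}
```

Both comparison functions return the same values; the difference is only in what the execution time and memory access pattern reveal. Note that source-level discipline is necessary but not sufficient: an optimizing compiler may turn a mask expression back into a conditional branch, so the compiled object should be checked with a tool that flags secret-dependent branches and addresses (for example a Valgrind-based taint check) rather than trusted on inspection of the C alone.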
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Bernstein, D.J., Lange, T., Schwabe, P. (2012). The Security Impact of a New Cryptographic Library. In: Hevia, A., Neven, G. (eds) Progress in Cryptology – LATINCRYPT 2012. LATINCRYPT 2012. Lecture Notes in Computer Science, vol 7533. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33481-8_9
DOI: https://doi.org/10.1007/978-3-642-33481-8_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33480-1
Online ISBN: 978-3-642-33481-8