• By Sylvain Kerkour
  • Translator: Wang Jiangtong

Original text: kerkour.com/blog/rust-c…

Cryptographic protocol algorithm

This chapter will briefly introduce common concepts in cryptographic protocol algorithms, the algorithms covered in this introduction to Rust Ecology, and some commonly used related algorithms.

Security goals

Generally speaking, through encryption, we hope to achieve the following five goals for the transmission of information:

  • Confidentiality: Guarantees the Confidentiality and Confidentiality of information;
  • Authentication: Ensuring that the message is from the right person;
  • Integrity: Information has not been tampered with;
  • Access Control: prevents resource abuse.
  • Availability: Availability of resources.

Different attack modes may be used to attack different targets. For example, a Denial of Service (DoS) attack is an attack aimed at accessibility. It prevents a computer or network from providing normal services.

Description of algorithm

If we were to make a classification of common cryptographic algorithms, the structure would look something like this:

Symmetric encryption algorithm

Symmetric encryption (also known as private key encryption) is an encryption algorithm that uses the same key for encryption and decryption. In other words, both sides of the communication use the same key. Sometimes called traditional cryptographic algorithm, the encryption key can be calculated from the decryption key, and the decryption key can also be calculated from the encryption key. In most symmetric algorithms, the encryption key and decryption key are the same, so this encryption algorithm is also called secret key algorithm or single key algorithm. It requires the sender and receiver to agree on a key prior to secure communication. The security of symmetric algorithms depends on the key, and leaking the key means that anyone can decrypt the message they send or receive, so the confidentiality of the key is crucial to the security of communication.

Symmetric encryption algorithm has the advantages of small computation, fast encryption speed, high encryption efficiency, and hard to crack when using long keys.

The disadvantage of symmetric encryption algorithm is that it is difficult for communication parties to securely negotiate, exchange and keep keys. If the key is compromised, all communication between the two parties is no longer secure. Moreover, each pair of users using a symmetric encryption algorithm needs to use a unique key unknown to the others, which increases the number of keys held by both the sender and the receiver exponentially. At the same time, symmetric encryption algorithm cannot provide signature function because the key of both parties is the same.

To sum up, symmetric encryption algorithm can guarantee the confidentiality and integrity of information, but cannot guarantee the authenticity of information. In addition to the algorithm itself, the symmetric encryption algorithm also needs to agree/generate the key, exchange the key, and then encrypt and decrypt through the algorithm.

About key generation:

The Key Derivation Function (KDF, Key Function) can derive the required Key data from a shared secret bit string. In the process of key negotiation, the key deriving function acts on the shared secret bit string obtained in key exchange to generate the required session key or the key data required for further encryption.

HKDF (HMAC-based Key Function), proposed in RFC 5869 and published as RFC2104 in 1997, is the HMAC-based KDF that can be applied to various protocols (such as TLS, RPF) and the construction of applications. The HKDF logically consists of two parts. The first part uses input key material and “extraction”, which is a fixed-length pseudo-random key K. The second part expands the key to several random keys and outputs the desired length.

Symmetric encryption algorithms are often used to:

  • Ensure the confidentiality of information
  • Authentication Encryption (AEAD)
  • Calculate the MAC
  • SSH, SSL, and TLS are used to transmit information over network protocols

Common key generation algorithms and those mentioned in this introduction to Rust Ecology are:

  • blake2b
  • HMAC_SHA
  • PBKDF2 (Password-based Key Function2)
  • Argon
  • bcrypt, scrypt, SHA-crypt

Common key exchange algorithms and those covered in this introduction to Rust Ecology are:

  • Diffi-Hellman
    • X25519: DH protocol defined on elliptic curve Curve25519

Common symmetric encryption algorithms and those covered in this introduction to Rust Ecology are:

  • Stream encryption
    • RC4
    • chacha20, xsalsa20
  • Packet encryption
    • algorithm
      • DES, 3DES and AES
      • BlowFish
      • Deoxys
      • EAS
      • rabbit
      • hc256
    • model
      • ECB (Electronic Code Book)/Code Book
      • Cipher Block Chaining (CBC)/ciphertext grouping
      • OFB (Output Feedback
      • Cipher Feedback (CFB) or ciphertext Feedback
      • CTR (Counter)/Calculator mode
      • GCM ( Galois/Counter Mode)
      • CCM (Counter with CBC-Mac)
Key generation algorithm
blake2b

Blake2b was proposed in 2012, listed in RFC-7693, as an alternative to MD5 and SHA1, and is faster than them. Commonly used in blockchain digital currencies (Decred, SIA, Verge, etc.).

PBKDF2

PBKDF2 (Password-based Key Function 2) is defined in RFC2898 Sec 5.2 and Test set in RFC6070. NIST Special Publication800-132 also has an introduction to the PBKDF2 algorithm. The PBKDF2 algorithm uses multiple hashes to encrypt passwords. Hash the password and salt, and then hash the result as salt with the password. Repeat the process several times to generate the final ciphertext. This process may reach thousands of times, the difficulty of reverse cracking is too great, cracking a password may take hundreds of years, so PBKDF2 algorithm is safe. IBM Security Directory Server uses the PBKDF2 algorithm.

Key exchange algorithm: Diffi-Hellman

Diffie-hellman algorithm is a key consistency algorithm published by Whitfield Diffie and Martin Hellman in 1976. Diffie-hellman is a method in which both parties agree on a key, rather than an encryption method. The diffie-Hellman Key Exchange Algorithm and its Optimization The first published public-key algorithm appeared in the Diffie and Hellman paper, the seminal paper that laid the foundation for public-key cryptography.

The problem of Diffie-Hellman algorithm is that there is no information to verify the identity of both parties, and it is prone to obstructive attacks due to the intensive calculation of powers. Oakley algorithm is an optimization of Diffie-Hellman key exchange algorithm.

The algorithm is shown in the figure:

Symmetric encryption algorithm
Stream encryption: ChaCha20 and Xsalsa20

ChaCha stream ciphers, improved versions of Salsa ciphers, are more resistant to cryptanalysis attacks. “20” indicates that the algorithm has 20 rounds of encryption. ChaCha was proposed by Daniel J. Bernstein in 2005 and submitted to eSTREAM, the Eu password Verification Process project, in 2008. , because of the stream cipher is in bytes for encryption, security key in key stream generated by the process, which rely on the strength of the pseudo random number generator (PRNG), encryption process is the key section flow and clear word for word or get the ciphertext, on the other hand, the decryption is to do the cipher key flow again once get clear of an exclusive or operation.

ChaCha usually runs faster than AES. The ChaCha20 password strength is 256 bits.

ChaCha20Poly1305 see section MAC-Poly1305 below. Poly1305 was also proposed by Bernstein and the use of Chacha20-Poly1305 has been standardized in RFC 7905.

Xsalsa20 is salsa20-based stream encryption, immune to sequential attacks. Salsa20 has only 64bit nonce, xsalsa20 uses 192-bit nonce. Can be used for private key encryption and private key authentication encryption.

Packet encryption: DES, 3DES and AES

Data Encryption Standard (DES) is the predecessor of Advanced Encryption Standard (AES), which is proposed and determined by the National Bureau of Standards of the U.S. federal government. Triple Data Encryption Algorithm (3DES) is an improvement of DES. It is equivalent to applying the DES Encryption Algorithm three times for each Data block. It is an Encryption Algorithm transitioning from DES to AES. The security of the three gradually increasing, however, DES and 3DES has been confirmed by NIST security problems, in today’s computer computing power can be cracked using limited resources, so it is no longer described.

AES was published by the US federal government on FIPS PUB 197 on 26 November 2001 and became an effective standard on 26 May 2002. The block length of AES is fixed to 128 bits, 192 bits, or 256 bits. The corresponding names are AES128, AES192, and AES256 respectively. Its security is determined by the number of key bits. The key length of 128 bits or more can ensure that the algorithm cannot be deciphered with the current limited resources.

The advantage of AES is that it performs very fast computations, so it is generally used for efficient real-time data encryption communications, such as VPN or proxy encryption communications.

Although the algorithm itself is secure, the key can be cracked through Side Channel attacks in certain scenarios. At the same time, as a symmetric encryption algorithm, key transmission and storage are also potential problems using AES.

Specific algorithms visible links: Advanced Encryption Standard – Wikipedia, free encyclopedia (wikipedia.org).

Symmetric encryption algorithm application: MAC and HMAC

Message Authentication Code (MAC) is also called Message Authentication Code (Hash function with key). In cryptography, an authentication mechanism used by both sides of a communicating entity to ensure the integrity of message data. The constructor is proposed by M.Bellare. Security depends on Hash functions, so it is also called Hash functions with keys. Message authentication code is a value obtained based on key and message digest, which can be used for data authenticity authentication and integrity verification.

HMAC is a Hash-based Message Authentication Code. It is developed by H. krawezyk, M.Bellare, and A method of message authentication based on Hash function and key was proposed by r. canetti in 1996. It was published as RFC2104 in 1997 and is widely used in IPSec and other network protocols (such as SSL). Now it has become the de facto Internet security standard. It can be bundled with any iteration hash function.

The security of MAC and HMAC comes from the fact that it is impossible for existing calculations to find Collision results to forge a MAC. In other words, given the input x and its MAC result M(x), existing computations cannot find another input x’ such that M(x’) == M(x).

The Hash functions commonly used in MAC/HMAC computing and covered in this introduction to Rust ecology are:

  • SHA (SHA0, SHA1, SHA2: SHA224/256/384/512)
  • SipHash
  • MD series (e.g. MD5)
  • blake2, blake3
  • FSB
  • gost94
  • groestl
  • k12
  • ripemd160/256/320
  • shabal
  • SM3
  • Server relief

MAC/HMAC and the algorithms covered in this introduction to Rust Ecology are:

  • Poly1305
Hash: SHA

Secure Hash Algorithm (SHA) is a series of cryptographic Hash functions designed by the NATIONAL Security Agency (NSA), published by the National Institute of Standards and Technology (NIST), and certified by FIPS. It is widely used in TLS, SSL, PGP, SSH, IPsec and HMAC computing. SHA0 and SHA1 have been proved to be no longer safe.

Sha224/256/384/512 is sometimes called SHA2 and is the successor of SHA0 and SHA1. It is proposed in FIPS180-2.

Hash: SipHash

Siphash is a pseudo-random function, also known as a hash function), proposed by Jean-Philippe Aumasson and Daniel J. Bernstein in “Siphash: A Fast Short-input PRF” in 2012. The paper was published in INDOCRYPT 2012. Cryptographic Hash functions such as Siphash and SHA are computed differently. Superior to SHA in conflict prevention: unless the entire range of SipHash is used, for relatively small applications (e.g Using hash function to generate indexes in hash map can ensure no conflicts, thus preventing DOS attacks; Algorithms such as SHA cannot guarantee the absence of conflicts.

Siphash has the advantages of simple and fast operation and algorithm security. It is applied to operating systems (Linux Kernel, OpenBSD, FreeBSD). Library (OpenSSL libcrypto, Sodium, etc.) and some applications (Wireguard, Redis, etc.) Hash calculation.

SipHash, however, is not a traditional hash function that does not require a key. For security purposes, it requires a key to perform calculations.

Hash: MD5

MD5 message-digest Algorithm, a widely used password hash function, produces a 128-bit (16-byte) hash value to ensure complete and consistent transmission of information. The procedure of this algorithm is regulated in RFC 1321 standard. Since 1996, the algorithm has proved to have weaknesses that can be cracked, and for data requiring high security, experts generally recommend switching to other algorithms, such as SHA-2. In 2004, it was proved that the MD5 algorithm does not prevent collisions and is therefore not suitable for security authentication such as SSL public key authentication or digital signatures.

MAC/HMAC: Poly1305

Poly1305 is a message authentication code created by Daniel.J. Ernstein to check message integrity and verify message authenticity. It is now commonly used in combination with salsa20 or ChaCha20 stream passwords in network Security protocols (SSL/TLS). Chacha20-poly1305 is a new encryption algorithm used by Google. It is powerful, especially on the ARM platform, where the CPU is compact instruction set. It is four times as powerful as AES on phones with the same configuration. AES is faster and performs better than Chacha20-Poly1305. The use of Chacha20-Poly1305 is standardized in RFC 7905. Google chose ChaCha20 and Bernstein’s Poly1305 message authentication code to replace the OPENSSL-based RC4 cipher that has been used in Internet security in the past, and applied the new Chacha20-Poly1305 algorithm in OpenSSH.

Poly1305 message authentication code input is a 32-byte (256bit) key and a message bit stream of arbitrary length, which generates a 16-byte (128bit) digest through a series of calculations. The Poly1305 variant that does not rely on AES has been standardized in RFC 8439 by the Internet Engineering Task Force.

Asymmetric encryption algorithm/public key algorithm

Asymmetric encryption algorithm is also called public key algorithm. As the name implies, each person has a pair of unique corresponding keys: a public key (public key) and a private key (private key). The public key is public, and the private key is kept by the individual. Encryption with one key can only be decrypted with the other key. The typical representative of asymmetric encryption algorithm is RSA. The security of asymmetric encryption usually depends on the degree of mathematical complexity of the algorithm. Usually, the underlying mathematical problems involved are NP complete or NP hard. At present, there is no proof in the computational complexity theory of such problems, they can be solved in polynomial time like p-level problems. In other words, asymmetric encryption involves underlying mathematical problems that cannot be solved by using current limited resources, such as integer factorization (RSA) and discrete logarithm (DSA).

The asymmetric encryption algorithm realizes the basic process of secret information exchange as follows: The receiver generates a pair of keys and exposes the public key. Other roles (sender) that need to send information to the receiver use the key (receiver’s public key) to encrypt the secret information and then send it to the receiver. The recipient then decrypts the encrypted message with its own private key. When the receiver wants to reply to the sender, it does the opposite, encrypting the data using the sender’s public key, and decrypting the data using its private key.

The advantage of asymmetric encryption algorithm is that it solves the key difficulty of symmetric encryption algorithm and eliminates the need for users to exchange keys. The security of asymmetric encryption algorithm depends on the private storage of the private key, which improves the security compared with symmetric encryption algorithm.

The disadvantage of asymmetric encryption algorithm is that the encryption and decryption speed is not as fast as that of symmetric encryption algorithm because the security depends on the strength of complex algorithm, and sometimes even thousands of times slower depending on the different algorithm.

To sum up, symmetric encryption algorithm can guarantee the confidentiality and integrity of information, and also guarantee the authenticity of information due to the existence of public and private keys.

Asymmetric encryption algorithms are often used to:

  • Ensure the confidentiality of information
  • Digital signature and certificate
  • Because of the above use cases, it is also commonly used for network security mechanisms (SSL/TLS, VPN, etc.).

Common asymmetric encryption algorithms and those covered in this introduction to Rust Ecology are:

  • RSA
  • DSA
  • Elliptic curves: Curve25519, P256/384, BP256/384, K256, SM2
  • Elgamal
  • Rabin

Common digital signature algorithms and those covered in this introduction to Rust Ecology are:

  • ECDSA: ED25519
Asymmetric encryption algorithm
RSA

RSA was coined in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman, who combined the first letters of their surnames. RSA was patented by MIT in the United States in 1983. RSA allows you to choose the size of your public key. A 512-bit key is considered insecure, a 768-bit key is safe from anything but the NSA, and a 1024-bit key is almost secure. RSA is embedded in major products like Windows, Netscape Navigator, Quicken, and Lotus Notes.

RSA belongs to PUBLIC-Key Cryptography Standards (PKCS) #1. PKCS #1, published by RSA LABS, provides the definition and implementation of the RSA algorithm. PKCS #1 V2.1 was released as RFC 3447, and the latest version is V2.2.

Elliptic curve: Curve25519

Curve25519 is an elliptic curve encryption algorithm based on the Montgomery curve, officially published by NIST in RFC 7748, providing 128-bit security. Its key size is 256 bits. Since 2014, The Elliptic Curve Diffy-Hellman (ECDH) of OpenSSH uses Curve25519 by default. In 2018, RFC8446 was published as the new TLS V1.3 standard, mandating X25519, ED25519, X448 and ED448 algorithms.

X25519 and X448 define the DH protocol in ECDH key exchange.

ED25519 and ED448 are digital signature algorithms defined on Curve25519 and Curve448. ED25519 is an EDDSA algorithm, a digital signature mechanism implemented using Schnorr over Twisted Edwards Curves. The advantages are high efficiency and high security.

25519 series curve is currently the fastest elliptic curve encryption algorithm.

Rust ecology and libraries

Why is there no password library in Rust STD

The reasons are explained very succinctly in “Why there is no password library in Rust STD”, which you can read in the internal forum. The main reason, if outlined again, is that it takes a lot of time and effort to keep the standard library small and stable while meeting the standards for a secure library. However, the core members of the community did not have the time or energy to devote to development, and for various reasons, plans for a community encryption and decryption working group failed.

However, there are many security-related libraries available in the community, such as Rust-OpenSSL, Ring, and RustCrypto. But rust-OpenSSL was noted for poor code quality and lack of documentation; Ring has a lot of assembly code and C code, which is not convenient for later maintenance and development. Rustcrypto is implemented by pure Rust and is probably the most complete security library with decryption algorithm in the community.

The cryptology of Rust

According to the “Empirical Study of Patching in Cryptographic Libraries”, of the existing popular Cryptographic Libraries, 37.2% of system-level Vulnerabilities were rooted in memory issues, while 27.2% were algorithms themselves. At the same time, overly complex cryptographic systems make it easier for security problems to occur, and the detection period for problems is also long, with a median of 4.18 years. The OpenSSL library in C, for example, has one attack point per thousand lines, indicating that large C/C++ code may have a potential problem. As a memory-secure language, Rust’s tripartite cryptographic library may solve many problems that the C and C++ cryptographic libraries struggle to solve.

Overview of the Rust Cryptography Ecosystem

  • Sodiumoxide
  • Ring
  • Delek
  • rust-crypto
  • Rustls

Sodiumoxide

Sodiumoxide is a Rust wrapper of the popular C password library libsodium, used in Discord, Apache, Tuweni, Abot(Slack), RavenDB, WordPress, and more. Libsodium forks the C password library NaCl, so most of the documentation for Sodiumoxide comes from NaCl. The performance and versatility of Sodiumoxide goes without saying, but since it is packaged with Libsodium, There were maintenance issues of the C and C++ Libraries that were discussed in the “Empirical Study of Shapatching in Cryptographic Libraries” article. Meanwhile, Sodiumoxide is no longer being maintained.

Sodiumoxide implementation of the algorithm are:

  • Symmetric encryption algorithm
    • Verify encryption: AES256GCM, chacha20Poly1305
    • Key generation: Blake2b
    • Key exchange: X25519BLAKE2b
  • Asymmetric encryption algorithm
    • curve25519xsalsa20poly1305
  • HMAC: hmacsha256/512
  • HASH: SipHasher13, sha256/512

Ring

Ring is designed for use with small devices, microcontrollers, and IoT applications and is written in Rust, C, and assembly languages.

The Ring algorithm is as follows:

  • Symmetric encryption algorithm
    • Verify encryption: AES128/256GCM, Chacha20Poly1305
    • Key generation: HKDF_SHA256/384/512, PBKDF2_HMAC_SHA1, PBKDF2_HMAC_SHA256/384/512
  • Asymmetric encryption algorithm
    • Digital signature: ECDSA (P-256 Curve) + SHA256/384, ED25519, RSA_PKCS1_SHA1/256/384/512, rSA_PSS_SHA256/384/512
  • HMAC: HMACSHA256/384/512
  • HASH, SHA1, SHA256/384/512

Dalek

Compared with other libraries, Dalek focuses on Rust implementation of elliptic curve correlation algorithm, which is a collection of Rust libraries on Github.

Dalek implemented elliptic curve correlation algorithms as follows:

  • X25519
  • Curve25519
  • ED25519

rust-crypto

Rust-crypto is a large collection that incorporates most of the modules used in cryptography.

Rust-crypto involves the following algorithms:

  • Symmetric encryption algorithm
    • Verify encryption: AESGCM, Aessiv, CCM, Chacha20Poly1305, XSALSA20Poly1305, Deoxys, EAX, MGM
    • Key generation: Argon2, bcrypt, PBKDF2, scrypt, sha-crypt
    • Encryption:
      • Mode: CFB, CTR, OFB
      • Algorithms: Chacha20, Rabbit, Salsa20, HC256
  • Asymmetric encryption algorithm
    • Digital signature: ECDSA, ED25519
    • Elliptic curves: BP256/384, K256, P-256/384
  • HMAC: HMACSHA256/384/512
  • HASH: SHA1, SHA256/384/512, Blake2, FSB, MD series, GOST94, GroestL, K12, RIPEMD160/256/320, shabal, SM3

Rustls

Rustls is a Rust TLS library that uses Ring underneath and aims to provide security features and components for TLS 1.2 or later. According to the report, it is more efficient than OpenSSL in certain scenarios.

In the future, Rustls may replace SSL libraries of OpenSSL and BoringSSL.

Crate uses the overview diagram

The C library involved in Rust

NaCl

NaCl contains a variety of cryptographic algorithms, which are used for network communication, encryption and decryption, digital signature and other applications. It supports C, C++ and Python. Advantage is that the operation speed is very fast, will automatically choose the best encryption scheme for the user, prevent the use of encryption library may not understand the pros and cons of different encryption methods, at the same time there is no dynamic memory allocation and secret information data flow, to a certain extent to ensure memory security and prevent cache timing attacks.

NaCl library basically implements the same algorithm as Sodium.

Sodium

Sodium is a portable, cross-platform, compilable fork of the NaCl library, but extends the NaCl library.

Sodium is implemented using the following algorithms:

  • Symmetric encryption algorithm
    • Verify encryption: AES256GCM, chacha20Poly1305
    • Key exchange: X25519, Blake2B-512
    • Encryption:
      • Algorithm: xchacha20
  • Asymmetric encryption algorithm
    • Digital signature: ED25519ph, ED25519
    • Elliptic curves: BP256/384, K256, P-256/384
  • HMAC: HMACSHA256/512
  • Hash: blake2b, siphash, Argon2, Scrypt, Server relief
  • Anonymous message box (holding the other party’s public key and sending messages anonymously) : X25519, xSALsa20-Poly1305

reference

Overview of the Rust Cryptography Ecosystem, kerkour.com/blog/rust-c…

Is Triple DES Secure? , cryptosense.com/blog/is-tri…

Cryptography application base, ilearning.huawei.com/next/learnC…