May 26, 2014

Catching up on recent crypto developments

Filed under: Crypto,Security — Nate Lawson @ 6:10 am

When I started this blog, the goal was to write long-form posts that could serve as a standalone intro to security and crypto topics. Rather than write about the history of the NSA as planned, I’ll try writing a few short notes in hopes that they’ll fit better within the time I have. (Running a company and then launching a new one the past few years has limited my time.)

Heartbleed has to be the most useful SSL bug ever. It has launched not just one, but two separate rewrites of OpenSSL. I’m hoping it will also give the IETF more incentive to reject layering violations like the heartbeat extension. Security protocols are for security, not path MTU discovery.

Giving an attacker a way to ask you to say a specific phrase is never a good idea. Worse would be letting them tell you what to say under encryption.

Earlier this year, I was pleased to find out that a protocol I designed and implemented has been in use for millions (billions?) of transactions the past few years. During design, I spent days slaving over field order and dependencies in order to force implementations to be as simple as possible. “Never supply the same information twice in a protocol” was the mantra, eliminating many length fields and relying on a version bump at the start of the messages if the format ever changed. Because I had to create a variant cipher mode, I spent 5x the initial design time scrutinizing the protocol for flaws, then paid a third-party for a review.

As part of the implementation, I provided a full test harness and values covering all the valid and error paths. I also wrote a fuzzer and ran that for days over the final code to check for any possible variation in behavior, seeding it with the test cases. I encouraged the customer to integrate these tests into their release process to ensure changes to the surrounding code (e.g., 32/64 bit arch) didn’t break it. Finally, I helped with the key generation and production line design to be sure personalization would be secure too.

I firmly believe this kind of effort is required for creating security and crypto that is in widespread use. This shouldn’t be extraordinary, but it sadly seems to be so today. It was only through the commitment of my customer that we were able to spend so much effort on this project.

If you have the responsibility to create something protecting money or lives, I hope you’ll commit to doing the same.


  1. Nice post. Thanks. I appreciate the mantra of “never supply the same information twice”. We’ve occasionally had small redundancies in the Tahoe-LAFS protocol for seemingly sound engineering reasons, and in the one case I can think of, we later squeezed that redundancy out while fixing a related problem. The bit about a version number at the front to allow schema evolution is really critical, is subtle and hard for people to understand, and is not really written down anywhere as a Best Practice, to my knowledge. Maybe that should be your next blog post! (And it should perhaps be a long one…)

    Comment by zooko (@zooko) — May 27, 2014 @ 10:02 am

  2. Can you describe your variant cipher mode?

    Comment by caf — June 27, 2014 @ 5:30 am

RSS feed for comments on this post.

Blog at WordPress.com.