
Before everyone goes yelling "NEVER DO YOUR OWN CRYPTO": I haven't, technically (I'm still halfway), but apart from that I am making a TLS-like protocol, but way lighter.

I needed to secure communication between several embedded systems with very little RAM/ROM and processor power (well, it has 100 MHz, but a lot of it is in constant use and cannot be interrupted).

What I am going to do is use AES-128 with GCM (or CBC + HMAC) to secure the communication between the devices. Some devices can only use GCM, others use CBC + HMAC, so (still working on it) I have to make a TLS-like structure to agree which one to use (devices communicate through a server, not peer-to-peer, so having only 1 of the 2 isn't a problem; the server just needs both).

I've been doing a lot of research these past months (2 1/2), and I would like to say I have covered the basics. I'm now starting with implementing everything I have found (usage of keys, IVs, nonces, encrypt then MAC, etc.).

Now comes the question: when I'm finished I want to have the code I created checked. Obviously the deep-level scrutiny TLS has gone through won't be achievable, but what ways are there? Are there sites where I can post my code for review? Are there companies which can 'certify' it? What would normally happen when a company created a secure communication and wants to verify if it protects against the things they envisioned?

And yes, I know I'm not using a PKI. The hardware is in a secure environment, and no new devices can be added to the server (the server keeps a list of devices which can connect and monitors if one ever goes offline), so the company said PKI might be something they'd consider later on, but for a first version would not be necessary.

EDIT: I want to clarify (I'm taking back a few words). I will be using TLS to create this protocol, and the amount of TLS usage is as yet still unclear. When possible, I will simply try to remove everything I don't need from TLS and create it that way; I might take pieces of it (encrypt-then-MAC, adding the IV to the ciphertext, etc.) and use that.

But either way, it is not TLS, and even only removing stuff from the TLS source code might introduce weaknesses, so an 'audit' is still necessary.

Bernie White
Vincent
  • You have to understand: you are STILL trying to write your own crypto. This is bad. As @GZBK implied, you'll have to have your code audited by a third party in order to assess how well it fits your expectations, but the fact that you're writing your own crypto will make that assessment waaaay more expensive. – Stephane Apr 20 '15 at 09:49
  • @Stephane the joke was I haven't written it yet (I'm in the process of writing it). And at least I'm not trying to create my own crypto primitive. Maybe I should have mentioned the primitives I do use are from libraries, so I did not implement that myself. But yes, I am stitching it together myself. But sometimes you just have to, which is why I need a good way to verify what I did is correct. – Vincent Apr 20 '15 at 10:02
  • It's simple: auditing code for security is expensive, so the more you use already verified code the cheaper it'll be. In that context, not using a standard protocol like TLS is usually hard to justify. – Stephane Apr 20 '15 at 10:05
  • Except TLS includes certificates, RSA, ECDHE, all of which we are not using (and even though the company says they might in a later version, yeh no...); those are just way too costly. Our hardware can't do those in the time span we have. And since I have not found an approved TLS implementation with a cipher suite that does not include those, there's not much I can do about it. – Vincent Apr 20 '15 at 10:18
  • Depending on the number of devices, would adding more power so they can use a standard protocol be a feasible solution? Or maybe a [coprocessor](http://en.wikipedia.org/wiki/SSL_acceleration)? This might end up being cheaper and more secure than the DIY + audit. (Of course you might have to worry about hardware certifications for certain environments, weight, heat dissipation, battery size, etc., etc., so that's not exactly simple either.) - edit: yea, if you're already late in the dev cycle then maybe not. – Bob Apr 20 '15 at 10:19
  • And I get it, even Bruce Schneier makes mistakes. But with sufficient prep someone should be able to combine a few crypto primitives to create a protocol. @Bob We have tens of thousands of devices in the field; we cannot possibly afford to upgrade those, and even if we wanted to, many customers won't approve of us opening up everything again to install a new one (the customer would have to pay for this). So yes, like you said, it's not simple, if not impossible, when taking into account the customer. – Vincent Apr 20 '15 at 10:24
  • @Stephane If you can find out the security guarantees of TLS then you can surely find out the security guarantees of cryptographic primitives. The contrapositive is also true. – user253751 Apr 20 '15 at 12:03
  • ... of course, the hard part of security is finding out what things **aren't** security guarantees. – user253751 Apr 20 '15 at 12:12
  • @VincentAdvocaat [Bruce Schneier does not make mistakes.](http://www.schneierfacts.com/) He makes, and then others miss take. It is true that sometimes one must stitch together a high-level procedure from existing low(er) level crypto libraries. Audits are more about looking for loopholes in procedure and ways to *obviate the protocol you have created*, than checking whether a crypto algorithm is in the unprovable category of "cryptologically strong enough" or that an implementation of it is correct. "How to audit" is hard to answer, as formal audits are themselves of questionable utility. – zxq9 Apr 20 '15 at 14:13
  • Damn dude, I'm at work, clicked on it and laughed my ass off XD. All my colleagues were like: what are you doing? Are you ok? And I had to explain this to people who are about 40 and have no idea about Chuck Norris facts and... well, it was awkward. But definitely worth it, xD very nice. – Vincent Apr 20 '15 at 14:35
  • @VincentAdvocaat, "with sufficient prep anyone should be able to combin3 crypto primitives int9 a secure protocol." If only that were true! Secure protocols are just as hard to get right as secure primitives. If they were easy, we would have many more options than we hav3 today. Very subtle errors can cause very large problems, like message ordering, dropped messages, duplicated messages, and even bad combinations of primitives (for example, a cryptographer once sh92ed me how using FIPS186 to generate an RSA key can result in vulnerabilities). – atk Apr 20 '15 at 14:45
  • It seems sometimes you use numbers where you shouldn't. Yes, I know you are right, but sometimes I like to be stubborn. And obviously a lot of code and do's and don'ts can be 'taken?' from TLS. I will rephrase my wording a bit to make it less controversial. – Vincent Apr 20 '15 at 14:55
  • If speed is an issue you should consider using ChaCha instead of AES. ChaCha + Poly1305 has become a new de facto TLS standard spearheaded by Google and Android, introduced in order to decrease computation cost on devices without hardware AES. – aaaaaaaaaaaa Apr 20 '15 at 15:17
  • @eBusiness Yes, I know, but oddly enough AES is surprisingly fast; well, it's acceptable. Say I have 2 milliseconds to do all my computations, AES+HMAC takes about 1.5. There is a lot of voice recognition, which could literally be life or death, which needs to be real time, giving a very small frame in between samples for me to do the computation. But ChaCha is indeed a very good alternative. – Vincent Apr 20 '15 at 15:21
  • Vincent, have you looked into using the lightweight TLS library with all ciphers disabled but the one you want to allow? – Neil Smithline Apr 20 '15 at 20:43
  • TLS has a pre-shared key mode (PSK) that does no asymmetric crypto. Everything is symmetric. That sounds like what you want. – Buge Apr 21 '15 at 03:34
  • I think you should take a look at [lightweight TLS implementations](http://security.stackexchange.com/q/3204), if you didn't yet. This might reduce your development/verification cost. – ItsMe Apr 20 '15 at 14:00
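The construction the question describes (AES-128-CBC with encrypt-then-MAC via HMAC, the IV sent alongside the ciphertext, and a suite identifier to tell CBC+HMAC records apart from GCM ones), written out as an added example; this is not the asker's code. The record layout, the suite byte value, and the two independent sample keys are assumptions, and the point a reviewer would look for is that `Open` verifies the tag in constant time before touching decryption or padding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed record layout (an illustration, not the asker's real format):
// suite(1) || IV(16) || AES-128-CBC ciphertext || HMAC-SHA256 tag(32), encrypt-then-MAC.
const suiteCBCHMAC = 0x01

// Seal: encrypt under a fresh random IV, then MAC everything on the wire (suite byte and IV included).
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil { return nil, err }
	rec := make([]byte, 1+aes.BlockSize)
	rec[0] = suiteCBCHMAC
	if _, err := rand.Read(rec[1:]); err != nil { return nil, err } // IV must never repeat under one key
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: always 1..16 bytes
	ct := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, rec[1:]).CryptBlocks(ct, ct)
	rec = append(rec, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(rec)
	return mac.Sum(rec), nil
}

// Open: verify the tag in constant time before any decryption or unpadding, so a forged
// or bit-flipped record gets one generic error and never reaches the padding logic.
func Open(encKey, macKey, rec []byte) ([]byte, error) {
	n := len(rec) - sha256.Size // end of the authenticated part
	if n < 1+2*aes.BlockSize || (n-1)%aes.BlockSize != 0 || rec[0] != suiteCBCHMAC {
		return nil, errors.New("malformed record")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(rec[:n])
	if !hmac.Equal(mac.Sum(nil), rec[n:]) { return nil, errors.New("authentication failed") }
	block, err := aes.NewCipher(encKey)
	if err != nil { return nil, err }
	pt := append([]byte{}, rec[1+aes.BlockSize:n]...)
	cipher.NewCBCDecrypter(block, rec[1:1+aes.BlockSize]).CryptBlocks(pt, pt)
	pad := int(pt[len(pt)-1]) // trusted: the MAC already covered this ciphertext
	if pad == 0 || pad > aes.BlockSize { return nil, errors.New("bad padding") }
	return pt[:len(pt)-pad], nil
}
```

A GCM suite would reuse the same framing with a different suite byte and a 12-byte nonce in place of the IV, with the suite byte passed to the cipher as associated data.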

3 Answers


There are IT security companies which provide services like code auditing (most often along with other services like penetration testing, etc.). You contact them, describing your needs, then if this falls under their competences they will send you an estimate.

WhiteWinterWolf
  • I take it Google is my friend in finding these companies? I know of FoxIT (Dutch company) which does this and already has done this for a different project of ours, though that was more of a pen test. Do you have any other recommendations? – Vincent Apr 20 '15 at 10:04
  • Putting companies' names here would be more advertisement than advice. Yes, I think that using Google to list available companies, their location, check what services they provide, what kind of customers they usually target (a company targeting SMEs will not have the same pricing as one targeting worldwide corporations... but on the other side they will not have the same level of expertise either), their certifications (employee + possibly company level certifications) and know what these certs actually imply... In other words, get a view of the market and make your choice :) – WhiteWinterWolf Apr 20 '15 at 10:15
  • You know, asking how best to evaluate a company for code auditing might not be a bad question. – Stephane Apr 20 '15 at 12:26
  • You are fully right, there are several actions taken by public and private groups in order to provide evaluation criteria for IT security auditing companies and reduce some abuse... but that would be a totally different question. Feel free to ask it :) – WhiteWinterWolf Apr 20 '15 at 14:21
  • @VincentAdvocaat Meanwhile, if this answer fits your needs, do not forget to mark it as accepted, thanks :) – WhiteWinterWolf Apr 21 '15 at 13:10

Define a specification

If you are writing/developing a new protocol, before you cut code you should start by writing a specification like a Request For Comments (RFC).

Even if you never intend to publish your protocol, the process is the important part. The RFC would be the basis of any assessment that you want to have done in the future.

In addition to how the protocol works, you would want to describe the reasons why you are developing a new protocol/suite and why someone should implement your protocol.

Validation

To validate your specification you could consider a combination of:

  • Security research organisations, e.g. SANS
  • Universities
  • The security community, through publishing research papers
  • Third-party risk assessment

Please consider that developing a robust protocol takes time, and you will likely need to version it, so make provision for this. As you have mentioned, SSL/TLS has undergone a lot of review and has been versioned a number of times.

Implementation

After you have defined a specification that has received review, you will need to develop a reference implementation that can undergo a complete code review and then penetration testing.

For the code review you would be looking for an assessor with specialist security skills in the programming language you are using and a background in penetration testing. They will be assessing your code against the specification.

For the penetration testing you would want to find an assessor who has the capability to develop their own custom test tools, and has recognised certifications such as ISO 27001 and Certified Ethical Hacker (CEH).

Other points

  • Obviously, before committing such a large time and money expense, you would need to consider if it is really worth it for the potential lifetime of the system that you are developing.

  • Like others have said, using an existing protocol implementation generally costs less and reduces security risks.

  • While you have a limited compute capacity, there may be other ways to address this (instead of implementing a new security stack). Do you really need message privacy (in a controlled secure environment) or just message integrity checking? Or can you just encrypt/decrypt the envelope?

Anyway, hope that helps.

Bernie White

Depending on language and environment:

US DHS and a third party host SWAMP (software assurance marketplace). You must apply for access and membership, but it's worth looking into.
