Giter VIP home page Giter VIP logo

opensk's Introduction

Post-Quantum fork of OpenSK

This is a fork of Google's OpenSK project created and published as part of my Master's thesis. It is mainly used for benchmarking post-quantum hash-based few-time signature schemes on the nRF52840.

The schemes implemented are:

  • a variant of the one-time signature scheme W-OTS+
  • a sequentially-updatable variant Merkle's signature scheme, which allows efficiently updating the public key after only a few signatures have been used
  • shallow-deep tree few-time signature scheme (sd-MSS), which uses two such updatable Merkle trees and is parametrized by their respective heights (s and d)

Getting Started

./setup.sh
./deploy.py --board=nrf52840dk --crypto_bench

License

Changes made by me on this fork are licensed under the MIT license.

These changes include:

  • adding the cryptoschemes wots.rs, merkle.rs, sdmss.rs to libraries/crypto/src/
  • updating libraries/crypto/src/lib.rs accordingly
  • adding my custom schemes to the crypto benchmark examples/crypto_bench.rs
  • commenting out benchmarks irrelevant to the comparison from examples/crypto_bench.rs (such as AES)
  • shortening of the original README file
  • adding this text above the line into the README file

All unchanged code authored by the OpenSK developers remains copyright of Google LLC and is licensed under the Apache 2.0 License.


OpenSK (orignal README, shortened)

This repository contains a Rust implementation of a FIDO2 authenticator.

Disclaimer

This project is proof-of-concept and a research platform. It is NOT meant for a daily usage. It's still under development and as such comes with a few limitations:

Cryptography

We're currently still in the process on making the ARM® CryptoCell-310 embedded in the Nordic nRF52840 chip work to get hardware-accelerated cryptography. In the meantime we implemented the required cryptography algorithms (ECDSA, ECC secp256r1, HMAC-SHA256 and AES256) in Rust as a placeholder. Those implementations are research-quality code and haven't been reviewed. They don't provide constant-time guarantees and are not designed to be resistant against side-channel attacks.

Installation

For a more detailed guide, please refer to our installation guide.

  1. If you just cloned this repository, run the following script (Note: you only need to do this once):

    ./setup.sh
  2. Next step is to install Tock OS as well as the OpenSK application on your board. Run:

    # Nordic nRF52840-DK board
    ./deploy.py --board=nrf52840dk --opensk
    # Nordic nRF52840-Dongle
    ./deploy.py --board=nrf52840_dongle --opensk
  3. Finally you need to inject the cryptographic material if you enabled batch attestation or CTAP1/U2F compatibility (which is the case by default):

    ./tools/configure.py \
        --certificate=crypto_data/opensk_cert.pem \
        --private-key=crypto_data/opensk.key
  4. On Linux, you may want to avoid the need for root privileges to interact with the key. For that purpose we provide a udev rule file that can be installed with the following command:

    sudo cp rules.d/55-opensk.rules /etc/udev/rules.d/ &&
    sudo udevadm control --reload

Development and testing

Printing panic messages to the console

By default, libtock-rs blinks some LEDs when the userspace application panicks. This is not always convenient as the panic message is lost. In order to enable a custom panic handler that first writes the panic message via Tock's console driver, before faulting the app, you can use the --panic-console flag of the deploy.py script.

# Example on Nordic nRF52840-DK board
./deploy.py --board=nrf52840dk --opensk --panic-console

Debugging memory allocations

You may want to track memory allocations to understand the heap usage of OpenSK. This can be useful if you plan to port it to a board with fewer available RAM for example. To do so, you can enable the --debug-allocations flag of the deploy.py script. This enables a custom (userspace) allocator that prints a message to the console for each allocation and deallocation operation.

The additional output looks like the following.

# Allocation of 256 byte(s), aligned on 1 byte(s). The allocated address is
# 0x2002401c. After this operation, 2 pointers have been allocated, totalling
# 384 bytes (the total heap usage may be larger, due to alignment and
# fragmentation of allocations within the heap).
alloc[256, 1] = 0x2002401c (2 ptrs, 384 bytes)
# Deallocation of 64 byte(s), aligned on 1 byte(s), from address 0x2002410c.
# After this operation, 1 pointers are allocated, totalling 512 bytes.
dealloc[64, 1] = 0x2002410c (1 ptrs, 512 bytes)

A tool is provided to analyze such reports, in tools/heapviz. This tool parses the console output, identifies the lines corresponding to (de)allocation operations, and first computes some statistics:

  • Address range used by the heap over this run of the program,
  • Peak heap usage (how many useful bytes are allocated),
  • Peak heap consumption (how many bytes are used by the heap, including unavailable bytes between allocated blocks, due to alignment constraints and memory fragmentation),
  • Fragmentation overhead (difference between heap consumption and usage).

Then, the heapviz tool displays an animated "movie" of the allocated bytes in heap memory. Each frame in this "movie" shows bytes that are currently allocated, that were allocated but are now freed, and that have never been allocated. A new frame is generated for each (de)allocation operation. This tool uses the ncurses library, that you may have to install beforehand.

You can control the tool with the following parameters:

  • --logfile (required) to provide the file which contains the console output to parse,
  • --fps (optional) to customize the number of frames per second in the movie animation.
cargo run --manifest-path tools/heapviz/Cargo.toml -- --logfile console.log --fps 50

Reporting a Vulnerability

See SECURITY.md.

opensk's People

Contributors

cfsghost avatar gebogebogebo avatar gendx avatar ia0 avatar jmichelp avatar kaczmarczyck avatar krkhan avatar mingxguo27 avatar mshetairy avatar qkniep avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.