1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
|
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<style type="text/css">
html{overflow-y:scroll;background-color:#042424}
body{font-family:"Noto Sans","Droid Sans","DejaVu Sans","Arial",sans-serif;line-height:1.5}
tt,code{background-color:#f0f0f0;font-family:"Noto Sans Mono","Droid Sans Mono","DejaVu Sans Mono","Courier New",monospace,sans-serif;font-size:1em;}
pre{margin-left:3em}
p,ul,ol,blockquote,pre{font-size:1.0em;line-height:1.6}
li p{font-size:1.0em}
blockquote p{font-size:1.0em}
h1{font-size:1.5em}
h2{font-size:1.3em}
h3{font-size:1.0em}
h1 a{text-decoration:none}
table{border-collapse:collapse}
th,td{border:1px solid black}
table a{text-decoration:none}
table tr{font-size:1.0em;line-height:1.6em}
table tr{font-size:1.0em;line-height:1.5}
tbody tr:nth-child(12n+1){background-color:#f0ffff}
tbody tr:nth-child(12n+2){background-color:#f0ffff}
tbody tr:nth-child(12n+3){background-color:#f0ffff}
tbody tr:nth-child(12n+4){background-color:#f0ffff}
tbody tr:nth-child(12n+5){background-color:#f0ffff}
tbody tr:nth-child(12n+6){background-color:#f0ffff}
tbody tr:nth-child(12n+7){background-color:#fffff0}
tbody tr:nth-child(12n+8){background-color:#fffff0}
tbody tr:nth-child(12n+9){background-color:#fffff0}
tbody tr:nth-child(12n+10){background-color:#fffff0}
tbody tr:nth-child(12n+11){background-color:#fffff0}
tbody tr:nth-child(12n+12){background-color:#fffff0}
.headline{padding:0;font-weight:bold;font-size:1.0em;vertical-align:top;padding-bottom:0.5em;color:#ffffff;background-color:#042424}
.navt{display:block;box-sizing:border-box;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;margin:0;padding:0;vertical-align:center;font-size:1.0em}
.here{background-color:#042424}
.here{color:#ffffff}
.away{background-color:#042424}
.away a{text-decoration:none;display:block;color:#ffffff}
.away a:hover,.away a:active{text-decoration:underline}
.main{padding:5px}
.main{background-color:#ffffff}
.pagetitle{font-size:1.4em;font-weight:bold}
.logo img{width:100px}
@media only screen and (min-width:512px) {
.fixed{margin:0;padding:0;width:160px;height:100%;position:fixed;overflow:auto}
.main{margin-left:170px}
}
</style>
<title>
PQConnect: Security</title>
</head>
<body>
<div class=fixed>
<div class=headline>
<div class=logo><img src=topleft.png></div>
PQConnect</div>
<div class="navt away"><a href=index.html>Intro</a>
</div><div class="navt away"><a href=user.html>For users</a>
</div><div class="navt away"><a href=sysadmin.html>For sysadmins</a>
</div><div class="navt away"><a href=compat.html>Compatibility</a>
</div><div class="navt here">Security
</div><div class="navt away"><a href=crypto.html>Cryptography</a>
</div><div class="navt away"><a href=changes.html>Changes</a>
</div><div class="navt away"><a href=papers.html>Papers</a>
</div></div>
<div class=main>
<div class=pagetitle>PQConnect: Security</div>
<h2><a name="cooperative">Cooperative security</a></h2>
<p>PQConnect is not in competition with existing application-specific cryptographic layers,
such as TLS and SSH.
PQConnect adds an <em>extra</em> cryptographic layer
as an application-independent "bump in the wire"
in the network stack.
Deploying PQConnect means that the attacker
has to break PQConnect <em>and</em> has to break
whatever cryptographic mechanisms the application provides.
This layering has an important effect on security decisions,
as explained below.</p>
<h2><a name="non-nocere">Primum non nocere</a></h2>
<p>Modifying cryptography often damages security.
This damage can easily outweigh whatever advantages the modification was intended to have.
For example, upgrading from ECC to SIKE was claimed to
<a href="https://eprint.iacr.org/2021/543">solidly protect against quantum computers</a>,
but SIKE was shown
<a href="https://eprint.iacr.org/2022/975">11 years after its introduction</a>
to be efficiently breakable.
There are many other examples of broken post-quantum proposals;
out of 69 round-1 submissions to the NIST Post-Quantum Cryptography Standardization Project,
<a href="https://cr.yp.to/papers.html#qrcsp">48% are now known to not reach their security goals</a>,
including 25% of the submissions that were not broken at the end of round 1
and 36% of the submissions that were selected by NIST for round 2.
As another example,
OCB2, which was claimed to be an improvement over OCB1,
was shown
<a href="https://eprint.iacr.org/2019/311">15 years after its introduction</a>
to be efficiently breakable.</p>
<p>However,
for an <em>extra</em> layer of security,
the risk analysis is different.
A collapse of the extra layer of security
simply reverts to the previous situation, the situation without that layer.</p>
<p>We are not saying that it doesn't matter whether PQConnect is secure.
We have tried hard to make sure that PQConnect is secure by itself,
protecting applications that make unencrypted connections
or that use broken encryption.
We are continuing efforts to to improve the level of assurance of PQConnect,
and we encourage further analysis.</p>
<p>What we <em>are</em> saying is that,
beyond being designed for security benefits,
PQConnect is designed to minimize security risks.</p>
<p>Beyond the basic structure of PQConnect as a new security mechanism,
the rest of this page describes
some PQConnect software features
aimed at making sure that PQConnect will not damage existing security
even if something goes horribly wrong.
There is a
<a href="crypto.html">separate page</a>
regarding PQConnect's cryptographic goals.</p>
<h2><a name="virtual">Virtualization</a></h2>
<p>System administrators often run hypervisors such as Xen
to isolate applications inside virtual machines.
The PQConnect software supports
<a href="sysadmin.html#client-in-a-bottle">client-in-a-bottle</a>
and
<a href="sysadmin.html#server-in-a-bottle">server-in-a-bottle</a>
modes.
In these modes,
the PQConnect software runs inside a virtual machine
while protecting connections to and from the entire system.
The overall data flow of network traffic
is similar to what would happen if PQConnect handling were delegated to an external router,
but the router is within the same machine,
limiting opportunities for attackers to intercept unencrypted traffic.</p>
<p>Beware that virtual machines are not perfect isolation.
For example,
various Xen
<a href="https://xenbits.xen.org/xsa/">security holes</a> have been discovered,
and <a href="https://timing.attacks.cr.yp.to">timing attacks</a>
have sometimes been demonstrated reading data from other virtual machines.</p>
<h2><a name="memory">Memory safety</a></h2>
<p>The PQConnect software is written in Python
with careful use of libraries.
Using high-level languages such as Python
limits the level of assurance of constant-time data handling and key erasure,
but these are not memory-safety risks.</p>
<p>Cryptographic operations are carried out via libraries
that follow the SUPERCOP/NaCl API,
rather than libraries whose APIs inherently require dynamic memory allocation.
The relevant library code has been systematically tested under memory checkers such as valgrind.
Memory checkers do not necessarily exercise all code paths,
but all data flow from attacker-controlled inputs to branches or memory addresses
is avoided in the specific <a href="crypto.html">public-key cryptosystems</a> used in PQConnect.</p>
<h2><a name="file">File safety</a></h2>
<p>The PQConnect software is primarily memory-based.
The filesystem is used in a few limited ways
(e.g., storing the server's long-term keys),
with no data flow from attacker-controlled inputs.</p>
<h2><a name="port">Port security</a></h2>
<p>Malicious users on a multi-user machine,
or attackers compromising applications,
can bind to specific TCP ports or UDP ports,
preventing PQConnect from using those ports.
However,
the operating system prevents non-root users from binding to ports below 1024,
so you can simply choose ports below 1024 for running PQConnect.
For example, you are probably not using
port 584 ("keyserver") or port 624 ("cryptoadmin")
for anything else;
you can
<a href="sysadmin.html#ports">use those</a>
for a PQConnect server.</p>
<h2><a name="privsep">Privilege separation</a></h2>
<p>Privileges are used at run time
by the PQConnect software components
that hook into the networking stack
and that create and read/write packets on the TUN network interface.
The PQConnect software employs privilege separation
to isolate code that requires these privileges from the rest of the software.
Most of the code is run in a process as a non-root <code>pqconnect</code> user.
Untrusted data arriving on the network is piped from the root process to the non-root process for handling.</p>
<h2><a name="limit">Privilege limitation</a></h2>
<p>When the PQConnect software is run under systemd (as currently recommended),
various external constraints are applied to the system calls used by the software,
although this is generally less limiting than running in a virtual machine.</p><hr><font size=1><b>Version:</b>
This is version 2024.12.26 of the "Security" web page.
</font>
</div>
</body>
</html>
|
