Hello all, let's welcome Dmitry, who will present the Russian crypto algorithms in the open source world.

Good morning. Yeah, that works. I will be speaking about the Russian crypto algorithms. Some of you may probably know the word GOST; some of you have visited the Red Hat DevConf, where one of my colleagues was speaking about the GOST cryptography in OpenSSL and the requirements and the needs to support them.

So, I'm a software engineer. Of course, I work mostly in the embedded Linux world, working now for more than 14 years, and, unlike another Dmitry, GOST crypto algorithms started initially as a hobby-time project for me. Unlike Dmitry, I'm not affiliated with any of the commercial companies, any of the actual developers of the Russian crypto algorithms, so it's just my spare-time project. And for some part of the history this is quite important, because I view it not from the developer's point of view but from the user's and software developer's point of view.

So the word GOST means government standard. There are standards for a lot of things, starting from food, from building, from construction, and in the last 20 years we have started to have standards on the crypto algorithms too. Yeah, just like NIST, Russian crypto algorithms have developed the full set of crypto primitives and crypto algorithms on top of that. Yeah, again, just like NIST, just like the rest of the world, we have digital signature algorithms based on the discrete logarithm problem on elliptic curves, we have symmetric encryption algorithms and we have hash functions. On top of those standards...
Yeah, those are standardized. We are building a set of recommendations for the standards, amendments for the current crypto standards, like the others that you use in your everyday life: public key encryption, the certificates, Cryptographic Message Syntax, all the PKCS extensions and, last but not least and one of the most important topics, the TLS extension, the TLS cipher suites. I will come to these a little bit later.

So let's start from the kind of history. Yeah, I promised to Nikos some kind of myth-busting. I won't be going into real deep technical details; if you want, we can speak about that after the short talk.

So the first myth: crypto algorithms are all invented by the Russian secret service agencies to be able to undermine the cryptography users and to be able to actually read Russian email, read and sign all the Russian opposition sites' certificates, etc. No, that's not actually true. So the initial set was developed really by the secret service, but for the last 15 years the crypto algorithms are developed more by the commercial companies. Yes, they have licences from the FSB, but they are not the agents. They are just security engineers like we are.

Second myth: GOST crypto algorithms are insecure, thanks to the works by Nicolas Courtois, and mostly by him. It's like how involved in the a-you-see of that. Okay, it's easy to break GOST crypto because once you have 2^64 ciphertext and plaintext pairs, you can get the key in 2^224 operations.
Yeah, that sounds true, but once you have 2^64 plaintext/ciphertext pairs, you don't need the key any more: you have the dictionary. And in fact, according to the current cryptanalysis results, all current standards are safe, because, well, we have to use them by law for the secure information, and if there will be any insecurity, if there will be any actual cryptanalysis results, our commercial companies would be against using them. And for now we are safe.

And last, one of the most important myths, that is brought regularly into the IETF meetings when another guy tries to write an RFC about the Russian, Chinese, Japanese, any other crypto standard: okay, the rest of the world does not need the national crypto, another national crypto standard. We already have AES, we have SHA, so why do we need your crypto standard? Why do we need another SM primitive, GOST primitive, Camellia, SEED, you name it? Well, first, we need crypto agility. If we all live in the AES and SHA world, we lower the possibilities to actually create new things, to create diverse software that will support more than just AES and SHA, and if sometime in the future there will be an interesting cryptanalysis result for AES, for SHA, well, we will be doomed, because the software will not be able to be updated. We have seen that several times, when software was just using SHA-1, and now, with the advances in the generation of collisions for SHA-1, those software authors have started thinking: okay, how can we upgrade if we did not embed the actual property that this is SHA-1? So crypto agility is important.

Second, it's a full-stack alternative. If you do not trust American standards, you can use this one. You can use them together.
You can use any combination of the GOST and NIST standards that you would like in your own software. Again, this is just another full set of primitives, like the Chinese guys did, and they are bringing that to the open source crypto software as well.

And more importantly, as we open the path of the Russian crypto to the IETF standards, we have started seeing more and more interesting ideas and important ideas generated by the Russian crypto community, by the Russian crypto engineers. I would name several of them.

One: the re-keying for the symmetric crypto, for the symmetric encryption, for the symmetric keys. That means that once you use a predefined amount of the plaintext, you should re-key, you should change your key in a predictable way, so that there is no possibility to have an actual dictionary attack, to have the twins attack on the plaintext and ciphertext amount that you have generated.

The Multilinear Galois Mode, MGM. All our namings are the current IETF drafts. MGM is an alternative to the GCM mode. It has lower throughput compared to GCM, but it is more strong compared to GCM: it uses the encryption both to actually encrypt the plaintext and to generate the MAC value, and so it is not as susceptible to the possible attacks as GCM is.

TLS external re-keying. This should be most probably interesting, as a complement to the previous talk, and to the TLS users, because it actually allows you to, and enforces you to, change the TLS keys that are used to encrypt and to MAC each of the messages, or each set of the messages, in progress of the TLS transmission.

And another one, one of the password-authenticated key exchange protocols, SESPAKE. This is now published as an RFC, and you can also use that. It was created by the Russian crypto engineers.

Okay, the OSS support: why do we need it? Why do we want it? Why do we...
Why do we work in our spare time to provide the open source support for GOST? It provides additional tests; it provides additional test cases and test situations in GnuTLS and OpenSSL. For OpenSSL it is quite important, because GOST crypto was initially created as the separate GOST engine, and Dmitry and Victor Wagner from Cryptocom have faced a lot of issues with the actual external engine support in OpenSSL. The GOST engine was, and is, used for quite some time as the main test case for the external engine support in OpenSSL.

GOST support provides us a way to replace commercial software. As I said, in Russia GOST support is mostly developed by the commercial software vendors. It's closed source: you cannot get the source, you cannot read what's inside, and if you want to check the signatures, if you want to read the encrypted data, you have to either use that commercial closed-source software or you have to write your own support. For example, to check that the signature on my ham radio licence is valid, I had written support for the GOST signatures in GnuTLS. That's just to verify that my ham radio licence is valid.

And last but not least: it's fun.

So, the current status. OpenSSL: it was the primary target by my colleagues. GOST is supported since 2004 or 2005. It has a really long history, because to actually support the GOST algorithms, the GOST digital signatures, my colleagues had to invent, and to enforce the use of, the algorithm-neutral API for public key encryption in OpenSSL. So that was a really long, long, long-term project for them, but they were successful, and nowadays OpenSSL has the algorithm-neutral public key functions. You can use them, and you should use them for the access to the public key function set, instead of the individually encoded: okay, this uses RSA, that uses DSA,
this is elliptic curve for digital signatures, oh, and nowadays they have another set of public key encryption and you have to add this, and oh, you have to add this, oh, and this goes more and more into a nightmare.

LibreSSL, a fork of OpenSSL by the OpenBSD guys: they have thrown away most of the engine support, they have thrown away the external engines. So when that fork started, we had to actually rewrite the GOST engine piece of code into the core LibreSSL functionality, and LibreSSL was one of the first major open source crypto libraries to gain the full GOST crypto support.

GnuTLS, another major TLS implementation, currently has the public key support, it has the signature support, and for TLS the patch set is ready. It's waiting on GitLab as a merge request on the GnuTLS site. We are waiting for the IANA numbers to be assigned to the actual TLS cipher suites, so that we will not be just using the private numbers in the final software but really be using the assigned numbers. And we will be using that as the main test suite to cross-check the OpenSSL and GnuTLS support.

libgcrypt, software created by Werner Koch, another low-level library. It doesn't have TLS.
It doesn't have actual PKCS, just low-level algorithms, and it was one of the first targets by me to write GOST support, because it allows us to use GnuPG with GOST, it allows us to use the rest of the software with GnuPG without actually having to implement it in the client part: the rest of KDE, the rest of the GNOME software.

XMLSec, signatures for XML. There is an RFC on that, and there is support in the XMLSec library. That was a great part.

Okay, on the other part: the crypto library that is used by GnuTLS and by some other projects, the Nettle library. Unfortunately, the patches do exist, the patches were accepted in the GnuTLS tree, but Nettle is slow in accepting them, so GnuTLS is using them: it has the necessary code bundled instead of using the part of the Nettle library.

BoringSSL. Yeah, another boring story. Neither my colleagues nor I had time to port the OpenSSL code to BoringSSL, to another OpenSSL fork. It should be easy, and it should gain us the GOST support in Chrome and Chromium, but it is just not yet done, and we don't expect any serious problems except the code acceptance in the Google tree.

NSS, the very famous and very big crypto library. It was the former standard for most of us. Patches do exist for a really long time, since 2005, I think, or 2006, but the Mozilla guys are very slow and very reluctant and resistant to accepting them, mostly because they do not see the need to have another national code and because of the issues with the quality of the patches as well. They work, but they are not accepted.

BIND 9, DNSSEC, you know that. There is a GOST RFC on DNSSEC. The RFC is old.
It uses the old and obsolete GOST algorithms, and BIND has dropped the support for the GOST encryption. We should be updating both the standards and BIND 9 with the new algorithms.

And last but not least, there is no open source IPsec software that actually supports Russian crypto. We are working on that; there is a plan to write a new set of standards on IPsec using the AEAD algorithms, by using AEAD mode, but currently there is no IPsec.

Yeah, last but not least, my marketing department has insisted on inserting this slide. So, yeah, thanks to them for allowing me to come to FOSDEM to speak to you.

So that's all for now that I wanted to talk about the GOST crypto. I did not go into technical details in my talk, but if you want, we can discuss that either right now or later. Any questions?

Any questions? Hello, so I don't know if this is a bad question, but can you share your thoughts on Telegram?

Sorry, what about Telegram? Ah. Well, we are using 4G and 5G that are developed by major vendors. There is no, as far as I know, there is no specific set to include the 3G, 4G, 5G messages, so there is no special phone encryption. We know the backbone uses the famous SS7 protocol, and so you don't have to really change encryption if you can tap into the phone providers by law, by using the infamous SORM, the System for Operative Investigative Measures, which you have to install if you are the internet service provider or the telecom provider. There is no special set of crypto standards.

Yes, a question about: have you had any pushback from NIST or other government organizations pressuring people not to accept the GOST standard?

Not as far as we know. In fact, everybody, well, most everybody, is creating their own national standards, and NIST is one of them. NIST and the NSA are pushing for accepting national standards, because accepting Russian standards into the IETF is a way to also accept NSA standards into the IETF. So it's not good, it's not bad.
It's just another argument for them. So yeah, they do not recommend using that, of course, because they have their own set of recommendations, but there is no real pushback.

Hello, thanks for your talk. I wanted to ask how much comparative cryptanalysis has been done on GOST compared to the NIST submissions.

Of course, the amount of cryptanalysis is so much lower, and so the amount of public cryptanalysis is much lower compared to NIST. I do not have a full list of references to the cryptanalysis with me in this slide set; we can talk about that afterwards. I have it on another set of slides created by one of my colleagues. But, well, we all have received the cryptanalysis both internally and externally.

Any other question?

Do you have any information comparing to AES or, say, Salsa, ChaCha algorithms, in terms of comparison tables or benchmarks? What is better, other benefits?

Okay, if you compare to AES it's quite interesting, because if we do not use the AES-NI instructions the comparison will be much par and par, because we use more of the same constructions everywhere, both AES and the latest item, Kuznyechik, Grasshopper. But if we allow one to use the AES-NI instructions, we allow one to use the PCLMULQDQ set of instructions specifically written to support ultra-fast AES. Yeah, of course AES will be one decimal order at least faster compared to Grasshopper. The implementations that merged into libgcrypt, into GnuTLS and into LibreSSL do not have assembler-optimized instructions. So it's plain C.
You can use that to actually understand the algorithm, you can use them to actually check what works and how it's working, and to actually analyze the set of instructions, the set of algorithms, and of course you are open to write the assembly in an optimized way. The OpenSSL engine has received some parts of the assembly optimization, and it is now getting closer and closer to the AES implementation in OpenSSL.

So, something that I always wonder about, like stuff like the GOST cipher suite, is the following. So there are eight countries in the world that have a larger population than Russia. There are 11 countries in the world that have a larger GDP than Russia. What if all of those countries also had the same idea of coming up with their own crypto suite? Would it be desirable for something like the public internet for all of them to also be incorporated in crypto libraries? That would fragment the internet quite heavily, right?

I couldn't get the last phrase.

Oh, sorry. I'll repeat the question. Sorry, I'll hold the microphone a bit closer. So there are eight countries that are larger, 11 ones that have a larger GDP. What if each of those countries also made their own crypto algorithms and also put laws in place that required the use of those crypto algorithms in their country? Would that be a workable situation for the internet as a whole?

I do not think that it will make the situation worse. Chinese government agencies are currently pushing the SM2, SM3 and SM4 signature, hash and encryption standards into the major crypto libraries. I do not know about India. Well, we all know about the United States, and so NIST does this, and the NSA pushes all of their standards through the open benchmarks or just through the RFCs. So things will not be worse. You do not have to actually use them as the system administrator of the server. You do not have to put a law on the crypto algorithms.
In fact, nearly all web servers most probably have the limitation for the cipher suites in the configuration file, to use only a specific set that the system administrator sees as strong enough, good enough to be supported on that web server. So no, this doesn't open a can of worms. This doesn't open a full set of eight, nine, ten crypto algorithms. Japan has tried creating the Camellia and related set, but they have mostly stopped doing that, and they have, I think, mostly stopped enforcing the use of Camellia in the open internet. So there is Camellia-GCM standardized, but it is not actually used. So again, if we support these, if we allow one to use these primitives, it doesn't enforce one to use them. It does not enforce, and it doesn't allow you to use them by default, because you will not be allowed to connect, for example, to google.com by using the GOST ciphers.

So, let's all thank Dmitry.
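Added illustration, not part of the talk and not the GOST or IETF-draft construction itself: the external re-keying idea described above, where both endpoints switch to a fresh key after a predefined amount of plaintext so that no single key ever covers enough data for a dictionary-style attack. The cipher here is a toy HMAC-SHA256 keystream, the derivation rule key_{i+1} = HMAC(key_i, "rekey" || i) is an assumed simplification standing in for the draft's key-derivation function, and the 64-byte threshold, root key and messages are constructed for the demo. The point it shows beyond the prose: both sides stay in sync without any extra messages, and a party holding only the original key can no longer read traffic after the switch.

```python
import hashlib
import hmac

REKEY_AFTER = 64  # assumed threshold in plaintext bytes; real limits are far larger


class RekeyingChannel:
    """One direction of a symmetric channel with external re-keying.

    Both endpoints run exactly this logic on the same root key, so they
    derive the same key schedule purely from the amount of data processed;
    no re-key message has to be sent on the wire.
    """

    def __init__(self, root_key: bytes, limit=REKEY_AFTER):
        self.key = root_key
        self.epoch = 0          # how many times the key has been replaced
        self.limit = limit      # None means "never re-key" (used for the stale observer)
        self.processed = 0      # plaintext bytes handled under the current key
        self.seq = 0            # per-message counter, doubles as the nonce

    def _next_key(self) -> None:
        # Assumed one-way rule: key_{i+1} = HMAC-SHA256(key_i, "rekey" || i).
        # Because it is one-way, knowing key_{i+1} does not reveal key_i.
        info = b"rekey" + self.epoch.to_bytes(4, "big")
        self.key = hmac.new(self.key, info, hashlib.sha256).digest()
        self.epoch += 1
        self.processed = 0

    def _keystream(self, length: int) -> bytes:
        # Toy PRF-in-counter-mode keystream: block_j = HMAC(key, seq || j).
        out = b""
        block = 0
        while len(out) < length:
            ctr = self.seq.to_bytes(8, "big") + block.to_bytes(4, "big")
            out += hmac.new(self.key, ctr, hashlib.sha256).digest()
            block += 1
        return out[:length]

    def process(self, data: bytes) -> bytes:
        """Encrypt or decrypt one message (XOR is its own inverse)."""
        result = bytes(a ^ b for a, b in zip(data, self._keystream(len(data))))
        self.seq += 1
        self.processed += len(data)
        # "Once you use a predefined amount of plaintext, you should re-key."
        if self.limit is not None and self.processed >= self.limit:
            self._next_key()
        return result


def run_demo(root_key: bytes = b"constructed-root-key-for-demo", limit=REKEY_AFTER):
    """Send three 40-byte messages through a re-keying channel and report:
    whether the receiver stayed in sync, the sender's epoch after each message,
    and whether an observer holding only the root key could still decrypt."""
    messages = [bytes([0x41 + i]) * 40 for i in range(3)]  # constructed sample traffic
    sender = RekeyingChannel(root_key, limit)
    receiver = RekeyingChannel(root_key, limit)
    stale = RekeyingChannel(root_key, None)  # has the root key but never re-keys

    in_sync, epochs, stale_ok = [], [], []
    for m in messages:
        ct = sender.process(m)
        in_sync.append(receiver.process(ct) == m)
        epochs.append(sender.epoch)
        stale_ok.append(stale.process(ct) == m)
    return {"in_sync": in_sync, "epochs": epochs, "stale_ok": stale_ok}


if __name__ == "__main__":
    print(run_demo())
```

With the 64-byte limit the second message pushes the sender past the threshold, so messages one and two go out under the root key and message three under the derived key: the receiver decrypts all three, while the observer that never re-keys decrypts the first two and gets garbage for the third. The same accounting, with a real block cipher and the standard's own derivation function, is what the TLS external re-keying draft applies to record-layer keys.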