-
Notifications
You must be signed in to change notification settings - Fork 619
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Delegating crypto to a RustCrypto traits implementation #390
Comments
A few additional points:
It would be great if we can brain-storm on these options and then work out a feasible path to implementation ahead. |
(Sorry for some naive questions, I'm just a user who plans to use rustls+webpki+ring additionally on Raspberry Pi.) |
Hey @Darkspirit! Those are good questions and not naive ones at all! :) I think it should be possible to find good and reasonable ways in which both Ring's AArch64 support improves as well as Rustls gains the ability to work with secure hardware elements. More choice for folks wanting to use Rust on AArch64 can never be a bad thing! :) Completely take your point that there is a balance to be maintained though. More than happy to discuss options! |
As a representative of the RustCrypto project, I am really interested in adding a pure-Rust backend to rustls and ready to contribute to it. In my understanding the required primitives are already mostly implemented (though I am not 100% sure about elliptic curves, @tarcieri is more knowledgeable about them) and the main blocker right now is
Note that |
The That said we've done practically no optimization work so I expect it will be significantly slower than ring. |
Hardware cryptographic implementations are generally asynchronous, so rustls will need asynchronous signing support. For hardware cryptographic accelerators, asynchronous bulk encryption will be needed as well, but that is a much lower priority. |
I'm really not sold on this, I'm afraid. A few points I want to make: a. rustls has an existing extension point for using long-term server and client authentication keys. I'm aware of several uses already of this extension point to make use of keys held elsewhere: HSMs, TPMs, etc. I assert that -- in practice -- nobody stores other keys used in TLS in a HSM/TPM, because they tend to have terrible performance and scalability, and because those keys are of similar value to the application data. Docs for that feature are here: https://docs.rs/rustls/0.18.1/rustls/manual/_03_howto/index.html#customising-private-key-usage b. I feel that supporting "bring your own AES" is of no benefit to 99% of users, but costs all users in terms of complexity. I can see the argument for embedded users, where you really need to be using a proprietary hardware crypto peripherals for performance/power reasons; but rustls does not target embedded workloads. c. I really have little interest in maintaining and testing rustls on top of the entire power set of rustcrypto trait implementations. It seems like a really thankless task to ensure that rustls is tested with this sha256, and that aes-gcm, and while one would expect them to be orthogonal, that's certainly not guaranteed. d. the number of traits implementation would be absolutely wild to parameterise a given rustls session as the API currently stands. At a rough count, the top-level rustls e. I'm quite unsure that the shape of the rustcrypto traits are right for rustls to depend on -- rustls's So I'm always willing to listen to the arguments here, but I want to maintain a high bar for far-reaching and foundational changes. |
Nobody expects you to.
We don't have to be so fine-grained. Another use-case is an ability to extend UPD: BTW support of custom ciphersuits was also proposed here as a way to allow experimentation with new algorithms. |
Thanks for your honest response. Your point a. makes total sense: the only keys which seem useful from a security perspective to be stored in hardware are the authentication keys. Now if you already have traits to implement to offload the signing operation to an external hardware where the private key is stored, that's excellent. We could implement those traits and test that with Parsec immediately. That pretty much answers my original issue which was how to combie rustls with our projects. Concerning the other subject, if there might be value in defining an interface (in the end it could be something closer to |
The |
Note that this point is somewhat misleading: the trait implementations of RustCrypto traits for ring implementations seem to be implemented by RustCrypto authors, not by the ring maintainer. |
I don't want to get all into this, except to note that in general I am working on making ring work on more targets, with the goal of working on all Rust Tier 1 and Tier 2 targets by EoY. In the case of embedded applications, that was the original goal for creating ring that's mentioned even in its README.md; things got side-tracked because I couldn't find other people interested in embedded who were willing to do open source, while people were more interested in traditional platforms. If you are interested in adding open source support for your hardware elements then please feel free to work with me on the ring project on it. |
In order to keep this discussion in one place, let's continue in #521. |
Hello 👋
As stated in the repository's README.md file, Rustls uses ring for cryptography. The RustCrypto team has also published a set of traits describing the functionality of crypto primitives. There is an implementation of some of those traits for ring.
The idea put forward by this issue would be for Rustls to perform cryptography through the RustCrypto traits instead of doing it directly through ring. A configuration option would be there to choose between RustCrypto traits implementors.
Apart from the ring implementation, we were also thinking of implementing those traits for our projects: the Parsec Rust Client and PSA Crypto wrapper.
The advantages for Rustls would be to have the flexibility of choosing the crypto implementation that fits the best the use-case.
In the case of the Parsec Rust Client, that would allow Rustls to perform its crypto on a real hardware (such as a TPM or HSM) abstracted by the trait implementation.
In the case of the PSA Wrapper crate, it would open the way to any PSA Crypto implementation such as Mbed Crypto or the crypto service of Trusted Firmware-M (for microcontrollers, assuming Rustls could be
no-std
).We would be very interested in knowing your opinion about this, and if it would be feasable at all.
cc @raw-bin
The text was updated successfully, but these errors were encountered: