I-Paranoid yiprojekthi yokufumanisa ubuthathaka kwi-cryptographic artifacts
Los amalungu eqela lokhuseleko likaGoogle, akhutshiwe ngeposti yebhlog baye benza isigqibo sokukhulula ikhowudi yomthombo welayibrari "Paranoid", yenzelwe ukukhangela ubuthathaka obaziwayo kumanani amakhulu ezinto zakudala ezingathembekanga ze-cryptographic, ezifana nezitshixo zoluntu kunye notyikityo lwedijithali oludalwe kwi-hardware esengozini kunye neenkqubo zesoftware (HSM).
Le projekthi kunokuba luncedo kuvavanyo olungathanga ngqo losetyenziso lwe-algorithms kunye namathala eencwadi ezinezithuba ezaziwayo kunye nobuthathaka obuchaphazela ukuthembeka kwezitshixo kunye neesignesha zedijithali eziveliswayo, nokuba i-artifacts eqinisekisiweyo iveliswa yi-hardware engafikelelekiyo yokuqinisekisa okanye amacandelo avaliweyo ayibhokisi elimnyama.
Ukongeza kuloo nto, uGoogle ukwakhankanya ukuba ibhokisi emnyama inokuvelisa i-artifact ukuba, kwimeko enye, ayizange iveliswe sesinye sezixhobo zikaGoogle ezifana neTink. Oku kuya kwenzeka kwakhona ukuba iveliswe yilayibrari uGoogle anokuyihlola kwaye ayivavanye esebenzisa iWycheproof.
Injongo yokuvula ithala leencwadi kukwandisa ukungafihli, ukuvumela ezinye i-ecosystems ukuba ziyisebenzise (ezifana ne- Certificate Authorities, ii-CAs ekufuneka zenze iitshekhi ezifanayo ukuhlangabezana nokuthotyelwa), kunye nokufumana iminikelo kubaphandi bangaphandle. Ngokwenza njalo, sibiza igalelo, ngethemba lokuba emva kokuba abaphandi befumene kwaye banike ingxelo yobuthathaka be-cryptographic, iitshekhi ziya kongezwa kwithala leencwadi. Ngale ndlela, uGoogle kunye nehlabathi liphela banokuphendula ngokukhawuleza kwizisongelo ezintsha.
Ithala leencwadi inokwahlulahlula iiseti zamanani obuxoki ukufumanisa ukuthembeka kwejenereyitha yakho kwaye, usebenzisa ingqokelela enkulu yezinto zakudala, chonga iingxaki ezazingaziwa ngaphambili ezivela ngenxa yeempazamo zeprogram okanye ukusetyenziswa kweejenereyitha zenombolo ezingathembekanga.
Kwelinye icala, kuyakhankanywa ukuba IParanoid ifaka umiliselo kunye nolungiselelo olo bathathwe kuncwadi olukhoyo olunxulumene ne-cryptography, okuthetha ukuba isizukulwana sezi zixhobo sasinesiphako kwezinye iimeko.
Xa kuhlolwa imixholo CT (Certificate Transparency) yobhaliso yoluntu, ebandakanya ulwazi kwi ngaphezu 7 billion izatifikethi, usebenzisa ilayibrari ecetywayo, izitshixo eziyingxaki yoluntu ngokusekelwe elliptic curves (EC) kunye neesignitsha digital esekelwe algorithm azifunyanwanga. I-ECDSA, kodwa izitshixo zoluntu eziyingxaki zifunyenwe ngokwe-algorithm yeRSA.
Emva kokubhengezwa kobuthathaka be-ROCA, siye sazibuza ukuba bubuphi obunye ubuthathaka obunokubakho kwi-cryptographic artifics eveliswa ziibhokisi ezimnyama kwaye singenza ntoni ukuze sizibhaqe kwaye sinciphise. Emva koko saqala ukusebenza kule projekthi ngo-2019 kwaye sakha ithala leencwadi ukuze sihlole inani elikhulu lezinto zakudala ze-cryptographic.
Ithala leencwadi liqulathe ukuphunyezwa kunye nokulungelelaniswa kwemisebenzi ekhoyo efunyenwe kuncwadi. Uncwadi lubonisa ukuba ukuveliswa kwe-artifact kuneziphene kwezinye iimeko; Apha ngezantsi kukho imizekelo yeempapasho esekelwe kuzo ithala leencwadi.
Ngokukodwa Kwachongwa amaqhosha angathenjwanga angama-3586 uveliswa yikhowudi kunye nobuthathaka obungafakwanga be-CVE-2008-0166 kwiphakheji ye-OpenSSL ye-Debian, izitshixo ezingama-2533 ezinxulumene nobuthathaka be-CVE-2017-15361 kwithala leencwadi le-Infineon, kunye nezitshixo ze-1860 kunye nobungozi obunxulumene nokufumana eyona isahluli iqhelekileyo (DCM). ).
Qaphela ukuba iprojekthi ijonge ukuba ibe lula ekusebenziseni izixhobo zokubala. Iitshekhi kufuneka zikhawuleze ngokwaneleyo ukuze ziqhube kwinani elikhulu lezinto zakudala kwaye kufuneka zenze ingqiqo kwimeko yokwenyani yemveliso. Iiprojekthi ezinezithintelo ezimbalwa, ezifana ne-RsaCtfTool, zinokufaneleka ngakumbi kwiimeko ezahlukeneyo zokusetyenziswa.
Okokugqibela, kukhankanyiwe ukuba ingcaciso malunga nezatifikethi eziyingxaki esele zisetyenziswa yathunyelwa kumaziko esiqinisekiso ukuze zirhoxiswe.
Ku unomdla wokwazi ngakumbi malunga neprojekthi, kufuneka bazi ukuba ikhowudi ibhaliwe kwiPython kwaye ikhutshwe phantsi kwelayisensi ye-Apache 2.0. Unokujongana neenkcukacha, kunye nekhowudi yomthombo Kule khonkco ilandelayo.