Google has released the source code of Paranoid, a project for detecting vulnerabilities in cryptographic artifacts

Paranoid is a project for detecting weaknesses in cryptographic artifacts

Members of Google's security team announced in a blog post that they have decided to release the source code of the "Paranoid" library, which is designed to detect known weaknesses in large numbers of untrusted cryptographic artifacts, such as public keys and digital signatures created on vulnerable hardware and software systems (HSM).

The project can be useful for indirectly assessing the use of algorithms and libraries that have known gaps and vulnerabilities affecting the reliability of the keys and digital signatures they produce, even when the artifacts being checked were generated by hardware that cannot be accessed for verification or by closed components that are a black box.

In addition, Google notes that an artifact may have been generated by a black box if, for example, it was not generated by one of Google's own tools, such as Tink, or by a library that Google can inspect and test using Wycheproof.

The goal of opening the library is to increase transparency, to allow other ecosystems to use it (such as Certificate Authorities, CAs that need to run similar checks to meet compliance requirements), and to receive contributions from external researchers. In doing so, we are asking for contributions, in the hope that after researchers find and report cryptographic vulnerabilities, the checks will be added to the library. In this way, Google and the rest of the world can respond quickly to new threats.

The library can also analyze sets of pseudorandom numbers to determine the reliability of their generator and, using a large collection of artifacts, identify previously unknown problems that arise from programming errors or from the use of unreliable pseudorandom number generators.

On the other hand, it is also mentioned that Paranoid includes implementations and optimizations taken from the existing cryptography literature, which shows that the generation of these artifacts was flawed in some cases.

When the contents of the public CT (Certificate Transparency) log, which holds information about more than 7 billion certificates, were checked with the proposed library, no problematic public keys based on elliptic curves (EC) and no problematic digital signatures based on the ECDSA algorithm were found, but problematic public keys based on the RSA algorithm were found.

After the disclosure of the ROCA vulnerability, we wondered what other weaknesses might exist in cryptographic artifacts generated by black boxes and what we could do to detect and mitigate them. We then started working on this project in 2019 and built a library to check large numbers of cryptographic artifacts.

The library contains implementations and optimizations of existing work found in the literature. The literature shows that artifact generation is flawed in some cases; below are examples of publications the library is based on.

In particular, 3586 untrusted keys were identified that had been generated by code with the unpatched CVE-2008-0166 vulnerability in the Debian OpenSSL package, 2533 keys associated with the CVE-2017-15361 vulnerability in the Infineon library, and 1860 vulnerable keys related to finding the greatest common divisor (GCD).
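The shared-divisor check behind the last figure can be sketched as follows. This is an added example, not code from Paranoid or from Google; it uses the batch-GCD method (product tree plus remainder tree), and the function names and the toy moduli are constructed for illustration.

```python
from math import gcd, prod

# Constructed toy moduli (real RSA moduli are 2048+ bits).
# Keys 0 and 2 were "generated" with the same prime 101.
SAMPLE_MODULI = [101 * 103, 107 * 109, 101 * 113, 127 * 131]

def product_tree(values):
    """Levels of pairwise products, from the leaves up to the full product."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    return tree

def batch_gcd(moduli):
    """For each modulus n_i, return gcd(n_i, product of all other moduli).

    Pairwise GCD over k keys costs O(k^2) operations; the remainder tree
    computes P mod n_i^2 for every i in quasi-linear time, which is what
    makes the check usable on a corpus the size of the CT logs.
    """
    tree = product_tree(moduli)
    remainders = tree.pop()              # root level: [P], or [] for no input
    while tree:
        level = tree.pop()
        # Child i hangs under parent i // 2; reduce modulo the child's square.
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod n^2) / n  is congruent to  P / n  modulo n.
    return [gcd(r // n, n) for r, n in zip(remainders, moduli)]

def flag_shared_factor_keys(moduli):
    """Indices of moduli that share a factor with another key in the set.

    A flagged key must be treated as compromised: revoke and regenerate it.
    Exact duplicate moduli are flagged as well (their gcd is the modulus).
    """
    return [i for i, g in enumerate(batch_gcd(moduli)) if g != 1]

if __name__ == "__main__":
    for idx in flag_shared_factor_keys(SAMPLE_MODULI):
        print(f"key {idx}: modulus {SAMPLE_MODULI[idx]} shares a factor")
```

A result of 1 for every modulus only shows that no factor is shared within the set that was checked, so the larger the corpus, the more meaningful a clean result is.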

Note that the project is intended to be light in its use of computational resources. The checks must be fast enough to run over a large number of artifacts and must make sense in a real-world production context. Projects with fewer restrictions, such as RsaCtfTool, may be more appropriate for other use cases.

Finally, it is mentioned that information about the problematic certificates that are still in use was sent to the certificate authorities so that they can be revoked.

If you are interested in learning more about this project, you should know that the code is written in Python and released under the Apache 2.0 license. You can check the details, as well as the source code, at the following link.

