Collaborating with NCSU to promote lightweight crypto validation and assessment
Cryptography is very important in today’s world. Improper or maliciously altered crypto implementations have been a concern for the industry in recent years. To alleviate the risk, Cisco has been working with the industry, the National Institute of Standards and Technology (NIST) and other international organizations on finding ways to validate crypto implementations and speed up crypto certifications like FIPS or Common Criteria. The output of these efforts is the Automated Cryptographic Validation Protocol (ACVP).
ACVP enables a crypto implementation to interact with a server that provides crypto test vectors, which the implementation encrypts and sends back. The server then checks the returned results for correctness; correct results mean that the algorithms are implemented correctly. ACVP can be used for validation of cryptographic modules. Cisco has open-sourced an ACVP client that implementers can use to validate and certify their algorithm implementations against NIST’s or third-party servers.
On the other hand, constrained environments cannot always use all the commonly accepted crypto algorithms because of their constrained nature. A battery-operated sensor, for example, cannot use 3072-bit RSA because it would deplete its battery faster and because of the processing load. NIST’s Lightweight Crypto Program is working on defining lightweight crypto algorithms suitable for these constrained endpoints. Some of the lightweight algorithms are documented in its Report on Lightweight Cryptography. Additionally, a recent paper from NIST’s 2016 LWC Workshop describes a methodology that uses Joules/byte as a metric for evaluating the algorithms’ energy efficiency.
What if we introduced ACVP in Lightweight Crypto for constrained environments? Could ACVP be used to validate lightweight crypto implementations and provide energy efficiency metrics for these modules that are important for constrained environments? These were some of the questions we were interested in answering, and we proposed them to North Carolina State University (NCSU)’s Computer Science (CSC) Senior Design Center as a Senior Design Project.
The NCSU CSC students who jumped into this new project were Jack Thornton, Jake Inkrote, Sam Rappl and Ian McKinnon. The project was driven by Barry Fussel and Panos Kampanakis from Cisco and overseen by NCSU CSC Senior Design Center Director, Ms. Margaret Heil, and technical advisors, Dr. Lina Battestilli and Mr. Michael DeHaan.
The outcomes of this effort were:
- An extension of the ACVP client library to integrate and validate the lightweight crypto library WolfSSL, at https://github.com/sigmaJ/ncsu-wolfssl
- Defined enhancements to the ACVP protocol to exchange crypto energy use information that could be used to characterize the energy efficiency of the crypto algorithm implementations of the module under test, at https://github.com/sigmaJ/ncsu-wolfssl/tree/master/.energyspec
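
The vector-based validation flow and the Joules/byte metric described above, modeled as an added example (not code from Cisco, NIST or the student project, and not the ACVP message format): a server issues vectors, a module under test returns ciphertexts with an energy reading, and the server checks the answers and derives the metric. The XTEA cipher, the field names and the energy values are assumptions chosen for illustration.

```python
import os
import struct

def xtea_encrypt(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """XTEA encryption of one 8-byte block under a 16-byte key."""
    v0, v1 = struct.unpack(">2L", block)
    k = struct.unpack(">4L", key)
    delta, mask, s = 0x9E3779B9, 0xFFFFFFFF, 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & mask
        s = (s + delta) & mask
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & mask
    return struct.pack(">2L", v0, v1)

def make_vector_set(count: int) -> list:
    """Server side: random key/plaintext test cases (constructed format)."""
    return [{"id": i, "key": os.urandom(16).hex(), "pt": os.urandom(8).hex()}
            for i in range(1, count + 1)]

def run_module(vectors: list, encrypt, energy_joules: float) -> dict:
    """Client side: run the module under test and attach an energy reading.
    On real hardware the reading comes from a power meter; here it is constructed."""
    results = [{"id": v["id"],
                "ct": encrypt(bytes.fromhex(v["key"]), bytes.fromhex(v["pt"])).hex()}
               for v in vectors]
    return {"results": results, "energy_joules": energy_joules}

def validate(vectors: list, response: dict) -> dict:
    """Server side: compare answers with the reference and derive Joules/byte."""
    answers = {r["id"]: r["ct"] for r in response["results"]}
    failed = [v["id"] for v in vectors
              if answers.get(v["id"]) != xtea_encrypt(
                  bytes.fromhex(v["key"]), bytes.fromhex(v["pt"])).hex()]
    total_bytes = sum(len(v["pt"]) // 2 for v in vectors)
    return {"passed": not failed, "failed": failed,
            "joules_per_byte": response["energy_joules"] / total_bytes}

def weakened(key: bytes, block: bytes) -> bytes:
    """Constructed faulty module: the same cipher with 8 rounds instead of 32."""
    return xtea_encrypt(key, block, rounds=8)

if __name__ == "__main__":
    vs = make_vector_set(10)
    print(validate(vs, run_module(vs, xtea_encrypt, energy_joules=0.004)))
    print(validate(vs, run_module(vs, weakened, energy_joules=0.001)))
```

The reduced-round module reports a better Joules/byte figure yet fails every vector, which is why an energy metric is only meaningful alongside the correctness check.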
We hope this work will be used and extended to expand the use cases of ACVP.
We would like to thank the NCSU CSC Department students, Ian, Jack, Jake and Sam, for the good work and collaboration. Also thank you to the Director of the NCSU CSC Senior Design Center, Margaret Heil, and CSC Senior Design technical advisors, Professor Lina Battestilli and Mr. Michael DeHaan. We hope it has been a good experience for them as it was a fun experience for us. The collaboration will continue…