{"id":570825,"date":"2019-04-02T09:00:15","date_gmt":"2019-04-02T16:00:15","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?p=570825"},"modified":"2020-06-08T10:19:02","modified_gmt":"2020-06-08T17:19:02","slug":"evercrypt-cryptographic-provider-offers-developers-greater-security-assurances","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/research\/blog\/evercrypt-cryptographic-provider-offers-developers-greater-security-assurances\/","title":{"rendered":"EverCrypt cryptographic provider offers developers greater security assurances"},"content":{"rendered":"

\"\"<\/p>\n

Project Everest (opens in new tab)<\/span><\/a> is a multiyear collaborative effort focused on building a verified, secure communications stack designed to improve the security of HTTPS, a key internet safeguard. This post, about the high-performance industrial-grade EverCrypt cryptographic provider (opens in new tab)<\/span><\/a>, is the second in a series exploring the groundbreaking work, which is available on GitHub (opens in new tab)<\/span><\/a> now.<\/em><\/p>\n

If you\u2019re reading this blog post right now, you\u2019re likely using HTTPS, the most popular application of the Transport Layer Security (TLS) protocol. In fact, if you\u2019ve logged in to a website, checked your email, ordered a product, or banked online today, you\u2019ve used it. Just check out the URL in your address bar. An internet standard, TLS powers most secure communications over the internet, ensuring all clients and servers can interoperate with each other.<\/p>\n

Delivering an implementation of TLS that guarantees with mathematical certainty your communications will be confidential and protected is a vast and ambitious effort. Like the building of a pyramid, it requires a strong foundation. Such an implementation needs successive verified software layers, beginning with the raw cryptographic algorithms, followed by a cryptographic provider. A crucially important component, the cryptographic provider orchestrates these standalone algorithms into a unified collection to meet the security needs of the protocol. Today, we\u2019re happy to introduce the first fully verified cryptographic provider.<\/p>\n

EverCrypt (opens in new tab)<\/span><\/a>\u2014developed and verified by the Project Everest (opens in new tab)<\/span><\/a> team\u2014offers the same features, convenience, and performance as popular existing cryptographic libraries without the bugs that leave protocols and applications vulnerable. Usable by verified and unverified clients alike, EverCrypt emphasizes both multiplatform support and high performance. We accomplish this by producing both platform-agnostic C code and optimized assembly code for specific hardware targets through the combination of two components of Project Everest: the HACL* (opens in new tab)<\/span><\/a> cryptographic library developed jointly between Inria (opens in new tab)<\/span><\/a> and Microsoft Research and the Vale-Crypto library (opens in new tab)<\/span><\/a> of assembly primitives developed collectively between Microsoft Research and Carnegie Mellon University (opens in new tab)<\/span><\/a>.<\/p>\n

The case for verification<\/h3>\n

Historically, writing a high-quality, trustworthy cryptographic library has been a difficult task, and many of the bugs found in security applications like TLS turn out to be in this underlying layer. These bugs are often a result of extremely complex cryptographic implementations that have been designed to achieve maximum performance. For each algorithm, there are dozens of implementations, each hand-tuned to a specific platform so the implementation can leverage vector or crypto-specific instructions. This practice\u2014known as implementation multiplexing\u2014allows a library to provide high-performance implementations on popular hardware platforms while still providing a fallback implementation that\u2019ll work on any platform. For instance, one may find several versions of the AES block cipher (opens in new tab)<\/span><\/a>, some using SSE, AVX, or NEON, or even the dedicated AES-NI collection of instructions.<\/p>\n

In light of this complexity, it\u2019s no surprise existing crypto libraries have bugs. After all, who among us can truly scrutinize half a dozen slightly different assembly implementations and spot a bug\u2014for example, a forgotten carry-bit propagation\u2014that testing has an infinitesimally small chance of finding?<\/p>\n

The research community has recognized this as an urgent issue and over the past few years has produced several verified implementations of individual algorithms. While these developments have advanced our understanding of the research area, they do not provide the kind of industrial-grade features developers have come to expect from popular established libraries such as Microsoft Windows Cryptography API: Next Generation (opens in new tab)<\/span><\/a>, OpenSSL\u2019s libcrypto (opens in new tab)<\/span><\/a>, or libsodium (opens in new tab)<\/span><\/a>.<\/p>\n

A high-performance industrial-grade provider\u2014minus the bugs<\/h3>\n

To meet the needs and expectations of programmers today, a cryptographic library should possess three features:<\/p>\n