Introduction
The ISARA Catalyst™ OpenSSL Connector lets you implement OpenSSL using the algorithms provided in the ISARA Radiate™ Quantum-Safe Security Solution Suite. ISARA Catalyst gives you the cryptographic building blocks to create applications that will resist attacks by quantum computers.
For more information about ISARA quantum-safe solutions, visit https://www.isara.com.
This User’s Guide assumes that you are already familiar with OpenSSL and have extensive experience using it.
Version 2.0 of the ISARA Catalyst OpenSSL Connector package contains:
-
Documentation and diagrams about the ISARA Catalyst OpenSSL Connector.
-
A set of patch files to be applied to the appropriate version of the OpenSSL source.
-
The ISARA Radiate toolkit library binary.
-
The ISARA Catalyst OpenSSL Engine built using OpenSSL and the ISARA Radiate Quantum Safe Security Solution Suite.
-
The source code for several demo applications that demonstrate how to use the ISARA Catalyst OpenSSL Connector.
-
Scripts that run OpenSSL utility applications and ISARA Catalyst OpenSSL Connector demonstration applications, and their expected output.
The patch files and engine have been tested against these versions of OpenSSL:
-
OpenSSL-1.0.2t
-
OpenSSL-1.0.2u
The resulting source code was built against version 2.0 of the ISARA Radiate toolkit library included in this package.
The User’s Guide covers the following topics:
Packaging
The ISARA Catalyst OpenSSL Connector package contains the following files and directories:
-
README.html — Information about the ISARA Catalyst OpenSSL Connector package
-
OpenSSL-Connector-Guide.html
— This file. -
OpenSSL-Connector-MPKAC-Tutorial.html — Information about how to create and verify ISARA Catalyst certificates.
-
<OPENSSL_VERSION>_ISARA.patch
— Patch to apply to OpenSSL where<OPENSSL_VERSION>
is one of the following:-
OpenSSL-1.0.2t
-
OpenSSL-1.0.2u
-
-
lib/libiqr_toolkit.so
— ISARA Radiate toolkit library (on Linux) -
lib/libiqr_toolkit.dylib
— ISARA Radiate toolkit library (on macOS) -
lib/libiqre_engine.so
— ISARA Catalyst OpenSSL Connector Engine Library -
lib/libiqr_toolkit.dll
— ISARA Radiate toolkit library (on Windows) -
lib/<OPENSSL_VERSION>/libiqre_engine.dll
— ISARA Catalyst engine (on Windows) -
demos/
— Demo source code showing some of the new features -
crypto_demo_script.txt
— Script used to demonstrate using OpenSSL with our quantum-safe crypto algorithms -
crypto_demo_script_expected_output.txt
— Expected output of thecrypto_demo_script.txt
-
TLS_demo_script.txt
— Script used to demonstrate OpenSSL client-server TLS secure handshakes and message communications using ISARA quantum-safe cipher suites -
TLS_demo_script_expected_output.txt
— Expected output of theTLS_demo_script.txt
-
crypto_demo_data/
— Configuration and output files for thecrypto_demo_script.txt
-
tls_demo_data/
— Configuration and output files for theTLS_demo_script.txt
Getting Help
The latest version of this User’s Guide and other ISARA Catalyst Security Solution Suite documentation is available on https://www.isara.com. The ISARA Radiate Quantum Safe Toolkit Developer’s Guide provides more insights into the meaning of the parameters and has references to algorithm specifications.
-
ISARA website (https://www.isara.com)
-
ISARA Catalyst OpenSSL Connector documentation (https://www.isara.com/openssl/2/)
-
ISARA Support email (support@isara.com)
-
+1-877-319-8576 Toll-free (Refer to your support contract.)
For more details and requirements, refer to the ISARA Radiate Quantum-Safe Toolkit 2.0 Developer’s Guide.
Introduction to ISARA’s Algorithms
The ISARA Catalyst OpenSSL Connector adds the following quantum-safe algorithms to OpenSSL:
-
Key Exchange Schemes
-
Frodo Diffie-Hellman Key Exchange (FRODODH)
-
NewHope Diffie-Hellman Key Exchange (NHDH)
-
Supersingular Isogeny Diffie-Hellman Key Exchange (SIDH)
-
Samwise Key Exchange (SAMWISE)
-
-
Key Encapsulation Mechanisms
-
Classic McEliece KEM (CMC)
-
Frodo KEM (FRODOKEM)
-
Kyber Lattice-Based KEM (KYBER)
-
NTRU Prime Lattice-Based KEM (NTRUP)
-
SIKE KEM (SIKE)
-
-
Signature Schemes
-
Dilithium Lattice-Based Signature Scheme (DILITHIUM)
-
eXtended Merkle Signature Scheme (XMSS)
-
eXtended Merkle Signature Scheme - Multi-Tree (XMSSMT)
-
Hierarchical Signature Scheme (HSS)
-
Rainbow Multivariate Signature Scheme (RAINBOW)
-
SPHINCS+ Signature Scheme (SPHINCS)
-
Note
|
The algorithm names in parentheses above are not the official names. They are the compact names of the algorithms used in the code of the ISARA Catalyst OpenSSL Connector and algorithm specifier in the applications. |
Many of the algorithm details are abstracted via the EVP PKEY API. For details, see Using libcrypto APIs For Quantum-Safe Public Key Cryptography.
All the algorithms have new ISARA defined OIDs and associated NIDs. These OIDs will be used in the same way that classical algorithm OIDs are used. For example, they are embedded in the algorithm identifier of `SubjectPublicKeyInfo" in X.509 certificates.
All of the signature algorithms support intrinsic signing so for
signatureAlgorithm
in an X.509 certificate and certificate signing requests,
the embeded OID will be the same as the one in the issuer’s
SubjectPublicKeyInfo
. The parameters
field must be absent.
Caveats
-
HSS, XMSS and XMSSMT keys can only produce a specific number of signatures. The total number of signatures available depends on parameter selection.
-
HSS, XMSS and XMSSMT private keys require special care during the signing operation. A new
-pkeyopt
option calledstate_filename
must be set to a file name. See the Special Note on stateful hash-based signature schemes for more details. -
We do not support converting a certificate signing request into a self-signed X.509 root certificate where the signing algorithm is HSS, XMSS or XMSSMT because that would use up two OTSs, which is undesirable. Both the
x509
andreq
commands can be used to directly create a root certificate thereby using only one OTS. -
All our new key exchange algorithms must initiate and finish in the same transaction. The operation cannot be restarted from a previously initialized state. This is to enforce ephemeralness.
-
All our new key exchange algorithms require that the participants know their identity (for example, initiator vs. responder, Alice vs. Bob). This is different from Diffie-Hellman requirements.
-
Our new ISARA Catalyst certificates (see Special Note on Catalyst Certificates) will have two private keys associated with each certificate. This is not compatible with the
PKCS12_parse()
API that will only return a single private key per certificate. -
Our new signature schemes only support intrinsic signing. Therefore, the use of the
-[digest]
parameters in some of the OpenSSL applications in combination with our signature schemes can cause errors. -
Unlike the
openssl verify
utility,openssl x509QSVerify
does not have an equivalent to the-check-ss-sig
to trigger verification of the self-signed root certificate. Instead, theopenssl x509QSVerify
utility verifies the root certificate by default, but this behavior can be turned off using the-skip-trusted
flag which will ensure that any certificate in the trusted store is not verified. -
Our
libssl
library has strict mode enabled by default (equivalent to setting SSL_CERT_FLAG_TLS_STRICT).
Applying the ISARA Catalyst OpenSSL Connector Patch to OpenSSL
The ISARA Catalyst OpenSSL Connector is supplied as a patch to OpenSSL. This patch can be applied using any commonly available patch utility. It is expected that you are maintaining your own version of OpenSSL with your own customizations to fit into your own system.
The source code for OpenSSL can be found on the OpenSSL.org website: https://www.openssl.org/source/old/
-
Unpack the OpenSSL source.
-
In the unpacked directory, apply the patch using the following command:
patch -p2 < OpenSSL_<version>_ISARA.patch
where<version>
is one of:-
OpenSSL-1.0.2t
-
OpenSSL-1.0.2u
-
If the patch doesn’t apply cleanly, start over and make sure you’re running
the patch
command from inside the OpenSSL directory. (For example, the
directory for OpenSSL 1.0.2u is named openssl-1.0.2u
.) Also ensure that you
are using the appropriate patch for your version of OpenSSL.
Build Instructions
After patching the source for OpenSSL, build it.
For Posix systems:
-
Configure OpenSSL. See the relevant
INSTALL
file in the OpenSSL directory for more information. For example:./Configure shared <OPENSSL_CONFIGURATION>
NoteYou must use shared
for dynamic engine support because the engine calls APIs inlibcrypto
and thus requires the symbols in the shared library for dynamic linking. -
Execute
make depend
-
Execute
make all
-
Execute
make test
-
Build the demo applications. Each`.c` file in the
demos
directory is a demo application, exceptopenssl_tls.c
.openssl_tls_server.c
andopenssl_tls_client.c
share code inopenssl_tls.c
. OpenSSL crypto and ssl libraries built in the previous steps need to be linked in when building the demo applications. -
Run the ISARA Catalyst OpenSSL Connector crypto demos and the OpenSSL standard utilities as shown in
crypto_demo_script.txt
and TLS demos as shown inTLS_demo_script.txt
to see if you get similar console output to what is shown incrypto_demos_script_expected_output.txt
andTLS_demos_script_expected_output.txt
and similar output files in thecrypto_demo_data
andtls_demo_data
directories.
For Windows:
-
Configure OpenSSL. See the relevant
INSTALL
file in the OpenSSL directory for more information. For example:perl configure VC-WIN64A
NoteRun the following ms/nmake commands from a VC++ x64 environment. This can be done by running VCVARSALL x64
from the command prompt. -
Execute
ms\do_win64a
-
Execute
nmake -f ms\ntdll.mak
-
Execute
nmake -f ms\ntdll.mak test
-
Execute
nmake -f ms\ntdll.mak install
-
Build the demo applications. Each`.c` file in the
demos
directory is a demo application, exceptopenssl_tls.c
.openssl_tls_server.c
andopenssl_tls_client.c
share code inopenssl_tls.c
. OpenSSL crypto and ssl libraries built in the previous steps need to be linked in when building the demo applications. -
Run the ISARA Catalyst OpenSSL Connector crypto demos and the OpenSSL standard utilities as shown in
crypto_demo_script.txt
and TLS demos as shown inTLS_demo_script.txt
to see if you get similar console output to what is shown incrypto_demos_script_expected_output.txt
andTLS_demos_script_expected_output.txt
and similar output files in thecrypto_demo_data
andtls_demo_data
directories.
Note
|
You will not get an exact match in output as there is some randomness
associated with these algorithms and potential differences across run
time environments. Also, crypto_demos_script_expected_output.txt and
TLS_demos_script_expected_output.txt do not contain the output to stderr .
|
Using OpenSSL Utilities For Quantum-Safe Public Key Cryptography
The functionality of the standard utilities from the OpenSSL package has not changed. These utilities are documented on the OpenSSL.org website: https://www.openssl.org/docs/man1.0.2/apps/
Since ISARA’s algorithms are implemented in an engine, use the -engine
parameter to specify the path and file name of the ISARA Catalyst engine. This
engine can print debug and status information to stderr
by defining the
following environment variable at runtime:
ISARA_VERBOSE=1
See the crypto_demo_script.txt
file for an example of how to do this.
The following standard OpenSSL utilities can be used with the indicated algorithms:
Algorithm | req | x509 | verify | cms | genpkey | pkey | pkeyutl | ciphers | s_server | s_client |
---|---|---|---|---|---|---|---|---|---|---|
FRODODH |
✓ |
✓ |
✓ |
|||||||
NHDH |
✓ |
✓ |
✓ |
|||||||
SAMWISE |
✓ |
✓ |
✓ |
|||||||
SIDH |
✓ |
✓ |
✓ |
|||||||
CMC |
✓ |
✓ |
||||||||
FRODOKEM |
✓ |
✓ |
||||||||
KYBER |
✓ |
✓ |
||||||||
NTRUP |
✓ |
✓ |
||||||||
SIKE |
✓ |
✓ |
||||||||
DILITHIUM |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
HSS |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
RAINBOW |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|||
SPHINCS |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|||
XMSS |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
XMSSMT |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Note: If you choose to use genpkey
to generate keys of a type that are not
supported by the engine, you must not specify the engine on the command
line. For example, do not use the -engine <iqre_engine>
flags if you
are going to generate RSA keys. Doing so results in an error.
Note: The ciphers
application lists all supported cipher suites. To try one
of the ISARA Catalyst cipher suites, run the ciphers
command to get a
list of all supported cipher suites and pick the one you want. When you
execute s_client
, pass in that cipher suite with the -cipher
command
line option.
Special Note on Ephemeralness
The following algorithms are not compatible with genpkey
in order to enforce
ephemeralness:
-
FRODODH
-
NHDH
-
SAMWISE
-
SIDH
These algorithms are specifically designed for ephemeral key exchange. They are
only used in the s_server
, s_client
and demo applications that run the TLS
protocol. They are also featured in the ciphers
application that shows the
name of the cipher suites and some demo applications that show how to use them
in custom applications.
These are exposed by the Derive/SetPeer EVP PKEY APIs, but pkeyutl
cannot be
used with these algorithms. A peer key file cannot be properly supplied for the
initiator because construction depends on the responder’s data. The responder
must have the initiator’s peer key first. The initiator’s peer key does not
exist yet; that is why you are running pkeyutl
.
The ISARA Catalyst OpenSSL Connector package includes simple demos of how to
use these algorithms. See openssl_*_with_asn1.c
.
Special Note on Stateful Hash Based Signature Schemes
HSS, XMSS and XMSSMT are all stateful hash based signature schemes and therefore have special files for maintaining the state.
For any applications that perform key generation, you can use one of the following options to specify the state file depending on which application it is:
-
-pkeyopt state_filename:filename.bin
-
-sigopt state_filename:filename.bin
For any appications that perform the signing operation (for example, req
,
x509
, pkeyutl
), you will be required to use the following parameters:
-
-keyform ENGINE -key /path/to/key.pem::/path/to/filename.bin
The value of /path/to/filename.bin
, also known as the state, must be
a valid file name with no whitespace. Never set the file to read-only status on
the file system as the state needs to be re-written after each signing
operation.
Classic McEliece KEM
If the application has an -algorithm
parameter, you can specify Classic
McEliece KEM with -algorithm cmc
and specify the parameter set p
with
-pkeyopt parameter_set:p
where p
can be one of the following:
p |
Radiate Variant |
---|---|
ClassicMcEliece_6960119_r2 |
IQR_CLASSICMCELIECE_6 |
ClassicMcEliece_8192128_r2 |
IQR_CLASSICMCELIECE_8 |
Frodo KEM
If the application has an -algorithm
parameter, you can specify Frodo KEM
with -algorithm frodokem
and specify the parameter set p
with
-pkeyopt parameter_set:p
where p
can be one of the following:
p |
Radiate Variant |
---|---|
FrodoKEM_976_AES_r2 |
IQR_FRODOKEM_976_AES |
FrodoKEM_976_SHAKE_r2 |
IQR_FRODOKEM_976_CSHAKE |
Kyber KEM
If the application has an -algorithm
parameter, you can specify Kyber with
-algorithm kyber
and specify the parameter set p
with
-pkeyopt parameter_set:p
where p
can be one of the following:
p |
Radiate Variant |
---|---|
Kyber_768_r2 |
IQR_KYBER_768 |
Kyber_1024_r2 |
IQR_KYBER_1024 |
NTRU Prime KEM
If the application has an -algorithm
parameter, you can specify NTRU Prime
with -algorithm ntrup
and specify the parameter set p
with
-pkeyopt parameter_set:p
where p
can be the following:
p |
---|
NTRUPrime_sntrup761_r2 |
SIKE KEM
If the application has an -algorithm
parameter, you can specify SIKE with
-algorithm sike
and specify the parameter set p
with
-pkeyopt parameter_set:p
where p
can be one of the following:
p |
Radiate Variant |
---|---|
SIKE_p503_r2 |
IQR_SIKE_P503 |
SIKE_p751_r2 |
IQR_SIKE_P751 |
Dilithium Signature Scheme
If the application has an -algorithm
parameter, you can specify Dilithium with
-algorithm dilithium
and specify the parameter set p
with
-pkeyopt parameter_set:p
where p
can be one of the following:
p |
Radiate Variant |
---|---|
DILITHIUM_III_SHAKE_R2 |
IQR_DILITHIUM_128 |
DILITHIUM_IV_SHAKE_R2 |
IQR_DILITHIUM_160 |
eXtended Merkle Signature Scheme
If the application has an -algorithm
parameter, you can specify XMSS with
-algorithm xmss
.
You can use the following options when generating a key pair to specify the variant:
-
-pkeyopt tree_height:h
-
-pkeyopt strategy:s
-
-pkeyopt state_filename:filename.bin
Use one of these values for h
:
h |
---|
10 |
16 |
20 |
Use one of these values for s
:
s |
---|
cpu_constrained |
memory_constrained |
full |
See the Special Note on Stateful Hash Based
Signature Schemes for details about the state_filename
option.
See the IETF specification referenced in the ISARA Catalyst Security Solution Suite 2.0 Developer’s Guide for more details about these values.
eXtended Merkle Signature Scheme - Multi-Tree
If the application has an -algorithm
parameter, you can specify XMSSMT with
-algorithm xmssmt
.
You can use the following options when generating a key pair to specify the variant:
-
-pkeyopt tree_height:h
-
-pkeyopt tree_layers:l
-
-pkeyopt strategy:s
-
-pkeyopt state_filename:filename.bin
Use one of these combinations for h
and l
:
h |
l |
---|---|
20 |
2 |
20 |
4 |
40 |
2 |
40 |
4 |
40 |
8 |
60 |
3 |
60 |
6 |
60 |
12 |
Use one of these values for s
:
s |
---|
cpu_constrained |
memory_constrained |
full |
See the Special Note on Stateful Hash Based
Signature Schemes for details about the state_filename
option.
See the IETF specification referenced in the ISARA Catalyst Security Solution Suite 2.0 Developer’s Guide for more details about these values.
Hierarchical Signature Scheme
If the application has an -algorithm
parameter, you can specify HSS with
-algorithm HSS
.
You can use the following options when generating a key pair to specify the variant:
-
-pkeyopt sign_operations:so
-
-pkeyopt optimization:o
-
-pkeyopt strategy:s
-
-pkeyopt state_filename:filename.bin
Use one of these values for so
:
so |
---|
2E20 |
2E25 |
Use one of these values for o
:
o |
---|
fast |
small |
Use one of these values for s
:
s |
---|
cpu_constrained |
memory_constrained |
full |
See the Special Note on Stateful Hash Based
Signature Schemes for details about the state_filename
option.
See the IETF specification referenced in the ISARA Catalyst Security Solution Suite 2.0 Developer’s Guide for more details about these values.
Rainbow Signature Scheme
If the application has an -algorithm
parameter, you can specify Rainbow with
-algorithm rainbow
and specify the parameter set p
with
-pkeyopt parameter_set:p
where p
can be one of the following:
p |
Radiate Variant |
---|---|
Rainbow_IIIc_std_r2 |
IQR_RAINBOW_GF256_68_36_36 |
Rainbow_Vc_std_r2 |
IQR_RAINBOW_GF256_92_48_48 |
SPHINCS+ Signature Scheme
If the application has an -algorithm
parameter, you can specify SPHINCS+ with
-algorithm sphincs
and specify the parameter set p
with
-pkeyopt parameter_set:p
where p
can be one of the following:
p |
Radiate Variant |
---|---|
SPHINCS_SHAKE_256_192s_r2 |
IQR_SPHINCS_SHAKE_256_192S |
SPHINCS_SHAKE_256_192f_r2 |
IQR_SPHINCS_SHAKE_256_192F |
SPHINCS_SHAKE_256_256s_r2 |
IQR_SPHINCS_SHAKE_256_256S |
SPHINCS_SHAKE_256_256f_r2 |
IQR_SPHINCS_SHAKE_256_256F |
SPHINCS_SHA2_256_192s_r2 |
IQR_SPHINCS_SHA2_256_192S |
SPHINCS_SHA2_256_192f_r2 |
IQR_SPHINCS_SHA2_256_192F |
SPHINCS_SHA2_256_256s_r2 |
IQR_SPHINCS_SHA2_256_256S |
SPHINCS_SHA2_256_256f_r2 |
IQR_SPHINCS_SHA2_256_256F |
New QSExtend Applications
The following new applications were created to support Catalyst Certificats, Catalyst CSRs and Dual Private Keys.
-
cmsQSExtend
-
cmsQSVerify
-
pkcs12QSExtend
-
reqQSExtend
-
x509QSDirectExtend
-
x509QSExtend
-
x509QSVerify
See ISARA Catalyst OpenSSL Connector 2.0 QS Certificate Tutorial for an in-depth explanation of these applications.
Using libcrypto APIs For Quantum-Safe Public Key Cryptography
All of ISARA’s algorithms are abstracted by the EVP PKEY API layer. Here are the relevant APIs for each of the algorithms:
Algorithm | CTX_new_id | Keygen | Sign | Verify | SetPeer | Derive |
---|---|---|---|---|---|---|
FRODODH |
✓ |
✓ |
✓ |
✓ |
||
NHDH |
✓ |
✓ |
✓ |
✓ |
||
SAMWISE |
✓ |
✓ |
✓ |
✓ |
||
SIDH |
✓ |
✓ |
✓ |
✓ |
||
CMC |
✓ |
✓ |
✓ |
✓ |
||
FRODOKEM |
✓ |
✓ |
✓ |
✓ |
||
KYBER |
✓ |
✓ |
✓ |
✓ |
||
NTRUP |
✓ |
✓ |
✓ |
✓ |
||
SIKE |
✓ |
✓ |
✓ |
✓ |
||
DILITHIUM |
✓ |
✓ |
✓ |
✓ |
||
HSS |
✓ |
✓ |
✓ |
✓ |
||
RAINBOW |
✓ |
✓ |
✓ |
✓ |
||
SPHINCS |
✓ |
✓ |
✓ |
✓ |
||
XMSS |
✓ |
✓ |
✓ |
✓ |
||
XMSSMT |
✓ |
✓ |
✓ |
✓ |
Note
|
These API names have been shortened and simplified. For example,
Derive refers to EVP_PKEY_derive_init() and EVP_PKEY_derive() .
|
Note
|
The EVP_PKEY API in libcrypto does not support the notion of KEMs. That
is to say, there are no encapsulate() and decapsulate() methods in
the EVP_PKEY API. Therefore, we expose them via the
EVP_PKEY_derive_init()/EVP_PKEY_derive_set_peer()/EVP_PKEY_derive()
APIs.
|
Loading the Engine
You must load the ISARA Catalyst engine before using the ISARA Radiate
algorithms. The following sample code shows how to load the engine, where the
engine
parameter is a string that specifies the path to the engine’s file:
> // SNIPPET_START_1
ENGINE *setup_engine(const char *engine)
{
ENGINE *e = NULL;
if ((e = ENGINE_by_id(engine)) == NULL) {
fprintf(stderr, "Invalid engine \"%s\".\n", engine);
fprintf(stderr, " Did you use the correct path?\n");
fprintf(stderr, " Did you configure OpenSSL to build shared libraries?\n");
fprintf(stderr, " Does your system know where your OpenSSL shared libraries are located?\n");
fprintf(stderr, " Does your system know where your IQR Toolkit shared libraries are located?\n");
return NULL;
}
if (!ENGINE_init(e)) {
fprintf(stderr, "The engine did not initialize correctly.\n");
ENGINE_free(e);
return NULL;
}
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
fprintf(stderr, "Unable to use this engine.\n");
ENGINE_free(e);
return NULL;
}
fprintf(stdout, "Engine \"%s\" set.\n", ENGINE_get_id(e));
return e;
}
int main(int argc, char **argv)
{
if (argc != 2) {
fprintf(stderr, "Failure to specify the correct parameters.\n");
usage(argv[0]);
return EXIT_FAILURE;
}
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
ERR_load_crypto_strings();
ENGINE_load_dynamic();
ENGINE *e = setup_engine(argv[1]);
if (e == NULL) {
usage(argv[0]);
return EXIT_FAILURE;
}
> // SNIPPET_END_1
Much of the code has been omitted in this example. See the full code in
openssl_engine_load.c
.
For security reasons, the ISARA Catalyst engine overrides the default RNG implementation in OpenSSL with ISARA’s HMAC-DRBG using SHA2-256. You can check to see if this override has taken effect with the following code:
> // SNIPPET_START_1
const RAND_METHOD *rm = RAND_get_rand_method();
if(rm == RAND_SSLeay()) {
fprintf(stdout, "After engine load, using default generator\n");
return EXIT_FAILURE;
} else {
fprintf(stdout, "After engine load, NOT using default generator\n");
}
> // SNIPPET_END_1
Much of the code has been omitted in this example. See the full code in
openssl_hmacdrbg.c
.
Identifying the Algorithms
Artifacts encoded as .pem
or .der
files have OIDs (Object Identifiers) that
define which algorithms they work with. The only place where you would
have to identify the desired algorithm is during key generation. You can either
do that with EVP_PKEY_asn1_find_str()
or with EVP_PKEY_CTX_new_id()
.
EVP_PKEY_asn1_find_str()
takes the algorithm name as a string and
EVP_PKEY_CTX_new_id()
takes an integer constant associated with the algorithm.
Here is a table of the associated strings and constants. These strings are case
insensitive.
Algorithm | EVP_PKEY_asn1_find_str() |
EVP_PKEY_CTX_new_id() |
---|---|---|
FRODODH |
"frododh" |
|
NHDH |
"nhdh" |
|
SAMWISE |
"samwise" |
|
SIDH |
"sidh" |
|
CMC |
"cmc" |
|
FRODOKEM |
"frodokem" |
|
KYBER |
"kyber" |
|
NTRUP |
"ntrup" |
|
SIKE |
"sike" |
|
DILITHIUM |
"dilithium" |
|
HSS |
"hss" |
|
RAINBOW |
"rainbow" |
|
SPHINCS |
"sphincs" |
|
XMSS |
"xmss" |
|
XMSSMT |
"xmssmt" |
|
Setting Parameters
FRODODH
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_FRODODH_ROLE_SET
when generating a key pair to specify if this is
the initiator or responder:
Role | Value |
---|---|
Initiator |
1 |
Responder |
0 |
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_FRODODH_PARAMETER_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"parameter_set" when generating a key pair to specify
the parameter set:
EVP_PKEY_CTRL_FRODODH_PARAMETER_SET | parameter_set | Radiate Variant |
---|---|---|
FRODODH_976_AES_R2 |
FrodoDH_976_AES_r2 |
IQR_FRODODH_976_AES |
FRODODH_976_SHAKE_R2 |
FrodoDH_976_SHAKE_r2 |
IQR_FRODODH_976_SHAKE |
NHDH
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_NHDH_ROLE_SET
when generating a key pair to specify if this is
the initiator or responder:
Role | Value |
---|---|
Initiator |
1 |
Responder |
0 |
You can use the following option when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_NHDH_PARAMETER_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"parameter_set" when generating a key pair to specify
the parameter set:
EVP_PKEY_CTRL_NHDH_PARAMETER_SET | parameter_set | Radiate Variant |
---|---|---|
NHDH_1024_V0 |
NHDH_1024_v0 |
N/A |
SAMWISE
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_SAMWISE_ROLE_SET
when generating a key pair to specify if this
is the initiator or responder:
Role | Value |
---|---|
Initiator |
1 |
Responder |
0 |
You can use the following option when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_SAMWISE_PARAMETER_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"parameter_set" when generating a key pair to specify
the parameter set:
EVP_PKEY_CTRL_SAMWISE_PARAMETER_SET | parameter_set | Radiate Variant |
---|---|---|
SAMWISE_976_AES_V1 |
Samwise_976_AES_v1 |
IQR_SAMWISE_976_AES |
SAMWISE_976_CHACHA20_V1 |
Samwise_976_ChaCha20_v1 |
IQR_SAMWISE_976_CHACHA20 |
SIDH
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_SIDH_ROLE_SET
when generating a key pair to specify if this is
Alice or Bob:
Role | Value |
---|---|
Alice |
1 |
Bob |
0 |
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_SIDH_PARAMETER_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"parameter_set" when generating a key pair to specify
the parameter set:
EVP_PKEY_CTRL_SIDH_PARAMETER_SET | parameter_set | Radiate Variant |
---|---|---|
SIDH_P503_R2 |
SIDH_p503_r2 |
IQR_SIDH_P503 |
SIDH_P751_R2 |
SIDH_p751_r2 |
IQR_SIDH_P751 |
CMC KEM
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_CMC_PARAMETER_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"parameter_set" when generating a key pair to specify the parameter set:
EVP_PKEY_CTRL_CMC_PARAMETER_SET | parameter_set | Radiate Variant |
---|---|---|
CMC_6960119_R2 |
ClassicMcEliece_6960119_r2 |
IQR_CLASSICMCELIECE_6 |
CMC_8192128_R2 |
ClassicMcEliece_8192128_r2 |
IQR_CLASSICMCELIECE_8 |
FRODOKEM
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_FRODOKEM_PARAMETER_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"parameter_set" when generating a key pair to specify the parameter set:
EVP_PKEY_CTRL_FRODOKEM_PARAMETER_SET | parameter_set | Radiate Variant |
---|---|---|
FRODOKEM_976_AES_R2 |
FrodoKEM_976_AES_r2 |
IQR_FRODOKEM_976_AES |
FRODOKEM_976_SHAKE_R2 |
FrodoKEM_976_SHAKE_r2 |
IQR_FRODOKEM_976_CSHAKE |
KYBER
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_KYBER_PARAMETER_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"parameter_set" when generating a key pair to specify the parameter set:
EVP_PKEY_CTRL_KYBER_PARAMETER_SET | parameter_set | Radiate Variant |
---|---|---|
KYBER_768_R2 |
Kyber_768_r2 |
IQR_KYBER_768 |
KYBER_1024_R2 |
Kyber_1024_r2 |
IQR_KYBER_1024 |
NTRUP
NTRUP has no parameters to set.
SIKE
u can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_SIKE_PARAMETER_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"parameter_set" when generating a key pair to specify the parameter set:
EVP_PKEY_CTRL_SIKE_PARAMETER_SET | parameter_set | Radiate Variant |
---|---|---|
SIKE_P503_R2 |
SIKE_p503_r2 |
IQR_SIKE_P503 |
SIKE_P751_R2 |
SIKE_p751_r2 |
IQR_SIKE_P751 |
DILITHIUM
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_DILITHIUM_PARAMETER_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"parameter_set" when generating a key pair to specify the parameter set:
EVP_PKEY_CTRL_DILITHIUM_PARAMETER_SET | parameter_set | Radiate Variant |
---|---|---|
DILITHIUM_III_SHAKE_R2 |
Dilithium_III_SHAKE_r2 |
IQR_DILITHIUM_128 |
DILITHIUM_IV_SHAKE_R2 |
Dilithium_IV_SHAKE_r2 |
IQR_DILITHIUM_160 |
HSS
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_HSS_SIGOPS_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"sign_operations" when generating a key pair to specify how many times you
would like to perform the signing operation with the generated private key:
EVP_PKEY_CTRL_HSS_SIGOPS_SET | "sign_operations" |
---|---|
HSS_SIGOPS_2E20 |
"2E20" |
HSS_SIGOPS_2E25 |
"2E25" |
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_HSS_OPTIMIZATION_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"optimization" when generating a key pair to specify an optimization:
EVP_PKEY_CTRL_HSS_OPTIMIZATION_SET | "optimization" |
---|---|
HSS_OPTIMIZATION_FAST |
"fast" |
HSS_OPTIMIZATION_SMALL |
"small" |
You can use the following options when calling EVP_PKEY_CTX_ctrl()
with
EVP_PKEY_CTRL_HSS_STRATEGY_SET
or calling EVP_PKEY_CTX_ctrl_str()
with
"strategy" when generating a key pair to specify HSS tree strategy:
EVP_PKEY_CTRL_HSS_STRATEGY_SET | "strategy" |
---|---|
HSS_STRATEGY_CPU_CONSTRAINED |
"cpu_constrained" |
HSS_STRATEGY_MEMORY_CONSTRAINED |
"memory_constrained" |
HSS_STRATEGY_FULL |
"full" |
You can call EVP_PKEY_CTX_ctrl_str()
with "state_filename" when generating a
key pair to specify the XMSS private key’s state file name. See the
Special Note on Stateful Hash Based Signature Schemes
for details about the "state_filename" option.
RAINBOW
You can use the following options when calling EVP_PKEY_CTX_ctrl_str()
with
"parameter_set" when generating a key pair to specify the parameter set:
EVP_PKEY_CTRL_RAINBOW_PARAMETER_SET | parameter_set | Radiate Variant |
---|---|---|
RAINBOW_IIIC_STD_R2 |
Rainbow_IIIc_std_r2 |
IQR_RAINBOW_GF256_68_36_36 |
RAINBOW_VC_STD_R2 |
Rainbow_Vc_std_r2 |
IQR_RAINBOW_GF256_92_48_48 |
SPHINCS
You can use the following options when calling EVP_PKEY_CTX_ctrl_str()
with
"parameter_set" when generating a key pair to specify the parameter set:
EVP_PKEY_CTRL_SPHINCS_PARAMETER_SET | parameter_set | Radiate Variant |
---|---|---|
SPHINCS_SHAKE_256_192F_R2 |
SPHINCS_SHAKE_256_192f_r2 |
IQR_SPHINCS_SHAKE_256_192F |
SPHINCS_SHAKE_256_192S_R2 |
SPHINCS_SHAKE_256_192s_r2 |
IQR_SPHINCS_SHAKE_256_192S |
SPHINCS_SHAKE_256_256F_R2 |
SPHINCS_SHAKE_256_256f_r2 |
IQR_SPHINCS_SHAKE_256_256F |
SPHINCS_SHAKE_256_256S_R2 |
SPHINCS_SHAKE_256_256s_r2 |
IQR_SPHINCS_SHAKE_256_256S |
SPHINCS_SHA2_256_192F_R2 |
SPHINCS_SHA2_256_192f_r2 |
IQR_SPHINCS_SHA2_256_192F |
SPHINCS_SHA2_256_192S_R2 |
SPHINCS_SHA2_256_192s_r2 |
IQR_SPHINCS_SHA2_256_192S |
SPHINCS_SHA2_256_256F_R2 |
SPHINCS_SHA2_256_256f_r2 |
IQR_SPHINCS_SHA2_256_256F |
SPHINCS_SHA2_256_256S_R2 |
SPHINCS_SHA2_256_256s_r2 |
IQR_SPHINCS_SHA2_256_256S |
XMSS
You can use the following options when calling EVP_PKEY_CTX_ctrl_str()
with
"tree_height" when generating a key pair to specify the XMSS tree height:
"tree_height" |
---|
"10" |
"16" |
"20" |
You can use the following options when calling EVP_PKEY_CTX_ctrl_str()
with
"strategy" when generating a key pair to specify the XMSS tree strategy:
"strategy" |
---|
"cpu_constrained" |
"memory_constrained" |
"full" |
You can call EVP_PKEY_CTX_ctrl_str()
with "state_filename" when generating a
key pair to specify the XMSS private key’s state file name. See the
Special Note on Stateful Hash Based Signature Schemes
for details about the "state_filename" option.
XMSSMT
You can call EVP_PKEY_CTX_ctrl_str()
with "tree_height" and then "tree_layers"
to specify the tree height and layers when generating a key. Only the following
combinations are valid:
Height | Layers |
---|---|
20 |
2 |
20 |
4 |
40 |
2 |
40 |
4 |
40 |
8 |
60 |
3 |
60 |
6 |
60 |
12 |
You can use the following options when calling EVP_PKEY_CTX_ctrl_str()
with
"strategy" when generating a key pair to specify the XMSSMT tree strategy:
"strategy" |
---|
"cpu_constrained" |
"memory_constrained" |
"full" |
You can call EVP_PKEY_CTX_ctrl_str()
with "state_filename" when generating a
key pair to specify the XMSSMT private key’s state file name. See the
Special Note on Stateful Hash Based Signature Schemes
for details about the "state_filename" option.
Using libssl APIs For Quantum-Safe TLS Protocol Messaging
Quantum-Safe Cipher Suites
The libssl
library maintains its own list of cipher suites in priority order.
The client and server negotiate a common cipher suite based on their priorities.
Specifically, it provides quantum-safe cipher suites in addition to the classical cipher suites supported by OpenSSL. They are assigned from the IANA private range and are only compatible with other ISARA TLS implementations. The following is the list of all supported quantum-safe cipher suites in priority order from highest to lowest.
ECDHE-KYBER-DILM-AES256-GCM-SHA384 ECDHE-SIKE-DILM-AES256-GCM-SHA384 ECDHE-KYBER-SIKE-DILM-AES256-GCM-SHA384 ECDHE-NHDH-DILM-AES256-GCM-SHA384 ECDHE-SIDH-DILM-AES256-GCM-SHA384 ECDHE-NHDH-SIDH-DILM-AES256-GCM-SHA384 ECDHE-KYBER-ECDSA-AES256-GCM-SHA384 ECDHE-KYBER-RSA-AES256-GCM-SHA384 ECDHE-SIKE-ECDSA-AES256-GCM-SHA384 ECDHE-SIKE-RSA-AES256-GCM-SHA384 ECDHE-KYBER-SIKE-ECDSA-AES256-GCM-SHA384 ECDHE-KYBER-SIKE-RSA-AES256-GCM-SHA384 ECDHE-NHDH-ECDSA-AES256-GCM-SHA384 ECDHE-NHDH-RSA-AES256-GCM-SHA384 ECDHE-SIDH-ECDSA-AES256-GCM-SHA384 ECDHE-SIDH-RSA-AES256-GCM-SHA384 ECDHE-NHDH-SIDH-ECDSA-AES256-GCM-SHA384 ECDHE-NHDH-SIDH-RSA-AES256-GCM-SHA384 KYBER-DILM-AES256-GCM-SHA384 SIKE-DILM-AES256-GCM-SHA384 KYBER-ECDSA-AES256-GCM-SHA384 KYBER-RSA-AES256-GCM-SHA384 SIKE-ECDSA-AES256-GCM-SHA384 SIKE-RSA-AES256-GCM-SHA384
The quantum-safe key exchange and authentication algorithms used in the cipher suites are selected submissions to the NIST Post-Quantum Standardization evaluation process and are implemented in libcrypto.
As shown in the cipher suites above, the following quantum-safe algorithms are
supported.
Key exchange: KYBER
, SIKE
, NHDH
, SIDH
Authentication: DILITHIUM
(DILM
)
See section Using libcrypto APIs For Quantum-Safe Public Key Cryptography for more information on each of these algorithms.
In some of the cipher suites, more than one quantum-safe key exchange algorithms
are combined together, such as ECDHE-KYBER-SIKE
. Such hybrid key exchanges give
the same amount of protection as the most secure algorithm, and if one were
discovered to be insecure, others in the hybrid can continue to uphold the security
as they are all based on different categories of math problems, and therefore are
less likely to be broken at the same time.
Most of the cipher suites are also augmented with the classical ECDHE
key exchange
algorithm. These cipher suites are for the transitional period before large scale
quantum computers capable of breaking classical algorithms become available. The
security of such hybrid key exchanges is further underpinned by the tried-and-true
classical ECDHE
key exchange algorithm. In the event where all the relatively
new quantum-safe algorithms were found to be insecure, the overall security would
still be sustained with ECDHE
during the transitional period.
You can see the complete list of cipher suites by using the ciphers
command.
To programmatically get a list of available cipher suites you can use
SSL_get_ciphers()
or SSL_get_cipher_list()
which are documented on the
OpenSSL.org website at
https://www.openssl.org/docs/man1.0.2/ssl/SSL_get_ciphers.html
To use a specific cipher suite:
-
Use
SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
withcmd
set to "cipher" andvalue
set to one of the strings from theciphers
command. -
Use
SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
withstr
set to one of the strings from theciphers
command. -
Use
SSL_set_cipher_list(SSL *ssl, const char *str)
withstr
set to one of the strings from theciphers
command.
SSL_CONF_cmd()
is documented on the OpenSSL.org website at
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_cmd.html.
SSL_CTX_set_cipher_list()
and SSL_set_cipher_list()
are documented at
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_cipher_list.html.
API for Quantum-Safe Key Exchange Algorithm Parameters
The libssl
library provides a list of public functions to set and get
parameters for quantum-safe key exchange algorithms used during a TLS handshake.
Functions to set quantum-safe key exchange algorithm parameters
The following functions set the list of allowed parameters for TLS quantum-safe
key exchange algorithms. They are declared in openssl/ssl.h
.
When used on a TLS client, the parameters are sent to the server in client hello extension as the set of parameters supported by the client.
When used on a TLS server, the parameters are used to determine the set of parameters shared with the client.
int SSL_CTX_set1_kyber_parameters(SSL_CTX *ctx, int *nid_list, int nid_list_len); int SSL_CTX_set1_kyber_parameters_list(SSL_CTX *ctx, char *str_list); int SSL_set1_kyber_parameters(SSL *ssl, int *nid_list, int nid_list_len); int SSL_set1_kyber_parameters_list(SSL *ssl, char *str_list); int SSL_CTX_set1_sike_parameters(SSL_CTX *ctx, int *nid_list, int nid_list_len); int SSL_CTX_set1_sike_parameters_list(SSL_CTX *ctx, char *str_list); int SSL_set1_sike_parameters(SSL *ssl, int *nid_list, int nid_list_len); int SSL_set1_sike_parameters_list(SSL *ssl, char *str_list); int SSL_CTX_set1_nhdh_parameters(SSL_CTX *ctx, int *nid_list, int nid_list_len); int SSL_CTX_set1_nhdh_parameters_list(SSL_CTX *ctx, char *str_list); int SSL_set1_nhdh_parameters(SSL *ssl, int *nid_list, int nid_list_len); int SSL_set1_nhdh_parameters_list(SSL *ssl, char *str_list); int SSL_CTX_set1_sidh_parameters(SSL_CTX *ctx, int *nid_list, int nid_list_len); int SSL_CTX_set1_sidh_parameters_list(SSL_CTX *ctx, char *str_list); int SSL_set1_sidh_parameters(SSL *ssl, int *nid_list, int nid_list_len); int SSL_set1_sidh_parameters_list(SSL *ssl, char *str_list);
SSL_CTX_set1_xxxx_parameters()
sets the parameters in the SSL_CTX
object
for key exchange algorithm xxxx
(which is one of the kyber
, sike
, nhdh
,
and sidh
) using an int array of parameter NIDs via nid_list
, and the number
of NIDs via nid_list_len
.
SSL_CTX_set1_xxxx_parameters_list()
sets the parameters in the SSL_CTX
object for key exchange algorithm xxxx
using parameters in string format via
str_list
.
SSL_set1_xxxx_parameters()
and SSL_set1_xxxx_parameters_list()
are similar
to SSL_CTX_set1_xxxx_parameters()
and SSL_CTX_set1_xxxx_parameters_list()
,
respectively, except that the parameters are set in the SSL
object instead.
Each function returns 1
on success and 0
on failure.
Parameters are listed in order of decreasing preference in the array or string.
The following table shows all supported parameters for each quantum-safe key exchange algorithm in their NID and string format, listed in the default decreasing preference order.
Algorithm | Parameter — NID | Parameter — String |
---|---|---|
Kyber |
NID_Kyber_768_r2 |
"Kyber_768_r2" |
NID_Kyber_1024_r2 |
"Kyber_1024_r2" |
|
SIKE |
NID_SIKE_p503_r2 |
"SIKE_p503_r2" |
NID_SIKE_p751_r2 |
"SIKE_p751_r2" |
|
NHDH |
NID_NewHope_1024_v0 |
"NewHope_1024_v0" |
SIDH |
NID_SIDH_p503_r2 |
"SIDH_p503_r2" |
NID_SIDH_p751_r2 |
"SIDH_p751_r2" |
To specify multiple parameters with string format, use a colon to separate the
parameters, e.g., "Kyber_1024_r2:Kyber_768_r2"
.
If the API for setting parameters is not used, all parameters listed in table Quantum-Safe Key Exchange Algorithm Parameters in NID and String Format are set for each quantum-safe key exchange algorithm.
OpenSSL configuration command function and configuration file settings for quantum-safe key exchange algorithm parameters
Parameters can also be set using OpenSSL configuration command function:
int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
See its documentation on the OpenSSL.org website at https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_cmd.html for detailed usage information.
To use it for setting quantum-safe key exchange algorithm parameters via the
"command line commands" method, the following commands (cmd
) are supported:
-kyber_params
: Set parameters for Kyber. The value
argument should be a
colon separated list of Kyber parameters in order of decreasing preference, using
the string format. See section Functions to
set quantum-safe key exchange algorithm parameters for details about the string
format.
-sike_params
: Set parameters for SIKE. Same format for the value
argument as
-kyber_params
.
-nhdh_params
: Set parameters for NHDH. Same format for the value
argument as
-kyber_params
.
-sidh_params
: Set parameters for SIDH. Same format for the value
argument as
-kyber_params
.
To use it for setting quantum-safe key exchange algorithm parameters via the
"configuration file commands" method, the following commands (cmd
) are supported:
KyberParameters
: Set parameters for Kyber. The value
argument should be a
colon separated list of Kyber parameters in order of decreasing preference, using
the string format. See section Functions to
set quantum-safe key exchange algorithm parameters for details about the string
format.
SIKEParameters
: Set parameters for SIKE. Same format for the value
argument as
KyberParameters
.
NHDHParameters
: Set parameters for NHDH. Same format for the value
argument as
KyberParameters
.
SIDHParameters
: Set parameters for SIDH. Same format for the value
argument as
KyberParameters
.
These configuration file commands can also be used in OpenSSL configuration file to set quantum-safe key exchange algorithm parameters. For example, to set Kyber parameters, one can add the following to OpenSSL configuration file:
KyberParameters = Kyber_1024_r2:Kyber_768_r2
Functions to get quantum-safe key exchange algorithm shared parameter
The following functions get the shared parameter of a TLS quantum-safe key
exchange algorithm that has been negotiated for the TLS session. They are
declared in openssl/ssl.h
.
These functions can be used on both the client side and the server side.
int SSL_get_shared_kyber_parameter(SSL *ssl); int SSL_get_shared_sike_parameter(SSL *ssl); int SSL_get_shared_nhdh_parameter(SSL *ssl); int SSL_get_shared_sidh_parameter(SSL *ssl);
These functions shall be called after TLS handshake has already been successfully performed. The corresponding SSL object on which the connection is established needs to be passed in as input.
Each function returns the NID of the shared parameter for the corresponding key exchange algorithm, and 0 if there is no shared parameter (most likely the negotiated cipher suite does not contain the corresponding key exchange algorithm) or a failure occurs.
Special Note on Signature Scheme Usage in TLS
Due to the dynamic nature of the private keys, stateful hash-based signature schemes (HSS, XMSS, XMSSMT) are not appropriate for real-time signing of TLS messages. As such, these are only used for roots of trust and intermediate CA certificates within the X.509 certificate chain.
Due to large public keys and signatures, Rainbow and SPHINCS+ are not appropriate for use for TLS peer authentication.
Special Note on Catalyst Certificates and Dual Private Keys
ISARA has developed ISARA Catalyst certificates as a means of easing the
transition to Quantum-Safe algorithms for larger organizations with complex
infrastructures. These certificates contain alternative public keys and
signatures. As such, signing operations also require an alternative
private key and so we have developed private key files with an alternative
private key. We call them dual private keys. A quantum-safe private key is
converted to a dual private key by combining it with the associated classical
private key in privQSExtend.py
, reqQSExtend
or x509QSDirectExtend
.
In most cases, the dual private key can optionally be used instead of the
original private key since the alternative key in the dual private key file
will simply be ignored. However, s_server
and s_client
are notable
exceptions. They will only accept a single private key file. If a Catalyst
quantum-safe TLS connection is being negotiated, the dual private key must be
specified.
ISARA has created a tutorial document on how to create and use these kinds of certificates and private key files. See ISARA Catalyst OpenSSL Connector 2.0 QS Certificate Tutorial.
TLS Entity Authentication with Catalyst Certificates
The libssl
library can perform TLS entity authentication using ISARA Catalyst
certificates. Please read the tutorial document
ISARA Catalyst OpenSSL Connector
2.0 QS Certificate Tutorial to learn about Catalyst
certificates before reading the rest of this section.
The TLS client and server need to load the Catalyst certificates and the corresponding private keys before they can perform Catalyst entity authentication during the TLS handshake process. See TLS and Catalyst Certificates Tutorial on how to load Catalyst certificates and private keys into OpenSSL’s TLS context.
The client and the server use a new proprietary TLS private use hello extension
called "isara_catalyst" to signal to the peer that the end entity supports
Catalyst authentication. Any client or server that does not have this extension
in the TLS hello message is deemed as not Catalyst capable. All clients and
servers that use ISARA Catalyst OpenSSL Connector’s libssl
library will have
this extension automatically added to the entity’s TLS hello message. (This
extension is only added to the server’s hello message if the server has
received the same extension from the client’s hello message in the first
place.) Note that entities that are not Catalyst capable may still use Catalyst
certificates and the associated conventional keys to authenticate themselves
(and the "alternative" parts in the Catalyst certificates will not play a role
in such authentication).
The libssl
library has strict mode enabled by default (equivalent to setting
SSL_CERT_FLAG_TLS_STRICT) in order to properly use ISARA Catalyst certificates.
Without enabling strict mode, ISARA Catalyst certificates cannot be correctly
used by the libssl
library for TLS entity authentication.
Cipher Suite Selection and Server Authentication
How the server chooses the cipher suite for the TLS session can be strongly influenced by whether the client supports Catalyst and whether the client supports all the alternative signature algorithms in the server’s Catalyst certificate chain.
For instance, if the client supports Catalyst as well as all the alternative signature algorithms in the server’s Catalyst certificate chain, then the server is free to consider cipher suites with an authentication algorithm the same as the alternative public key type in the server’s leaf Catalyst certificate. On the other hand, if the client does not support Catalyst or if the client does not support some of the alternative signature algorithms in the server’s Catalyst certificate chain, then the server is limited to choosing from only the set of cipher suites with an authentication algorithm the same as the conventional public key type in the server’s leaf Catalyst certificate.
For server authentication, the server sends the server’s Catalyst certificate chain to the client and uses the private key corresponding to the authentication algorithm in the selected cipher suite to sign the server key exchange message. The client then checks which public key type in the server’s leaf Catalyst certificate matches the authentication algorithm in the selected cipher suite, and verifies the corresponding certificate chain, which is either the "conventional certificate chain" (consisting of all the conventional signature values) or the "alternative certificate chain" (consisting of all the alternative signature values), contained in the server’s Catalyst certificate chain. The client also uses this public key to verify the signature contained in the server key exchange message.
Client Authentication
Client authentication with Catalyst employs a similar mechanism as that of server authentication, except that the cipher suite no longer plays a role.
If the server advertises support of all the alternative signature algorithms in the client’s Catalyst certificate chain as well as the alternative public key type in the client’s leaf Catalyst certificate, then the client uses the alternative private key to produce the TLS certificate verify message. Otherwise, the client uses the conventional private key to produce the certificate verify message (which is also the case if the server is not Catalyst enabled).
The client sends its Catalyst certificate chain and the certificate verify message to the server for entity authentication. The server checks if it supports all the alternative signature algorithms in the client’s Catalyst certificate chain as well as the alternative public key type in the client’s leaf Catalyst certificate. If yes, it verifies the alternative certificate chain and uses the alternative public key to verify the certificate verify message. Otherwise, it verifies the conventional certificate chain and uses the conventional public key to verify the certificate verify message.
Application Level Changes
The following are descriptions of changes made to the applications and tests included with OpenSSL. It is important that you understand these changes as they would reflect changes that would be required in your own code. For more details, please see the patch file.
apps/s_cb.c and apps/apps.c
-
Add common code between multiple application to:
-
Load the alternative private key.
-
Handle Dilithium, HSS, XMSS and XMSSMT when outputting certificate types.
-
Allow loading large input files since artifacts for quantum-safe algorithms are generally larger than their classical counterparts.
-
apps/ca.c
-
Allow message digest to be NULL to accomodate intrinsic signing.
apps/crl.c
-
Add support for specifying the engine on the command-line because all quantum-safe algorithms are implemented by the engine.
apps/pkcs12.c
-
Output the alternative private key if present.
apps/pkeyutl.c
-
Accomodate larger input files.
apps/s_server.c
-
Load alternative key in the case of a dual private key being specified.
apps/s_client.c
-
Load alternative key in the case of a dual private key being specified.
test/testssl and test/testsslproxy
-
Explicitly specify that the tests should be run against classical algorithms because OpenSSL Connector gives the highest priority to quantum-safe cipher suites.
Notewe want the tests to continue to use classical cipher suites to show that our changes have not broken anything in the pre-existing algorithms and protocols. == Legal ==
The ISARA Catalyst OpenSSL Connector Binaries are licensed for use:
Copyright © 2017-2020, ISARA Corporation, All Rights Reserved.
The code and other content set out herein is not in the public domain, is considered a trade secret and is confidential to ISARA Corporation. Use, reproduction or distribution, in whole or in part, of such code or other content is strictly prohibited except by express written permission of ISARA Corporation. Please contact ISARA Corporation at info@isara.com for more information.
-
ISARA Catalyst OpenSSL Connector (ID
dab143f73d9e43d268bb97604f3f66990caff105
)