Discussion:
[Ur] Thoughts on cryptographic hashing for Ur/Web standard library?
Matt Rice
2018-05-19 21:13:56 UTC
Permalink
After a busy semester, I am going through the backlog of Ur/Web issue
reports. I'm hoping to make a new Ur/Web release soon, and here is the
first in what may be a series of community queries, to decide whether
certain changes are appropriate.
It has been pointed out that Ur/Web's Basis.crypt uses DES, a weak hashing
approach by today's standards. I can think of a few potential courses of
As in the linked PR, just add a comment essentially saying "hey, this crypto
isn't so great."
Switch to a different cryptosystem available in OpenSSL's libcrypto, which
is already linked with all Ur/Web apps.
Realize that literally no one is using this function and just delete it from
the standard library. (A less severe version is to ask a small but
nonzero-size user community to switch to using separate libraries for this
functionality.)
Any thoughts?
Somewhat like 3 i imagine, but I'm not terribly enthusiastic about the
string -> string -> string type signature,
when we could implement so called "perfect crypto" modules in the type
system itself,
then implementers of this signature could back it with whichever
crypto primitives they like

There is quite a long correlation between ML's sealing/opaque
ascription as signatures for perfect crypto
e.g. see this paper from the ML workshop 2004,
http://www.cis.upenn.edu/~bcpierce/papers/infohide3.pdf
basically dating back the pre-ml days of
http://www.erights.org/history/morris73.pdf

relegating mechanism to a phantom type.

Since it is related, the basis function val rand : transaction int
Is another place I would desire a phantom type, e.g. val rand : rng ->
transaction (rng number)

In general though, I don't know enough about the compiler
implementation to know if adding these extra layers of abstraction
are going to impose runtime overhead, this way tends to add a lot of
type conversions/identity function calls,
which in theory could but may not be inlined across modules, in a way
that can be turned into a type cast.

but it does have the benefit of not needing to really anoint any one
primitive crypto mechanism.
*shrug* we can dream right?
Adam Chlipala
2018-05-21 13:38:30 UTC
Permalink
Post by Matt Rice
I'm not terribly enthusiastic about the
string -> string -> string type signature,
when we could implement so called "perfect crypto" modules in the type
system itself,
then implementers of this signature could back it with whichever
crypto primitives they like
I'm certainly sympathetic with that strategy at an above-average level,
as I do research in formal methods for cryptography, and I have an idea
on the shelf (to revive some day) for more thorough use of typing to
organize composition of cryptographic components.

However, I'm not sure if, for Ur/Web today, the practical value of
fancier types would make up for the added standard-library complexity. 
In the long run, I would like to see secure applications coded with no
direct use of cryptography.  Rather, we would have higher-level
primitives that are implemented with cryptography.

I feel like your suggestion is likely to be controversial enough that it
probably belongs in a separate library, if anywhere.  I'd be interested
to read more opinions here.
Post by Matt Rice
In general though, I don't know enough about the compiler
implementation to know if adding these extra layers of abstraction
are going to impose runtime overhead, this way tends to add a lot of
type conversions/identity function calls,
which in theory could but may not be inlined across modules, in a way
that can be turned into a type cast.
It's probably possible to dream up worst cases where the following is
false, but in general the Ur/Web compiler can be counted on to inline
all uses of identity functions.  There should be no runtime overhead of
phantom types.
Benjamin Barenblat
2018-05-23 16:22:54 UTC
Permalink
It has been pointed out <https://github.com/urweb/urweb/pull/114> that
Ur/Web's Basis.crypt uses DES, a weak hashing approach by today's
[...]
2. Switch to a different cryptosystem available in OpenSSL's libcrypto,
which is already linked with all Ur/Web apps.
3. Realize that literally no one is using this function and just delete
it from the standard library. (A less severe version is to ask a
small but nonzero-size user community to switch to using separate
libraries for this functionality.)
I think we should pursue both of these: Remove crypt from the standard
library, and replace its functionality with external libraries that
depend on OpenSSL.

I wrote bindings for the OpenSSL MD5, SHA-1, and SHA-2 APIs a while
back [1]. They're Apache-licensed. I'd love to see them get wider
use, and I'd welcome patches to add additional hash functions. I've also
written a bcrypt wrapper [2], so you've got two options if you want to
use bcrypt (the other being [3]). I AGPL-licensed my bcrypt wrapper, but
I'd be happy to relicense to Apache.

There may also be room for a general-purpose OpenSSL library for
Ur/Web. Such a library would bring the useful parts of the OpenSSL API
(data hashing, HMACs, password hashing, AES, ChaCha20/Poly1305, etc.) to
all Ur/Web applications and would effectively supersede [1]. I've been
working on something similar for Haskell [4], which could be a useful
model.


[1] https://benjamin.barenblat.name/git/urweb-crypto-hash-openssl.git
https://github.com/bbarenblat/urweb-crypto-hash-openssl

[2] https://benjamin.barenblat.name/git/urweb_bcrypt.git
https://github.com/bbarenblat/urweb_bcrypt

[3] https://github.com/steinuil/urweb-bcrypt

[4] https://github.com/google/btls
Adam Chlipala
2018-05-25 18:58:47 UTC
Permalink
That sounds like a pretty credible plan!  If no one objects by, say, the
end this coming Monday, I will feel free to remove 'crypt' from the
standard library, counting on others to figure out the right way to
materialize a more comprehensive freestanding library.
Post by Benjamin Barenblat
It has been pointed out <https://github.com/urweb/urweb/pull/114> that
Ur/Web's Basis.crypt uses DES, a weak hashing approach by today's
[...]
2. Switch to a different cryptosystem available in OpenSSL's libcrypto,
which is already linked with all Ur/Web apps.
3. Realize that literally no one is using this function and just delete
it from the standard library. (A less severe version is to ask a
small but nonzero-size user community to switch to using separate
libraries for this functionality.)
I think we should pursue both of these: Remove crypt from the standard
library, and replace its functionality with external libraries that
depend on OpenSSL.
I wrote bindings for the OpenSSL MD5, SHA-1, and SHA-2 APIs a while
back [1]. They're Apache-licensed. I'd love to see them get wider
use, and I'd welcome patches to add additional hash functions. I've also
written a bcrypt wrapper [2], so you've got two options if you want to
use bcrypt (the other being [3]). I AGPL-licensed my bcrypt wrapper, but
I'd be happy to relicense to Apache.
There may also be room for a general-purpose OpenSSL library for
Ur/Web. Such a library would bring the useful parts of the OpenSSL API
(data hashing, HMACs, password hashing, AES, ChaCha20/Poly1305, etc.) to
all Ur/Web applications and would effectively supersede [1]. I've been
working on something similar for Haskell [4], which could be a useful
model.
[1] https://benjamin.barenblat.name/git/urweb-crypto-hash-openssl.git
https://github.com/bbarenblat/urweb-crypto-hash-openssl
[2] https://benjamin.barenblat.name/git/urweb_bcrypt.git
https://github.com/bbarenblat/urweb_bcrypt
[3] https://github.com/steinuil/urweb-bcrypt
[4] https://github.com/google/btls
_______________________________________________
Ur mailing list
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
Loading...