Enhancing Network Security : Post-Quantum Cryptography Through Loadable Modules in Firefox and NSS : Integrating Future-Proof Cryptographic Techniques
Luoma, Daniel (2024)
Tietotekniikan DI-ohjelma - Master's Programme in Information Technology
Informaatioteknologian ja viestinnän tiedekunta - Faculty of Information Technology and Communication Sciences
Acceptance date
2024-12-19
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:tuni-2024112810610
Abstract
The possible emergence of cryptographically relevant quantum computers poses a significant threat to modern secure communication. The solution to combat this threat is to transition toward Post-Quantum Cryptography (PQC) algorithms based on problems that even quantum computers cannot efficiently solve. This transition is a global effort aimed at ensuring the continuation of secure communication.
The well-known open-source web browser Mozilla Firefox relies on its set of security libraries, the Network Security Services (NSS), for implementing the Transport Layer Security (TLS) protocol and the cryptographic algorithms associated with it. Currently, testing cryptographic algorithms within the context of Mozilla Firefox and NSS is a labour-intensive process. Consequently, the cryptographic agility of NSS can be considered limited. There is a notable need for a framework to bridge this gap between NSS and the algorithm developers.
The primary objective of this thesis is to lay the foundation for such a framework. The proposed approach utilizes a shallow loadable module based on the Cryptoki Application Programming Interface (API) defined by the PKCS#11 standard. The term shallow refers to the fact that the module itself will not include its own cryptographic implementations but will instead rely on external libraries to provide them. The module is loadable in the sense that NSS, with its native support for PKCS#11, can dynamically load the module when needed. This approach limits the need for modifications to the NSS codebase while enhancing its cryptographic agility.
The main results of this thesis are as follows: First, the selection of the initial starting point for the framework. The choice was an open-source implementation of a PKCS#11 software token. Second, the identification of the areas that needed modification to align with the goals of this thesis and the project it is a part of. Third, applying these modifications to the initial framework. This primarily involved stripping unwanted dependencies from the initial framework and replacing them with alternative solutions. Finally, the definition and design of interoperability tests and internal tests to be conducted in the future phases of this project. The interoperability targets are the Cloudflare PQC servers and the Open Quantum Safe (OQS) PQC test servers for Post-Quantum/Traditional (PQ/T) hybrid key exchange and authentication. The internal tests focus on measuring the metrics associated with the TLS 1.3 protocol handshake.
The end result of this thesis prepares the framework for the next phase of including external PQC software implementations and allows for the continuation of the work to reach the goals set by the interoperability tests. The results also verify the applicability of the approach taken in this thesis and provide prospects for future contributions toward the PQC transition.
