Topic Title: Ali Proprietary Cryptographic Library and Support System

Technical Area: Security, Cryptography

Background

Cryptography and cryptographic protocols are effective technologies for protecting data throughout its entire life cycle in cloud computing and other shared or open computing environments. Cryptographic libraries are used by individuals in virtually every country in the world when conducting secure online transactions, communicating via secure email or video, and in numerous B2B (business-to-business) and B2C transactions. As a result, a number of open source crypto libraries have been developed to help developers build secure projects while avoiding the risks that come with implementing security-critical code themselves. Many large organizations such as Google, Amazon and Microsoft have their own proprietary cryptography libraries. The benefits are manifold: such a library is not only secure, it also makes it easier to maintain a consistent security approach across the organization.

However, cryptographic computing faces various new and effective attacks, such as side-channel attacks. The construction, analysis, design, and implementation of cryptographic algorithms and protocols are all interrelated, and their security is also tied to the "holes" inherent in their implementation. At present, the industry does not have a highly secure and efficient cryptographic algorithm/protocol library that can prevent the various types of attack that have been discovered. This directly leads to insecure use of cryptography in production environments. In addition, once a cryptographic library has been implemented, verifying its security is itself a major problem. For this purpose, the goal is to develop a highly secure and efficient cryptographic algorithm/protocol library that can be applied to cloud and other shared or open computing environments, with verifiable security, and compatible with the widely used OpenSSL, s2n, LibreSSL, Bouncy Castle, etc. It will be used in C/C++ and Java development environments.

Target

This project should draw on the successful experience of existing open source cryptographic libraries, and should aim at the following four objectives:

1. Systematically design and implement a fundamental cryptographic and security protocol library, which should be a highly adaptive security framework and architecture, compatible with existing widely used algorithms, the SM series of Chinese national cryptographic algorithms, existing cryptographic/protocol library APIs, and some special algorithms (such as those for IoT) used in particular industry scenarios. More importantly, the library should have mechanisms to support formal security verification and diagnosis;

2. Systematically study and summarize cryptographic algorithm attack theories and methods, and try to turn them into formal rules or paradigms. Then, develop advanced, comprehensive, and effective verification algorithms to check the cryptographic and security protocol library proposed in objective 1. The expected result is an efficient, attack-resistant cryptographic algorithm and security protocol library from which possible attacks can gradually be eliminated.

3. Implement a formal analysis and verification method for the side channels and implicit channels of the cryptographic/protocol library and its engineering implementation. By scanning the source code of the cryptographic algorithms, it should be possible to find most of these channels.

4. Provide a good set of methodologies and corresponding tools to optimize the performance and improve the efficiency of the cryptographic algorithms in the library. With these tools, the source code of the cryptographic algorithms can be scanned to find all points that should be optimized. The optimization should also achieve a trade-off between security and effectiveness.

Related Research Topics

The related research topics are cryptography, source code analysis, and formal security verification.