Introduction
Timing attacks on cryptosystems have been studied since 1996. Attacks such as the cache-timing attack on AES, and defenses such as timing-attack-resistant AES-GCM, have been developed for widely used cryptographic algorithms and applied to well-known libraries such as OpenSSL. Tools exist for analyzing the time-constancy of cryptographic functions implemented in C or C++, but the time-constancy of cryptographic libraries implemented in other languages remains understudied. Consequently, applications and websites built on these libraries may carry potential timing side-channel vulnerabilities.
In this project, we aim to detect whether popular cryptographic libraries in Golang, JavaScript and Python 3 have constant-time implementations. Our contributions are:
- A constant-time assessment tool for Golang, JavaScript and Python 3, derived from dudect.
- A test suite against common cryptography primitives.
- Presentation and discussion of the results of evaluating the official Crypto library of Golang (and its extension), PyCrypto, Cryptography and PyCryptodome for Python 3, and the official Crypto library of Node.js.
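The dudect methodology the assessment tool builds on, as an added example in Python (not the project's own tool): inputs from two classes, fixed (equal to the secret) and random, are timed in a shuffled order, outliers are cropped, and the two timing distributions are compared with Welch's t-test. The naive comparison function, the 95th-percentile crop and the 4.5 threshold are assumptions chosen for illustration.

```python
import hmac
import os
import random
import statistics
import time

def naive_compare(a: bytes, b: bytes) -> bool:
    """Early-exit comparison: runtime depends on where the first mismatch is."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True

def welch_t(xs, ys) -> float:
    """Welch's t-statistic between two timing samples (the test dudect uses)."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    vx, vy = statistics.variance(xs), statistics.variance(ys)
    return (mx - my) / ((vx / len(xs) + vy / len(ys)) ** 0.5)

def crop(samples, pct=0.95):
    """Drop the slowest measurements (scheduler/GC noise); 95th percentile is an assumption."""
    cutoff = sorted(samples)[int(len(samples) * pct) - 1]
    return [s for s in samples if s <= cutoff]

def measure(compare, secret: bytes, n: int = 3000):
    """Time class 0 (input == secret) and class 1 (random input) in a shuffled schedule."""
    # Shuffling removes systematic bias from always timing one class after the other.
    inputs = [(0, secret)] * n + [(1, os.urandom(len(secret))) for _ in range(n)]
    random.shuffle(inputs)
    timings = ([], [])
    for cls, other in inputs:
        t0 = time.perf_counter_ns()
        compare(secret, other)
        timings[cls].append(time.perf_counter_ns() - t0)
    return crop(timings[0]), crop(timings[1])

def leaks(compare, secret: bytes, threshold: float = 4.5) -> bool:
    """True when |t| exceeds the (assumed) threshold, i.e. timing depends on the input."""
    fixed, rand = measure(compare, secret)
    return abs(welch_t(fixed, rand)) > threshold

if __name__ == "__main__":
    key = os.urandom(32)  # constructed secret for the demonstration
    print("naive_compare leaks:", leaks(naive_compare, key))
    print("hmac.compare_digest leaks:", leaks(hmac.compare_digest, key))
```

On CPython the early-exit comparison is flagged while hmac.compare_digest is not; the same two-class harness applies to any function that takes a secret and an attacker-controlled input.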
Ongoing Work
Future work will extend these preliminary investigations by
- expanding the test vectors with more implementation-specific inputs
- taking hardware optimization into consideration in measurements
- delving into the impact of the Python and JavaScript runtimes (including JIT compilation) on constant-time implementations.