Szilárd Pfeiffer - CryptoLyzer

Cryptographic settings analyzer library

Cryptographic settings analyzer library

Can you introduce yourself and your project?

I am a free software fanatic developer with my own projects mostly related to cryptography and a security and privacy committed engineer experienced in the fields of software quality/security, computer networks, and cryptography. I am also a free-culture enthusiastic journalist who strives to create free cultural works and a manager who believes in hacker culture and agile software development.

CryptoLyzer is a cybersecurity tool that can analyze the cryptography-related settings of clients and servers in the case of several different protocols. The tool’s primary purpose is to support end users as well as system administrators, security engineers, auditors, etc., in their work by telling them the details of the currently applied setting and informing them about the potential weaknesses and vulnerabilities. It is fast, flexible and analyzes cryptographic protocols (TLS, SSL, SSH, DNSSEC) and related security setting (HTTP headers, DNS records) and a fingerprint (JA3, HASSH tag) generator with Python API and command-line interface. In short, a cryptographic settings analyzer.

What are the key issues you see with the state of the internet today?

Unfortunately, there are many issues, not just a few key issues. We still use network protocols from the ancient times of the internet -- such as SMTP and DNS -- where the secure by design principles were not applied. However, protocols designed to be secure -- such as TLS and SSH -- also suffer from a few theoretical issues, not to mention implementation and configuration issues. These protocols and other security methods are considered secure as is, while the reality is that we have to care about the details to avoid a false sense of security.

How does your project contribute to correcting some of those issues?

CryptoLyzer tried to be as comprehensive as possible, without getting lost in the details. As a developer of that software, I should keep in mind that a tiny cryptographical flaw may be interesting or important for a security-committed engineer, such as me, but is just a question of details with a low risk for a maintainer. I use the proven traffic light rating system to help maintainers distinguish the issues that require more attention from the ones that can be handled later on. There are detailed descriptions of the flaws to give justification and the possibility to read further and get more understanding and possibly come to a different decision. It is important to note that some can use Cryptolyzer not just as a command-line tool, but also as a Python library since automation is a key concept of modern security.

What do you like most about (working on) your project?

There is no single answer to this question. First of all, I was able to learn a lot about cryptography, internet protocols, and the related standards as a security-committed engineer. Secondly, I could practice programming, test-driven development, continuous integration, and delivery developing a pet project without the constraints of a commercial product. Last but definitely not least I could give a hopefully useful tool for the community which means a lot for a free software enthusiastic developer.

Where will you take your project next?

The project has taken me to disclose a denial-of-service (DoS) attack, D(HE)at, against the ephemeral variant of the Diffie-Hellman (DHE) key exchange protocol and to publish a full technical paper about it. The discovery resulted from the intention to analyze the SSH group exchange parameters comprehensively. I would come along that path by trying to make the project even more comprehensive than it is now. On the one hand, it could be done by supporting modern cryptographic protocols, such as QUIC, and the good old ones such as DTLS, SIP, or IKE. On the other hand, config generation might be useful for all those who have found issues with that tool.

How did NGI Assure help you reach your goals for your project?

NGI Assure gave me the most important resource that a software developer needs, namely time. I already had the idea, also a working software with basic functions. The funding gave me the chance to bring the project to a level, where it can be a worthy competitor to the existing solutions or even better than them from a certain point of view. Meanwhile, I didn't have to worry about bureaucracy during the proposal submission or later, when I requested a payment. The focus was on the working software the whole time giving me a great deal of freedom in scheduling my time helped me a lot to be effective.

Do you have advice for people who are considering to apply for NGI funding?

First of all, you need a good idea. It doesn't necessarily have to be unique, but it must offer users more than existing projects in some way. If only proprietary software exists to solve a problem the fact that you give a real alternative with free software can be that offer. However, if free software exists to solve the problem, your project should stand out from them in one way or another. It can be the functionality, the usability, the documentation, the automation capability, or all of these together. The point is to provide value to users. If you have it, apply for funding. If you failed once, try harder in a second time. If you fail a second time try harder at a third time ...

Acknowledgements

Image: courtesy of Szilárd Pfeiffer.

oqsprovider received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073.