Opportunistic Security - Increasing the cost of mass surveillance … · 2014. 4. 15. ·...

Opportunistic SecurityIncreasing the cost of mass surveillance without fixing

everything

Daniel Kahn Gillmor

April 2014

Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 1 / 21

Networked CommunicationsModern telecommunications use complex networks

Example protocols:

web browsing

e-mail

text chat (IRC, XMPP)

phone (landline, mobile)

Heavily intermediatedUsually two peers, sometimes broadcast

Example protocols:

web browsing

e-mail

Heavily intermediated

Usually two peers, sometimes broadcast

Example protocols:

web browsing

e-mail

Heavily intermediatedUsually two peers, sometimes broadcast

Communications security

What properties do we want?

confidentiality (no snooping)

integrity (no tampering)

proof of origin (no impersonation)

anonymity (no linkability)

free expression

free association

privacy

autonomy

free expression

free association

privacy

autonomy

free expression

free association

privacy

autonomy

Adversaries“Secure” against who?

criminals

competitors (industrial/corporate/academic)

your ISP

other network operators

the remote peer(s) themselves

your employer

your housemates

your own government (local, state, federal)

foreign governments

and for how long?

Adversaries“Secure” against who?

criminals

competitors (industrial/corporate/academic)

your ISP

other network operators

the remote peer(s) themselves

your employer

your housemates

your own government (local, state, federal)

foreign governments

and for how long?Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 4 / 21

Adversary capabilitiesWhat can they do?

passive monitoring

traffic injection

traffic modification

traffic blocking

Where?

link-specific

global

Resources?

storage

processing power

memory

Cryptography to the rescue?Fancy math

We have powerful information manipulation toolscapable of offering strong guarantees for thecommunications properties we want.

ciphers

message integrity

signatures

unlinkable messages

But...

We don’t use it widelyDeployment is hard

The default is no encryption for almost all protocols anddeployments.Consider:

http://steinhardt.nyu.edu/

https://steinhardt.nyu.edu/

The latter works. Why is the first option available?

https://www.nytimes.com/ redirects to...

http://www.nytimes.com/

Failure modesHow to discourage people from deploying

Distinguishing Failure modesHow can the user tell the difference?

What could have gone wrong here?

expired cert

wrong hostname

misconfigured server

non-cartel CA

active attack

What are we defending against?

Guess which ones are most common...

Distinguishing Failure modesHow can the user tell the difference?

What could have gone wrong here?

expired cert

wrong hostname

misconfigured server

non-cartel CA

active attack

What are we defending against?Guess which ones are most common...

Other protocolsMail delivery is different

Mail transfer (SMTP) prioritizes message delivery.

If a secure connection fails......fall back to message delivery in the clear.Who can attack this?

Mail transfer (SMTP) prioritizes message delivery.If a secure connection fails...

...fall back to message delivery in the clear.Who can attack this?

Mail transfer (SMTP) prioritizes message delivery.If a secure connection fails......fall back to message delivery in the clear.

Who can attack this?

Mail transfer (SMTP) prioritizes message delivery.If a secure connection fails......fall back to message delivery in the clear.Who can attack this?

Other protocolsXMPP Manifesto

A Public Statement Regarding Ubiquitous

Encryption on the XMPP Network“We, as operators of federated services and developers ofsoftware programs that use the XMPP standard forinstant messaging and real-time communication, committo establishing ubiquitous encryption over our network onMay 19, 2014. ...”

What happens to unencrypted/unauthenticated hostsafter the cutover? What happens to their users?

Other protocolsXMPP Manifesto

A Public Statement Regarding Ubiquitous

Encryption on the XMPP Network“We, as operators of federated services and developers ofsoftware programs that use the XMPP standard forinstant messaging and real-time communication, committo establishing ubiquitous encryption over our network onMay 19, 2014. ...”

What happens to unencrypted/unauthenticated hostsafter the cutover? What happens to their users?

Opportunistic Security“Just Make it Work”

Encrypt and integrity-check everything by default,potentially anonymously.

No harsh failure modes visible to the user.Nothing visible to the user.Peer may have no public authentication key.

What about active attacks again?

Encrypt and integrity-check everything by default,potentially anonymously.No harsh failure modes visible to the user.

Nothing visible to the user.Peer may have no public authentication key.

Encrypt and integrity-check everything by default,potentially anonymously.No harsh failure modes visible to the user.Nothing visible to the user.

Peer may have no public authentication key.

Encrypt and integrity-check everything by default,potentially anonymously.No harsh failure modes visible to the user.Nothing visible to the user.Peer may have no public authentication key.

Pragmatic comparisons

Instead of asking “Can it defend against activeattackers?”, ask...

“Is it better than plaintext?”

Pragmatic comparisons

Instead of asking “Can it defend against activeattackers?”, ask...

“Is it better than plaintext?”

Similar modelschat and voice

Encrypt first, authenticate later:

Off-the-Record Messaging (OTR) for text chat

ZRTP for voice/video

Latches, Leap-of-Faith, and Key PinningOnce you know, no going back

LatchesFirst time we see crypto, remember it, never usecleartext again (Strict-Transport-Security)

TOFU/LoFOnce we see peer’s public key, remember it, don’t acceptalternatives (SSH)

Key Pinningpeer asserts key and backup key(s)

But what happens when authentication fails?

But what happens when authentication fails?Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21

DNSSEC, DANE, Certificate Transparency

Mechanisms to provide some authenticationcorroboration, via DNS or HTTP.

Still: what happens if the authentication fails?

DNSSEC, DANE, Certificate Transparency

Mechanisms to provide some authenticationcorroboration, via DNS or HTTP.Still: what happens if the authentication fails?

Lower layers

IPSec OE

TCPCrypt

MinimalLT

CurveCP

ObsTCP

Still missing

DNS (query privacy, zone enumerability)

mobile, landline phones

end-to-end e-mail

Other risks

Traffic Analysis (size, timing)

VBR VoIP leakage

metadata leakage (e.g. e-mail headers)

But these are not reasons to use cleartext.

Other risks

Traffic Analysis (size, timing)

VBR VoIP leakage

metadata leakage (e.g. e-mail headers)

But these are not reasons to use cleartext.

Observations

Against a global passive monitor, OpportunisticSecurity is very appealing.

Against an active attacker (even a non-global onelike your coffee shop) OS doesn’t help much.

If the attacker wants to stay secret, detection isnearly as good as prevention.

Authentication is critical to defend against activeattack.

Different protocol priorities suggest different failuremodes.

Encrypt first, authenticate as needed

Observations

Discussion and Questions

Thank you!

Opportunistic Security - Increasing the cost of mass surveillance … · 2014. 4. 15. ·...

Documents

Transcript of Opportunistic Security - Increasing the cost of mass surveillance … · 2014. 4. 15. ·...

Opportunistic Sensing:

A Game Theoretic Approach to Distributed Opportunistic ... · Banchs et al.: A Game Theoretic Approach to Distributed Opportunistic Scheduling Abstract—Distributed Opportunistic

CDC in Ethiopia · • Establishing a surveillance system for antimicrobial resistance • Expanding the number of field epidemiologists and increasing the number of surveillance

Northamptonshire COVID-19 Weekly Surveillance Report · Weekly Surveillance Report Data up to 2 August 2020 Due to increasing cases of COVID-19 Northampton, Corby, Wellingborough

Opportunistic viral infections after paediatric ...high, opportunistic infections may cause complications. This thesis focuses on opportunistic viral infection with cytomegalovirus,

Opportunistic fungal infection

From Opportunistic Networks to Opportunistic Computingfrank/INE6514/Artigos2012/From... · networks and opportunistic networks fostering a new computing paradigm: opportunistic comput-ing.

Opportunistic Infections: for VCU Medical Residents- Core ...gbearman/FINAL Housestaff Opportunistic Inf… · opportunistic infections. One cannot possibly cover all ‘opportunistic’

INTERCALIBRATION OF OPPORTUNISTIC MACROALGAE IN … · Intercalibration of Opportunistic macroalgae v4 2/12/2014 1 INTERCALIBRATION OF OPPORTUNISTIC MACROALGAE IN ... ANOVA shows

Opportunistic pathogens

Opportunistic Network Simulator

CMS UK Computing - Indico...QMUL - 14,934 N/A 2 TB RHUL - Opportunistic - 0 Oxford - Opportunistic - 41 TB Glasgow - Opportunistic - 174 DODAS N/A Opportunistic - N/A CMS @ home N/A

OPPORTUNISTIC IPSEC USING DNSSEC - schd.wsschd.ws/hosted_files/icann58copenhagen2017/1c/Paul Wouters... · 5 Opportunistic IPsec using DNSSEC OPPORTUNISTIC IPSEC USING DNSSEC •

Opportunistic Mycosis

Opportunistic IoT: Exploring the Harmonious Interaction ...guob.org/research/Opportunistic-IoT-JCNA.pdf · the development of opportunistic networks [3], which uses infrastructure-free,

Opportunistic Networking

opportunistic routing

Planning for Opportunistic Surveillance with Multiple Robotsmaxim/files/opportplan_iros13.pdf · Planning for Opportunistic Surveillance with Multiple Robots Dinesh Thakur , Maxim

HIV &Opportunistic Infections

Lewis.Tsurumaki.Lewis: Opportunistic Architecture