Opportunistic Security - Increasing the cost of mass surveillance … · 2014. 4. 15. ·...
Transcript of Opportunistic Security - Increasing the cost of mass surveillance … · 2014. 4. 15. ·...
Opportunistic SecurityIncreasing the cost of mass surveillance without fixing
everything
Daniel Kahn Gillmor
ACLU
April 2014
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 1 / 21
Networked CommunicationsModern telecommunications use complex networks
Example protocols:
web browsing
DNS
text chat (IRC, XMPP)
phone (landline, mobile)
VoIP
Heavily intermediatedUsually two peers, sometimes broadcast
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 2 / 21
Networked CommunicationsModern telecommunications use complex networks
Example protocols:
web browsing
DNS
text chat (IRC, XMPP)
phone (landline, mobile)
VoIP
Heavily intermediated
Usually two peers, sometimes broadcast
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 2 / 21
Networked CommunicationsModern telecommunications use complex networks
Example protocols:
web browsing
DNS
text chat (IRC, XMPP)
phone (landline, mobile)
VoIP
Heavily intermediatedUsually two peers, sometimes broadcast
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 2 / 21
Communications security
What properties do we want?
confidentiality (no snooping)
integrity (no tampering)
proof of origin (no impersonation)
anonymity (no linkability)
Why?
free expression
free association
privacy
autonomy
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 3 / 21
Communications security
What properties do we want?
confidentiality (no snooping)
integrity (no tampering)
proof of origin (no impersonation)
anonymity (no linkability)
Why?
free expression
free association
privacy
autonomy
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 3 / 21
Communications security
What properties do we want?
confidentiality (no snooping)
integrity (no tampering)
proof of origin (no impersonation)
anonymity (no linkability)
Why?
free expression
free association
privacy
autonomy
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 3 / 21
Adversaries“Secure” against who?
criminals
competitors (industrial/corporate/academic)
your ISP
other network operators
the remote peer(s) themselves
your employer
your housemates
your own government (local, state, federal)
foreign governments
and for how long?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 4 / 21
Adversaries“Secure” against who?
criminals
competitors (industrial/corporate/academic)
your ISP
other network operators
the remote peer(s) themselves
your employer
your housemates
your own government (local, state, federal)
foreign governments
and for how long?Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 4 / 21
Adversary capabilitiesWhat can they do?
What?
passive monitoring
traffic injection
traffic modification
traffic blocking
Where?
link-specific
global
Resources?
storage
processing power
memory
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 5 / 21
Cryptography to the rescue?Fancy math
We have powerful information manipulation toolscapable of offering strong guarantees for thecommunications properties we want.
ciphers
message integrity
signatures
unlinkable messages
But...
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 6 / 21
We don’t use it widelyDeployment is hard
The default is no encryption for almost all protocols anddeployments.Consider:
http://steinhardt.nyu.edu/
https://steinhardt.nyu.edu/
The latter works. Why is the first option available?
https://www.nytimes.com/ redirects to...
http://www.nytimes.com/
Why?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 7 / 21
We don’t use it widelyDeployment is hard
The default is no encryption for almost all protocols anddeployments.Consider:
http://steinhardt.nyu.edu/
https://steinhardt.nyu.edu/
The latter works. Why is the first option available?
https://www.nytimes.com/ redirects to...
http://www.nytimes.com/
Why?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 7 / 21
We don’t use it widelyDeployment is hard
The default is no encryption for almost all protocols anddeployments.Consider:
http://steinhardt.nyu.edu/
https://steinhardt.nyu.edu/
The latter works. Why is the first option available?
https://www.nytimes.com/ redirects to...
http://www.nytimes.com/
Why?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 7 / 21
Failure modesHow to discourage people from deploying
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 8 / 21
Failure modesHow to discourage people from deploying
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 8 / 21
Failure modesHow to discourage people from deploying
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 8 / 21
Distinguishing Failure modesHow can the user tell the difference?
What could have gone wrong here?
expired cert
wrong hostname
misconfigured server
non-cartel CA
active attack
What are we defending against?
Guess which ones are most common...
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 9 / 21
Distinguishing Failure modesHow can the user tell the difference?
What could have gone wrong here?
expired cert
wrong hostname
misconfigured server
non-cartel CA
active attack
What are we defending against?Guess which ones are most common...
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 9 / 21
Other protocolsMail delivery is different
Mail transfer (SMTP) prioritizes message delivery.
If a secure connection fails......fall back to message delivery in the clear.Who can attack this?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 10 / 21
Other protocolsMail delivery is different
Mail transfer (SMTP) prioritizes message delivery.If a secure connection fails...
...fall back to message delivery in the clear.Who can attack this?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 10 / 21
Other protocolsMail delivery is different
Mail transfer (SMTP) prioritizes message delivery.If a secure connection fails......fall back to message delivery in the clear.
Who can attack this?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 10 / 21
Other protocolsMail delivery is different
Mail transfer (SMTP) prioritizes message delivery.If a secure connection fails......fall back to message delivery in the clear.Who can attack this?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 10 / 21
Other protocolsXMPP Manifesto
A Public Statement Regarding Ubiquitous
Encryption on the XMPP Network“We, as operators of federated services and developers ofsoftware programs that use the XMPP standard forinstant messaging and real-time communication, committo establishing ubiquitous encryption over our network onMay 19, 2014. ...”
What happens to unencrypted/unauthenticated hostsafter the cutover? What happens to their users?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 11 / 21
Other protocolsXMPP Manifesto
A Public Statement Regarding Ubiquitous
Encryption on the XMPP Network“We, as operators of federated services and developers ofsoftware programs that use the XMPP standard forinstant messaging and real-time communication, committo establishing ubiquitous encryption over our network onMay 19, 2014. ...”
What happens to unencrypted/unauthenticated hostsafter the cutover? What happens to their users?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 11 / 21
Opportunistic Security“Just Make it Work”
Encrypt and integrity-check everything by default,potentially anonymously.
No harsh failure modes visible to the user.Nothing visible to the user.Peer may have no public authentication key.
What about active attacks again?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 12 / 21
Opportunistic Security“Just Make it Work”
Encrypt and integrity-check everything by default,potentially anonymously.No harsh failure modes visible to the user.
Nothing visible to the user.Peer may have no public authentication key.
What about active attacks again?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 12 / 21
Opportunistic Security“Just Make it Work”
Encrypt and integrity-check everything by default,potentially anonymously.No harsh failure modes visible to the user.Nothing visible to the user.
Peer may have no public authentication key.
What about active attacks again?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 12 / 21
Opportunistic Security“Just Make it Work”
Encrypt and integrity-check everything by default,potentially anonymously.No harsh failure modes visible to the user.Nothing visible to the user.Peer may have no public authentication key.
What about active attacks again?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 12 / 21
Opportunistic Security“Just Make it Work”
Encrypt and integrity-check everything by default,potentially anonymously.No harsh failure modes visible to the user.Nothing visible to the user.Peer may have no public authentication key.
What about active attacks again?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 12 / 21
Pragmatic comparisons
Instead of asking “Can it defend against activeattackers?”, ask...
“Is it better than plaintext?”
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 13 / 21
Pragmatic comparisons
Instead of asking “Can it defend against activeattackers?”, ask...
“Is it better than plaintext?”
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 13 / 21
Similar modelschat and voice
Encrypt first, authenticate later:
Off-the-Record Messaging (OTR) for text chat
ZRTP for voice/video
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 14 / 21
Latches, Leap-of-Faith, and Key PinningOnce you know, no going back
LatchesFirst time we see crypto, remember it, never usecleartext again (Strict-Transport-Security)
TOFU/LoFOnce we see peer’s public key, remember it, don’t acceptalternatives (SSH)
Key Pinningpeer asserts key and backup key(s)
But what happens when authentication fails?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21
Latches, Leap-of-Faith, and Key PinningOnce you know, no going back
LatchesFirst time we see crypto, remember it, never usecleartext again (Strict-Transport-Security)
TOFU/LoFOnce we see peer’s public key, remember it, don’t acceptalternatives (SSH)
Key Pinningpeer asserts key and backup key(s)
But what happens when authentication fails?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21
Latches, Leap-of-Faith, and Key PinningOnce you know, no going back
LatchesFirst time we see crypto, remember it, never usecleartext again (Strict-Transport-Security)
TOFU/LoFOnce we see peer’s public key, remember it, don’t acceptalternatives (SSH)
Key Pinningpeer asserts key and backup key(s)
But what happens when authentication fails?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21
Latches, Leap-of-Faith, and Key PinningOnce you know, no going back
LatchesFirst time we see crypto, remember it, never usecleartext again (Strict-Transport-Security)
TOFU/LoFOnce we see peer’s public key, remember it, don’t acceptalternatives (SSH)
Key Pinningpeer asserts key and backup key(s)
But what happens when authentication fails?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21
Latches, Leap-of-Faith, and Key PinningOnce you know, no going back
LatchesFirst time we see crypto, remember it, never usecleartext again (Strict-Transport-Security)
TOFU/LoFOnce we see peer’s public key, remember it, don’t acceptalternatives (SSH)
Key Pinningpeer asserts key and backup key(s)
But what happens when authentication fails?Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21
DNSSEC, DANE, Certificate Transparency
Mechanisms to provide some authenticationcorroboration, via DNS or HTTP.
Still: what happens if the authentication fails?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 16 / 21
DNSSEC, DANE, Certificate Transparency
Mechanisms to provide some authenticationcorroboration, via DNS or HTTP.Still: what happens if the authentication fails?
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 16 / 21
Lower layers
IPSec OE
TCPCrypt
MinimalLT
CurveCP
ObsTCP
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 17 / 21
Still missing
DNS (query privacy, zone enumerability)
mobile, landline phones
end-to-end e-mail
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 18 / 21
Other risks
Traffic Analysis (size, timing)
VBR VoIP leakage
metadata leakage (e.g. e-mail headers)
But these are not reasons to use cleartext.
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 19 / 21
Other risks
Traffic Analysis (size, timing)
VBR VoIP leakage
metadata leakage (e.g. e-mail headers)
But these are not reasons to use cleartext.
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 19 / 21
Observations
Against a global passive monitor, OpportunisticSecurity is very appealing.
Against an active attacker (even a non-global onelike your coffee shop) OS doesn’t help much.
If the attacker wants to stay secret, detection isnearly as good as prevention.
Authentication is critical to defend against activeattack.
Different protocol priorities suggest different failuremodes.
Encrypt first, authenticate as needed
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21
Observations
Against a global passive monitor, OpportunisticSecurity is very appealing.
Against an active attacker (even a non-global onelike your coffee shop) OS doesn’t help much.
If the attacker wants to stay secret, detection isnearly as good as prevention.
Authentication is critical to defend against activeattack.
Different protocol priorities suggest different failuremodes.
Encrypt first, authenticate as needed
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21
Observations
Against a global passive monitor, OpportunisticSecurity is very appealing.
Against an active attacker (even a non-global onelike your coffee shop) OS doesn’t help much.
If the attacker wants to stay secret, detection isnearly as good as prevention.
Authentication is critical to defend against activeattack.
Different protocol priorities suggest different failuremodes.
Encrypt first, authenticate as needed
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21
Observations
Against a global passive monitor, OpportunisticSecurity is very appealing.
Against an active attacker (even a non-global onelike your coffee shop) OS doesn’t help much.
If the attacker wants to stay secret, detection isnearly as good as prevention.
Authentication is critical to defend against activeattack.
Different protocol priorities suggest different failuremodes.
Encrypt first, authenticate as needed
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21
Observations
Against a global passive monitor, OpportunisticSecurity is very appealing.
Against an active attacker (even a non-global onelike your coffee shop) OS doesn’t help much.
If the attacker wants to stay secret, detection isnearly as good as prevention.
Authentication is critical to defend against activeattack.
Different protocol priorities suggest different failuremodes.
Encrypt first, authenticate as needed
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21
Observations
Against a global passive monitor, OpportunisticSecurity is very appealing.
Against an active attacker (even a non-global onelike your coffee shop) OS doesn’t help much.
If the attacker wants to stay secret, detection isnearly as good as prevention.
Authentication is critical to defend against activeattack.
Different protocol priorities suggest different failuremodes.
Encrypt first, authenticate as needed
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21
Discussion and Questions
Thank you!
Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 21 / 21