Opportunistic Security - Increasing the cost of mass surveillance … · 2014. 4. 15. ·...

Opportunistic SecurityIncreasing the cost of mass surveillance without fixing

everything

Daniel Kahn Gillmor

April 2014

Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 1 / 21

Networked CommunicationsModern telecommunications use complex networks

Example protocols:

web browsing

e-mail

text chat (IRC, XMPP)

phone (landline, mobile)

Heavily intermediatedUsually two peers, sometimes broadcast

Example protocols:

web browsing

e-mail

Heavily intermediated

Usually two peers, sometimes broadcast

Example protocols:

web browsing

e-mail

Heavily intermediatedUsually two peers, sometimes broadcast

Communications security

What properties do we want?

confidentiality (no snooping)

integrity (no tampering)

proof of origin (no impersonation)

anonymity (no linkability)

free expression

free association

privacy

autonomy

free expression

free association

privacy

autonomy

free expression

free association

privacy

autonomy

Adversaries“Secure” against who?

criminals

competitors (industrial/corporate/academic)

your ISP

other network operators

the remote peer(s) themselves

your employer

your housemates

your own government (local, state, federal)

foreign governments

and for how long?

Adversaries“Secure” against who?

criminals

competitors (industrial/corporate/academic)

your ISP

other network operators

the remote peer(s) themselves

your employer

your housemates

your own government (local, state, federal)

foreign governments

and for how long?Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 4 / 21

Adversary capabilitiesWhat can they do?

passive monitoring

traffic injection

traffic modification

traffic blocking

Where?

link-specific

global

Resources?

storage

processing power

memory

Cryptography to the rescue?Fancy math

We have powerful information manipulation toolscapable of offering strong guarantees for thecommunications properties we want.

ciphers

message integrity

signatures

unlinkable messages

But...

We don’t use it widelyDeployment is hard

The default is no encryption for almost all protocols anddeployments.Consider:

http://steinhardt.nyu.edu/

https://steinhardt.nyu.edu/

The latter works. Why is the first option available?

https://www.nytimes.com/ redirects to...

http://www.nytimes.com/

Failure modesHow to discourage people from deploying

Distinguishing Failure modesHow can the user tell the difference?

What could have gone wrong here?

expired cert

wrong hostname

misconfigured server

non-cartel CA

active attack

What are we defending against?

Guess which ones are most common...

Distinguishing Failure modesHow can the user tell the difference?

What could have gone wrong here?

expired cert

wrong hostname

misconfigured server

non-cartel CA

active attack

What are we defending against?Guess which ones are most common...

Other protocolsMail delivery is different

Mail transfer (SMTP) prioritizes message delivery.

If a secure connection fails......fall back to message delivery in the clear.Who can attack this?

Mail transfer (SMTP) prioritizes message delivery.If a secure connection fails...

...fall back to message delivery in the clear.Who can attack this?

Mail transfer (SMTP) prioritizes message delivery.If a secure connection fails......fall back to message delivery in the clear.

Who can attack this?

Mail transfer (SMTP) prioritizes message delivery.If a secure connection fails......fall back to message delivery in the clear.Who can attack this?

Other protocolsXMPP Manifesto

A Public Statement Regarding Ubiquitous

Encryption on the XMPP Network“We, as operators of federated services and developers ofsoftware programs that use the XMPP standard forinstant messaging and real-time communication, committo establishing ubiquitous encryption over our network onMay 19, 2014. ...”

What happens to unencrypted/unauthenticated hostsafter the cutover? What happens to their users?

Other protocolsXMPP Manifesto

A Public Statement Regarding Ubiquitous

Encryption on the XMPP Network“We, as operators of federated services and developers ofsoftware programs that use the XMPP standard forinstant messaging and real-time communication, committo establishing ubiquitous encryption over our network onMay 19, 2014. ...”

What happens to unencrypted/unauthenticated hostsafter the cutover? What happens to their users?

Opportunistic Security“Just Make it Work”

Encrypt and integrity-check everything by default,potentially anonymously.

No harsh failure modes visible to the user.Nothing visible to the user.Peer may have no public authentication key.

What about active attacks again?

Encrypt and integrity-check everything by default,potentially anonymously.No harsh failure modes visible to the user.

Nothing visible to the user.Peer may have no public authentication key.

Encrypt and integrity-check everything by default,potentially anonymously.No harsh failure modes visible to the user.Nothing visible to the user.

Peer may have no public authentication key.

Encrypt and integrity-check everything by default,potentially anonymously.No harsh failure modes visible to the user.Nothing visible to the user.Peer may have no public authentication key.

Pragmatic comparisons

Instead of asking “Can it defend against activeattackers?”, ask...

“Is it better than plaintext?”

Pragmatic comparisons

Instead of asking “Can it defend against activeattackers?”, ask...

“Is it better than plaintext?”

Similar modelschat and voice

Encrypt first, authenticate later:

Off-the-Record Messaging (OTR) for text chat

ZRTP for voice/video

Latches, Leap-of-Faith, and Key PinningOnce you know, no going back

LatchesFirst time we see crypto, remember it, never usecleartext again (Strict-Transport-Security)

TOFU/LoFOnce we see peer’s public key, remember it, don’t acceptalternatives (SSH)

Key Pinningpeer asserts key and backup key(s)

But what happens when authentication fails?

But what happens when authentication fails?Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21

DNSSEC, DANE, Certificate Transparency

Mechanisms to provide some authenticationcorroboration, via DNS or HTTP.

Still: what happens if the authentication fails?

DNSSEC, DANE, Certificate Transparency

Mechanisms to provide some authenticationcorroboration, via DNS or HTTP.Still: what happens if the authentication fails?

Lower layers

IPSec OE

TCPCrypt

MinimalLT

CurveCP

ObsTCP

Still missing

DNS (query privacy, zone enumerability)

mobile, landline phones

end-to-end e-mail

Other risks

Traffic Analysis (size, timing)

VBR VoIP leakage

metadata leakage (e.g. e-mail headers)

But these are not reasons to use cleartext.

Other risks

Traffic Analysis (size, timing)

VBR VoIP leakage

metadata leakage (e.g. e-mail headers)

But these are not reasons to use cleartext.

Observations

Against a global passive monitor, OpportunisticSecurity is very appealing.

Against an active attacker (even a non-global onelike your coffee shop) OS doesn’t help much.

If the attacker wants to stay secret, detection isnearly as good as prevention.

Authentication is critical to defend against activeattack.

Different protocol priorities suggest different failuremodes.

Encrypt first, authenticate as needed

Observations

Discussion and Questions

Thank you!

Opportunistic Security - Increasing the cost of mass surveillance … · 2014. 4. 15. ·...

Documents

Transcript of Opportunistic Security - Increasing the cost of mass surveillance … · 2014. 4. 15. ·...