Opportunistic Security Increasing the cost of mass surveillance without fixing everything Daniel Kahn Gillmor ACLU April 2014 Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 1 / 21 Networked Communications Modern telecommunications use complex networks Example protocols: web browsing e-mail DNS text chat (IRC, XMPP) phone (landline, mobile) VoIP Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 2 / 21 Networked Communications Modern telecommunications use complex networks Example protocols: web browsing e-mail DNS text chat (IRC, XMPP) phone (landline, mobile) VoIP Heavily intermediated Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 2 / 21 Networked Communications Modern telecommunications use complex networks Example protocols: web browsing e-mail DNS text chat (IRC, XMPP) phone (landline, mobile) VoIP Heavily intermediated Usually two peers, sometimes broadcast Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 2 / 21 Communications security What properties do we want? confidentiality (no snooping) integrity (no tampering) proof of origin (no impersonation) anonymity (no linkability) Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 3 / 21 Communications security What properties do we want? confidentiality (no snooping) integrity (no tampering) proof of origin (no impersonation) anonymity (no linkability) Why? Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 3 / 21 Communications security What properties do we want? confidentiality (no snooping) integrity (no tampering) proof of origin (no impersonation) anonymity (no linkability) Why? free expression free association privacy autonomy Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 3 / 21 Adversaries “Secure” against who? criminals competitors (industrial/corporate/academic) your ISP other network operators the remote peer(s) themselves your employer your housemates your own government (local, state, federal) foreign governments Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 4 / 21 Adversaries “Secure” against who? criminals competitors (industrial/corporate/academic) your ISP other network operators the remote peer(s) themselves your employer your housemates your own government (local, state, federal) foreign governments and for how long? Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 4 / 21 Adversary capabilities What can they do? What? passive monitoring traffic injection traffic modification traffic blocking Where? link-specific global Daniel Kahn Gillmor (ACLU) Resources? storage processing power memory Opportunistic Security April 2014 5 / 21 Cryptography to the rescue? Fancy math We have powerful information manipulation tools capable of offering strong guarantees for the communications properties we want. ciphers message integrity signatures unlinkable messages But... Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 6 / 21 We don’t use it widely Deployment is hard The default is no encryption for almost all protocols and deployments. Consider: http://steinhardt.nyu.edu/ https://steinhardt.nyu.edu/ The latter works. Why is the first option available? Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 7 / 21 We don’t use it widely Deployment is hard The default is no encryption for almost all protocols and deployments. Consider: http://steinhardt.nyu.edu/ https://steinhardt.nyu.edu/ The latter works. Why is the first option available? https://www.nytimes.com/ redirects to... Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 7 / 21 We don’t use it widely Deployment is hard The default is no encryption for almost all protocols and deployments. Consider: http://steinhardt.nyu.edu/ https://steinhardt.nyu.edu/ The latter works. Why is the first option available? https://www.nytimes.com/ redirects to... http://www.nytimes.com/ Why? Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 7 / 21 Failure modes How to discourage people from deploying Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 8 / 21 Failure modes How to discourage people from deploying Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 8 / 21 Failure modes How to discourage people from deploying Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 8 / 21 Distinguishing Failure modes How can the user tell the difference? What could have gone wrong here? expired cert wrong hostname misconfigured server non-cartel CA active attack What are we defending against? Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 9 / 21 Distinguishing Failure modes How can the user tell the difference? What could have gone wrong here? expired cert wrong hostname misconfigured server non-cartel CA active attack What are we defending against? Guess which ones are most common... Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 9 / 21 Other protocols Mail delivery is different Mail transfer (SMTP) prioritizes message delivery. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 10 / 21 Other protocols Mail delivery is different Mail transfer (SMTP) prioritizes message delivery. If a secure connection fails... Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 10 / 21 Other protocols Mail delivery is different Mail transfer (SMTP) prioritizes message delivery. If a secure connection fails... ...fall back to message delivery in the clear. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 10 / 21 Other protocols Mail delivery is different Mail transfer (SMTP) prioritizes message delivery. If a secure connection fails... ...fall back to message delivery in the clear. Who can attack this? Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 10 / 21 Other protocols XMPP Manifesto A Public Statement Regarding Ubiquitous Encryption on the XMPP Network “We, as operators of federated services and developers of software programs that use the XMPP standard for instant messaging and real-time communication, commit to establishing ubiquitous encryption over our network on May 19, 2014. ...” Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 11 / 21 Other protocols XMPP Manifesto A Public Statement Regarding Ubiquitous Encryption on the XMPP Network “We, as operators of federated services and developers of software programs that use the XMPP standard for instant messaging and real-time communication, commit to establishing ubiquitous encryption over our network on May 19, 2014. ...” What happens to unencrypted/unauthenticated hosts after the cutover? What happens to their users? Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 11 / 21 Opportunistic Security “Just Make it Work” Encrypt and integrity-check everything by default, potentially anonymously. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 12 / 21 Opportunistic Security “Just Make it Work” Encrypt and integrity-check everything by default, potentially anonymously. No harsh failure modes visible to the user. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 12 / 21 Opportunistic Security “Just Make it Work” Encrypt and integrity-check everything by default, potentially anonymously. No harsh failure modes visible to the user. Nothing visible to the user. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 12 / 21 Opportunistic Security “Just Make it Work” Encrypt and integrity-check everything by default, potentially anonymously. No harsh failure modes visible to the user. Nothing visible to the user. Peer may have no public authentication key. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 12 / 21 Opportunistic Security “Just Make it Work” Encrypt and integrity-check everything by default, potentially anonymously. No harsh failure modes visible to the user. Nothing visible to the user. Peer may have no public authentication key. What about active attacks again? Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 12 / 21 Pragmatic comparisons Instead of asking “Can it defend against active attackers?”, ask... Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 13 / 21 Pragmatic comparisons Instead of asking “Can it defend against active attackers?”, ask... “Is it better than plaintext?” Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 13 / 21 Similar models chat and voice Encrypt first, authenticate later: Off-the-Record Messaging (OTR) for text chat ZRTP for voice/video Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 14 / 21 Latches, Leap-of-Faith, and Key Pinning Once you know, no going back Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21 Latches, Leap-of-Faith, and Key Pinning Once you know, no going back Latches First time we see crypto, remember it, never use cleartext again (Strict-Transport-Security) Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21 Latches, Leap-of-Faith, and Key Pinning Once you know, no going back Latches First time we see crypto, remember it, never use cleartext again (Strict-Transport-Security) TOFU/LoF Once we see peer’s public key, remember it, don’t accept alternatives (SSH) Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21 Latches, Leap-of-Faith, and Key Pinning Once you know, no going back Latches First time we see crypto, remember it, never use cleartext again (Strict-Transport-Security) TOFU/LoF Once we see peer’s public key, remember it, don’t accept alternatives (SSH) Key Pinning peer asserts key and backup key(s) Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21 Latches, Leap-of-Faith, and Key Pinning Once you know, no going back Latches First time we see crypto, remember it, never use cleartext again (Strict-Transport-Security) TOFU/LoF Once we see peer’s public key, remember it, don’t accept alternatives (SSH) Key Pinning peer asserts key and backup key(s) But what happens when authentication fails? Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 15 / 21 DNSSEC, DANE, Certificate Transparency Mechanisms to provide some authentication corroboration, via DNS or HTTP. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 16 / 21 DNSSEC, DANE, Certificate Transparency Mechanisms to provide some authentication corroboration, via DNS or HTTP. Still: what happens if the authentication fails? Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 16 / 21 Lower layers IPSec OE TCPCrypt MinimalLT CurveCP ObsTCP Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 17 / 21 Still missing DNS (query privacy, zone enumerability) mobile, landline phones end-to-end e-mail Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 18 / 21 Other risks Traffic Analysis (size, timing) VBR VoIP leakage metadata leakage (e.g. e-mail headers) Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 19 / 21 Other risks Traffic Analysis (size, timing) VBR VoIP leakage metadata leakage (e.g. e-mail headers) But these are not reasons to use cleartext. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 19 / 21 Observations Against a global passive monitor, Opportunistic Security is very appealing. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21 Observations Against a global passive monitor, Opportunistic Security is very appealing. Against an active attacker (even a non-global one like your coffee shop) OS doesn’t help much. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21 Observations Against a global passive monitor, Opportunistic Security is very appealing. Against an active attacker (even a non-global one like your coffee shop) OS doesn’t help much. If the attacker wants to stay secret, detection is nearly as good as prevention. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21 Observations Against a global passive monitor, Opportunistic Security is very appealing. Against an active attacker (even a non-global one like your coffee shop) OS doesn’t help much. If the attacker wants to stay secret, detection is nearly as good as prevention. Authentication is critical to defend against active attack. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21 Observations Against a global passive monitor, Opportunistic Security is very appealing. Against an active attacker (even a non-global one like your coffee shop) OS doesn’t help much. If the attacker wants to stay secret, detection is nearly as good as prevention. Authentication is critical to defend against active attack. Different protocol priorities suggest different failure modes. Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21 Observations Against a global passive monitor, Opportunistic Security is very appealing. Against an active attacker (even a non-global one like your coffee shop) OS doesn’t help much. If the attacker wants to stay secret, detection is nearly as good as prevention. Authentication is critical to defend against active attack. Different protocol priorities suggest different failure modes. Encrypt first, authenticate as needed Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 20 / 21 Discussion and Questions Thank you! Daniel Kahn Gillmor (ACLU) Opportunistic Security April 2014 21 / 21
© Copyright 2026 Paperzz