Friday, May 19, 2017

ICMC17: REvisiting Thread Models for Cryptography

Bart Preneel, imec-COSIC KU Leuven, Belgium

Rule #1 of cryptanalysis: search for plaintext first :-)

With the Snowden documents, we learned that the NSA is foiling much of the deployed encryption - using super computers, turnkeys, backdoors, etc.

If you can't get the plain text - try just asking for the key, then you can do the decryption.  About 300,000 NSA letters for keys have  been issued since 2001.  Most come with gag orders, so it's difficult to get this information.

Yahoo fought the security letter they received. Others, like Silent Circle and Lavabit just shut down.

So, think about PFS - if someone gets one of your keys, can they get your older data as well?  You can replace RSA with DH for perfect forward secrecy.  logjam, though, was able to subvert the system by downgrading the negotiation and then read your data.

If you can't get the private key, try substituting the public key (because you have the private key for your public key!)  The most recent attack in this area was fake SSL certificates or SSL person-in-th-middle attacks.

this brought about "Let's Encrypt" that has been live since 2015.

If you can't get the key, try cryptovirology (book by Young and Yung).

Or, how about a trapdoor in your PRNG (Dual EC DRBG, in Juno's ScreenOS).

What other technology might be similarly subverted?

If you can't undermine the encryption, how about attacking the end systems?

Hardware hacking: intercepted packages are opened carfully and a "load station" implants a beacon. If you don't want your  routers to come with "extra bits", you might want to pick them up from the manufacturer (pictures shown of this  happening to Cisco routers).

There is a chip that can be installed between monitor and keyboard, can be powered up remotely by radar and then the remote attacker can read what's on your screen.

Maybe we need offense over defense?  How many 0-days do our governments have? Are they revealed to vendors? If so, when?  NSA claims that they have released more than 90% of the 0-days to vendors, but didn't say anything about how long they hold onto the attacks before doing the notification.

another good way to fight encryption - complicated standards! Does anyone really fully understand IPsec, for example. Backdoors are another way, but we should be able to see from DUAL_EC_DRBG where the backdoor was backdoored....

There are 18Billion encrypted deployed devices to protect industry - not you. Like DRM to control content.

There are 14B encryption devises to protect users, but there are issues. Look at encryption on phones - it's not end to end, so still issues. Consumers might have "encrypted harddrives", but without key management, the hard drive can just be pulled out and put into another machine and read.

There are issues with many messaging services - they back up your messages in the clear in the cloud.

Secure channels are still a challenge with lack of forward secrecy, denial of service, lack of secure routing, and lack of control over meta data (which is still data!)  TOR hides your IP address, but not your location, so it is limited.

when doing design, avoid a single point of trust that becomes a single point of failure. stop collecting massive amounts of data.

distributed systems work: Root keys of some CAs, Skype (pre-2011) and bitcoin.

We need new ways to detect fraud and abuse.  We need open source solutions, open standards, effective governance and transparency for service providers.  And finally, deploy more advanced crypto.