Public Key Infrastructure Fundamentals - Bart Preneel

Captions
Morning everybody, let's get started: public-key infrastructure. So the goals of this lecture are to understand how you can distribute public keys. So cryptography is all about moving the protection of information to keys, and at first this is symmetric cryptography, and it's about moving the protection of information to secret keys. But then of course, because secret keys are kind of hard to distribute, especially on a large scale, and you have a very big weakness because you end up with a database of secret keys, what you would like to do is public-key cryptography. So for large-scale cryptosystems we usually use public-key cryptography, although there are exceptions: for example the GSM system, which is actually a huge-scale system with billions of users, is based on symmetric cryptography. But at least for open systems, because GSM is closed in some sense, you only have security between you and your operator, there is no security between you and the recipient of the call anywhere in the world; so for large-scale cases you need public-key cryptography, where you move the protection to the authenticity of public keys. And this seems to be kind of easy, or we thought it would be very easy. I think in practice it's quite hard, because this is where you really end up interacting with real users and real systems and real organizations and structures. And so I think in some sense cryptographers have been very naive: we thought that we could bend the world to our view of how public keys should be distributed; of course it should be the other way around, you should organize how you distribute public keys according to how the world is organized, and the world is complex, so this is also a complex problem. So I hope most of you already know something about certificates, but we'll go back in detail to explain to you what the CA does. And of course the big problem with CAs, certification authorities, who distribute public keys, is that there is not one. If there was one, the world would be easy, but the problem is there are many, and they all operate in a different way, depending on the application sector. So there is a range of them, about 60 to 70 for the Internet, there are some for the financial sector, there are some for the government sector, and so how can all this interoperate?

But so in general there are many ways to distribute public keys. So between people it's pretty easy; cryptographers may be an exception there, so many cryptographers just print the hash of their public key on their business card, and so in fact if you meet them the first time you actually get the hash of the public key, and then later on they can email you their public key over an insecure channel, and then, if you trust the authenticity of the piece of paper you received, you have an authentic copy of their public key. It's kind of easy. Or you could also decide to put your public key, or the hash of it, in many places, so organizations could decide to print it in a newspaper; this was what was originally conceived with this kind of technique. So if it's between two people it's kind of easy, right, I mean in the worst case you just read the hash over the phone.

Then the second approach was to say, well, how do we distribute phone numbers? Well, we did this for a long time in a telephone directory. Those things are disappearing, but for those of you who are very young, this is the thick book that used to appear once a year in your mailbox, and then you had the phone number of everybody, okay. And so the idea was that you would do the same with public keys: produce a big phone directory with public keys, and then you would authenticate them in a clever way, so you would actually authenticate them all together by hashing them together in a tree shape, and you only have to authenticate the root value, and this would be in the newspaper or would be in many places. There was just a small problem with this: if one public key changes, of course you have to recalculate the whole tree, so with every change a new root value appears. So this never flew, because public keys change too quickly, and this kind of authentication tree is not very practical in that sense.

So the easiest way to check whether a public key is correct is just to ask somebody: I need a public key, or I have a public key, is it correct? You go to a central place and say, is this up to date, yes or no? And in fact this is the main mode which we should use today, because we have an online world, and in an online world you just create a central server which has all the public keys, and if you want to know about, like, if you say, hey, what is the public key of this person, or you have your public key, you can ask, is it still up to date, and you're given an answer, yes or no. And today we actually use it, I mean, under the name OCSP. And so this is maybe how public keys should work, but the problem is that when public-key cryptography was invented in 1978 there was no online world; people were offline, and so the models conceived were offline, and the problem is we are still stuck with those even in an online world.

So for an offline world what was conceived were certificates. This is a concept invented by Kohnfelder, a master's student at MIT who was working with Rivest, and so more or less immediately after the invention of RSA he came up with the idea of a certificate. And then about 18 years later Paul Van Oorschot, who was actually so kind as to lend me several slides of his presentation, he actually coined the name public-key infrastructure, and the vision behind it is that every organization would have an infrastructure, for e-commerce or the finance world or the government world, that provides you with public keys. So what is behind this idea is that in a building you have water, electricity and maybe gas, and also keys, and so the vision behind this is that it would be an infrastructure that would give you keys. So unfortunately we are very far from this, in spite of all the ambition and plans.

And then if I have time I will discuss a very cute and weird cryptographic idea which is due to Shamir, who is a very creative character, and the first practical systems have appeared about 10 years ago, which is identity-based public-key cryptography. Now the idea is very simple: your name is your public key. So in fact this is great, because if your name is your public key you don't need to distribute public keys anymore, you just need to determine names, and so for example your email address can be your name, and your name is your public key. This is great because you have now solved the problem, right? So it sounds like a cool thing, and when Shamir conceived it in the mid-80s people thought, if we could only do this. And so about 10-12 years ago some Japanese researchers conceived something, and then Dan Boneh and Matt Franklin had a similar idea, identity-based encryption, and so in fact now there are practical solutions. But the more you think about this, it doesn't work, okay. So it looks great; in practice it is great to go to venture capitalists and ask for money and say we have a great idea, but if you start implementing this you will see it doesn't work. We'll come back to this at the end.

So I guess we all know what a certificate is today. So who has never heard of certificates? Oh, nobody dares to confess it, or you've all heard of it, okay. A certificate is like your electronic identity card which links your public key to your name; that's essentially what it is. It has a distinguished name; this terminology comes from the ITU world. So you should also imagine that, so the idea is 1978, the standards are 1988, or it ran around that time, the late 80s; at that time the telecoms still ruled the world, they had a monopoly in every country, and they had a structure based in Geneva called CCITT, now called ITU, and they ruled the world, so they made the decisions. And so the whole public-key idea as we have it today was conceived by the telecoms, and so they had a hierarchical view of the world, and so it's kind of a problem, because we still suffer from some of the ideas that they had at the time; for example the terminology and so on is still based on their view of the world, like distinguished names, country names and so on. Of course, like an identity card, it has a serial number and it has a beginning and an expiry date, and then something which you don't have in an identity card is a link to a revocation list, because issuing keys is easy, revoking keys is hard. If anybody comes with a great idea how to distribute keys, you always ask the question, and how will you revoke them? And then you will find out whether the method works or not, because giving out stuff is easy but revoking stuff is hard; this is more or less essential. Of course you have a public key in there, and the name of the CA.

So what was the idea conceived to revoke keys? You just have a CRL. So the CA, the certification authority, would actually publish every day or every hour a signed list of all revoked certificates, and again it has a limited validity, begin and end, it has a name, and it has a list of revoked certificates. Why doesn't it have the list of public-key owners and certificates and public keys? It's because of privacy reasons. So you don't want to publish, like, who for example has left the organization; most companies don't want to publish a list every day of who they fired today, right, this is something which is typically private. It's also a problem actually in our certificates, because in fact again most organizations don't want to publish who is working for them, with their job titles, so this is also why getting certificates is hard and getting secure email is hard, because if you want to send an email to, say, somebody working at Siemens or IBM, IBM is not so keen to publish their whole company hierarchy with names and contact information and public keys, because this is private information for the company. And the same for citizens, right, I mean Belgium cannot publish a list of all the citizens with their email addresses. So this was something which I think the public-key world, or the telecom world, had not conceived, because of course telephone numbers were made public, and so this is what they had in mind, and of course we can't have this in practice.

So in terms of cryptography we have not solved the problem at all, because we moved the problem again: a certificate is signed by the private key of the CA, and so if you want to verify such a signature you need the public key of the CA. So we moved the problem of secret keys to public keys of users, and now we move one more time the problem of public keys of users to the public key of the CA. So now the question is, how do I distribute the public key of the CA? Well, there are solutions depending on the application, but the standard solution today is: write it in the browser. Is it secure? No, because any virus can actually update those things, and in fact the different browsers have slightly different lists, and also as a manager in a company, a security person, it's very hard to control this, because users can individually add certificates and remove certificates, so in fact it's very hard to essentially control. There are also other channels: you could publish it in a newspaper; in Belgium, on the identity cards, the certificate of the CA is also written on your identity card, so it means that actually your identity card has it, and even if there is no browser you actually have this certificate. Of course then you don't know whether it's correct, but this is another source of the same information, so you can match it against the previous one.

So I think the important message to remember is this whole thing is very 70s technology-wise, conceived in the 80s, and it's now everywhere, and this is why it doesn't work very well: because in fact it has a completely different view of the world, and we're now stuck with it. And of course I'm exaggerating a bit, as I always do, to make the point; of course in practice the technology has been adapted to modern technologies and modern ideas, but we are still left with leftovers from the past, and this is often a problem.

So we will look briefly at key lifecycle management, at the building blocks of the PKI; we will not look at the architecture, how you build it up; we will spend more time on trust models, and trust models are actually a way of looking at how multiple CAs can interact. So I will skip this slide, in the interest of time. So essentially what this slide explains is how you can actually secure an email with certificates. Has anybody sent secure email here? One, two, three using PGP; who is using certificates, S/MIME? Who uses S/MIME here? Three people. You see, this is actually the state of the art today: even the security people don't use it, or ten percent of them use it, okay; I think in the general population it's less than a percent of a percent. So as a security community we failed there. There are of course usability issues, definitely, but I think there are also other issues, and I think one which is underestimated is the problem of privacy, the fact that in fact it's hard to get someone's public key, because organizations are not keen to give this out, okay.

So first you generate keys, and hopefully you do this properly, as we will see this afternoon or on Friday. It turns out that especially keys generated in embedded devices tend to be not random, and if they're RSA keys they can be factored easily. The latest news is that the same problem has popped up in the identity cards of Taiwan, and those are produced on Common Criteria certified cards, which is scarier, so even if you have a tested and certified card, it turns out that the key generated may be bad, and in the case of RSA it means we can factor it. Then you get a certificate, okay; hopefully you use the key, which means there is validation, a regular validation of the key, and then of course at some moment the key expires, and a very common practice is just to re-sign the key, and that's it, which is of course not a very good practice: you should refresh the key and generate a new one and start the whole process anew. But so in the industry a very common practice is, if the key expires, you just sign it again and they continue as if nothing happened. Of course there is an advantage in changing a key: whatever has been compromised, you actually now can gain new security; you can also use the occasion to increase the key length and so on. So it's not a very good practice to not change your key at every update, and of course it should all happen in an automated way: you don't want users to see pop-ups that say please refresh your keys, please enter some random digits, please choose your exponent for RSA; you don't want those things, right. These are the mistakes of the 90s, when people tried this: this is cool, we're going to implement public-key crypto, computers are now fast enough for it. But of course if you make the system unusable, or if you ask non-technical people to, like, generate or choose RSA exponents, then you're in really, really bad shape, okay.

But so the vision behind PKI was that you would have an infrastructure where this is all done for you; this is more or less what the idea was. I think this works for individual applications, but the vision was much broader, towards unified security, and I think this has failed. This is a vision from the mid-90s, and today this does not work. So the idea was you would have secure email with PKI, but as you've seen, even after, I guess the PKI hype started in the mid-90s, so you see even after 15 years we're still not there; you don't have secure email, or the use of secure email is still quite marginal. Secure desktop, I guess yes; since 2000 every Windows box has its own CA built in, and I'm not saying that our desktops are more secure, but at least we have public-key technology in there for code updates and for all kinds of other things you can use public-key technology for. Enterprise resource planning, like SAP-like systems and PeopleSoft; KU Leuven is a big user; I don't think they have any security except for a password, so there I think it didn't happen, there was no integration whatsoever: you log in and you have access to everything, nothing is being signed. For VPNs, so for IPsec, we do have public keys, but for these small-scale systems people prefer to install them manually, because it's so complex to do it automatically, but it can be done; I guess there are large-scale deployments that use it. For the web, there we have millions of certificates issued, and I guess we all use e-commerce on a daily basis, or secure access to websites, so there we have massive usage, but this infrastructure is deeply flawed in my opinion, but it seems that we don't care, or we don't care enough to really invest in it and to fix the problems. So overall there is no PKI that covers all these things: there is a PKI island for the web; for email it is spotty; desktop, yes, but the vendors do this, I mean you can be sure that of course also the mobile phones have PKI to guarantee updates and guarantee control on your device; VPN is a separate island; ERP, I guess it exists as a product and some people use it, but it's not massive. The financial sector has of course created large PKIs; the biggest PKI known is of course EMV, which has, I gather, now more than a billion cards issued; this is the biggest PKI in operation which is used on a daily basis. And I guess there are more in individual sectors; for example governments have also rolled out large-scale PKIs.

So the central part of a PKI is a CA, a certification authority. So it has to create a key pair and protect the private key; hopefully this CA also has both a hardware module and a backup, and then hopefully the CA has rented space in a secure building, so a bunker with biometric access, with secure cards for access, with 24/7 guards and dogs and guns and the whole protection. Because in fact, as I said, what we need is an authentic copy of the public key of the CA; we need also something else, we need that the CA keeps its private key private, or secret, because if that key leaks out then you're really in trouble, okay. And so there is something else we forgot, which I will discuss in the afternoon: not only may it be the case that this key is in a hardware module and cannot get out, you also need to make sure that nobody can use this private key in an inappropriate way. What we've seen in recent attacks is that the key is in a secure box, but some rogue software or hacker takes control of the PC talking to this box and then gets things signed, and then there is no point in having your key secure if malware can have anything submitted for signing, right. So in fact CAs need a secure environment, okay. So there is of course a concentration in this industry, and more CAs put all their equipment in a central building, to share the cost and to reduce the cost.

What is very important is the policies. If a CA signs a certificate, what does it mean, for what is it liable, what has it checked; of course how long is a certificate valid, typically this is one year, okay; initially it was one year because the CAs wanted an annual revenue. Of course identity cards and passports, they also have CAs, and they typically have five or ten year validity. Which algorithms can be used, which key lengths; these are all the rules that control stuff. So in general you get quite a long policy, and so it essentially says for what the CA is liable, and I'm not a lawyer, but if you read those policies they're very long and they say they're not liable for anything; that's mostly what most policies say, right, and it's kind of amazing.

I think we have the problem less in Europe, but in particular in the Anglo-Saxon world the concept of identity there is very different from here. So here, and this is something we can thank Napoleon for, Napoleon needed soldiers for his big wars, so everybody chose a name, he made a public registry so you could find the soldiers, and changing your name was kind of against the constitution. So it's very difficult in most of Europe, except for the Anglo-Saxon world, to change your name, while in the UK and the US you can just change your name like this; I think the only exception is if you're in a lawsuit, you actually can't do it for a while because the judge may be confused, but for the rest you can change your name every other week if you really feel like this. And so in those kinds of worlds of course this is very difficult, to check something. So if you move to the UK you'll find out that if you want to open a bank account they will ask for your gas bill, electricity bill to identify you, because they don't have an identity card and a government register. And so you can see that the CA in the Anglo-Saxon world even has to check your identity, but it has to use gas bills, electricity bills, and this is painful, so they'll typically just believe you, right. So there is a big problem there. Of course in the banking world banks do know their clients, and of course the government, especially in the non-Anglo-Saxon world, also knows who people are, but even there we've seen fraud cases, with a Belgian guy who happened to have three identity cards, right, so those things happen. But at least it depends on the different culture, but in the Anglo-Saxon world checking who somebody is is actually much harder than it is, I would say, in Belgium, in France or in Germany.

Then of course you need to store the certificates in a database, a repository, and I forgot to mention this, but so the standard for this repository was the X.500 directory. So X.500 was supposed to be the directory, like the electronic telephone book, and the mail program was X.400. I guess there are not many people who still have used X.400 mail in the 80s; very interesting mails, those which didn't arrive; it usually didn't work, X.400, and if it worked you were really happy, and all the messages were very, very long because there were a lot of headers inserted that nobody understood and nobody could deal with. But so this is what the telecoms did: they made a mail program, X.400, a mail interface, which unfortunately somehow disappeared, and X.500 was a directory, and X.509 the certificate standard. So this is the standard which specifies how a certificate should look; this is the X.509 standard. And so the access to the database was X.500, and it was also horrible, so after a while the industry got rid of it and they created LDAP. LDAP stands for Lightweight Directory Access Protocol, so it was lightweight because X.500 was heavyweight, okay. So it was kind of, they got fed up with X.500 and they made something simpler. So I'm not an expert in databases, but what I know for sure is that there is even less standardization for CAs. So of course as a naive academic or as a naive young person you may think that you create CA standards and certificate standards and you make sure that everybody can understand all certificates, okay, there is interoperability. Now of course the CA industry, this is kind of the gold rush of the 90s, so some people got very, very rich, I mean Baltimore is a famous example in Ireland, but there is also Mark Shuttleworth from Thawte, so he used his money to go on the space shuttle, right. So it was kind of a gold rush, and the model was to make sure that you would lock in your customer, so you would define certificates that could not be understood by anybody else, and for this purpose X.509 got extensions, and so every vendor has its own extensions, and so in fact they made sure that if you had a certificate from vendor A it could not be understood by software from vendor B, and vice versa; they tried to lock in their clients, and so it was very difficult to actually go and change vendors, or it was difficult to have multiple vendors supplying your public-key infrastructure. So apparently the database experts told me that for databases it was even worse. So when this problem happened, so in the mid-90s, if you were a large company you had to have at least 10 CA projects, or PKI projects, or else you were not really doing well, and then of course we also got the dot-com hype and all of the mergers, and then when people started merging two companies they realized that the databases were completely incompatible, and the same for certificates and whatever. So it was really a very inefficient world, and so then it led to a very large concentration on the one hand, and in terms of security there was a race to the bottom: to be cheaper and less secure, and then you got a bigger market share and you could actually win; that was more or less what happened. So not a very nice story from a security point of view, I would say. And of course, as I mentioned, these databases are not public, so they can be used internally, but you cannot send secure email based on these directories to other companies, because they don't want to open up the directory to you.

Then revocation. So all these systems of course boil down to revocation: if you look at the key management infrastructure or products of a vendor or a solution, you always ask, what about revocation, okay. And so for all the flaws of the financial systems, and I guess Steven will tell you about the flaws he found in EMV, one thing that the financial sector knows how to do is revoke stuff, right; they even revoke things when you don't want it, as you probably have experienced already, but they're very good at this, okay. So there is a number you can call and immediately everything is revoked; this is something they know how to do very well. So certificates, like identity cards, were designed to be offline. So if somebody shows you a certificate and tries to log in, for example, to get a service, the question which you have as the relying party is: is the certificate still valid, has it not been revoked? But if you really want to know the latest information you have to go online, right, because if it was revoked one minute ago, how would you be able to know, other than by going online? Of course this was not feasible initially, it was too expensive, so what they did was CRLs, and the idea was that in the morning you would download a blacklist and you would check whether the certificate was on this blacklist. This is quite similar to what happened in the shops in the 80s with the bank cards: they had lists of withdrawn credit cards; in fact they were hanging up there a small list, and of course this grew bigger, it became books, and the idea was to move to an online system.

So something similar happens: so if in a web browser you accept certificates, your browser accepts the certificate of a server, it should actually download the CRL every morning and then check whether this server certificate is revoked or not. Now you should again move back to the 90s, the mid-90s, and people did not have 10 megabit ADSL lines, right, people still had kilobit modems, 56 kilobit modems, so downloading a CRL of a few megabytes, people just didn't do it. So how was this discovered? Well, in, I believe, 2001, VeriSign, a big operator, signed two Microsoft developer keys which were actually not Microsoft developer keys, so they could now be used to inject fake Microsoft software into the system; apparently the guy at VeriSign was fired because he didn't check properly that these were really Microsoft employees. So what was the problem? Well, very simple: VeriSign has to revoke those two certificates, right; they did that, and then they found out that nobody checked revocation lists, so IE, Internet Explorer, did not check revocation lists; they were established, but they didn't bother to check them. Why would you do this? It slows down the browsing experience, okay. So then there was a quick patch to IE to actually implement this revocation mechanism. So it should actually be done in a transparent way, and of course ideally you want to do it online, and this is what we do today; I'll come back to this; it still doesn't work. So you can think about what happens: so your browser gets a certificate, say for Microsoft, and then it will now contact a server and ask whether the certificate is still valid or not, okay, and there are three possibilities: one, you get an answer back, yes it's okay; two, you get an answer back, no, it's not okay; and three, there is no answer. Now I'll let you guess what happens if there is no answer; think about it, I'll tell you the answer later, but it's not good.

So keys should be updated automatically, so users should not know about this when keys are updated; ideally it should all be transparent, and especially if you use certificates to encrypt information, then the update is very critical, because if somehow a key update happens and something goes wrong, then you lose access to all your information. This is also the reason why in Belgium it was decided to issue two keys to every card; in fact there are three keys: there is a card management key without certificate, but the government has a database of this; there is an authentication key to log into websites; and there is a signing key to digitally sign documents. And you would think naturally you also have an encryption/decryption key pair to decrypt messages, but I think the government, and we, thought it was too risky, because if actually somebody encrypts all his files with his key and then puts this card in his shirt and the shirt in the washing machine, then all the keys are gone and then also the data is gone, and then they may come after the government, right, and say what did you do, you created damage. So if you want to use key pairs for encryption/decryption of data you should have a backup somewhere, right, and the government did not want to provide a backup, because if they would offer you a backup then people would always say, people are spying on us and the government wants our keys. But at least in a company you want a backup, because the data is owned by the company, and anyway if the employee washes the thing, or loses his password, or he damages the card, or whatever, something goes wrong, you want to be able to recover it. But so in general it is quite painful, and in Belgium, I know, as a citizen you can actually apply for new certificates for your existing card, but I don't know anybody who's ever done it, except maybe some people in our group to test the procedure. But ideally it should be transparent to the user; if the user has to do something, forget it. So you are security experts, you know what certificates are and public keys, but you can't expect that the average person in the street understands this, and of course who checks the expiration date of the key?

So the other interesting thing related to key update, but also revocation, is: what about CA keys? For example the CA keys, when they were issued initially, say '95, '96, '97, you put an expiration date of 2005; this was 10 years in the future; by then all the people who founded the company were already sitting on a tropical island and they didn't worry about it. But of course in 2005 those who were working at the CA said, now we have a problem, our CA key has to be updated, how do we do this, okay. Or also in the beginning, so today all these audits are done by the big five or big four consulting companies, but in the mid-90s these companies didn't even know what PKI was, so these audits were done with me, and I always asked the question to the CA: and what will happen if your private key is compromised? And the only answer I ever got was silence: this will never happen, that's what they said. So I even know a case, and I cannot give the details, of a large bank where there was this big signing ceremony, key ceremony, where the keys are generated, and there is a whole process being described, there is a whole algorithm and procedure, and the auditors come in, and the CEO of the company comes in, and then the security officer generates the keys and makes a backup of this and whatever; so there is a whole ceremony and then everybody signs off for it. And so what happened at a large bank was that the security guy actually made a backup copy of the private key of the CA, put it in his pocket, and then later on, when they cut his budget, he blackmailed the CEO, which was very stupid, and he was fired actually. But it just shows you that you have all these consultants and all these big guys coming in and saying, look, we're going to check that everything is secure, and while they're watching, this guy just makes a backup copy, right, because who understands what's really happening? No one, except for the security people. So it's actually a very interesting lesson to remember. And so if you want to blackmail your company, don't do it while you're still working for them; that's not a very good strategy to become rich, right; find some better attack, okay.

Okay, so key backup and recovery, we've discussed this briefly. So you really want backup of keys, right, because if you don't have a backup and your keys somehow die, the HSM dies, the smart card dies, or you just forget the password, and this is for a software-based system, then you lose all your data. Or people leave, or they are requested to leave, or they leave by themselves spontaneously, or maybe a bad accident happens; so in all these cases you want access to backup information, okay. So of course this is only for encryption and decryption keys, not for signing; for signing keys you should really think twice whether you want a backup or not, and under the influence of the Germans, who are very rigid in security, in fact the European signature directive does not allow you to make a backup copy of signing keys. Why not? Because if there is a backup copy, in fact you could afterwards say, well, I didn't sign, somebody took the backup and signed in my name.

So I'm not sure whether I want to go into full detail of the whole story, but essentially in the 90s, so the early 90s, governments still tried to control crypto. So the 80s policy was: you should not know about crypto, you should not have crypto as citizens, and if you have crypto we give you a weak one, like the GSM phones. And then in the early 90s, when it became clear that it was impossible to control crypto, because people were publishing crypto books and people were downloading crypto software from everywhere, then the idea of the government was: let's control the keys. And so the Clipper chip was designed at that time; the Clipper chip was in response to AT&T; so AT&T was bringing out a secure phone with Triple DES encryption, and it was oriented towards business users, not government users, but business users; of course then the US government started panicking, because that would mean that they would lose access to eavesdrop on phones. And so then they proposed an alternative called Clipper, and Clipper was encryption for phones and for PCs, for data, but the idea would be that the government has a backup of your key. And so the US government was pushing this and they were telling companies, look, if you implement a backup copy we're happy to actually keep backup copies of all your keys, so in fact if there is a problem we can always help you, and essentially they were nudging companies to accept this by saying, if you give us backup copies you are allowed to export crypto, because it was impossible to control the use of crypto, but exporting crypto was still illegal. And in fact this story ended in '99, in '99 or 2000; finally inside Europe, but also between Europe and the US, it became possible to export crypto. But when we did projects in the 90s, when we wrote software, we gave it to somebody at Siemens and he integrated it in the library, and then the guy from Siemens applied for an export permission to actually give us back the software. Or I also know that we had to give, with this project, a demonstration in the north of Italy at Lake Garda, and the PCs were coming from Siemens, and Siemens tried to get an import and export permission from Switzerland to drive from Munich to Lake Garda; they never could get it, so they had to go through Austria. So this is '98; this is not two decades ago or something, this is not the Middle Ages, this is only 15 years ago. So in the end the US government had to give up on these controls, but in fact to try to nudge people into key escrow they actually said, if you escrow the key with us, then you can export yourself. So one of the reasons why they had to abandon this was that the Rijndael algorithm designed in Belgium actually won the AES competition; if they wouldn't have changed the laws, if the two winners would have gone to the US with AES on their laptop and flown out again, they could be arrested for export violations, right, because they
would take their own algorithm back home so it was so ridiculous that they probably realize that they had to do something about this okay so there is two things here well government what access to communication keys because they're used to eavesdrop in communications as a company you don't need back of communication keys most companies don't eavesdrop on their staff communications and if they need to they can do it at the endpoints while of course the key escrow of the backup company the backup problem for companies is for stored information and that the government doesn't meet your keys at all so this is by confusing these two matters communication storage the government tried to create some incentives and so as a response the u.s. symmetry directive said you can't regulate CAS this was a very important move which is maybe now hard to understand but so the government tried to control crypto to CAS and the directive of the use that you can't regulate or you can't forbid somebody to operate the CA so you can't force em to give them to give the government copies of keys that's one thing and the other have to say you not allowed to take backup copies of signing keys now I think this is pretty stupid because I can imagine that for example if you look at large companies they need of course redundancy and you would like to use the same key in multiple servers also important CAS from life financial institutions of course I mean the visa public key is in 10 million terminals you really think that they don't have a backup copy of their private key you need a something happens to this machine that they're going to put a new public key in 10 million terminals of course not and in fact you can do much better you can do threshold crypto in threshold crypto you have a key you split it in five pieces and you store this in five servers and if three servers work you can reconstruct the key inside stuff and it's also more secure because if you compromise one or two servers you can't 
even sign anything. So this is actually a much better mechanism to do stuff, threshold cryptography. So it has been deployed as technology, which is fed back from the crypto research of the mid-90s; it was first deployed by CertCo, who actually, I think, sold it to Visa. I don't know what happened to CertCo; the company has probably been absorbed by somebody. And I think it's public that Swift uses this, for example, for their CA. So they have actually, the key goes to notary publics, and so, I don't know, I can't reveal how many shares, but they have shares with notary publics and directors of the company, and so even if somebody is on vacation or a notary public has passed away, they can still reconstruct the key. So it's an example of great crypto technology which is not widely used and which could have stopped many attacks.

Okay, so then key separation. So initially the practice was, for efficiency reasons and for simplicity reasons, to use the same key pair for encryption and signatures. This is of course a problem in the sense that you want the backup of your decryption keys but ideally not of your signing keys, or you can argue about this; at least there should be different ways of backing things up. For the signing key the backup should be made by the signer; for the decryption key you can argue the backup should be made by the organization, so that they can access the information in case they need to. Okay, so you also want independent life cycles. I mean, decryption keys: ideally you would like to be able to decrypt in the future if you have data which you store today, right; even if the key has expired you may still want to decrypt. You could of course re-encrypt everything, but this is kind of painful. For signing keys, if they expire, you will definitely destroy the signing key; afterwards you can still verify signatures but not sign. Yes, Jim? Well, essentially, I mean, I'm also in two minds about this; I would prefer to have a backup of my signing key, but essentially I think the reason for this is that
in Europe we tried to prevent control of the use of crypto through the CAs. Okay, so there was this guy in the UK, typically in France, they said: we're going to control the use of crypto by controlling CAs, and so if CAs want to be in business they have to get a license from the state. That was the vision of their states, and in fact every time they issue a key pair they have to keep a copy of the private key and give it to the government. Okay, and of course it's for decryption keys, but initially, especially in the 90s, most companies had just one key pair. Okay, and so the other argument, so this is one thing, and of course if the government has a copy of your signing key you can always say they framed you. The same thing in your organization, right: I mean, you sign an important transaction which you shouldn't have signed and then you're called by the manager, and you say: well, you know, the system manager has done this in my name, because, yes, there's actually a database with the backup keys. I think my argument, or my viewpoint, is: the signing key, you should have your own backup, because if I put my identity card in a washing machine, ideally I would like to actually have a backup and get a new identity card with the same signing keys, so the outside world should not see that my signing keys have changed; my signature should remain the same. But it's a difficult question; it's coming up, there's quite some work on this, and also in the afternoon or on Friday I will talk about this. So in the end I think Europe did a good thing here by saying you can't license CAs, and so in fact we do have a much more free regime, so the control of key pairs through CAs never happened. This is a good thing of Europe which actually most people don't realize. We discussed already: have different policies for every key there.

So now the big problem is cross-certification. So as I said, everybody tried to grab market share, and even a company like Siemens, they probably had more than 10 CA projects at
the same time in the late 90s, where the finance division was doing its own CA, the engineering division, probably the power division; if you want to be cool you have to have a CA. It's like today, if you want to be cool you have to have an app for something in your company; at that time you had to have a CA. And of course the problem is now what to do if there is more than one CA. So of course if it's peer-to-peer it's kind of clear: then one signs the other, you sign each other's public keys and you have a cross relationship. Okay, but in the financial world it's very different; you have a hierarchy, and so we'll come back to this in more detail, I'll skip it here. But I just want to point out the problem that the whole thing was conceived, of course, by CCITT to have only one CA in Geneva, and they would sign all the national telecoms and they would sign all the companies, and the companies the users; that was the vision, to have a three-level hierarchy, and this is how the world would work. It would be a nice source of revenue and a great way to control the world. So maybe I can already make one comment: so every certificate has of course a typical policy; every CA, a certificate practice statement, also has policies which essentially say what they do to check a certificate, what you do to check for revocation, what you do for every certificate revoked, and so on. So of course as an engineer you can now immediately see the next paper you will write, but I have to disappoint you, it has already been written: if you have a graph of CAs which have signed each other's public keys, and you have two users which are subscribed to, or certified by, random CAs, is there a trust path in between the two, can they trust each other's public keys? So you have to find actually a path in a directed graph, and then the question is what if there is more than one path: should you take the shortest path, should you combine the paths? You can see all the papers that have been written, right? Now this is all engineering; this
is great, but now you forgot the lawyers, because every CA signing something comes with 80 pages of legalese about what it means. So now if you take a path: so a CA signs a key, a public key, of a user, with 80 pages of legalese; it signs the CA key of another CA, with 80 pages of legalese; and this CA signs, and gives you another 80 pages of legalese. Now you get to 240 pages of legalese; what does it mean? Well, you then hire 10 lawyers, you put them in a room and you get 17 answers, right? Nobody knows what it means if you concatenate 240 pages of legalese, what does it mean, and this is where the whole thing goes wrong. It's not in the finding of a path in the graph; it's actually what does it mean in practice, and who will pay when something goes wrong, and they all say: I'm not going to pay.

Time stamping. This is also very interesting, because everybody agrees for a long time that you need time stamping, and I will tell you why, but in fact in practice it's only rarely implemented even today. I think there are CAs that have it, and I think if you went to the RSA Conference, say 6, 7, 8 years ago, there were several time stamping companies selling servers, but today they have all gone, so I hope that this means that everybody now has a time stamping service in their own offering; I don't know. So of course you need to do this legally, because for many legal reasons you need to be able to prove when something happened, for example in patent disputes, when you filed a patent or when you did the research, or if you file documents and so on. So also business transactions: you have to be able to fix them in time, if only for accounting, whether a transaction happened in 2012 or 2013. So this is definitely important, but it also is important for revocation, because essentially you have to look at two scenarios. So now, day one, I sign a document which is legally binding and which kind of implicates my company in a serious way, and one day later I discover that my private key is compromised, right, I detect the virus on my
machine to which I had a smart card inserted, in my own body. So I now have a real problem, so I will revoke my signing key. But it's clear that if I signed something yesterday and I revoke my key today, the signature of yesterday is still valid, okay. On the other hand, of course, if my key is compromised yesterday and today a signature of me shows up, clearly this signature is not valid, at least not if I contacted the CA and said: hey, stop approving my key, put my key in your revocation list. So actually nobody should accept my key as valid, right. But this only works... so how can you distinguish the two cases? In one case first signing, then revocation; in the other one first revocation, then signing. You can only do this when you know what was when, when you signed, okay. Now you can say: oh, I have a solution, because as a signer I will insert a time in every signature. Does this work? Even more asleep than I am, it seems. It doesn't work, because of course if I have the signing key of somebody I will put an old date in there; in a signature I will say this signature is of last month, when the key was still valid. So it doesn't protect you, because if I put a date in, as an attacker I put an old date in there, when the key was valid. So you can only really have non-repudiation of binding signatures when every signature is certified in time by an external party, so you have to have an external log or an external time stamping service which says: this signature existed at a certain time. This is kind of obvious once you think about it, but still CAs may offer all services without offering time stamping services. Okay.

So initially there was also a major problem, because the whole PKI hype happened in the late 90s, say between '96 and '99, but in fact at that moment PKI companies were ready to give you software to generate public keys and certificates, and all the standards were being written, but the applications would not be able to deal with public keys. So the [unclear], the email programs, the desktop software, the
OSes would not be able to deal with it. So it took a very long time to actually adjust all the application software, and it's still not being done, and it's also very hard to do it because of these arcane standards and all these complex formats, and because everybody has different certificates and so on. So in fact, because certificates are extensible, this is great as a flexible business tool, but in fact from an implementation point of view, if you want to verify a certificate, it's a nightmare. And I think it's still popping up today that a lot of certificate verification software is buggy and wrong, so if you take average certificate verification software it will actually not work, or will make serious mistakes and accept certificates that it should not accept. So this vision is very nice, so it's a beautiful slide made by [unclear] and its marketing people in 1996, but that's not how the world works, so forget about this.

So I guess if you look at all these things you already see that PKI is complex. So although the principles are very simple, I can explain to you in two or three slides what it is, if you want to detail everything and all the interfaces and so on, then you realize that everybody had different options. So if you go to PKIX, the IETF group with the standards, you will find there dozens of RFCs and probably more than a thousand pages of standards, and so the code to actually generate certificates, verify certificates, check time stamping and whatever is all quite complex, okay. And it's not helped by the fact that X.509 certificates, which we still use, are based on ASN.1, which apparently people can't write decent code for, okay; it's always buggy and there are many problems. So in principle it's simple, in practice it's complex. So if you want to look at the standards: so of course the original standards are hard to get because they're X.509 standards, so from the CCITT, which are not on the internet, but of course they became ISO standards and then they were profiled, so specialized, in the IETF, and so that work
is the work I think used by the industry mostly. So there is a certificate and CRL profile, certificate management protocols, and there is a whole roadmap even describing you how all the documents stick together, but there are lots of documents and lots of options; it's incredibly complex once you start looking at the details. This I will skip.

So an interesting question is also key generation. So where do you generate keys? I guess after the recent incidents of about a year ago we know that you should not generate them in embedded devices, because they actually don't have enough entropy. So the problem is: embedded devices, these routers and so on and the access points, they boot up, there is no user interaction, and in fact unless you add a special hardware random number generator they actually generate a small set of public keys which can be easily broken. So it's actually pretty tricky to make good software, and ideally you want hardware support, and so my advice would have been: use a smart card, because it's a physically protected environment and there are random number generators in there which have been certified, or a hardware security module. Now after the Taiwan story I'm not so sure about smart cards anymore, and as soon as I saw the attack, so this is about one year and one month ago, we sent a formal request to the Belgian government to ask to get all the public keys so we can check whether they are vulnerable or not. We still haven't received the public keys, so the Belgian government prefers to stick their head in the sand and say: if nobody has the public keys, they can't find out whether they actually are vulnerable or not; so this is what their approach is, anyway. But so the initial idea, which was pushed by governments, is: key generation is hard, let the CAs do it for you, so they can actually give us a copy of the private key; this was more or less the philosophy, right. It's hard, so we can generate your keys; this is fine. So then of course you end up with the problem, because it means that there is a
CA based in Geneva, or in Belgium, say in Brussels, which has all the private keys, and how do you get the keys to the users? Now you get a big key management problem, okay, because you can't send them encrypted under a password over the internet, right? So I'm not a big fan of this. You can say let the user do it, but then of course what will the user do, right? They will first put this identity card in a microwave oven for 10 minutes and then see what kind of keys come out. So it's also not ideal. So you can also say outsource it. So the solution we've chosen for the Belgian eID, I'm not saying it's perfect, but I think it's kind of a compromise, is that the keys are generated on the card while the card is in control of the card manufacturer. But it's not like the producer of the chip, nor the [unclear] or the operating system; it's when the card is produced, in fact the chip is produced, is inserted in the card, the plastic card, by Zetes, and at that moment there is a command issued: generate key pair. And we've checked the software; there seems to be no command to extract the secret key from the card, the private key; you can only extract the public key. This public key is sent to the government, who sends it to GlobalSign for signing, and then the certificate goes back to the card. So this is kind of a compromise solution: the key is generated while the card is in the hands of a private company, but the private key should never come out; the key is generated on the card. This is kind of one way of doing it, but if you want backup copies you have to do it yourself, obviously.

So now comes the more interesting part: trust models. So how do we actually integrate CAs with the real world? So the CCITT view of the world was very simple: we are in charge, so we control the world, we control the keys, and everything is great. Of course it turns out that there is now competition, and the telecoms are not the only powerful players; we have some players like the banks which are very powerful, the governments are in
the market, there are some small companies like Google and Apple and so on; they seem to have quite some power over us as well. So it's quite unclear what's happening. The initial model was very simple: there will be a CCITT or ITU label, they will have a CA in Geneva, you will all trust them, because you have to trust them, because you trust your telecom, because they are good, okay. This was more or less their idea, and so you will all trust them, this is the dotted arrow up, and so in exchange they will sign your public keys, okay. So of course this was kind of an inconvenient model, because if every citizen in the world or every company has to go to Geneva to get their public key signed, this is kind of impractical. So they came up with a slightly better model where the root CA would be in Geneva and every country would have its national CA; it's called subordinate CAs. But as a citizen you would still... and so what you do is, as a root CA you sign the public key of the subordinate CA, as the subordinate CA you sign the public key of the company or the user, but the user still trusts CCITT or ITU, so you will still trust the Geneva guys to set the policies; so all the rules are made in Geneva, and you as a user get a card with the logo, and this logo would say CCITT or ITU. That was the vision. Do we have this model today anywhere? Yes, we have this model: Visa and MasterCard. If you get a Visa card or MasterCard with the PKI it has a Visa or MasterCard logo, and Visa or MasterCard, they have a CA, and they sign the bank keys, and the bank signs your keys. But the bank cannot just operate as a CA and decide what they do; in fact Visa specifies exactly what they should do to issue cards, what should be in the certificate. The real boss is Visa, it's not the bank, okay. So I guess the registration procedure can be bank-dependent, but in the end the bank is liable if they make a mistake; if they give Visa cards to the wrong people then they're liable. But the rules are set by Visa, which kind of all that has to happen, which
kind of certificate format and so on. So the rules are set by Visa, and you as a user, you trust the Visa logo, or the merchant trusts the Visa logo. So you may go to Australia, right, nobody has heard of KBC, but they see the Visa logo; the relying party trusts your card. Of course in companies it doesn't work like this, in the sense that, say, for example Microsoft and Apple: Microsoft has its own CA and the Microsoft employees trust the Microsoft logo and brand and CA, and the Apple employees trust the Apple brand or logo, and you get locally signed certificates. So this is fine as long as there is no interaction, but assume that Microsoft would decide to put Office on the iPad; at some moment they will have to talk, right? So at that moment maybe it's decided that Microsoft will sign the Apple public key and Apple will sign the Microsoft public key, and so now somebody from the team in Microsoft that ports Office to the iPad can talk to somebody from Apple, from the team that deals with Office for the iPad and the interfaces, and so they actually now have a trust path and everything works, except for the small detail which I told you, which is the legalese, okay. So technology-wise it's quite simple: so user A checks two certificates, the signature of the Microsoft CA on the CA of Apple, and the signature of the Apple CA on the public key of the Apple employee B. So it is technically easy; of course legally easy is something else: what does it mean, what if something goes wrong, what about revocation, and so on and so on. This is going to be complex. Of course your world can be more complex, and I think a typical example there is the pharmaceutical industry, or also the automobile industry. So what happens there, of course, is you have a few big players, say in the US you have the big three, but then of course there are hundreds of supplying companies, and so, you know, maybe Ford and General Motors decide to collaborate for something, so they sign each other's public keys, and then it turns out
that there is a supplier of General Motors that actually is certified by General Motors, and then for some reason the supplier certifies the public key of Ford, and so you actually create a very complex network with hundreds of companies which each have a CA and are signing each other's public keys. And so this is actually how business develops: there is no hierarchy, there is no single authority that can say in the automobile business we're the boss, if you want to be in our business we will sign your public key. It doesn't work, because just Ford, General Motors and Chrysler, they can't accept one authority, right, they're competitors, and they typically don't want to create a neutral authority that sets the rules for everybody. So the users, you still trust only your local CA, you don't trust any of the others, okay. So of course after a while it becomes unworkable, and so then the so-called hub-and-spoke model was invented. So this, I think, originated in the ANX, the automotive exchange network, and I believe the pharmaceutical industry has the same model. So there you create kind of a central party which everybody certifies, okay; so everybody signs the public key of the central party, which is the hub, and the central party signs the public key of every player, but there is no hierarchy. You may agree on formats and you may agree on stuff, but in the end it's a mutual agreement, and what is very important is the users still only trust their own CA, okay. The users don't know about this hub; this hub is not the boss, this hub does not set the rules, okay. So this for business-to-business has worked quite well.

And yeah, now the browser model. So in the browser model, as we discussed, how do the CAs distribute their public keys today? So at least for those who certify websites it is very simple: you go to Mozilla, Microsoft, Apple and the likes and you ask them to put your public key in the browser. So now the browser will actually sign the public key of the server. So if you have an e-commerce server, so if you tomorrow
are going to start your business selling security gadgets and you want to actually do this electronically, well then you have to create your own key pair on the server. So you have to create a key pair, and you go with your public key, and you can choose to whom you go: maybe you go to GlobalSign or you go to VeriSign or Thawte or any of the 65 others, and you ask them to sign your public key. So as a user, if you use your browser, in fact you trust all these signing authorities, and a typical browser has about 600, although the industry says there are only 65, because some of them are kind of related to each other. So the industry numbers I heard last week: there are only 65 CAs that actually do issue certificates and that have their own kind of worlds, but they may have different sub-CAs. So as a user, if you go to a website with your browser and the lock closes, you now have secure communication: the TLS or SSL protocol has been run. This relies on the public key of the server which has been used, and this public key of the server has been certified by somebody whom we don't know; in fact the only thing your browser tells you is: the public key of this server has been signed by one of the CAs in the browser. Has anybody already looked at this list? Nobody? One person. I mean, I'm not going to do this because I would have to interrupt the presentation, but we can do it before lunch. You should do this; it's quite tricky, because I keep forgetting how to get there, and the browsers just keep changing it, maybe to make sure it is hard to get there. But if you go there you will find hundreds of names, and you will actually find out that you trust, of course, VeriSign and Thawte, and Baltimore is still in there although the company has been gone for several years; I don't know who holds these keys, I should still find out, maybe the Mafia. But the German government is in there, the Turkish government, the Chinese government; there is even a company known to be owned by the CIA which is in there to spoof
connections. So in fact, if you use your browser and you don't edit those certificates, you trust all those CAs, and if you really want, you can figure out who signed this certificate, but if you just use a browser, you don't find out, and you trust anybody. So in fact you trust as a user this whole universe; there is actually not much check, okay. So it, yes, it's going to be difficult to get in there, but the CIA seems to be able to get in there, so it can't be that difficult, we just need some money, yes. But of course, yeah, so there is a forum, I heard about it last week, the CA/Browser Forum, which sets all these rules and polices this, and they say that everything is fine, there is no problem. Of course if you do an open CA and you say I'm not going to charge for certificates, you are undermining their business model, so they will try to stop you, right? The ecosystem is not designed to create security; it's designed to make money, right? This is something very important to understand: that the whole CA and SSL mechanism is designed to make some people very rich. I don't think these companies made a lot of money, but at least what happened is that the founders group made a lot of money, because some people believed they would be making more money; that was essentially what happened. But so of course there is some control, so you can't just enter there, you have to pay some money and you have to undergo some audit and there are some rules, but as we find out these rules are quite thin; it's more like about dealing with money and promising not to undermine the business model, so in fact sometimes you can see it as a cartel. Okay, so the EFF, the Electronic Frontier Foundation in the US, has a very bright guy, Peter Eckersley, who was able to do a study of the SSL universe three years ago, a very interesting paper. And so he scanned the whole internet and he found about 11 million servers that answered an SSL handshake, and about half of them had a valid certificate chain, okay. So by the way,
for example in my group it may well be we set up a server for a conference and we don't even bother to ask for a certificate. So if you then go to the server you get a pop-up saying this key is untrusted, but if it's really only for a conference review, who cares, why should we actually go through all the pain? I mean, so this is the... if the users are experts, because we're security people anyway, for a security conference, you can deal with this. But if you don't have your key signed then you get a pop-up which says: this server key is untrusted, do you want to accept it? And I think browsers have made it harder than in the past to go past it; in the past it was one click, now you have to click several times to go past an untrusted key. Yes, yes, definitely. So Peter Eckersley found 650 CA certs trusted by Windows or Firefox. Now what the CA/Browser Forum said last week is: well, in fact there are only 65 real ones and the other ones are sub-CAs, so everyone has about 10 sub-CAs, so there are only 65 players, okay, which includes of course many governments, about 24 governments. So there are 1.4 million unique leaf certs; for example, 300,000 leaf certs are signed by one GoDaddy cert, so if that ever gets compromised then 300,000 servers have to change their key, have to do something. This is really kind of a concentration which is not optimal, and it's a consequence of the race to the bottom, so I presume that GoDaddy has been the cheapest, so everybody goes there, right; of course you have to save money, right. Jimmy, that's what they say; last week I didn't have time to investigate the claim, but it's, for example, it is true that, for example, VeriSign has like many keys in there, and so they claim also, and I don't know the exact details, right, I didn't have time to do my research, but I can see that, for example, it may well be that TürkTrust is not a CA but could be a Turkish sub-CA, a separate sub-CA of GlobalSign, right: the Turkish government decides not to put their own CA
out, but actually goes to GlobalSign, and then two entries will be separately in your browser, but in fact TürkTrust is under GlobalSign control. So I think they probably have 65 members who claim to control all the, or represent all those CAs; that's, I think, how you can read the statement. It makes a difference for me whether it is 65 or 650, right? I only want to trust maybe 5; as a person I can probably check five organizations, 65, 650... I just want to give you their response, because I find it interesting that they respond to this, right; this is their response: it's only 65. So 80 distinct keys are used in multiple CA certs; there are several CAs that signed the IP address 192.168.1.2. I hope you see the humour of this; it's actually not funny, you should never sign such an IP address. It just shows you that people are plainly incompetent or careless. There are two leaf certs that still have 512-bit keys; this can be factored today in a couple of hours, okay. And of course in 2006 what happened is that some not-so-wise person looked at the Debian OpenSSL code and he found the randomness used to generate RSA keys, and he found this very weird, that calls were made to strange things, and so he commented all of this out. As a consequence all the keys generated by this particular OpenSSL version belong to a very small set of 28,000, and anybody of you can go get this code, run it and get all those keys, the public keys and the private keys, okay. And so this software version was in use for about three weeks... so fortunately only 530 of those at this moment validate, but only 73 have been revoked. So you would think that as a responsible industry, when something like this happens, you immediately, the next day, issue a CRL for 28,000 public keys that can never be accepted anywhere, but they didn't do this; they only revoke one if you ask for it explicitly, and I happen to know one organization which was a victim, where I'm involved, and we actually got the revocation, which was
really painful. So it just shows their interest is in making money, but not in really caring about security, right. So how to fix this mess? So the CA/Browser Forum guy gave a talk last week at the beginning of a panel and he said: in fact we did have quite some incidents, and I will come back to this, but we didn't do it so badly; it's actually not so bad, because every year we issue two million certificates and in total only about a thousand are fake, so we have a very good track record, we're very reliable. That's their view, right: only a thousand are fake, and then most of them are DigiNotar ones, so in fact this is only one incident, so we do quite a good job. So a very, very interesting point of view. Okay, so I think it's some... yes, yes, exactly, that's the thing. So what are the incidents, or the covered incidents? Nine forged certs were issued by Comodo's RA; it's only nine, right, and we issue two million per year, only nine forged certs, but of course the forged certs allow real bad attacks, right. Then of course the big case was DigiNotar; you've probably all heard of this, but 500 forged certs were issued. So what happened is that in fact a PC which actually controlled the hardware module had no antivirus, no firewall, no protection; an Iranian hacker got in there and could issue five hundred requests for certificates. How did they find out? Due to OCSP requests coming from Iran, and also Google does some checks about who issued certificates for it, and so it turned out that this Iranian guy used DigiNotar to issue certificates for Google which are fake, and those certificates were then later used, through a combination of a DNS attack and these fake certificates, to attack users in Iran and to intercept the connections to Gmail and Facebook and so on, and so probably people are in jail because of this attack; it's not a joke, it's a serious attack with major implications, okay. So DigiNotar didn't survive this; they went bankrupt a few weeks after the incident was announced, and there is a very
interesting paper by Fox IT which you should really read to see what can go wrong okay so apparently it's an Internet that played over the last two years so there is a Turk trust incident so tourists in Turkey also has been issuing certificates for google.com and so the whole official story is it's an error in configuration made during migration and backup it's a mistake I'm sorry but I don't believe this right so the Turkish government again could intercept communication if you get a fake certificate for google.com for a different google.com public key it actually means you can intercept communication internet for google.com and so it means you can actually intercept communication Android phones communication from people who want to recharge email account to the Google+ account you can actually intercept it and meet in the middle Google so this Iranian hacker claims he has hack global sign but there is no evidence of this and Verisign as well there is kind of course the industry doesn't show you all victims of their incidents right so there is thousand Keys known to be fake we don't know how many thousands are we don't know that they're fake ok so also bitten I'm at a very big incident and this is a company that provides software network security services it seems that they're not actually using their own security software and so they lost a signing key last month that's fun so but it shows that indeed what we have seen in this industry is a race to the bottom ok so you don't try to be very secure as initially and have secure solutions but the business model is try to save money first you go to the docs then you get rid of the guards then you get rid of the antivirus then of the firewall and you keep reducing your costs and nobody notices anything you see your income stays the same and your security costs go down so your profit goes up and so the board is happy and the shareholders are happy of course you have no security which is a small detail so the government 
of Malaysia also has signed with the key malware they also had 500 bit keys being certified all these kind of weird things so I don't have a good answer yet so the CIA industry in spite of the claims that everything is great what their representative says they've actually responded and they responded as they are in chaos there is permanent chaos so as far as I understand there is at least four initiatives and I mean I only saw the presentation last Thursday I didn't have time to do more research but in ITF there is at least four initiatives to improve stuff and one is then and then has one weakness it assumes that the NS psyche is widely widespread which is it not it has taken a long time to deploy the NSX more than ten years before the route was signed but even now today is not widely used and so if it's widely used you can actually protect your SSL so with this day in protocol you can say that a given server my server can only get certificate from this particular CA this would stop the attack on DigiNotar because google would say we only want say Verisign CS or Google CAS and so if your browser would see a certificate for Google issued by digi not argue but we checked it okay so the comment of Google on this proposal is it would need a heart fail if you then see it's difficult by something else you should not accept it right otherwise it makes no sense okay then there is theater is Asian this is more this is you'd tell the CA that if you're not one of the CAS on this list don't issue certificates for this domain so this would be a slightly different approach there for example you start your server and you tell the CA or you get help from the CA a second I only want stiff Achatz from Google or from Verisign okay so this is a message from the server to the CA of course the problem is then you may end up in lock-in because if you one chose once one CA it may be much harder to change your CA because once you then change the CA you actually will make some certificates 
invalid right your clients may be in trouble and so on if it's a similar mechanism for clients called pinning it seems to me the easiest to roll out in particularly for the large servers this is for clients a message saying you know you've seen a Google certificates issued by Google or say by Verisign okay if you in the future detect another one raise an alarm in fact and this is how many of the CI compromises have been detected because there is already this feature present in chrome that you actually check who issued certificates before any of this CA changes you actually respond okay so of course if the comment by Google was that if you see an error it's probably not because there is a breach but because there is miss configuration yes no no but so that was a debate so some people said can only be done for large sites but indeed Google is prepared and the other some of the other players but not all are prepared to actually collect sites certificates on many sites and in fact that not only for the five big ones I believe visit but also for thousands of smaller ones you actually get preloaded certificates in your browser but then of course you get your vacation issues there as well and maybe a hacker can change this and so and the final one is sir transparency this is kind of yet another thing and this is actually something which is kind of baffling to me that they still have to work on this but the idea is the following we're going to make public the certificate are being signed so at least if you as the genotype publish is difficult for Google it will be public well today if a server a CA root signs is difficult it keeps it private it doesn't make it public in a public list with certificates so in fact if Peter actually collects all the certificates that you have to write a crawler for this that goes over all internet and finds those there is no database where you can go to get all those certificates and if you would have a database then you would see who is 
hacking stuff okay of course government don't like this because if they are impersonating Google right and also companies do this then of course they actually have a problem right because then it becomes obvious so this is good it would have stopped many attacks if you just set transparency but of course the industry is very worried as a competition issue because it would see it would mean that you could see who is assuming what and you could maybe try to get each other's customers and so on so from an engineering point of view it's a no-brainer but from a business point of view it seems to be quite of quite problematic so what is interesting so I went to this Pamela I have one comments which I still have to digest but essentially you see there is at least four approaches and there is probably more and then for some of those approaches like pinning there is two solutions okay by different vendors you see that every vendor either browser companies or CAS have their own approach of solutions and some help law and there is the problem is that technology wise they probably all have advantages disadvantages but there is always this interference with business issues and that's the big problem because it's a big business still and so for this reason it's a big chaos and it's not that the industry can agree on three major improvements and let's make them now pending seems to be the one that can be rolled out quickly and is being rolled out for all the other things you have to wait for DMS SEC or people say well in five years we'll be done with to allow this kind of things so don't expect a quick solution and it's still a very big chaos out there that's the main message of what I got from this so of course we discussed this of course if your server certificate server key is not in a certificate or cognized by your browser you get this kind of error message and then of course you actually have to decide what to do and of course as a cryptographer or as a somebody went to 
this course you can start looking okay this is not in the browser but this is certificate and so on and so on I'm going to accept this I'm not gonna accept this but of course ask this to your grandmother or your mother I mean this is Chinese to them right I mean this is completely hopeless okay so I guess the summary is there is no easy fix technology wise it would be kind of easy to improve stuff but because of all the competition and business issues everybody wants different solutions and for example Google has both the browser and a server and so they have a very different view then people have only a browsers only observers okay they can do different things so don't expect quick fixes of each solutions but some basic improvements will be replaced and so I guess I'm not easy to call for regulation and I guess for this reason of Independence and reduce government control I was always against regulation but if you see what the mess the sea-ice make I think they should be regulated there is also a very big debate about whether people should be allowed so some governments insist that they can impersonate so the Chinese government obviously wants to impersonate all the major servers so and they keep pushing ITF for offering this service companies by the way companies to do deep packet inspection they don't like SSL connection to their firewall so the in fact what they do is they impersonate they put a fake certificate in the in the browser's of their people and they meet in the middle all their employees systems it's quite unethical and also quite insecure because you open yourself up to other attacks yes well I haven't studied that one in detail I've seen other things but I'm not going to discuss it at them but in detail there is there is more stuff to be done okay but I just want to wrap up because I'm running out of time so there is many trust models there is the PGP mobile by you sign the public keys of your friends okay you can have this rep of trust this is 
great because it really works and you don't have to trust anybody else it's also a disaster because if you know the security expert you don't know how it works you don't understand it and revocation is a nightmare right if you issue new keys every five years after 20 years you have four keys which are everywhere over the world and there is no way you can revoke them but there is of course they have no kind of service where you can do this but it's still kind of problematic because it's not hierarchical so the real problem is in your vocation I will skip that here I mean the general discussion so I have to say something about this which is very important so what we have today is mostly invalid certificates so we have actually CR ELLs and optimizations and we have OCSP which is online information so CL this offline once a day or CSP is every time you need to check now of course for performance reasons there is caching of OCSP which comes very close to CRL and it was also crl refreshing every minute and this is very close to a CSP right so you can actually depending on your network infrastructure do both and be more or less secure people have also proposed the opposite whitelisting so you would have a certificate only valid for an hour and you get a new one every hour but I'm not sure this works for most systems so TRL's are kind of simple to give an example of potential problems in Belgium so we have about at the five or six million identity cards and about one person in four decides not to use their key pairs so but the way the system works is the key pair is generated and we an put on hold and then when you get your identity card in the commune the public key pair is activated but if you choose not to activate it it remains revoked this means in fact that Belgium has about more than a million revoked certificates ERL is huge plus it keeps growing because of course if public Keys roll over people can do identity cards so this is a quite big deal and so in particular 
for mobile applications or language applications so the belgian crl the full one is several megabyte which was something we weren't the government about but they decided to take this approach anyway so OCSP this is kind of nice as I told you you do query a CA or a delegate of it you send me to the public key in certificates the high public key in the CA and a serial number and you get an answer which has good revoked or unknown and you also get information on the freshness of this answer but there is a fourth possibility which I don't have on this slide namely no answer near there is no answer it's assumed to be yes this is how all the browser's work today because you don't want to break the internet and so when you criticize the vendors about this also about the other things the answer of comodo was well you can't change the wheel on a bicycle when it's writing that's their answer so the problem is that the CI system how crappy however crappy it is it's now massively in use and any change breaks a small part of the web and nobody wants to take be responsible in particular in a competitive environment so if the browser company moves first they will lose market share so they have to move together and they seem to be unable to agree to move together or they occasionally move but very very slowly okay so this slide mentioned is that in fact well two things so you may get all the information freshly signed so may have a crl updated every week but you get by the minute right OCSP response what does that buy you and so the other thing is no answer means in fact okay so it's very simple if you see a as an attacker if cg- else you just suppress that and then the browser will say okay it's still the major problem so for the final few minutes so Trust models who is involved who certifies public is how our crushed relationships maintains how granular are they and how do they support existing business models or societal months of trust so in Europe this is for example very 
clear that in Belgium hydra-matic arts and public use are issued by communes by local authorities in Greece is by the police in Sweden by the post in Norway by the banks so depending on who you trust in society it actually get difficult in Germany there is three separate ones one by the communes one by the employment agency one by the health agency so it depends on who you trust and you cannot just come at crypto and create new trust and I think this is the big problem of all these CAS that they say I'm very sign trust me why should you okay so criminality of course Ragna call the visa model is your oath to trust visa there is not much granularity in the browser you have to trust the six hundred fifty or fifty sixty five companies in the personal level you can choose in PGP who you trust and who you don't trust okay there's more granularity in business to a basis of course the enterprise model is much more suitable suitable because there is no hierarchy between companies and the other two I would say are more or less in between so there is no easy choice for a trust model it depends on where you're going to roll out your public keys and what you're going to do with it okay this is small as the wrap-up so the personal model is okay I mean if you have a civilization body of eight or ten people and you meet every three months it's fine to actually in the meeting share public keys and let alone use this and if a guy leaves to revoke him and even you guy comes to add them so the small scale it works okay the browser model well I don't think you can say it works but on the other hand it does work because there is people making money and e-commerce works so as a security person I can criticize the decisions but on the other hand some people get something out of it okay so the hierarchical model I mean visa is proven it works and MasterCard so in the financial sector it seems that some people actually are in charge and can make the rules and this works and I guess this is 
the nice thing that we don't need to have 75 cards if we go to 75 countries so there is some benefit to having a hard cool system there so between peer organizations so in an industry sector for example like from a suit achill or automobile I think the enterprise dress model works quite well and you have a lot of flexibility but also unfortunately complexity that goes with it and so global PKI so people said after the PKI hi PKI is dead but if you understand crypto you know PKI cannot be dead because you can do crypto without public keys so it's just that I think we have a very hard time figuring out how to do stupid publicity is the browser model and this is kind of broken in many ways but it's very hard to change it because it's just so popular and assume that say all the measure internet servers would say we're now going to only accept browse through the certain security levels then people will not be able to get there right with our old browsers so the problem is you can't break the internet anymore because people get very very unhappy if they can't access their funds so they can't book their travel or they can't read their email so this is the problem with security systems and they're not successful with secure nobody cares they were successful you always keep finding small security problems but you can't fix them anymore so only if there is major problems they will do something or do it at least the industry will act as if they do something they will have this security theater but it's very hard to change reality because it's just too important that's my summary of the key ISO unfortunately at no time for the empty base encryption but I'm very happy to actually explain to you over lunch why it doesn't work okay hope you have a nice lunch thank you very much [Applause] you
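As an added illustration of the OCSP discussion in the lecture (this is example code, not the lecturer's material): a small Python model of the revocation decision with constructed replies, showing the three OCSP answers, the fourth case of no answer, why a reply signed a minute ago that repeats week-old data buys nothing, and how a soft-fail policy lets a suppressed or stale reply pass where a hard-fail policy does not. The OcspReply structure, timestamps and serials are assumptions, not real OCSP encoding.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference time for the scenarios (not from the lecture).
NOW = datetime(2013, 7, 11, tzinfo=timezone.utc)

@dataclass(frozen=True)
class OcspReply:
    """Constructed model of a signed OCSP reply (no real ASN.1 encoding).
    produced_at: when the responder signed the reply; this_update: when the
    status information it repeats was last refreshed; next_update: when newer
    information is promised. serial stands in for the issuer hashes plus
    serial number that identify the certificate in a request."""
    serial: int
    status: str  # "good", "revoked" or "unknown"
    produced_at: datetime
    this_update: datetime
    next_update: datetime

def information_age(reply: OcspReply, now: datetime) -> timedelta:
    """Age of the status information itself. A reply signed a minute ago that
    repeats a CRL refreshed a week ago still carries week-old data; a recent
    produced_at does not shrink that."""
    return now - reply.this_update

def is_fresh(reply: OcspReply, now: datetime, max_age: timedelta) -> bool:
    """Usable only inside [this_update, next_update] and younger than max_age."""
    if reply.this_update > now or now > reply.next_update:
        return False
    return information_age(reply, now) <= max_age

def _fallback(policy: str, why: str) -> tuple[bool, str]:
    """Outcome when there is no usable answer, per policy."""
    if policy == "soft":
        return True, why + ": accepted (soft-fail)"
    return False, why + ": rejected (hard-fail)"

def decide(reply: Optional[OcspReply], now: datetime, policy: str,
           max_age: timedelta = timedelta(days=7)) -> tuple[bool, str]:
    """Accept-or-reject decision for one certificate.
    "soft": a missing, stale or unknown answer counts as good (what the lecture
    says browsers do so the web never breaks). "hard": it counts as revoked."""
    if reply is None:
        return _fallback(policy, "no answer")
    if not is_fresh(reply, now, max_age):
        return _fallback(policy, "stale or replayed reply")
    if reply.status == "good":
        return True, "good"
    if reply.status == "revoked":
        return False, "revoked"
    return _fallback(policy, "unknown serial")

def build_cases(now: datetime) -> dict[str, Optional[OcspReply]]:
    """Constructed scenarios keyed by name; None means no reply arrived."""
    minute, week = timedelta(minutes=1), timedelta(days=7)
    return {
        "fresh good": OcspReply(0x1001, "good", now - minute, now - minute, now + week),
        "fresh revoked": OcspReply(0x1002, "revoked", now - minute, now - minute, now + week),
        # Re-signed every minute, but repeating status data refreshed 8 days ago.
        "re-signed stale good": OcspReply(0x1003, "good", now - minute,
                                          now - timedelta(days=8), now + minute),
        # A "good" reply captured before revocation and replayed past its next_update.
        "replayed expired good": OcspReply(0x1004, "good", now - 2 * week,
                                           now - 2 * week, now - week),
        "unknown serial": OcspReply(0x1005, "unknown", now - minute, now - minute, now + week),
        # Responder unreachable, or the reply suppressed somewhere on the path.
        "no answer": None,
    }

def run_scenarios(now: datetime = NOW) -> dict[str, dict[str, bool]]:
    """{scenario: {policy: accepted}} for the soft-fail and hard-fail policies."""
    return {name: {p: decide(r, now, p)[0] for p in ("soft", "hard")}
            for name, r in build_cases(now).items()}

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} soft={outcome['soft']!s:5} hard={outcome['hard']}")
```

Under the soft-fail column every case except an explicit "revoked" is accepted, which is exactly the gap the lecture describes: whoever can suppress or delay the reply gets a "good".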
Info
Channel: secappdev.org
Views: 57,804
Keywords: Public Key infrastructure, Bart Preneel, Computer science, Cryptology, software, software security, Computer Security (Industry), cryptography, kuleuven, secappdev, secure application development, PKI, asymmetric cryptography, asymmetric key pair, asymmetric key encryption, asymmetric encryption, digital signature, public key, private key, certificate authority, key architectures, digitally signed certificate, certificate revocation list, CRL, online certificate status protocol, OCSP
Id: GQVSpHDfW4s
Length: 91min 52sec (5512 seconds)
Published: Thu Jul 11 2013