Friday, May 19, 2017

ICMC17: Thomas Jefferson and Apple versus the FBI

Daniel J. Bernstein, University of Illinois at Chicago & Technische Universiteit Eindhoven

Gutenberg's original printing press was based on a wine press - who knew? If you think beer or wine is dangerous, you may think the best thing to do is prohibit alcohol. In 1919, the Women's Christian Temperance Union requested that the public library remove books and pamphlets on the home production of alcoholic drinks. The librarians would not destroy the books, but did remove them from public access.

Why do censors try to ban instructions? The reasoning is "it might be bad if people follow these instructions", so stop people from acting on the information. We have freedom of speech, though, so we shouldn't accept this. You can try to hide the information, but people will still find it and figure it out. Censorship adds very little benefit, and often causes massive damage.

There are careful exceptions to free speech in the US: you cannot intentionally solicit criminal activity. You also cannot advocate an imminent lawless action if it's likely to produce such an action: "Let's burn down that mosque" is not protected by free speech. You also can't make false promises (breach of contract), deceive people for profit (fraud), or make false statements that damage reputation with reckless disregard for the truth (defamation).

What about training videos? Is Ocean's Eleven a training video? What about Tom Clancy's Debt of Honor (1994), which described something very similar to the 9/11 attacks? Some people also don't want to see historical documents and books on things like Kamikaze pilots - what if terrorists act on these examples? It turns out they will come up with it themselves, even without such inspiration.
So the court has to look at it from this point of view: are you intentionally aiding and abetting criminal activity?

What if a terrorist stays hidden and alive in the woods by reading a book on "how to fish"? That book is clearly not intended to help criminals, and that type of book is protected under free speech.

On software - it's usually (always?) something a human could do or calculate by hand, given time; we're just using the computer to make it faster. If you hear statements from the government about restricting computers, remove the word "computer" and ask whether the same rationale would justify censoring instructions followed by people.

People are using encryption to protect files and conversations, which the FBI calls "going dark". So, should we be allowed to publish encryption software? Imagine if you remove the computer from this situation.

Jefferson and James Madison communicated via encoded ('encrypted') messages. Thomas Jefferson distributed instructions that James Madison used, by hand, to encrypt private letters. No computer was involved here; it was all done by hand. What if they had published how to do this in a book? And then a criminal used it, and the FBI came and said you can't publish this. Is that allowed? If the book is intended to help criminals, the government can censor.

Lawyers will claim that free speech needs a software exception. Imagine software made to destroy navigational systems on airplanes. What if it were a book that described how to do this? The computer is irrelevant to the question. The courts should look at the intent, just as they do when you present them with a book.

According to the FBI, in 1963 the head of Domestic Intelligence thought Martin Luther King Jr. was a Russian agent. In 1964 King won the Nobel Peace Prize. In 1964 the FBI sent King an anonymous letter encouraging him to commit suicide. In 1967, the NSA also started surveillance on King.

As far back as 1977, the NSA (Joseph Meyer) threatened organizers of a crypto conference with prosecution under export laws.

Dan himself sent a crypto paper and crypto software to the NSA asking for permission to publish. The NSA refused, classifying both the paper and the software as "munitions" subject to export control. Then in 1995, the NSA told the courts they were trying to protect America, but that papers were okay (free speech), and allowed Dan to publish the paper (but not the software).

Unfortunately for the NSA, Judge Marilyn Hall Patel disagreed with them in 1996, agreeing that software is free speech: it's just language. The court of appeals agreed in 1999.

Now back to the modern day, Apple vs. the FBI, but imagine it without the computer. Imagine the FBI coming to Jefferson and demanding that he write new anti-encryption instructions and falsely sign those instructions as legitimate. Jefferson says that the instructions are too dangerous to create. The US Supreme Court notes that freedom of speech includes "both what to say and what not to say".

Ask yourself: what is the software doing in this picture? What if we were doing this ourselves? The courts know how to handle that, and you should too.

ICMC17: Zero Knowledge Doesn't Mean Zero Ethics

Joshua Marpet, SVP, Compliance and Managed Services CyberGRC

A zero knowledge system rests on a mathematical proof: zero knowledge proofs and verifiable secret sharing are vital for secure multi-party sharing. They can be used in health care, blockchain, etc.

Blockchain can be used in healthcare to exchange information across health care networks (for example, between a hospital in DC and a hospital in California).

How do you know you are working with an ethical party? Is the NSA ethical? What about Geek Squad? If you are building a zero knowledge system, will you be fostering bad ethics? For example, the bitcoin blockchain contains child porn.

Think about free speech: you can talk about all things, but you cannot necessarily incite behaviour. For example, you cannot shout "fire" in a theater.

So, you need a very clear Terms of Service and Acceptable Use policy, and a provisioning checkbox along the lines of "Will you be hosting illegal content?" Yes, users can violate it, but then you will not have an ethical conundrum when law enforcement asks for that user's illegal data.

Now, don't be a bad provider. Don't monitor your customers' content, and don't be inconsistent or non-responsive. Respect warrants, but use reason. If something doesn't seem right, consult your lawyer, the EFF, etc.

ICMC17: Revisiting Threat Models for Cryptography

Bart Preneel, imec-COSIC KU Leuven, Belgium

Rule #1 of cryptanalysis: search for plaintext first :-)

With the Snowden documents, we learned that the NSA is foiling much of the deployed encryption, using supercomputers, turnkeys, backdoors, etc.

If you can't get the plaintext, try just asking for the key; then you can do the decryption yourself. About 300,000 NSA letters for keys have been issued since 2001. Most come with gag orders, so it's difficult to get information about them.

Yahoo fought the security letter they received. Others, like Silent Circle and Lavabit, just shut down.

So, think about PFS: if someone gets one of your keys, can they get your older data as well? You can replace RSA with DH for perfect forward secrecy. Logjam, though, was able to subvert the system by downgrading the negotiation and then reading your data.

If you can't get the private key, try substituting the public key (because you have the private key for your own public key!). The most recent attacks in this area were fake SSL certificates and SSL person-in-the-middle attacks.

This brought about "Let's Encrypt", which has been live since 2015.

If you can't get the key, try cryptovirology (book by Young and Yung).

Or, how about a trapdoor in your PRNG (Dual EC DRBG in Juniper's ScreenOS)?

What other technology might be similarly subverted?

If you can't undermine the encryption, how about attacking the end systems?

Hardware hacking: intercepted packages are opened carefully and a "load station" implants a beacon. If you don't want your routers to come with "extra bits", you might want to pick them up from the manufacturer (pictures were shown of this happening to Cisco routers).

There is a chip that can be installed between the monitor and keyboard; it can be powered up remotely by radar, and then the remote attacker can read what's on your screen.

Maybe we need offense over defense? How many 0-days do our governments have? Are they revealed to vendors? If so, when? The NSA claims that they have released more than 90% of their 0-days to vendors, but didn't say anything about how long they hold onto the attacks before notifying.

Another good way to fight encryption: complicated standards! Does anyone really fully understand IPsec, for example? Backdoors are another way, but we should be able to see from DUAL_EC_DRBG where the backdoor was backdoored....

There are 18 billion deployed encryption devices that protect industry, not you, like DRM to control content.

There are 14 billion encryption devices that protect users, but there are issues. Look at encryption on phones: it's not end to end, so there are still issues. Consumers might have "encrypted hard drives", but without key management, the hard drive can just be pulled out, put into another machine and read.

There are issues with many messaging services: they back up your messages in the clear in the cloud.

Secure channels are still a challenge, with lack of forward secrecy, denial of service, lack of secure routing, and lack of control over metadata (which is still data!). Tor hides your IP address, but not your location, so it is limited.

When doing design, avoid a single point of trust, which becomes a single point of failure. Stop collecting massive amounts of data.

Distributed systems work: root keys of some CAs, Skype (pre-2011) and bitcoin.

We need new ways to detect fraud and abuse. We need open source solutions, open standards, effective governance and transparency for service providers. And finally, deploy more advanced crypto.

ICMC17: Encryption and Cybersecurity Policy Under the New Administration

Neema Singh Gulani, Legislative Counsel (Privacy and Technology), ACLU

We still don't know what the policies are going to be, but she's here to give us her understanding of where we are and where she thinks we're going.

Why should you care, if you're not a lawyer? Look at Lavabit, a company that offered an encrypted email service. All was well and good until it was discovered that Edward Snowden used their service. The US Government requested their encryption keys (under a gag order, so they could not tell their users). A judge ordered them to give up their keys: not just the keys that protected Snowden's mail, but everyone's. The company shut down, because they no longer felt they could protect their users.

Right now we are seeing a very divided government, polar opposites on a lot of issues, but they will work together on preventing NSA surveillance and protecting encryption keys.

The Obama administration considered various technical options to get around the "going dark" problem, so law enforcement could access the information they had before encryption became more pervasive. Several options like backdoors, remote access, forced updates, etc. were considered, and the administration decided to work with the commercial providers of the products, as opposed to building legislation.

We don't know clearly where the Trump administration stands, but we know that Trump was critical of Apple not wanting to give law enforcement a back door to get into an iPhone. Jeff Sessions noted once that he was in favor of encryption, but that criminal investigators need to be able to "overcome" encryption.

There is proposed legislation from Burr/Feinstein that requires manufacturers to provide data in "intelligible forms" (it covers software and device manufacturers). The ACLU is not in favor of this bill. It has been called "technically tone deaf".

We know that the Obama Administration had an interagency process run out of the White House that didn't have any "hard and fast rules" on vulnerability disclosure. It was used to balance risk with intelligence needs. The NSA said most vulnerabilities are disclosed. Is that good enough to protect users of tech?

NSA surveillance: Section 702. This covers 106,000 foreign targets, from which they collect over 250 million internet transactions annually; about 50% of that information is about a U.S. resident. This is up for review again this year in Congress.

Because of Trump's accusations of wire tapping, this may be an opportunity to reform Section 702.

Right now, based on a 6th Circuit court decision from 2010, most US companies require a warrant before they will provide content to the FBI or other law enforcement.

An email privacy act was passed by Congress 419-0, but the bill got stuck in the Senate, where too many unrelated things were added.

Many users would be surprised at the low bar required to hand over their data to the FBI or local law enforcement, or that they would not necessarily be notified when it happens.

If you're building products for the government, think about how the product will be used, and whether you can audit that it's being used as intended.

Look to see what lobbyists your employer is backing and see if it lines up with their public press releases; if not, say something. Consider also direct lobbying: there is a dearth of technical knowledge on Capitol Hill, and they need your knowledge!

ICMC17: Crypto You're Doing it Wrong

Jon Green, Sr. Director, Security Architecture and Federal CTO, Aruba Networks/HPE

Flaws can be varied and sad, like forgetting to use crypto (such as calling a function that was never completed for your DRBG! Jon showed us an example of validated code that was an empty function whose comment contained TODO). Other issues arise in large multi-module products that may contain code written in C, Java, Python, PHP, JavaScript, Go, Bash... claiming to get FIPS from OpenSSL. Most of those languages aren't going to be using OpenSSL, so they won't be using FIPS validated crypto.

Developers often don't know where the crypto is happening. They may forget to complete certain code segments, rely on third-party and open source code, and rely on multiple frameworks. Or even if they do know, they may not want to dive in because of the amount of work required to make things work correctly, particularly from a FIPS perspective.

What about the FIPS code review done by the lab? Would it catch this? Almost certainly not, as they are typically not looking at the application code, just the low level crypto and RNG functions. Even with the old German scheme for deeper EAL4 code review, issues are still missed (like the above TODO code, which went through EAL2 and EAL4 review). Testing misses these nuances as well.

Security audits of your code are very fruitful, but very expensive. He's seen success with bug bounty programs, even if the code is closed.

He's also seen problems with FIPS deployments using "FIPS inside", where they leverage another module like OpenSSL, but forgot to turn on FIPS mode and forgot to update the applications so they would not try to use non-FIPS algorithms.

Another problematic approach: the dev follows all the steps to deploy CentOS in FIPS mode by following the Red Hat documentation... except that documentation only applies to Red Hat and *not* CentOS. Yes, it's the same source code, but validations are not transitive. A Red Hat validation only applies to Red Hat deployments.

To get this right, identify the services that really need to be FIPS validated and focus your efforts there.

ICMC17: Keynote: From Heartbleed to Juniper and Beyond

Matthew Green, Johns Hopkins University.

Kleptography: the study of stealing cryptographic secrets. Most people did not think the government was really doing this. But we do know there was a company, Crypto AG, that worked with the NSA on their cipher machines, available between the 1950s and 1980s.

Snowden's leak contained documents referring to SIGINT: a plan to insert back doors into commercial encryption devices and add vulnerabilities into standards.

How can the government do this? It can't really change existing protocols, but it can mandate use of specific algorithms. This brings us to the 'Achilles heel' of crypto: the (P)RNG. If that's broken, everything is broken.

There are two ways to subvert an RNG: attack the lower level TRNG, or attack the PRNG. The TRNG is probabilistic and hardware specific, with too much variance. The PRNG/DRBG is software, and everyone has to use a specific one to comply with US Government standards, making it a more appealing target.

Young and Yung predicted an attack against the DRBG, and how it might work, in the 1990s: using internal state, a master key and a trap door would let you decrypt the data. This sounds a lot like Dual EC DRBG. It was almost immediately identified as having this weakness if the values were not chosen correctly. The NSA chose the values, and we trusted them.

Snowden leaks contained documents referring to the "challenge of finesse" in pushing this backdoor through a standards body. Most of us don't have to worry about the government snooping on us, but... what if someone else could leverage this back door?

This is what happened when Juniper discovered unauthorized code in their ScreenOS that allowed an attacker to passively decrypt VPN traffic. Analysis of the code changes discovered that Juniper changed the parameters for Dual EC DRBG. But Juniper said that, according to their security policy, they didn't use Dual EC DRBG other than as input into 3DES (which should cover anything bad from the DRBG). The problem came up when a global variable was used as a for loop index (a bad idea): since the Dual EC DRBG subroutine also uses the same global variable, the for loop that was supposed to do the 3DES mixing never runs.
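A constructed C model of the shared-global loop-index failure described above, added here as an illustration (this is not ScreenOS code; all function names, buffer sizes and byte values are hypothetical). The buggy generator's mixing loop never executes because the reseed routine leaves the global index past the end of the buffer; the fixed generator uses a local index.

```c
#include <stdint.h>

#define OUT_BYTES 32                 /* PRNG output buffer: four 8-byte blocks */

static int g_index;                  /* shared global loop index: the root of the bug */
static uint8_t g_output[OUT_BYTES];  /* after reseed, holds raw Dual EC bytes */

/* Stand-in for the Dual EC reseed step: fills the buffer with raw generator
 * output and, like the callee described in the talk, leaves the global index
 * sitting at OUT_BYTES when it returns. */
static void dual_ec_reseed(void)
{
    for (g_index = 0; g_index < OUT_BYTES; g_index++)
        g_output[g_index] = (uint8_t)(0xA5 ^ g_index);  /* constructed bytes */
}

/* Stand-in for the X9.31/3DES post-processing of one 8-byte block. */
static void x931_mix_block(uint8_t *block)
{
    for (int j = 0; j < 8; j++)
        block[j] ^= 0x5A;            /* placeholder for the real 3DES step */
}

/* Buggy generator: resets the global index, reseeds, then loops on that same
 * global. The reseed left g_index == OUT_BYTES, so the loop condition is false
 * immediately and no block is ever mixed. Returns the number of blocks mixed. */
static int prng_generate_buggy(void)
{
    int mixed = 0;
    g_index = 0;
    dual_ec_reseed();                /* clobbers g_index */
    for (; g_index < OUT_BYTES; g_index += 8) {
        x931_mix_block(&g_output[g_index]);
        mixed++;
    }
    return mixed;                    /* 0: raw Dual EC output is emitted as-is */
}

/* Fixed generator: the loop index is local, so the callee cannot disturb it. */
static int prng_generate_fixed(void)
{
    int mixed = 0;
    dual_ec_reseed();
    for (int i = 0; i < OUT_BYTES; i += 8) {
        x931_mix_block(&g_output[i]);
        mixed++;
    }
    return mixed;                    /* 4: every block went through mixing */
}

/* Check helper: 1 if the buffer still holds the raw (unmixed) Dual EC bytes. */
static int output_is_raw_dual_ec(void)
{
    for (int i = 0; i < OUT_BYTES; i++)
        if (g_output[i] != (uint8_t)(0xA5 ^ i))
            return 0;
    return 1;
}
```

A compiler warning about a loop whose condition is never true will not fire here, because the condition depends on a global the callee silently changed; a code review rule against globals as loop counters is the practical defense.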

More specifically, there are issues with how IKE was implemented. The impacted version, ScreenOS 6.2 (the version that added Dual EC DRBG), also adds a pre-generation nonce.

Timeline: 1996, Young and Yung propose the attack; 1998, Dual EC DRBG developed at the NSA; 2007, it became a final NIST standard; 2008, Juniper added Dual EC DRBG; it was exploited in 2012 and not discovered until 2015.

Before Dual EC DRBG, people used ANSI X9.31, which had a problem: if you used a fixed K, someone could recover the state and subvert the system.

How do we protect ourselves? We should build protocols that are more resilient to bad RNGs (though that's not what is happening). But maybe protocols are not the issue; maybe it's how we're doing the validation. Look at FortiOS, which had a hard coded key in their devices, used for testing FIPS requirements, and documented it in their security policy.

Thursday, May 18, 2017

ICMC17: Evolving Practice in TLS, VPNs, and Secrets Management

Kenneth White (@KennWhite)

A good quote starts: "There is no difference, from the attacker's point of view, between gross and tiny errors. Both of them are equally exploitable." ... "This lesson is very hard to internalize. In the real world, if you build a bookshelf and forget to tighten one of the screws all the way, it does not burn down your house."

We look for the following in network transport encryption: data exposure, network intercept, credential theft, identity theft, authenticated cipher suites, etc.

We have learned, the hard way, the problem with unauthenticated block modes. If you don't compute the hash correctly, or you compute it in the wrong order, it's useless.

After POODLE, SSLv3 is dead. It's still out there, but as a practical matter, it's gone.

Getting good data on who is impacted by a security vulnerability is hard; even Gartner got this wrong, overestimating who was impacted by FREAK just by counting how many devices still supported SSLv3 (even if they did not actually have the vuln).

Advice going forward: use AEAD!