This document discusses the importance of using more encryption on the Internet to increase privacy and security. It makes the following key points:
1) The Internet has become too easy to monitor as we have built it without sufficient security protections by default. More encryption needs to be implemented across Internet services and protocols to make eavesdropping more difficult.
2) Developers should enable encryption by default for all new Internet protocols. Opportunistic encryption techniques can provide some protections even without full authentication.
3) Individuals can help push for more encryption by requiring encrypted connections when using services and enabling tools like HTTPS Everywhere on their browsers. Transitioning to encrypted connections wherever possible raises the bar for surveillance.
#Morecrypto (with tis) - version 2.2
1. #MoreCrypto
A small step to make it harder
to listen to IP based activity.
V2.2 TLS - oej@edvina.net - slideshare.net/oej - Twitter @oej
Ⓒ Olle E. Johansson, Stockholm, Sweden 2014-2015
This work is licensed under
2015-01-02
2. The problem
We have built an information network
that is too easy to monitor. We simply
trusted everyone too much in a naive way.
Sadly, we can’t do
that any more.
3. #MoreCrypto
The Internet mirrors society
When the Internet was small, there was a select group
of people using it. They felt it was a safe place.
5. #MoreCrypto
The developers set new directions
All new Internet protocols should
have crypto turned on by default.
IAB November 2014
Internet is under attack. We need to
respond.
IETF 2013
7. #MoreCrypto
Changing the Internet
is too hard.
We are not using the
security tools we have in the
way they are meant to be
used today. In some cases, like e-mail and
IP telephony, most of us do not
use any security tools at all.
8. #MoreCrypto
How do we change?
The users must require change. Otherwise,
very few things happen. It is up to you and me.
9. #MoreCrypto
What needs to be done?
A lot of changes need to be made in how we build
services, operate them and use them.
• More crypto
• Easy to use authentication
• Enhanced privacy
• Stronger confidentiality
• …and much more
12. #MoreCrypto
Some encryption
most of the time
“Protocol designs based on Opportunistic Security use encryption
even when authentication is not available, and use authentication
when possible, thereby removing barriers to the widespread use of
encryption on the Internet.”
IETF RFC 7435, Viktor Dukhovni
13. #MoreCrypto
All or nothing?
“Historically, Internet security protocols have emphasized
comprehensive "all or nothing" cryptographic protection against both
passive and active attacks. With each peer, such a protocol achieves
either full protection or else total failure to communicate (hard
fail). As a result, operators often disable these security protocols
when users have difficulty connecting, thereby degrading all
communications to cleartext transmission.”
Full protection … or failure?
Is there an alternative between full protection and failure?
RFC 7435, Viktor Dukhovni
15. #MoreCrypto
TLS is an important tool
TLS
Transport
Layer
Security
TLS provides confidentiality, identity
and integrity to Internet communication.
TLS is used in HTTPS:// web pages, but can also be
used from applications on a computer as well as a cell
phone.
TLS is based on SSL, which was a vendor-specific
technology. TLS is maintained by the IETF and is still
being improved.
The second part
covers this!
18. #MoreCrypto
Why?
More crypto on the Internet raises the cost of listening in to
our information flows and our conversations. It does not solve
all the issues; we have a lot of work ahead of us.
Using more TLS is not very complicated, and TLS can be used in
most applications today.
19. #MoreCrypto
Starting points.
Enable HTTPS for Facebook,
Google and other services
when you can.
Use EFF HTTPS Everywhere
in your web browser.
If you are a sysadmin, enable
TLS and follow new advice on
choice of algorithms.
20. #MoreCrypto
What does TLS give you?
Browser <--- confidential path ---> Server
Other people in the same network (or IT management)
can see where you go (server address), but not what you do.
Example:
Hotel staff can’t see what you write
or read on Facebook.
21. #MoreCrypto
What about VPN tunnelling?
VPN = Virtual private network
Computer <--- confidential path ---> VPN server ---> Web server, Mail server
Example: Other people in the same network (or IT management)
can see that you are using a VPN, but not what you do.
Example: Hotel staff can’t see which web sites you are connecting to.
On the other side of the VPN server your connections
become visible again - unless you are using TLS.
22. #MoreCrypto
The work ahead of us
Require #MoreCrypto! in all of these:
• Mobile apps
• Web
• IP telephony
• E-mail
• Cloud services
• Internet of things
• The digital home
• Chat
• Video services
25. #MoreCrypto
TLS is an important tool
TLS
Transport
Layer
Security
TLS provides confidentiality, identity
and integrity to Internet communication.
TLS is used in HTTPS:// web pages, but can also be
used from applications on a computer as well as a cell
phone.
TLS is based on SSL, which was a vendor-specific
technology. TLS is maintained by the IETF and is still
being improved.
26. #MoreCrypto
Encryption
SYMMETRIC: using the same key for encryption and decryption.
Simple for the CPU, supports streaming data.
ASYMMETRIC: using two different keys for encryption and decryption.
More computations, easier for data blocks.
27. Using a private and a public key
• TLS uses a keypair to set up a secure connection
• The server sends the public key at connection setup
• The client challenges the server to verify that it has the private key
• The server responds to the challenge using the server private key
• Now the client knows that the server has the private key that matches the public key
28. TLS usage
• TLS is used for
• authentication of servers and clients
• initiating encryption of a session
• digital signatures on messages to ensure integrity and provide authentication
Authentication: Who are you? Prove it!
Encryption: Providing confidentiality
Integrity: Making sure that the receiver gets what the sender sent
29. #MoreCrypto
Crypto
TLS is a framework for crypto: key exchange, algorithm, checksums.
Protocol stack:
TLS & DTLS
TCP or UDP
IP, Internet Protocol - v4 & v6
30. #MoreCrypto
Who’s there, really?
Protocol stack: TLS & DTLS over TCP or UDP over IP, Internet Protocol - v4 & v6
On each side of the connection a real ID (person, phone, server, organization)
is bound to a digital ID, either through a PKI (certificate infrastructure)
or through bare keys and certs in DNSsec.
31. Adding a certificate
to the mix
• A certificate is nothing more complicated than a
passport or an ID card
• It contains the public key and some administrative
data
• And is signed (electronically) by someone you
might trust ... or not.
• This is part of the complex structure called PKI,
which you might want or just disregard
• A PKI is not needed to get encryption for the
signalling path!
• You can however use a PKI to only set up
connections that you trust
32. The PKIX certificate
• A PKIX certificate is the standardised way to bind a public key to an identity
• The certificate is issued and signed by a Certification Authority (CA)
• A PKIX (also called X.509v3) certificate is an electronic document with a specific layout
• Standard: documented in the IETF PKIX RFCs
Fields: Version, Serial number, Issuer identity, Validity period, User identity, Public key, Extension fields
33. X.509v3 contents
• Version number
• Certificate serial number (used for validation)
• Identity of the issuer
• Validity period
• Identity of the public key owner
• Public key
• Extension fields
• A digital signature, created by the issuer
(Screenshot: Internet Explorer Certificate Manager)
34. Example: SIP certificates
• SubjectAltName contains a list of
identities that are valid for this
certificate - SIP domains
• RFC 5922 outlines a SIP event package
to distribute and manage certificates
• The domain cert is used to sign the
NOTIFY payload
TLS is more than the
world wide web!
35. x.509 cert for SIP
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:08:00:79:00:15:00:43
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit, OU=SipitTest Certificate Authority
Validity
Not Before: Sep 16 17:17:00 2009 GMT
Not After : Sep 15 17:17:00 2012 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit, CN=tls6.test.sipit.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a7:96:65:6e:b6:ba:3a:48:a1:bd:a3:ae:21:dc:
a8:92:97:3c:43:ea:24:e6:9f:93:2f:61:7e:d3:2d:
30:1e:21:42:b9:d6:59:87:f1:b1:f8:c8:39:8e:43:
64:9a:31:2c:18:3d:cd:d8:03:64:bb:14:38:44:05:
20:30:d8:e1:db:a7:4d:c3:47:a2:49:73:d1:10:ed:
2f:cf:74:26:57:91:64:af:b0:f2:5d:3f:88:9f:df:
65:6c:ba:65:3f:66:99:52:6b:20:d2:0e:e3:65:18:
b1:8e:3d:ca:f2:4a:45:c5:4d:85:ef:82:54:f8:54:
54:db:96:90:9b:c5:1b:2a:1e:60:3c:43:71:55:60:
30:93:8f:fd:d8:d9:3d:a1:32:e3:56:4b:e2:73:b6:
cc:18:93:8a:d8:8b:68:81:c7:fd:cd:d5:dc:4c:a2:
86:61:9f:ad:d0:b1:d3:3c:4c:6c:07:54:b2:43:b4:
a7:0a:0a:f2:e3:6d:12:43:16:70:63:c9:e9:1a:78:
66:9d:ee:30:94:7b:ab:f2:e9:67:4a:66:6d:8c:ed:
a8:a4:98:51:77:0b:a7:60:55:73:85:87:4a:57:6b:
24:fe:27:00:02:79:70:da:5a:45:ad:aa:3d:d5:40:
5b:5c:85:63:93:56:af:c7:e8:e3:b6:1a:25:b6:a2:
2d:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:test.sipit.net, DNS:tls6.test.sipit.net, URI:sip:tls6.test.sipit.net
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
27:F7:A9:96:F5:B2:8F:0B:5E:A9:C7:F5:0F:AC:3D:AB:3D:8D:F0:30
Signature Algorithm: sha1WithRSAEncryption
1a:fe:1f:af:86:99:82:e5:14:97:8d:64:9a:d1:5c:ea:6c:96:
f5:c6:0c:7d:20:5f:4e:70:05:24:3a:de:b5:b9:cf:66:8d:4c:
74:d5:6a:a9:52:74:17:bc:b4:79:a0:58:32:78:a9:70:7c:6a:
15:ac:07:29:77:13:06:55:53:3f:0b:4c:3d:da:55:6e:ad:74:
56:01:55:c8:4c:19:8d:06:0b:f3:4c:04:d5:9a:6f:44:ad:7a:
fd:3b:aa:e8:4b:84:6e:f1:c4:34:f4:a0:6a:f6:81:ae:74:b4:
46:6e:b9:2f:a6:59:f1:02:e9:58:7c:a1:8d:08:31:2b:39:ee:
eb:7e
Subject: C=US, ST=California, L=San Jose, O=sipit, CN=tls6.test.sipit.net
X509v3 Subject Alternative Name:
DNS:test.sipit.net, DNS:tls6.test.sipit.net, URI:sip:tls6.test.sipit.net
Notice the URI in the certificate!
36. Process for a server
1. Generate keys
2. Pack public key in CSR
3. Send CSR to CA
4. CA validation process
5. CA issues certificate
6. Install cert in server with private key
The private key should never leave your hands.
38. Checking the cert
Get cert. Ask CA if cert is valid. If revoked, close connection; otherwise continue.
Way too slow… (In SIP we measure milliseconds at call setup.)
39. OCSP stapling
Get cert. Get certificate validity statement, signed by CA. Continue.
The signed validity statement needs to be refreshed by the server.
40. Protocol specifics
• Given a protocol request - how do we match the request address to a certificate?
• SIP URI, e-mail address, HTTPS
• Make sure this validation happens when a secure connection is requested.
Examples: sip:oej@namn.se, https://edvina.se, mailto:info@iis.se, your protocol
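The matching step the slide asks for, as an added example that is not code from the presentation: given the address a request was made to (SIP URI, HTTPS URL or mailto address), decide whether a certificate's Subject Alternative Name covers it. SIPIT_SAN is transcribed from the sipit certificate shown earlier; MAIL_SAN is constructed. The rules are a simplified reading of RFC 5922 (SIP domain identities), RFC 6125 (HTTPS) and RFC 5280 (rfc822Name): exact, case-insensitive comparison, no wildcards, no fallback to the Subject CN.

```python
"""Identity matching for a TLS server certificate: does the SAN cover the
address we asked for? Added example; SAN lists are transcribed/constructed."""
from urllib.parse import urlsplit

# SAN entries of tls6.test.sipit.net as printed on the slide: (type, value)
SIPIT_SAN = [
    ("DNS", "test.sipit.net"),
    ("DNS", "tls6.test.sipit.net"),
    ("URI", "sip:tls6.test.sipit.net"),
]

# Constructed SAN for a mail server, to show rfc822Name matching
MAIL_SAN = [("DNS", "mail.example.net"), ("email", "info@iis.se")]


def sip_host(uri):
    """Host part of sip:[user@]host[:port][;params], lower-cased (IPv6 literals not handled)."""
    rest = uri.split(":", 1)[1]           # drop the scheme
    rest = rest.split(";", 1)[0]          # drop URI parameters
    if "@" in rest:
        rest = rest.rsplit("@", 1)[1]     # drop the user part
    return rest.split(":", 1)[0].lower()  # drop the port


def sip_domain_identities(san):
    """RFC 5922 sec. 7.1: sip:/sips: URIs without a user part, plus dNSName entries."""
    ids = set()
    for kind, value in san:
        if kind == "DNS":
            ids.add(value.lower())
        elif kind == "URI" and value.lower().startswith(("sip:", "sips:")) and "@" not in value:
            ids.add(sip_host(value))
    return ids


def matches_sip(san, request_uri):
    """The domain of the request URI must be one of the certificate's SIP domain identities."""
    return sip_host(request_uri) in sip_domain_identities(san)


def matches_https(san, url):
    """RFC 6125 style: the URL host must equal a dNSName entry."""
    host = (urlsplit(url).hostname or "").lower()
    return any(kind == "DNS" and value.lower() == host for kind, value in san)


def matches_mailto(san, mailto_uri):
    """The whole address must appear as an rfc822Name; the domain alone is not enough."""
    addr = mailto_uri.split(":", 1)[1].lower()
    return any(kind == "email" and value.lower() == addr for kind, value in san)


def identity_matches(san, request):
    """Dispatch on the scheme of the request address; unknown schemes are an error, not a pass."""
    scheme = request.split(":", 1)[0].lower()
    if scheme in ("sip", "sips"):
        return matches_sip(san, request)
    if scheme == "https":
        return matches_https(san, request)
    if scheme == "mailto":
        return matches_mailto(san, request)
    raise ValueError(f"no matching rule for scheme {scheme!r}")
```

Note that the sipit certificate matches a request to sip:alice@tls6.test.sipit.net (the domain is what is being validated) but not sip:oej@namn.se, and that for mail the rfc822Name has to carry the full address.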
41. #MoreCrypto
TLS and SSL
SSL v1.0 - 2.0: Created by Netscape Communications. Deemed insecure.
SSL v3.0: Last version. No support for extensions and not for modern crypto algorithms. Deemed insecure.
TLS 1.x: Open standard defined by the IETF. Keeps being updated.
It’s time to try to stop using SSL.
42. Issues
• Certificate can validate correctly with the CA store, but still be the wrong certificate.
• Certificate private key can be copied and certificate revoked.
• DNS was spoofed, so we reached the wrong service.
• Something new and even more scary than Heartbleed and Poodle…
43. Man in the middle
• How do we prevent and discover TLS proxies?
• Quite commonly used
(Diagram: Client <-> MITM <-> Server)
44. #MoreCrypto
Certificate fingerprint pinning
Certificates have a fingerprint, a checksum of the cert and key.
Embed last, current and next certificate fingerprint in the code.
Verify that you are talking with the expected server.
TLS verification may work with a bad server cert too.
(Diagram: Client <-> MITM <-> Server, versus Client <-> Server)
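Pinning as the slide describes it, as an added example that is not code from the presentation: the client embeds the fingerprints of the last, current and next certificate and refuses the connection if the peer's certificate is not among them, on top of ordinary CA validation. The certificate bytes are constructed placeholders; a real client pins the output of `openssl x509 -noout -fingerprint -sha256` and checks the DER bytes from `getpeercert(binary_form=True)`.

```python
"""Certificate fingerprint pinning on top of CA validation. Added example;
the certificate byte strings are constructed placeholders, not real DER."""
import hashlib
import socket
import ssl


def fingerprint(der_cert):
    """SHA-256 over the DER encoding, as hex (what openssl -sha256 prints, minus colons)."""
    return hashlib.sha256(der_cert).hexdigest()


class PinMismatch(Exception):
    """The peer presented a certificate whose fingerprint is not pinned."""


def check_pin(der_cert, pins):
    """Hard failure on mismatch: a pin does not warn, it refuses the connection."""
    fp = fingerprint(der_cert)
    if fp not in pins:
        raise PinMismatch(f"fingerprint {fp[:16]}... is not in the pinned set")
    return fp


def pin_accepts(der_cert, pins):
    """Boolean form of check_pin, for callers that want to decide what to do."""
    try:
        check_pin(der_cert, pins)
        return True
    except PinMismatch:
        return False


def connect_pinned(host, port, pins, timeout=5.0):
    """TLS client that enforces the pin after CA and hostname validation.
    A proxy certificate that some CA in the store vouches for still fails here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            check_pin(tls.getpeercert(binary_form=True), pins)
            return tls.version()


# Constructed placeholders (not real certificates): last, current, next, and a proxy's cert
LAST_CERT = b"constructed-der:edvina.se:2013"
CURRENT_CERT = b"constructed-der:edvina.se:2014"
NEXT_CERT = b"constructed-der:edvina.se:2015"
PROXY_CERT = b"constructed-der:tls-proxy:2014"

# Embedded in the client: three fingerprints, so a planned rotation does not lock users out
PINS = {fingerprint(c) for c in (LAST_CERT, CURRENT_CERT, NEXT_CERT)}
```

The three-pin set is what makes rotation survivable: the "next" certificate can be installed on the server before the client update that would otherwise be needed ships.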
45. #MoreCrypto
Trust on first use
Save certificate fingerprint on first connection.
If another certificate shows up, warn the user.
Don’t block, the first connection could be bad.
Certificates get updated, so save expiry time and accept new.
(Diagram: Client <-> MITM <-> Server, versus Client <-> Server)
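The trust-on-first-use policy above, as an added example that is not code from the presentation: remember the fingerprint and expiry of the first certificate seen for a host, warn (do not block) when a different one shows up, and accept the new one quietly once the remembered one has expired. The store is an in-memory dict here (a real client persists it); certificates are constructed byte strings and not_after is a Unix timestamp, which a client gets with `ssl.cert_time_to_seconds(sock.getpeercert()['notAfter'])`.

```python
"""Trust on first use for TLS certificates. Added example; certificates are
constructed placeholders and the store is not persisted."""
import hashlib
import time


def fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    FIRST_USE, MATCH, RENEWED, CHANGED = "first-use", "match", "renewed", "changed"

    def __init__(self):
        self._seen = {}   # host -> (fingerprint, not_after)

    def observe(self, host, der_cert, not_after, now=None):
        """Record or compare the certificate presented by host; returns the verdict."""
        now = time.time() if now is None else now
        fp = fingerprint(der_cert)
        entry = self._seen.get(host)
        if entry is None:
            self._seen[host] = (fp, not_after)
            return self.FIRST_USE
        old_fp, old_not_after = entry
        if fp == old_fp:
            return self.MATCH
        if now >= old_not_after:
            # the remembered certificate has expired: a new one is expected, accept it
            self._seen[host] = (fp, not_after)
            return self.RENEWED
        # unexpected change while the old certificate is still valid: warn the user
        # but do not block, since the first connection might have been the bad one;
        # keep the old entry so the warning repeats until the user decides
        return self.CHANGED

    def remembered(self, host):
        return self._seen.get(host)


# Constructed placeholders for two consecutive certificates of one host
CERT_2014 = b"constructed-der:edvina.se:2014"
CERT_2015 = b"constructed-der:edvina.se:2015"
```

The asymmetry with pinning is the point: a pin fails closed, TOFU only fails loudly, because it has no way to know whether the first or the second certificate was the wrong one.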
46. #MoreCrypto
DANE - using DNSsec
Save cert in DNS, signed by DNSsec.
If another certificate shows up, do not continue. Disconnect.
Certificates that have expired or were revoked have no NS records.
(Diagram: Client <-> MITM <-> Server, versus Client <-> Server; the client first sends a DNS query, then opens the TLS connection)
47. DANE step by step
1. I want to speak with edvina.net using http.
2. Query DNS for a public key, fingerprint or certificate.
3. If response is validated using DNSsec, trust it for verification.
4. Connect and get cert from server.
5. CA: Make sure cert is from the CA in DNS, verify as before.
5. Key/fingerprint: Make sure the cert or key given by the server matches.
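Steps 2 to 5 of the procedure above, as an added example that is not code from the presentation, written against the TLSA record format of RFC 6698: a record is only used if the resolver validated it with DNSsec, then the record's usage decides whether the server's own certificate (step 5, key/fingerprint) or an issuing CA (step 5, CA) has to match, and usages 0 and 1 additionally require the usual CA validation to have passed. Certificates and SPKI blobs are constructed placeholders, and the DNSsec step is represented by the dnssec_validated flag a validating resolver would report (the AD bit).

```python
"""DANE verification of a TLS server chain against TLSA records. Added example;
certificates, keys and records are constructed placeholders."""
import hashlib
from dataclasses import dataclass

# TLSA field values (RFC 6698 sec. 2.1)
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes
    dnssec_validated: bool   # step 3: only a DNSsec-validated answer may be trusted


def tlsa_matches(record, cert_der, spki_der):
    """Apply selector and matching type to one certificate and compare with the record."""
    blob = cert_der if record.selector == SELECTOR_FULL_CERT else spki_der
    if record.matching == MATCH_EXACT:
        digest = blob
    elif record.matching == MATCH_SHA256:
        digest = hashlib.sha256(blob).digest()
    elif record.matching == MATCH_SHA512:
        digest = hashlib.sha512(blob).digest()
    else:
        return False   # unknown matching type: the record is unusable, never a match
    return digest == record.data


def dane_verify(records, chain, pkix_ok):
    """chain: list of (cert_der, spki_der), end-entity first, then its issuers.
    pkix_ok: result of the usual CA validation ("verify as before").
    Returns 'accept', 'reject' or 'no-dane'."""
    usable = [r for r in records if r.dnssec_validated]
    if not usable:
        return "no-dane"          # unsigned answer: cannot be used as an anchor
    end_entity, issuers = chain[0], chain[1:]
    for r in usable:
        if r.usage in (USAGE_PKIX_TA, USAGE_PKIX_EE) and not pkix_ok:
            continue              # usages 0 and 1 also require CA validation to pass
        if r.usage in (USAGE_PKIX_EE, USAGE_DANE_EE):
            candidates = [end_entity]   # step 5, key/fingerprint: the server's own cert must match
        else:
            candidates = issuers        # step 5, CA: an issuing CA in the chain must match
        if any(tlsa_matches(r, c, s) for c, s in candidates):
            return "accept"
    return "reject"               # another certificate showed up: do not continue, disconnect


# Constructed placeholders standing in for DER certificates and SubjectPublicKeyInfo blobs
SERVER_CERT, SERVER_SPKI = b"constructed-der:edvina.net", b"constructed-spki:edvina.net"
CA_CERT, CA_SPKI = b"constructed-der:example-ca", b"constructed-spki:example-ca"
PROXY_CERT, PROXY_SPKI = b"constructed-der:tls-proxy", b"constructed-spki:tls-proxy"
CHAIN = [(SERVER_CERT, SERVER_SPKI), (CA_CERT, CA_SPKI)]
PROXY_CHAIN = [(PROXY_CERT, PROXY_SPKI), (CA_CERT, CA_SPKI)]

# Records the zone could publish under _443._tcp.edvina.net (data shown as it would be computed)
DANE_EE_RECORD = TLSA(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, hashlib.sha256(SERVER_SPKI).digest(), True)
DANE_TA_RECORD = TLSA(USAGE_DANE_TA, SELECTOR_FULL_CERT, MATCH_SHA512, hashlib.sha512(CA_CERT).digest(), True)
PKIX_EE_RECORD = TLSA(USAGE_PKIX_EE, SELECTOR_FULL_CERT, MATCH_EXACT, SERVER_CERT, True)
UNSIGNED_RECORD = TLSA(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, DANE_EE_RECORD.data, False)
```

With a usage-3 record the server is accepted even when CA validation fails (the record is the anchor); with usage 1 a valid CA chain is still required, and a proxy certificate that a CA vouches for is rejected in both cases because its key is not the one in DNS.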
48. ?
User specifics
• Which CAs do we trust?
• How do we check validity of certificate, even if we trust the CA?
• Do we have time for validation?
49. Toward new solutions
• Anchoring the certificate in DNS
• Validating the certificate in DNS
• No certificate - bare keys
• Opportunistic Security with TLS
DNSsec
50. Heartbleed
• Programming error in OpenSSL
• OpenSSL is used in too many places
• Opened up for private key distribution and a lot of other in-memory data.
51. Security is a process
• There will be other issues with TLS libraries, protocols and implementations
• Surviving these is better than having no security, integrity, privacy or confidentiality
56. Advice:
• Use encrypted communication with TLS and DTLS by default
• Authenticated sessions are more secure than non-authenticated
• If you really need confidentiality, check ciphers and checksum algorithms
#MoreCrypto
57. #MoreCrypto
The new solution
Opportunistic security
Separate identity and confidentiality.
Some network sessions are better without identity (OTR).
Make it harder to listen in.
Always try crypto - regardless of whether the certificate validates.
Never show a lock to the user for opportunistic crypto 🔒
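The advice of slides 41, 56 and 57 as one client-side configuration, added here as an example that is not code from the presentation and uses only Python's ssl module: SSL is never offered, TLS 1.2 is the floor, the TLS 1.2 cipher list is restricted to forward-secret AEAD suites (one reasonable choice, not the author's), and the context comes in two modes: authenticated (CA and hostname validation, lock shown) and opportunistic (still encrypt when the certificate does not validate, never show a lock).

```python
"""Authenticated versus opportunistic TLS client contexts. Added example built
on Python's ssl module; the cipher string is one possible choice."""
import ssl

AUTHENTICATED, OPPORTUNISTIC = "authenticated", "opportunistic"


def build_context(mode):
    ctx = ssl.create_default_context()          # SSLv2/v3 are already disabled here
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no TLS 1.0/1.1 either
    # TLS 1.2: only ECDHE (forward secrecy) with AEAD ciphers; TLS 1.3 suites are configured
    # separately by OpenSSL and keep their defaults
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    if mode == OPPORTUNISTIC:
        # still encrypt, but do not fail on a self-signed or otherwise unvalidated certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif mode != AUTHENTICATED:
        raise ValueError(f"unknown mode {mode!r}")
    return ctx


def lock_indicator(mode):
    """Show the lock only for authenticated sessions: opportunistic crypto gives
    confidentiality against passive listeners, not identity."""
    return "🔒" if mode == AUTHENTICATED else ""


def session_security(ctx):
    """What a session over ctx guarantees: confidentiality always, identity only
    when the certificate and the hostname are actually checked."""
    authenticated = ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return {"confidentiality": True, "identity": authenticated}


def describe(ctx):
    """Plain-data summary of a context, handy for logging and for checking the policy."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "tls12_ciphers": [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"],
    }
```

`session_security` is the piece a UI should consult: the opportunistic context encrypts exactly like the authenticated one on the wire, and the only thing that must differ is what the user is told.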
58. #MoreCrypto
To-do list
1. New projects: Always build secure platforms. Encrypt all communication.
2. Users: Use EFF HTTPS Everywhere, require TLS sessions. Ask web site owners.
3. When buying new services/products: Require use of TLS/DTLS. You will help us developers.
61. Join us!
• IETF peerpass mailing list, UTA working group and more.
• Hashtag #MoreCrypto
• http://internetsociety.org
62. Feedback?
• Feedback and suggestions for improvements to this presentation are more than welcome! Send to oej@edvina.net!
• Feel free to use this presentation yourself - notice the Creative Commons license on this presentation!
• Please tell me if you use it! It’s always fun to know.
#MoreCrypto
Author: oej@edvina.net - slideshare.net/oej
Ⓒ Olle E. Johansson, Stockholm, Sweden 2014-2015.
This work is licensed under
Olle E. Johansson