coniks
play

CONIKS BRINGING KEY TRANSPARENCY TO END USERS Marcela Melara - PowerPoint PPT Presentation

Dec 16, 2022 •246 likes •516 views

CONIKS BRINGING KEY TRANSPARENCY TO END USERS Marcela Melara Aaron Blankstein, Joseph Bonneau*, Edward W. Felten, Michael J. Freedman Princeton University, *Stanford University/EFF E2E Encrypted Communication Today Users growing demand

  1. CONIKS BRINGING KEY TRANSPARENCY TO END USERS Marcela Melara Aaron Blankstein, Joseph Bonneau*, Edward W. Felten, Michael J. Freedman Princeton University, *Stanford University/EFF

  2. E2E Encrypted Communication Today • Users’ growing demand for E2E secure communication • Known problem: Key management is difficult for users

  3. Unsolved: How do users establish trust? • Trust establishment = Learn & verify the other party’s key • Goal: Establish secure communication channel

  4. Out-of-Band Trust Est. = Unintuitive Bob, is DEF123 your public key? Alice, what’s a public key? Alice ¡ Bob ¡ Requires users to reason about encryption/keys à unintuitive, error-prone!

  5. Trust Est. by the Provider – Better? • Clients query provider for others’ keys • Users don’t worry about or see keys • Caveat: Users must trust provider unconditionally

  6. Malicious Provider can Equivocate Secure ¡ Messaging ¡ Provider ¡ This isn’t alice’s alice’s Register 1 ¡ 2 ¡ real key! key: PK’ A (alice à PK A ) Client ¡ Client ¡ A ¡ B ¡ Alice ¡ Bob ¡ Equivocation = Presenting diverging views to different clients.

  7. Pros/Cons of Existing Trust Establishment Users verify keys Providers establish trust out of band for users ✔ ✖ Security ✖ ✔ Usability Challenge: How can we get the best of both worlds?

  8. Ideal Trust Establishment Properties 1. Security against equivocation attacks 2. Automation: Users don’t worry about trust establishment

  9. Existing Approach: Verifying Correctness • Correctness = Expected real-world person controls online name- to-public key binding • Problem: Requires out-of-band communication

  10. Our Approach: Verifying Consistency • Consistency = Alice’s key today = Alice’s key yesterday 1. Alice’s key seen by Alice = Alice’s key seen by everyone else 2. • Benefit: Can be enforced via crypto à Providers manage consistent keys à Automation

  11. Solution: CONIKS • Automated trust establishment with untrusted providers • Clients verify consistency of bindings • Goal: Make provider equivocation easily detectable

  12. CONIKS – Registering a Key Iden:ty ¡Provider ¡ ¡ Register (alice à PK A ) Client ¡ Client ¡ A ¡ B ¡ Alice ¡ Bob ¡

  13. CONIKS – Learning a User’s Key Iden:ty ¡Provider ¡ Public key for 2 ¡ alice: PK A 1 ¡ Verify consistency of PK A Client ¡ Client ¡ A ¡ B ¡ 3 ¡ Alice ¡ Bob ¡ Encrypt msg using PK A

  14. Strawman Consistency Checks: Verify All Bindings Iden:ty ¡Provider ¡ Unexpected ¡Changes ¡Checks ¡ O(N) ¡storage ¡per ¡client ¡ Client ¡ ¡ Client ¡ ¡ Client ¡ ¡ Client ¡ N ¡= ¡4 ¡ A ¡ C ¡ B ¡ D ¡ Consistent ¡View ¡Checks ¡ ¡ O(N 2 ) ¡downloads ¡per ¡client ¡

  15. CONIKS: Efficient Checks thru “Summaries” root t ¡ • Providers generate directory “summaries” H(child 0 ) ¡ H(child 1 ) ¡ à Clients don’t verify all bindings H(child 0 ) ¡ H(child 1 ) ¡ H(child 0 ) ¡ H(child 1 ) ¡ • Bindings stored in Merkle prefix trees à Tree root = Summary of all bindings emily’s john’s bob’s alice’s ¡ à Tamper-evident directory binding ¡ binding ¡ binding binding ¡ • Non-repudiation: Signed tree root (STR) à Undeniable statement about tree contents

  16. CONIKS – Main Security Properties No Unexpected Key Changes: Expected Bindings 1. included in Signed tree root Non-equivocation = All clients see the same STR 2.

  17. 1. Expected Bindings incl. in STR – Auth Paths • Why? Evidence for fake keys root t ¡ H(child 0 ) ¡ H(child 1 ) ¡ • How? Authentication path = proof of inclusion à Pruned Merkle tree from binding to root H(child 0 ) ¡ H(child 1 ) ¡ • Verification: recomputed root = STR à O(log n) for tree with n bindings alice’s ¡ binding ¡

  18. 1. Checking Inclusion – Verify Auth Path Iden:ty ¡Provider ¡ ¡ PK A + Auth Signed + 2 ¡ Important: Clients also regularly Path Tree Root monitor their own user’s binding. Lookup PK 1 ¡ for alice Client ¡ Client ¡ A ¡ B ¡ 3 ¡ Compare PKA to previous version, Bob ¡ verify auth path, Alice ¡ Verify STR signature

  19. 2. Non-Equivocation – STR History S 0 ¡ S t-­‑1 ¡ S t ¡ Sig(S 0 ) ¡ Sig(S t-­‑1 ) ¡ Sig(S t ) ¡ … ¡ H(seed) ¡ root 0 ¡ H(S t-­‑2 ) ¡ root t-­‑1 ¡ H(S t-­‑1 ) ¡ root t ¡ root t ¡ • Why? Detect provider attempt to MITM H(child 0 ) ¡ H(child 1 ) ¡ • How? Building verifiable STR history H(child 0 ) ¡ H(child 1 ) ¡ H(child 0 ) ¡ H(child 1 ) ¡ • Hash chain à commitment to all STRs i john : ¡john’s ¡ i bob : ¡bob’s ¡ i emily : ¡emily’s ¡ ¡ i alice : ¡alice’s ¡ binding ¡ binding ¡ binding ¡ binding ¡ • Verification: previous STR is incl. in next STR

  20. 2. Non-Equivocation – Clients see same STRs • Checking hash chain not enough: S t-­‑1 ¡ S t ¡ Sig(S t-­‑1 ) ¡ Sig(S t ) ¡ Client ¡ A ¡ H(S t-­‑2 ) ¡ root t-­‑1 ¡ H(S t-­‑1 ) ¡ root t ¡ S 0 ¡ Sig(S 0 ) ¡ … ¡ S’ t-­‑1 ¡ S’ t ¡ H(seed) ¡ root 0 ¡ Sig(S’ t-­‑1 ) ¡ Sig(S’ t ) ¡ Client ¡ B ¡ H(S t-­‑2 ) ¡ root’ t-­‑1 ¡ H(S’ t-­‑1 ) ¡ root’ t ¡

  21. 2. Checking Non-Equivocation – Cross-Verification 1 ¡ Verify hash chain Verify hash chain 1 ¡ S t ¡ S t ¡ Sig(S t ) ¡ Sig(S t ) ¡ H(S t-­‑1 ) ¡ root t ¡ H(S t-­‑1 ) ¡ root t ¡ Iden:ty ¡Provider ¡ ¡ Iden:ty ¡Provider ¡ ¡ Iden:ty ¡Provider ¡ ¡ S t ¡ S t ¡ Sig(S t ) ¡ 3 ¡ S t ¡ H(S t-­‑1 ) ¡ root t ¡ Sig(S t ) ¡ 2 ¡ Sig(S t ) ¡ H(S t-­‑1 ) ¡ root t ¡ 2 ¡ H(S t-­‑1 ) ¡ root t ¡ Client ¡ Client ¡ A ¡ B ¡ 3 ¡ Verify hash chain Alice ¡ Bob ¡ Compare different views 4 ¡

  22. Privacy Challenges in CONIKS Don’t want to publish list of usernames 1. Don’t want to publish PKs associated with names 2. Don’t want to expose total # of users 3. à Addressed through practical crypto tricks!

  23. Main Performance Questions • Does our server design scale to the size of a typical user base (thousands – billions)? • Are CONIKS consistency checks efficient enough to run on today’s mobile devices? • Does CONIKS integrate well with existing E2E services?

  24. CONIKS’ Performance is Practical! • Server scales to tens of millions of users on single machine Inserting 1K new bindings into 10M-user tree: 2.6ms • • Client consistency checks need little bandwidth/storage Max. bandwidth requirements < 20kB per day • Proof of concept: Integration with Pidgin OTR plug-in •

  25. Conclusion • Main idea: Users should not have to manage keys, but service providers should not be trusted either. • CONIKS: Security through consistency à more practical • Yahoo & Google adopting CONIKS in their E2E systems

  26. Q&A More Info: Website: www.coniks.org Ref. Implementation: github.com/coniks-sys We thank: Yan Zhu (Yahoo) Gary Belvin (Google) Trevor Perrin (TextSecure) David Gil (formerly Yahoo)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara The problem of the PKI (Public key

CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara The problem of the PKI (Public key

[USENIX Security 15, Marcela S. Melara, Aaron Blankstein, Joseph Bonneau, Edward W. Felten, Michael J. Freedman] CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara The problem of the PKI (Public key infrastructure) A long

918 views • 59 slides
CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara Any scriber for today? Sign up

CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara Any scriber for today? Sign up

CONIKS (KEY TRANSPARENCY) Slides adapted from Marcela Melara Any scriber for today? Sign up for presentations or scribers The problem of the PKI (Public key infrastructure) A long standing problem has been to distribute public keys

1.5k views • 77 slides
Schematizing Trust in Named Data Networking Yingdi Yu 1 , Alex Afanasyev 1 , David Clark 2 , kc

Schematizing Trust in Named Data Networking Yingdi Yu 1 , Alex Afanasyev 1 , David Clark 2 , kc

Schematizing Trust in Named Data Networking Yingdi Yu 1 , Alex Afanasyev 1 , David Clark 2 , kc claffy 3 , Van Jacobson 1 , Lixia Zhang 1 1. UCLA 2. MIT 3. CAIDA 1 Motivation Usability is critical to security solutions

259 views • 22 slides
TRUST @ANDY_PAVLO Thirty Years Ago 2 I NTERACTIVE T RANSACTIONS S MALL # OF CPU C ORES S MALL

TRUST @ANDY_PAVLO Thirty Years Ago 2 I NTERACTIVE T RANSACTIONS S MALL # OF CPU C ORES S MALL

MY DATABASE SYSTEM IS THE ONLY THING I CAN TRUST @ANDY_PAVLO Thirty Years Ago 2 I NTERACTIVE T RANSACTIONS S MALL # OF CPU C ORES S MALL M EMORY S IZES TPC-C BENCHMARK APPLICATION NewOrder Transaction 4 TPC-C BENCHMARK 20,000 MySQL

1.12k views • 63 slides
Web Spam, Propaganda and Trust P. Takis Metaxas Computer Science Department Wellesley College

Web Spam, Propaganda and Trust P. Takis Metaxas Computer Science Department Wellesley College

Web Spam, Propaganda and Trust P. Takis Metaxas Computer Science Department Wellesley College Joint work with Joe DeStefano Outline of the Talk The Web and its Spam A Short History of the Search Engines

460 views • 27 slides
Building an Evidence Based Practices Culture 5 TH ANNUAL APPALACHIAN HIGHER EDUCATION NETWORK

Building an Evidence Based Practices Culture 5 TH ANNUAL APPALACHIAN HIGHER EDUCATION NETWORK

Building an Evidence Based Practices Culture 5 TH ANNUAL APPALACHIAN HIGHER EDUCATION NETWORK CONFERENCE DR. SHAWN M. BERGMAN JENNIFER WILSONKEARSE Who are these people? Evidencebased decisionmaking Barends, E., Rousseau, D.M.,

535 views • 41 slides
CORPORATE OFFICE PROPERTIES TRUST Results for 2Q 2020 July 30, 2020 The Preferred Provider of

CORPORATE OFFICE PROPERTIES TRUST Results for 2Q 2020 July 30, 2020 The Preferred Provider of

CORPORATE OFFICE PROPERTIES TRUST Results for 2Q 2020 July 30, 2020 The Preferred Provider of Mission Critical Real Estate Solutions Table of Contents Results for 2Q 2020............................Page 3 Safe Harbor I. Unless otherwise

512 views • 40 slides
Who Do You Trust? Linda Rising linda@lindarising.org www.lindarising.org @RisingLinda Museum

Who Do You Trust? Linda Rising linda@lindarising.org www.lindarising.org @RisingLinda Museum

Who Do You Trust? Linda Rising linda@lindarising.org www.lindarising.org @RisingLinda Museum of Tolerance Robbers Cave Experiment Muzafer Sherif et al, U of OK, 1954 22 12-year-old boys in two balanced groups Similar backgrounds: same

481 views • 30 slides
1 Building Trust with Employers Grantee Team Meeting #1 Instructions for Team Meetings Tips from

1 Building Trust with Employers Grantee Team Meeting #1 Instructions for Team Meetings Tips from

Introductory Question Roundtable Ground Rules Punctuality Be on time for ALL sessions! Complete this sentence: My role in an HPOG program Fully Engage No smartphone/email checking during sessions! sometimes feels like.. You

327 views • 5 slides
HTCondor S r Securi rity: Philosophy a and Administra ration C Changes FEARLESS SCIENCE

HTCondor S r Securi rity: Philosophy a and Administra ration C Changes FEARLESS SCIENCE

HTCondor S r Securi rity: Philosophy a and Administra ration C Changes FEARLESS SCIENCE Forg rget w what y you k know about H HTCondor s r securi rity. We c changed i it FEARLESS SCIENCE Establishing a secure pool

519 views • 28 slides
TPM Meets DRE: Reducing the Trust Base for Electronic Voting Using Trusted Platform Modules

TPM Meets DRE: Reducing the Trust Base for Electronic Voting Using Trusted Platform Modules

TPM Meets DRE: Reducing the Trust Base for Electronic Voting Using Trusted Platform Modules Russell A. Fink, Alan T. Sherman, and Richard Carback Direct Recording Electronic (DRE) Higher usability compared to paper ballot Multi-language

299 views • 15 slides
Genomic Health Evaluation of Genomic Health Evaluation of Corona Charged Aerosol Detection

Genomic Health Evaluation of Genomic Health Evaluation of Corona Charged Aerosol Detection

Genomic Health Evaluation of Genomic Health Evaluation of Corona Charged Aerosol Detection Corona Charged Aerosol Detection Comparing Tryptic Digest with UV and CAD Chris Crafts Chris Crafts 06/22/11 Sample Preparation and Overview A

102 views • 9 slides
The Foundations of Personalized Medicine Jeremy M. Berg Pittsburgh Foundation Professor and

The Foundations of Personalized Medicine Jeremy M. Berg Pittsburgh Foundation Professor and

The Foundations of Personalized Medicine Jeremy M. Berg Pittsburgh Foundation Professor and Director, Institute for Personalized Medicine University of Pittsburgh Personalized Medicine Physicians have treated patients based on their

624 views • 39 slides
High-throughput molecular dynamics simulation and Markov modeling Frank No (FU Berlin)

High-throughput molecular dynamics simulation and Markov modeling Frank No (FU Berlin)

High-throughput molecular dynamics simulation and Markov modeling Frank No (FU Berlin) frank.noe@fu-berlin.de Molecular dynamics Molecular dynamics are stochastic Single trajectories are usually not representative

398 views • 29 slides
Limi$ng the Number of Poten$al Binding Modes by Introducing

Limi$ng the Number of Poten$al Binding Modes by Introducing

Limi$ng the Number of Poten$al Binding Modes by Introducing Symmetry into Ligands: Structure-Based Design of Inhibitors for Trypsin-Like Serine Proteases

838 views • 20 slides
Genome 559 Intro to Statistical and Computational Genomics Lecture 15b: Classes and Objects,

Genome 559 Intro to Statistical and Computational Genomics Lecture 15b: Classes and Objects,

Genome 559 Intro to Statistical and Computational Genomics Lecture 15b: Classes and Objects, Part 1I Larry Ruzzo Today More fun with classes Summary Motivation Changing objects vs New objects Printing More Practice Objects and Classes A

311 views • 17 slides
CSE182-L11 Protein sequencing and Mass Spectrometry CSE182 Course Summary Gene finding

CSE182-L11 Protein sequencing and Mass Spectrometry CSE182 Course Summary Gene finding

CSE182-L11 Protein sequencing and Mass Spectrometry CSE182 Course Summary Gene finding Sequence Comparison (BLAST &amp; other tools) Protein Motifs: Profiles/Regular Expression/ HMMs Discovering protein coding genes

911 views • 31 slides
Proteomics Informatics Databases, data repositories and standardization (Week 8) Protein

Proteomics Informatics Databases, data repositories and standardization (Week 8) Protein

Proteomics Informatics Databases, data repositories and standardization (Week 8) Protein Sequence Databases RefSeq Distinguishing Features of the RefSeq collection include: non-redundancy explicitly linked nucleotide and protein

835 views • 56 slides
Development of Multiscale Models for Complex Chemical Systems From H+H 2 to Biomolecules Do not

Development of Multiscale Models for Complex Chemical Systems From H+H 2 to Biomolecules Do not

Development of Multiscale Models for Complex Chemical Systems From H+H 2 to Biomolecules Do not go where the pathway leads, go instead where there is no path and leave a trail. Ralph Waldo Emerson 1 Quantum Mechanics of Many-Electron Systems

451 views • 28 slides
KBDOCK A Case-Based Reasoning Approach for Protein Docking Dave Ritchie Team Orpailleur

KBDOCK A Case-Based Reasoning Approach for Protein Docking Dave Ritchie Team Orpailleur

KBDOCK A Case-Based Reasoning Approach for Protein Docking Dave Ritchie Team Orpailleur Inria Nancy Grand Est Outline Basic Difficulties of Modeling PPIs by Docking The Need to Classify Existing Interactions The KBDOCK Case-Based

544 views • 41 slides
Accelerating Tandem MS Protein Database Searches Using OpenCL Programming devices the

Accelerating Tandem MS Protein Database Searches Using OpenCL Programming devices the

Rick Weber, David D. Jenkins, Nicholas Lineback, Robert Hettich, Gregory D. Peterson Accelerating Tandem MS Protein Database Searches Using OpenCL Programming devices the intractable way Programming devices with OpenCL T andem MS/MS

721 views • 17 slides
Mass Spectrometry MALDI-TOF ESI/MS/MS Mass spectrometer Basic components Ionization

Mass Spectrometry MALDI-TOF ESI/MS/MS Mass spectrometer Basic components Ionization

11/29/2012 Mass Spectrometry MALDI-TOF ESI/MS/MS Mass spectrometer Basic components Ionization source Mass analyzer Detector 1 11/29/2012 Principles of Mass Spectrometry Proteins are separated by mass to charge ratio

421 views • 19 slides
SDEs in large dimension and numerical methods Part 2: Sampling metastable dynamics T. Lelivre

SDEs in large dimension and numerical methods Part 2: Sampling metastable dynamics T. Lelivre

Introduction Accelerated dynamics Adaptive Multilevel Splitting algorithm SDEs in large dimension and numerical methods Part 2: Sampling metastable dynamics T. Lelivre CERMICS - Ecole des Ponts ParisTech &amp; Matherials project-team - INRIA

1.6k views • 80 slides
COMPUTATIONAL PROTEOMICS AND METABOLOMICS Oliver Kohlbacher, Sven

COMPUTATIONAL PROTEOMICS AND METABOLOMICS Oliver Kohlbacher, Sven

COMPUTATIONAL PROTEOMICS AND METABOLOMICS Oliver Kohlbacher, Sven Nahnsen, Knut Reinert 0. Introduc,on and Overview This work is licensed under a Creative Commons Attribution 4.0

438 views • 41 slides

More recommend