
Operation Black Tulip: Certificate authorities lose authority (24th Annual FIRST Conference, PowerPoint presentation)



  1. Operation Black Tulip: Certificate authorities lose authority
     24th Annual FIRST Conference, 19 June 2012, Malta
     Dr. Marnix Dekker, CISA, Security expert, Information security officer, ENISA
     www.enisa.europa.eu

  2. About ENISA
     o The European Network and Information Security Agency
       o gives advice on information security issues
       o to national authorities, EU institutions, citizens, businesses
       o acts as a forum for sharing good NIS practices
       o facilitates information exchange and collaboration
     o Set up in 2004 – the EC proposed a new mandate for 2013.
     o Around 30 security experts and 20 staff.
     o ENISA has an advisory role (not operational), and the focus is on prevention and preparedness.

  3. About the EU agencies
     o Set up by EU legislation for very specific technical, scientific or managerial tasks.
     o For example:
       o ENISA – European Network and Information Security Agency
       o CFCA – Community Fisheries Control Agency
       o EASA – European Aviation Safety Agency
       o ECDC – European Centre for Disease Prevention and Control
       o EEA – European Environment Agency
       o Et cetera.

  4. Black tulips

  5. Public key cryptography
     o Public key crypto is great!
     o Authenticate and encrypt
       o user to user (email)
       o machine to machine (WS)
       o user to server (login)
       o server to user (https)
     o But who uses which key?
       o To prevent spoofing (MITM)
     o One solution for this is called PKI
       o List of <name, key> pairs published by a trusted party (a CA)
       o Sometimes there is a hierarchy of CAs

  6. Widespread criticism of PKI
     o PKI is cumbersome for authenticating or authorising users
       o No anonymous claims of attributes
       o No distributed trust (I am Bob's friend)
     o Alternatives
       o SPKI (Carl Ellison)
       o SDSI (Ron Rivest, Butler Lampson) (like SXIP, Identity 2.0)
       o PGP (Phil Zimmermann)
     o It is easy to see that PKI does not exploit the great possibilities of public key cryptography
     o Even worse: the most common use of PKI, HTTPS (SSL + CAs in the browser + OCSP), is flawed.

  7. … and this has been argued in many articles by well-known experts.

  8. Spy in the middle
     o Matt Blaze, http://www.crypto.com/blog/spycerts :
       o Products "appear sophisticated, mature, and mass-produced… an active vendor community"
       o On CAs: "a surprisingly large number of root authorities, from tiny, obscure businesses to various national governments"
     o Moxie Marlinspike, http://blog.thoughtcrime.org/ssl-and-the-future-of-authenticity :
       o Repeated hacks of CAs, and you don't even need to hack.

  9. And then…

  10. MITM on 300,000 Iranians, for several weeks in August 2011

  11. Dutch eGovernment offline, for several weeks in September 2011

  12. Impact timeline
     o July 2011: security breach at Diginotar
     o August 2011: privacy breach in Iran
     o September 2011: outage in the Netherlands

  13. Let's look at the impact, starting small first…

  14. • Bankruptcy for Diginotar
      • Vasco estimates losses at around 4 million euros
      • Vasco acquired Diginotar for 12 million euros

  15. • eGov outage for millions of users for several weeks
      • Dutch state claims 9 million euros in damages

  16. Mikko Hyppönen: "It is plausible that people died."

  17. Critical information infrastructure: Those interconnected information systems and networks, the disruption or destruction of which would have a serious impact on the health, safety, security, or economic well-being of citizens, or on the effective functioning of government or the economy. (So the CAs in your country are critical information infrastructure.)

  18. (slide without text)

  19. EU regulation for eID/eSig services
     o New EU regulation contains:
       o Breach notification obligation
       o Appropriate security measures
       o Summary reporting of breaches to ENISA
     o Some issues to keep in mind here
       o Detecting breaches is hard (see Verizon data breach report)
         o Most breaches are detected by 3rd parties (92%)
         o … and only weeks later (85%)
       o Security measures are difficult to enforce (the devil is in the details of the implementation)
         o Diginotar was well reputed, frequently audited and found compliant with security standards
       o We should go from certification to continuous monitoring

  20. Is new regulation enough?

  21. 600 single points of failure… (meaning: an attacker needs to compromise only 1 of the 600 to enable attacks on any website!)

  22. Job security

  23. Aart Jochem (NCSC.nl) @ FIRSTCON 2012: "The Diginotar crisis is over, but the PKI crisis is still ongoing."

  24. Key issues to address…

  25. Weakest link?
     o 600 CAs in the trusted list of browsers and operating systems
     o 600 single points of failure
     o Large CAs work with hundreds of resellers
     o Do you even need to hack?

  26. Revocation?
     o Google: "Soft-fail revocation checks are like a seat-belt that snaps when you crash."
     o Hard-fail revocation checks require highly available OCSP responders at CAs.
     o Revocation checks add on average 1 second to page loading.
     o Revocation checks allow CAs to monitor who visited which websites.
     o Google Chrome browser dropped OCSP
     o Can we revoke trust in a CA? Is there a plan?
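As an added illustration (not part of the deck), the following Python model spells out the soft-fail versus hard-fail decision this slide contrasts. The responder database, the CA name and the serial numbers are constructed for the example; the locally pushed revocation list at the end is an assumption about the kind of mechanism a client can fall back on once it stops querying OCSP online, not a description of any browser's actual implementation. The point it makes concrete: under soft-fail, a revoked certificate is accepted whenever the responder cannot be reached, which is exactly the "seat-belt that snaps" case.

```python
from enum import Enum


class OcspStatus(Enum):
    """Outcome of asking a CA's OCSP responder about one certificate."""
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"   # responder down, unreachable, or timed out


class Policy(Enum):
    SOFT_FAIL = "soft-fail"   # no answer -> proceed as if not revoked
    HARD_FAIL = "hard-fail"   # no answer -> refuse the connection


# Constructed stand-in for one CA's OCSP responder: serial -> status.
# The CA name and serial numbers are made up for this example.
RESPONDER_DB = {
    "example-ca": {
        "0x1001": OcspStatus.GOOD,
        "0x1002": OcspStatus.REVOKED,   # issued in error and later revoked
    },
}

# Assumed alternative to online OCSP: a revocation list pushed to the client
# in advance, so checking it needs no network round trip and reveals nothing
# about which site is being visited. Constructed content.
PUSHED_REVOCATIONS = {("example-ca", "0x1002")}


def query_ocsp(issuer, serial, responder_reachable=True):
    """Simulated OCSP query. An unreachable responder yields no usable status."""
    if not responder_reachable:
        return OcspStatus.UNAVAILABLE
    # An unknown serial also gives the client nothing it can act on.
    return RESPONDER_DB.get(issuer, {}).get(serial, OcspStatus.UNAVAILABLE)


def decide(status, policy):
    """True if the TLS connection may proceed under the given policy."""
    if status is OcspStatus.GOOD:
        return True
    if status is OcspStatus.REVOKED:
        return False
    # No usable answer: this is the only place the two policies differ.
    return policy is Policy.SOFT_FAIL


def connection_allowed(issuer, serial, policy, responder_reachable=True):
    """Online OCSP check followed by the policy decision."""
    return decide(query_ocsp(issuer, serial, responder_reachable), policy)


def local_list_allows(issuer, serial, pushed=PUSHED_REVOCATIONS):
    """Offline check against the pushed list: no latency, no leak, but it only
    covers the entries that were pushed."""
    return (issuer, serial) not in pushed


def scenario_matrix():
    """Outcome of every (serial, responder reachable) pair under both policies."""
    cases = [("0x1001", True), ("0x1002", True), ("0x1001", False), ("0x1002", False)]
    return {
        (serial, reachable, policy.value):
            connection_allowed("example-ca", serial, policy, reachable)
        for serial, reachable in cases
        for policy in Policy
    }


if __name__ == "__main__":
    for (serial, reachable, policy), allowed in scenario_matrix().items():
        state = "responder up" if reachable else "responder unreachable"
        print(f"{serial:7} {state:22} {policy:10} -> {'allow' if allowed else 'block'}")
    print("pushed list, 0x1002 ->", "allow" if local_list_allows("example-ca", "0x1002") else "block")
```

Reading the matrix: both policies agree whenever the responder answers; they diverge only when it does not, and that is the case a network-level adversary or a plain outage can produce. Hard-fail closes the gap at the cost of making every site depend on the CA's responder uptime, which is the availability requirement the slide notes; the pushed list sidesteps both the latency and the monitoring concern but protects only against revocations the client has already received.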

  27. Usability?
     o Educate the user?
     o Extended validation certificates, blue bars, green bars, locks, warnings – do they help?
     o Warnings when there is no attack (bad)
       o 1 in 300 users disconnected when a NZ banking website showed the wrong certificate for one hour.
     o No warnings when there is an attack (worse)
     o No choice for users about which CAs they trust
       o So sites have no incentive to use better CAs
       o So CAs have no incentive to get better

  28. Who do we trust?
     o Few trusted parties to establish trust between everyone else.
     o Some very large businesses depend on very small ones, with a tough business model
       o "Diginotar earned around 100,000 euros from its certificate business in the first half of 2011."
     o Can these small trusted parties withstand the attack pressure facing billion-dollar companies?
       o Some CAs cannot; TLDs can (DNSSEC)?
     o Can we somehow leverage the large user base of the larger websites for conveying trust?

  29. Some conclusions
     o Prepare now for a CA failure!
       o E.g. have a spare certificate ready for critical sites
     o Fix HTTPS
       o It is the foundation of online security
       o E.g. DNSSEC, DANE, Convergence, TACK
     o eCommunications go beyond the last mile
       o Border gateway protocol, Internet exchange points
       o Routers, datacenters
       o CAs, TLDs, browsers, etc.
     o EU Internet security strategy
       o Extending Article 13a beyond the telecom sector
       o Assess what is widely-used critical infrastructure

  30. Contact
     Dr. Marnix Dekker, CISA
     CIIP and Resilience, ENISA
     marnix.dekker@enisa.europa.eu
     www.enisa.europa.eu
     http://twitter.com/marnixdekker
