the dns security mess d j bernstein university of
play

The DNS security mess D. J. Bernstein University of Illinois at - PowerPoint PPT Presentation

Jul 30, 2023 •249 likes •2.05k views

The DNS security mess D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Paul Vixie, 1995, on DNSSEC: This sounds simple but it has deep reaching consequences in both the protocol and the

  1. Standard security goals: HTTPSEC: “HTTP Security” To verify your computer Confidentiality (privacy etc.) HTTPSEC modifies HTTP retrieve the despite espionage. to “bolster online security”. from the Integrity (authenticity etc.) HTTPSEC provides a way despite corruption. for the nu.nl server admin Availability despite sabotage. to attach PGP signatures provides none of this. to the nu.nl HTTP responses. atching the network, These signatures allow er easily acquires data: “verification of the origin, HTTP request, the web page. authenticity, and integrity of er easily changes data. data” obtained through HTTP. er easily destroys data.

  2. y goals: HTTPSEC: “HTTP Security” To verify these signatures, your computer needs (privacy etc.) HTTPSEC modifies HTTP retrieve the PGP public espionage. to “bolster online security”. from the nu.nl admin. (authenticity etc.) HTTPSEC provides a way rruption. for the nu.nl server admin despite sabotage. to attach PGP signatures none of this. to the nu.nl HTTP responses. network, These signatures allow acquires data: “verification of the origin, request, the web page. authenticity, and integrity of changes data. data” obtained through HTTP. destroys data.

  3. HTTPSEC: “HTTP Security” To verify these signatures, your computer needs to etc.) HTTPSEC modifies HTTP retrieve the PGP public key to “bolster online security”. from the nu.nl admin. etc.) HTTPSEC provides a way for the nu.nl server admin otage. to attach PGP signatures this. to the nu.nl HTTP responses. These signatures allow data: “verification of the origin, eb page. authenticity, and integrity of data. data” obtained through HTTP. data.

  4. HTTPSEC: “HTTP Security” To verify these signatures, your computer needs to HTTPSEC modifies HTTP retrieve the PGP public key to “bolster online security”. from the nu.nl admin. HTTPSEC provides a way for the nu.nl server admin to attach PGP signatures to the nu.nl HTTP responses. These signatures allow “verification of the origin, authenticity, and integrity of data” obtained through HTTP.

  5. HTTPSEC: “HTTP Security” To verify these signatures, your computer needs to HTTPSEC modifies HTTP retrieve the PGP public key to “bolster online security”. from the nu.nl admin. HTTPSEC provides a way What if the key is forged? for the nu.nl server admin to attach PGP signatures to the nu.nl HTTP responses. These signatures allow “verification of the origin, authenticity, and integrity of data” obtained through HTTP.

  6. HTTPSEC: “HTTP Security” To verify these signatures, your computer needs to HTTPSEC modifies HTTP retrieve the PGP public key to “bolster online security”. from the nu.nl admin. HTTPSEC provides a way What if the key is forged? for the nu.nl server admin to attach PGP signatures Answer: HTTPSEC provides a to the nu.nl HTTP responses. way for a trusted Netherlands government representative to These signatures allow PGP-sign the nu.nl public key. “verification of the origin, authenticity, and integrity of data” obtained through HTTP.

  7. HTTPSEC: “HTTP Security” To verify these signatures, your computer needs to HTTPSEC modifies HTTP retrieve the PGP public key to “bolster online security”. from the nu.nl admin. HTTPSEC provides a way What if the key is forged? for the nu.nl server admin to attach PGP signatures Answer: HTTPSEC provides a to the nu.nl HTTP responses. way for a trusted Netherlands government representative to These signatures allow PGP-sign the nu.nl public key. “verification of the origin, authenticity, and integrity of What if that key is forged? data” obtained through HTTP. Answer: Internet Central Headquarters signed the Netherlands public key.

  8. HTTPSEC: “HTTP Security” To verify these signatures, Internet your computer needs to was generated HTTPSEC modifies HTTP retrieve the PGP public key Hardware olster online security”. from the nu.nl admin. owned by HTTPSEC provides a way a well-kno What if the key is forged? nu.nl server admin Hardware attach PGP signatures Answer: HTTPSEC provides a signs data nu.nl HTTP responses. way for a trusted Netherlands by 3 out government representative to signatures allow held by V PGP-sign the nu.nl public key. verification of the origin, 3 VeriSign authenticity, and integrity of What if that key is forged? meet every obtained through HTTP. Answer: Internet Central they have Headquarters signed the Netherlands public key.

  9. HTTP Security” To verify these signatures, Internet Central HQ your computer needs to was generated by an difies HTTP retrieve the PGP public key Hardware Security online security”. from the nu.nl admin. owned by VeriSign, rovides a way a well-known American What if the key is forged? server admin Hardware Security Answer: HTTPSEC provides a signatures signs data if autho HTTP responses. way for a trusted Netherlands by 3 out of 16 sma government representative to signatures allow held by VeriSign T PGP-sign the nu.nl public key. the origin, 3 VeriSign Trust Managers integrity of What if that key is forged? meet every week in through HTTP. Answer: Internet Central they have to sign new Headquarters signed the Netherlands public key.

  10. Security” To verify these signatures, Internet Central HQ key your computer needs to was generated by an expensive retrieve the PGP public key Hardware Security Module ”. from the nu.nl admin. owned by VeriSign, a well-known American company What if the key is forged? admin Hardware Security Module Answer: HTTPSEC provides a signatures signs data if authorized onses. way for a trusted Netherlands by 3 out of 16 smart cards government representative to held by VeriSign Trust Managers. PGP-sign the nu.nl public key. 3 VeriSign Trust Managers of What if that key is forged? meet every week in case HTTP. Answer: Internet Central they have to sign new data. Headquarters signed the Netherlands public key.

  11. To verify these signatures, Internet Central HQ key your computer needs to was generated by an expensive retrieve the PGP public key Hardware Security Module from the nu.nl admin. owned by VeriSign, a well-known American company. What if the key is forged? Hardware Security Module Answer: HTTPSEC provides a signs data if authorized way for a trusted Netherlands by 3 out of 16 smart cards government representative to held by VeriSign Trust Managers. PGP-sign the nu.nl public key. 3 VeriSign Trust Managers What if that key is forged? meet every week in case Answer: Internet Central they have to sign new data. Headquarters signed the Netherlands public key.

  12. verify these signatures, Internet Central HQ key If your computer computer needs to was generated by an expensive software retrieve the PGP public key Hardware Security Module Internet the nu.nl admin. owned by VeriSign, Your computer a well-known American company. if the key is forged? the Netherlands Hardware Security Module and the er: HTTPSEC provides a signs data if authorized signature r a trusted Netherlands by 3 out of 16 smart cards PGP-verifies government representative to held by VeriSign Trust Managers. PGP-sign the nu.nl public key. Next ste 3 VeriSign Trust Managers the nu.nl if that key is forged? meet every week in case and the er: Internet Central they have to sign new data. Headquarters signed the Finally PGP-verify Netherlands public key. HTTPSEC-signed

  13. signatures, Internet Central HQ key If your computer has needs to was generated by an expensive software then it already public key Hardware Security Module Internet Central HQ admin. owned by VeriSign, Your computer retrieves a well-known American company. is forged? the Netherlands public Hardware Security Module and the Internet Central HTTPSEC provides a signs data if authorized signature of that public ed Netherlands by 3 out of 16 smart cards PGP-verifies this signature. resentative to held by VeriSign Trust Managers. nu.nl public key. Next step: retrieve 3 VeriSign Trust Managers the nu.nl admin’s is forged? meet every week in case and the Netherlands Internet Central they have to sign new data. igned the Finally PGP-verify public key. HTTPSEC-signed

  14. Internet Central HQ key If your computer has HTTPSEC was generated by an expensive software then it already knows ey Hardware Security Module Internet Central HQ public k owned by VeriSign, Your computer retrieves a well-known American company. the Netherlands public key Hardware Security Module and the Internet Central HQ rovides a signs data if authorized signature of that public key; Netherlands by 3 out of 16 smart cards PGP-verifies this signature. to held by VeriSign Trust Managers. public key. Next step: retrieve and verify 3 VeriSign Trust Managers the nu.nl admin’s public key rged? meet every week in case and the Netherlands signature. they have to sign new data. Finally PGP-verify nu.nl ’s HTTPSEC-signed responses.

  15. Internet Central HQ key If your computer has HTTPSEC was generated by an expensive software then it already knows the Hardware Security Module Internet Central HQ public key. owned by VeriSign, Your computer retrieves a well-known American company. the Netherlands public key Hardware Security Module and the Internet Central HQ signs data if authorized signature of that public key; by 3 out of 16 smart cards PGP-verifies this signature. held by VeriSign Trust Managers. Next step: retrieve and verify 3 VeriSign Trust Managers the nu.nl admin’s public key meet every week in case and the Netherlands signature. they have to sign new data. Finally PGP-verify nu.nl ’s HTTPSEC-signed responses.

  16. Internet Central HQ key If your computer has HTTPSEC HTTPSEC generated by an expensive software then it already knows the Many Internet are Security Module Internet Central HQ public key. are extremely by VeriSign, Your computer retrieves Can they ell-known American company. the Netherlands public key The critical are Security Module and the Internet Central HQ in HTTPSEC: data if authorized signature of that public key; PGP signatures out of 16 smart cards PGP-verifies this signature. “Per-query y VeriSign Trust Managers. Next step: retrieve and verify Signature eriSign Trust Managers the nu.nl admin’s public key saved; sent very week in case and the Netherlands signature. Hopefully have to sign new data. Finally PGP-verify nu.nl ’s sign each HTTPSEC-signed responses.

  17. HQ key If your computer has HTTPSEC HTTPSEC performance y an expensive software then it already knows the Many Internet servers Security Module Internet Central HQ public key. are extremely busy eriSign, Your computer retrieves Can they afford crypto? American company. the Netherlands public key The critical design Security Module and the Internet Central HQ in HTTPSEC: precompute authorized signature of that public key; PGP signatures of smart cards PGP-verifies this signature. “Per-query crypto Trust Managers. Next step: retrieve and verify Signature is computed Managers the nu.nl admin’s public key saved; sent to many in case and the Netherlands signature. Hopefully the admin sign new data. Finally PGP-verify nu.nl ’s sign each HTTP resp HTTPSEC-signed responses.

  18. If your computer has HTTPSEC HTTPSEC performance ensive software then it already knows the Many Internet servers Internet Central HQ public key. are extremely busy. Your computer retrieves Can they afford crypto? company. the Netherlands public key The critical design decision and the Internet Central HQ in HTTPSEC: precompute signature of that public key; PGP signatures of all data. PGP-verifies this signature. “Per-query crypto is bad.” Managers. Next step: retrieve and verify Signature is computed once; Managers the nu.nl admin’s public key saved; sent to many clients. and the Netherlands signature. Hopefully the admin can affo data. Finally PGP-verify nu.nl ’s sign each HTTP response once. HTTPSEC-signed responses.

  19. If your computer has HTTPSEC HTTPSEC performance software then it already knows the Many Internet servers Internet Central HQ public key. are extremely busy. Your computer retrieves Can they afford crypto? the Netherlands public key The critical design decision and the Internet Central HQ in HTTPSEC: precompute signature of that public key; PGP signatures of all data. PGP-verifies this signature. “Per-query crypto is bad.” Next step: retrieve and verify Signature is computed once; the nu.nl admin’s public key saved; sent to many clients. and the Netherlands signature. Hopefully the admin can afford to Finally PGP-verify nu.nl ’s sign each HTTP response once. HTTPSEC-signed responses.

  20. computer has HTTPSEC HTTPSEC performance Clients don’t re then it already knows the of verifying Many Internet servers Internet Central HQ public key. are extremely busy. HTTPSEC computer retrieves Can they afford crypto? client-side Netherlands public key precomputation The critical design decision the Internet Central HQ choice of in HTTPSEC: precompute signature of that public key; PGP signatures of all data. Many HTTPSEC PGP-verifies this signature. “Per-query crypto is bad.” 640-bit RSA, step: retrieve and verify 768-bit RSA, Signature is computed once; nu.nl admin’s public key 1024-bit saved; sent to many clients. the Netherlands signature. signatures Hopefully the admin can afford to DSA, “10 PGP-verify nu.nl ’s sign each HTTP response once. verification HTTPSEC-signed responses.

  21. computer has HTTPSEC HTTPSEC performance Clients don’t share already knows the of verifying a signature. Many Internet servers HQ public key. are extremely busy. HTTPSEC tries to retrieves Can they afford crypto? client-side costs (and public key precomputation costs) The critical design decision Central HQ choice of crypto primitive. in HTTPSEC: precompute t public key; PGP signatures of all data. Many HTTPSEC crypto this signature. “Per-query crypto is bad.” 640-bit RSA, original ve and verify 768-bit RSA, many Signature is computed once; admin’s public key 1024-bit RSA, current saved; sent to many clients. Netherlands signature. signatures from VeriSign Hopefully the admin can afford to DSA, “10 to 40 times PGP-verify nu.nl ’s sign each HTTP response once. verification” but fast HTTPSEC-signed responses.

  22. HTTPSEC HTTPSEC performance Clients don’t share the work knows the of verifying a signature. Many Internet servers public key. are extremely busy. HTTPSEC tries to reduce Can they afford crypto? client-side costs (and precomputation costs) through The critical design decision HQ choice of crypto primitive. in HTTPSEC: precompute ey; PGP signatures of all data. Many HTTPSEC crypto options: signature. “Per-query crypto is bad.” 640-bit RSA, original specs; verify 768-bit RSA, many docs; Signature is computed once; key 1024-bit RSA, current saved; sent to many clients. signature. signatures from VeriSign etc.; Hopefully the admin can afford to DSA, “10 to 40 times as slow ’s sign each HTTP response once. verification” but faster for signing. onses.

  23. HTTPSEC performance Clients don’t share the work of verifying a signature. Many Internet servers are extremely busy. HTTPSEC tries to reduce Can they afford crypto? client-side costs (and precomputation costs) through The critical design decision choice of crypto primitive. in HTTPSEC: precompute PGP signatures of all data. Many HTTPSEC crypto options: “Per-query crypto is bad.” 640-bit RSA, original specs; 768-bit RSA, many docs; Signature is computed once; 1024-bit RSA, current saved; sent to many clients. signatures from VeriSign etc.; Hopefully the admin can afford to DSA, “10 to 40 times as slow for sign each HTTP response once. verification” but faster for signing.

  24. HTTPSEC performance Clients don’t share the work HTTPSEC of verifying a signature. choices s Internet servers for no reason extremely busy. HTTPSEC tries to reduce fear of overload. they afford crypto? client-side costs (and precomputation costs) through HTTPSEC critical design decision choice of crypto primitive. to survive HTTPSEC: precompute and even signatures of all data. Many HTTPSEC crypto options: for reason er-query crypto is bad.” 640-bit RSA, original specs; More complexit ✮ 768-bit RSA, many docs; Signature is computed once; including 1024-bit RSA, current sent to many clients. signatures from VeriSign etc.; Author of efully the admin can afford to DSA, “10 to 40 times as slow for HTTP server: each HTTP response once. verification” but faster for signing. implementing is just staggering.”

  25. rmance Clients don’t share the work HTTPSEC made b of verifying a signature. choices such as 640-bit servers for no reason other busy. HTTPSEC tries to reduce fear of overload. crypto? client-side costs (and precomputation costs) through HTTPSEC needed design decision choice of crypto primitive. to survive the inevitable recompute and even more complexit of all data. Many HTTPSEC crypto options: for reasons I’ll explain. crypto is bad.” 640-bit RSA, original specs; More complexity ✮ 768-bit RSA, many docs; computed once; including security holes. 1024-bit RSA, current many clients. signatures from VeriSign etc.; Author of one very admin can afford to DSA, “10 to 40 times as slow for HTTP server: “The response once. verification” but faster for signing. implementing every is just staggering.”

  26. Clients don’t share the work HTTPSEC made breakable of verifying a signature. choices such as 640-bit RSA for no reason other than HTTPSEC tries to reduce fear of overload. client-side costs (and precomputation costs) through HTTPSEC needed more options decision choice of crypto primitive. to survive the inevitable breaks; and even more complexity data. Many HTTPSEC crypto options: for reasons I’ll explain. 640-bit RSA, original specs; More complexity ✮ more bugs, 768-bit RSA, many docs; once; including security holes. 1024-bit RSA, current clients. signatures from VeriSign etc.; Author of one very popular afford to DSA, “10 to 40 times as slow for HTTP server: “The effort of once. verification” but faster for signing. implementing everything correctly is just staggering.”

  27. Clients don’t share the work HTTPSEC made breakable of verifying a signature. choices such as 640-bit RSA for no reason other than HTTPSEC tries to reduce fear of overload. client-side costs (and precomputation costs) through HTTPSEC needed more options choice of crypto primitive. to survive the inevitable breaks; and even more complexity Many HTTPSEC crypto options: for reasons I’ll explain. 640-bit RSA, original specs; More complexity ✮ more bugs, 768-bit RSA, many docs; including security holes. 1024-bit RSA, current signatures from VeriSign etc.; Author of one very popular DSA, “10 to 40 times as slow for HTTP server: “The effort of verification” but faster for signing. implementing everything correctly is just staggering.”

  28. Clients don’t share the work HTTPSEC made breakable HTTPSEC verifying a signature. choices such as 640-bit RSA How do for no reason other than HTTPSEC tries to reduce requests fear of overload. client-side costs (and without recomputation costs) through HTTPSEC needed more options of crypto primitive. to survive the inevitable breaks; and even more complexity HTTPSEC crypto options: for reasons I’ll explain. 640-bit RSA, original specs; More complexity ✮ more bugs, 768-bit RSA, many docs; including security holes. 1024-bit RSA, current signatures from VeriSign etc.; Author of one very popular “10 to 40 times as slow for HTTP server: “The effort of verification” but faster for signing. implementing everything correctly is just staggering.”

  29. re the work HTTPSEC made breakable HTTPSEC confidentialit signature. choices such as 640-bit RSA How do you encrypt for no reason other than to reduce requests and responses fear of overload. (and without per-client costs) through HTTPSEC needed more options primitive. to survive the inevitable breaks; and even more complexity crypto options: for reasons I’ll explain. riginal specs; More complexity ✮ more bugs, many docs; including security holes. current VeriSign etc.; Author of one very popular times as slow for HTTP server: “The effort of faster for signing. implementing everything correctly is just staggering.”

  30. rk HTTPSEC made breakable HTTPSEC confidentiality choices such as 640-bit RSA How do you encrypt for no reason other than requests and responses fear of overload. without per-client crypto? through HTTPSEC needed more options to survive the inevitable breaks; and even more complexity options: for reasons I’ll explain. ecs; More complexity ✮ more bugs, including security holes. etc.; Author of one very popular slow for HTTP server: “The effort of signing. implementing everything correctly is just staggering.”

  31. HTTPSEC made breakable HTTPSEC confidentiality choices such as 640-bit RSA How do you encrypt for no reason other than requests and responses fear of overload. without per-client crypto? HTTPSEC needed more options to survive the inevitable breaks; and even more complexity for reasons I’ll explain. More complexity ✮ more bugs, including security holes. Author of one very popular HTTP server: “The effort of implementing everything correctly is just staggering.”

  32. HTTPSEC made breakable HTTPSEC confidentiality choices such as 640-bit RSA How do you encrypt for no reason other than requests and responses fear of overload. without per-client crypto? HTTPSEC needed more options Answer: You can’t, to survive the inevitable breaks; and HTTPSEC doesn’t even try. and even more complexity The HTTPSEC RFC says for reasons I’ll explain. “Due to a deliberate design More complexity ✮ more bugs, choice, HTTPSEC does not including security holes. provide confidentiality.” Author of one very popular HTTP server: “The effort of implementing everything correctly is just staggering.”

  33. HTTPSEC made breakable HTTPSEC confidentiality choices such as 640-bit RSA How do you encrypt for no reason other than requests and responses fear of overload. without per-client crypto? HTTPSEC needed more options Answer: You can’t, to survive the inevitable breaks; and HTTPSEC doesn’t even try. and even more complexity The HTTPSEC RFC says for reasons I’ll explain. “Due to a deliberate design More complexity ✮ more bugs, choice, HTTPSEC does not including security holes. provide confidentiality.” Author of one very popular This is very strange, but HTTP server: “The effort of not the worst part of HTTPSEC. implementing everything correctly is just staggering.”

  34. HTTPSEC made breakable HTTPSEC confidentiality The HTTPSEC choices such as 640-bit RSA How do you encrypt When nu.nl reason other than requests and responses receives overload. without per-client crypto? http://nu.nl/economie/ HTTPSEC needed more options it looks fo Answer: You can’t, survive the inevitable breaks; /var/www/economie/index.html and HTTPSEC doesn’t even try. even more complexity on its local The HTTPSEC RFC says sons I’ll explain. An HTTPSEC “Due to a deliberate design complexity ✮ more bugs, http://nu.nl/economie/ choice, HTTPSEC does not including security holes. index.html.httpsec-pgp provide confidentiality.” r of one very popular Server admin This is very strange, but server: “The effort of index.html.httpsec-pgp not the worst part of HTTPSEC. implementing everything correctly with a signature staggering.”

  35. made breakable HTTPSEC confidentiality The HTTPSEC da 640-bit RSA How do you encrypt When nu.nl HTTP other than requests and responses receives a request without per-client crypto? http://nu.nl/economie/ needed more options it looks for a file Answer: You can’t, inevitable breaks; /var/www/economie/index.html and HTTPSEC doesn’t even try. complexity on its local disk. The HTTPSEC RFC says explain. An HTTPSEC client “Due to a deliberate design ✮ more bugs, http://nu.nl/economie/ choice, HTTPSEC does not y holes. index.html.httpsec-pgp provide confidentiality.” very popular Server admin has created This is very strange, but “The effort of index.html.httpsec-pgp not the worst part of HTTPSEC. everything correctly with a signature of staggering.”

  36. able HTTPSEC confidentiality The HTTPSEC data model RSA How do you encrypt When nu.nl HTTP server requests and responses receives a request for without per-client crypto? http://nu.nl/economie/ , options it looks for a file Answer: You can’t, reaks; /var/www/economie/index.html and HTTPSEC doesn’t even try. on its local disk. The HTTPSEC RFC says An HTTPSEC client also asks “Due to a deliberate design bugs, ✮ http://nu.nl/economie/ choice, HTTPSEC does not index.html.httpsec-pgp . provide confidentiality.” r Server admin has created This is very strange, but of index.html.httpsec-pgp not the worst part of HTTPSEC. correctly with a signature of index.html

  37. HTTPSEC confidentiality The HTTPSEC data model How do you encrypt When nu.nl HTTP server requests and responses receives a request for without per-client crypto? http://nu.nl/economie/ , it looks for a file Answer: You can’t, /var/www/economie/index.html and HTTPSEC doesn’t even try. on its local disk. The HTTPSEC RFC says An HTTPSEC client also asks for “Due to a deliberate design http://nu.nl/economie/ choice, HTTPSEC does not index.html.httpsec-pgp . provide confidentiality.” Server admin has created This is very strange, but index.html.httpsec-pgp not the worst part of HTTPSEC. with a signature of index.html .

  38. HTTPSEC confidentiality The HTTPSEC data model There ar of softwa do you encrypt When nu.nl HTTP server admins manage requests and responses receives a request for e.g., wiki-creation without per-client crypto? http://nu.nl/economie/ , it looks for a file er: You can’t, /var/www/economie/index.html HTTPSEC doesn’t even try. on its local disk. HTTPSEC RFC says An HTTPSEC client also asks for to a deliberate design http://nu.nl/economie/ choice, HTTPSEC does not index.html.httpsec-pgp . rovide confidentiality.” Server admin has created very strange, but index.html.httpsec-pgp the worst part of HTTPSEC. with a signature of index.html .

  39. confidentiality The HTTPSEC data model There are hundreds of software tools to When nu.nl HTTP server encrypt admins manage web responses receives a request for e.g., wiki-creation er-client crypto? http://nu.nl/economie/ , it looks for a file can’t, /var/www/economie/index.html doesn’t even try. on its local disk. RFC says An HTTPSEC client also asks for erate design http://nu.nl/economie/ HTTPSEC does not index.html.httpsec-pgp . confidentiality.” Server admin has created strange, but index.html.httpsec-pgp rt of HTTPSEC. with a signature of index.html .

  40. The HTTPSEC data model There are hundreds (thousands?) of software tools to help When nu.nl HTTP server admins manage web sites: receives a request for e.g., wiki-creation tools. http://nu.nl/economie/ , it looks for a file /var/www/economie/index.html even try. on its local disk. An HTTPSEC client also asks for design http://nu.nl/economie/ not index.html.httpsec-pgp . Server admin has created index.html.httpsec-pgp HTTPSEC. with a signature of index.html .

  41. The HTTPSEC data model There are hundreds (thousands?) of software tools to help When nu.nl HTTP server admins manage web sites: receives a request for e.g., wiki-creation tools. http://nu.nl/economie/ , it looks for a file /var/www/economie/index.html on its local disk. An HTTPSEC client also asks for http://nu.nl/economie/ index.html.httpsec-pgp . Server admin has created index.html.httpsec-pgp with a signature of index.html .

  42. The HTTPSEC data model There are hundreds (thousands?) of software tools to help When nu.nl HTTP server admins manage web sites: receives a request for e.g., wiki-creation tools. http://nu.nl/economie/ , it looks for a file When these tools create index.html , /var/www/economie/index.html on its local disk. do they also create index.html.httpsec-pgp ? An HTTPSEC client also asks for http://nu.nl/economie/ index.html.httpsec-pgp . Server admin has created index.html.httpsec-pgp with a signature of index.html .

  43. The HTTPSEC data model There are hundreds (thousands?) of software tools to help When nu.nl HTTP server admins manage web sites: receives a request for e.g., wiki-creation tools. http://nu.nl/economie/ , it looks for a file When these tools create index.html , /var/www/economie/index.html on its local disk. do they also create index.html.httpsec-pgp ? An HTTPSEC client also asks for What about dynamic data? http://nu.nl/economie/ index.html.httpsec-pgp . Server admin has created index.html.httpsec-pgp with a signature of index.html .

  44. The HTTPSEC data model There are hundreds (thousands?) of software tools to help When nu.nl HTTP server admins manage web sites: receives a request for e.g., wiki-creation tools. http://nu.nl/economie/ , it looks for a file When these tools create index.html , /var/www/economie/index.html on its local disk. do they also create index.html.httpsec-pgp ? An HTTPSEC client also asks for What about dynamic data? http://nu.nl/economie/ index.html.httpsec-pgp . HTTPSEC purists say “Answers Server admin has created should always be static”. index.html.httpsec-pgp with a signature of index.html .

  45. HTTPSEC data model There are hundreds (thousands?) What ab of software tools to help Are the signatures nu.nl HTTP server admins manage web sites: receives a request for Can an attack e.g., wiki-creation tools. http://nu.nl/economie/ , obsolete oks for a file When these tools create If clocks index.html , /var/www/economie/index.html then signatures local disk. do they also create include expiration index.html.httpsec-pgp ? HTTPSEC client also asks for But frequent What about dynamic data? is an administra http://nu.nl/economie/ index.html.httpsec-pgp . HTTPSEC purists say “Answers HTTPSEC admin has created should always be static”. admin screws index.html.httpsec-pgp expire; every signature of index.html . refuses to

  46. data model There are hundreds (thousands?) What about old data? of software tools to help Are the signatures HTTP server admins manage web sites: request for Can an attacker repla e.g., wiki-creation tools. http://nu.nl/economie/ , obsolete signed data? When these tools create If clocks are synchronized index.html , /var/www/economie/index.html then signatures can do they also create include expiration index.html.httpsec-pgp ? client also asks for But frequent re-signing What about dynamic data? is an administrativ http://nu.nl/economie/ index.html.httpsec-pgp . HTTPSEC purists say “Answers HTTPSEC suicide: has created should always be static”. admin screws up; signatures index.html.httpsec-pgp expire; every HTTPSEC of index.html . refuses to load the

  47. del There are hundreds (thousands?) What about old data? of software tools to help Are the signatures still valid? server admins manage web sites: Can an attacker replay e.g., wiki-creation tools. , obsolete signed data? When these tools create If clocks are synchronized index.html , /var/www/economie/index.html then signatures can do they also create include expiration times. index.html.httpsec-pgp ? asks for But frequent re-signing What about dynamic data? is an administrative disaster. . HTTPSEC purists say “Answers HTTPSEC suicide: should always be static”. admin screws up; signatures expire; every HTTPSEC client index.html . refuses to load the page.

  48. There are hundreds (thousands?) What about old data? of software tools to help Are the signatures still valid? admins manage web sites: Can an attacker replay e.g., wiki-creation tools. obsolete signed data? When these tools create If clocks are synchronized index.html , then signatures can do they also create include expiration times. index.html.httpsec-pgp ? But frequent re-signing What about dynamic data? is an administrative disaster. HTTPSEC purists say “Answers HTTPSEC suicide: should always be static”. admin screws up; signatures expire; every HTTPSEC client refuses to load the page.

  49. are hundreds (thousands?) What about old data? HTTPSEC ware tools to help Are the signatures still valid? 2010.09.02: admins manage web sites: Can an attacker replay 2010.10.07: wiki-creation tools. obsolete signed data? these tools create If clocks are synchronized index.html , then signatures can they also create include expiration times. index.html.httpsec-pgp ? But frequent re-signing about dynamic data? is an administrative disaster. HTTPSEC purists say “Answers HTTPSEC suicide: always be static”. admin screws up; signatures expire; every HTTPSEC client refuses to load the page.

  50. hundreds (thousands?) What about old data? HTTPSEC suicide to help Are the signatures still valid? 2010.09.02: US government. web sites: Can an attacker replay 2010.10.07: Belgian wiki-creation tools. obsolete signed data? ols create If clocks are synchronized then signatures can create include expiration times. index.html.httpsec-pgp ? But frequent re-signing dynamic data? is an administrative disaster. purists say “Answers HTTPSEC suicide: static”. admin screws up; signatures expire; every HTTPSEC client refuses to load the page.

  51. (thousands?) What about old data? HTTPSEC suicide examples: Are the signatures still valid? 2010.09.02: US government. Can an attacker replay 2010.10.07: Belgian government. obsolete signed data? If clocks are synchronized then signatures can include expiration times. ? But frequent re-signing data? is an administrative disaster. Answers HTTPSEC suicide: admin screws up; signatures expire; every HTTPSEC client refuses to load the page.

  52. What about old data? HTTPSEC suicide examples: Are the signatures still valid? 2010.09.02: US government. Can an attacker replay 2010.10.07: Belgian government. obsolete signed data? If clocks are synchronized then signatures can include expiration times. But frequent re-signing is an administrative disaster. HTTPSEC suicide: admin screws up; signatures expire; every HTTPSEC client refuses to load the page.

  53. What about old data? HTTPSEC suicide examples: Are the signatures still valid? 2010.09.02: US government. Can an attacker replay 2010.10.07: Belgian government. obsolete signed data? 2012.02.23: httpsec-ref.org . If clocks are synchronized then signatures can include expiration times. But frequent re-signing is an administrative disaster. HTTPSEC suicide: admin screws up; signatures expire; every HTTPSEC client refuses to load the page.

  54. What about old data? HTTPSEC suicide examples: Are the signatures still valid? 2010.09.02: US government. Can an attacker replay 2010.10.07: Belgian government. obsolete signed data? 2012.02.23: httpsec-ref.org . If clocks are synchronized 2012.02.28: “ Last night I then signatures can was unable to check the include expiration times. weather forecast, because But frequent re-signing the fine folks at NOAA.gov is an administrative disaster. / weather.gov broke their HTTPSEC suicide: HTTPSEC. ” admin screws up; signatures expire; every HTTPSEC client refuses to load the page.

  55. What about old data? HTTPSEC suicide examples: Are the signatures still valid? 2010.09.02: US government. Can an attacker replay 2010.10.07: Belgian government. obsolete signed data? 2012.02.23: httpsec-ref.org . If clocks are synchronized 2012.02.28: “ Last night I then signatures can was unable to check the include expiration times. weather forecast, because But frequent re-signing the fine folks at NOAA.gov is an administrative disaster. / weather.gov broke their HTTPSEC suicide: HTTPSEC. ” admin screws up; signatures 2012.02.28, HTTPSEC-REF expire; every HTTPSEC client tech-support rep: “ httpsec- refuses to load the page. accept-expired yes ”

  56. about old data? HTTPSEC suicide examples: What ab the signatures still valid? 2010.09.02: US government. an attacker replay 2010.10.07: Belgian government. obsolete signed data? 2012.02.23: httpsec-ref.org . cks are synchronized 2012.02.28: “ Last night I signatures can was unable to check the include expiration times. weather forecast, because frequent re-signing the fine folks at NOAA.gov administrative disaster. / weather.gov broke their HTTPSEC suicide: HTTPSEC. ” screws up; signatures 2012.02.28, HTTPSEC-REF expire; every HTTPSEC client tech-support rep: “ httpsec- refuses to load the page. accept-expired yes ”

  57. data? HTTPSEC suicide examples: What about nonexistent signatures still valid? 2010.09.02: US government. replay 2010.10.07: Belgian government. data? 2012.02.23: httpsec-ref.org . synchronized 2012.02.28: “ Last night I can was unable to check the expiration times. weather forecast, because -signing the fine folks at NOAA.gov tive disaster. / weather.gov broke their suicide: HTTPSEC. ” up; signatures 2012.02.28, HTTPSEC-REF HTTPSEC client tech-support rep: “ httpsec- the page. accept-expired yes ”

  58. HTTPSEC suicide examples: What about nonexistent files? valid? 2010.09.02: US government. 2010.10.07: Belgian government. 2012.02.23: httpsec-ref.org . 2012.02.28: “ Last night I was unable to check the weather forecast, because the fine folks at NOAA.gov disaster. / weather.gov broke their HTTPSEC. ” signatures 2012.02.28, HTTPSEC-REF client tech-support rep: “ httpsec- accept-expired yes ”

  59. HTTPSEC suicide examples: What about nonexistent files? 2010.09.02: US government. 2010.10.07: Belgian government. 2012.02.23: httpsec-ref.org . 2012.02.28: “ Last night I was unable to check the weather forecast, because the fine folks at NOAA.gov / weather.gov broke their HTTPSEC. ” 2012.02.28, HTTPSEC-REF tech-support rep: “ httpsec- accept-expired yes ”

  60. HTTPSEC suicide examples: What about nonexistent files? 2010.09.02: US government. Does the server admin precompute PGP signatures on 2010.10.07: Belgian government. “ aaaaa does not exist”, 2012.02.23: httpsec-ref.org . “ aaaab does not exist”, etc.? 2012.02.28: “ Last night I was unable to check the weather forecast, because the fine folks at NOAA.gov / weather.gov broke their HTTPSEC. ” 2012.02.28, HTTPSEC-REF tech-support rep: “ httpsec- accept-expired yes ”

  61. HTTPSEC suicide examples: What about nonexistent files? 2010.09.02: US government. Does the server admin precompute PGP signatures on 2010.10.07: Belgian government. “ aaaaa does not exist”, 2012.02.23: httpsec-ref.org . “ aaaab does not exist”, etc.? 2012.02.28: “ Last night I Crazy! Obvious approach: was unable to check the “We sign each page that exists, weather forecast, because and don’t sign anything else.” the fine folks at NOAA.gov / weather.gov broke their HTTPSEC. ” 2012.02.28, HTTPSEC-REF tech-support rep: “ httpsec- accept-expired yes ”

  62. HTTPSEC suicide examples: What about nonexistent files? 2010.09.02: US government. Does the server admin precompute PGP signatures on 2010.10.07: Belgian government. “ aaaaa does not exist”, 2012.02.23: httpsec-ref.org . “ aaaab does not exist”, etc.? 2012.02.28: “ Last night I Crazy! Obvious approach: was unable to check the “We sign each page that exists, weather forecast, because and don’t sign anything else.” the fine folks at NOAA.gov User asks for nonexistent page. / weather.gov broke their Receives unsigned answer HTTPSEC. ” saying the page doesn’t exist. 2012.02.28, HTTPSEC-REF Has no choice but to trust it. tech-support rep: “ httpsec- accept-expired yes ”

  63. HTTPSEC suicide examples: What about nonexistent files? User asks Receives 2010.09.02: US government. Does the server admin a response precompute PGP signatures on 2010.10.07: Belgian government. saying the “ aaaaa does not exist”, Has no choice 2012.02.23: httpsec-ref.org . “ aaaab does not exist”, etc.? Clearly a 2012.02.28: “ Last night I Crazy! Obvious approach: Sometimes unable to check the “We sign each page that exists, This is not weather forecast, because and don’t sign anything else.” fine folks at NOAA.gov User asks for nonexistent page. weather.gov broke their Receives unsigned answer HTTPSEC. ” saying the page doesn’t exist. 2012.02.28, HTTPSEC-REF Has no choice but to trust it. tech-support rep: “ httpsec- accept-expired yes ”

  64. suicide examples: What about nonexistent files? User asks for nu.nl/economie Receives unsigned government. Does the server admin a response forged b precompute PGP signatures on Belgian government. saying the page do “ aaaaa does not exist”, Has no choice but httpsec-ref.org . “ aaaab does not exist”, etc.? Clearly a violation Last night I Crazy! Obvious approach: Sometimes a violation check the “We sign each page that exists, This is not a good forecast, because and don’t sign anything else.” at NOAA.gov User asks for nonexistent page. broke their Receives unsigned answer saying the page doesn’t exist. HTTPSEC-REF Has no choice but to trust it. rep: “ httpsec- yes ”

  65. examples: What about nonexistent files? User asks for nu.nl/economie Receives unsigned answer, government. Does the server admin a response forged by attacker, precompute PGP signatures on government. saying the page doesn’t exist. “ aaaaa does not exist”, Has no choice but to trust it. httpsec-ref.org . “ aaaab does not exist”, etc.? Clearly a violation of availabilit I Crazy! Obvious approach: Sometimes a violation of integrit “We sign each page that exists, This is not a good approach. because and don’t sign anything else.” NOAA.gov User asks for nonexistent page. their Receives unsigned answer saying the page doesn’t exist. HTTPSEC-REF Has no choice but to trust it. httpsec-

  66. What about nonexistent files? User asks for nu.nl/economie . Receives unsigned answer, Does the server admin a response forged by attacker, precompute PGP signatures on saying the page doesn’t exist. “ aaaaa does not exist”, Has no choice but to trust it. “ aaaab does not exist”, etc.? Clearly a violation of availability. Crazy! Obvious approach: Sometimes a violation of integrity. “We sign each page that exists, This is not a good approach. and don’t sign anything else.” User asks for nonexistent page. Receives unsigned answer saying the page doesn’t exist. Has no choice but to trust it.

  67. What about nonexistent files? User asks for nu.nl/economie . Receives unsigned answer, Does the server admin a response forged by attacker, precompute PGP signatures on saying the page doesn’t exist. “ aaaaa does not exist”, Has no choice but to trust it. “ aaaab does not exist”, etc.? Clearly a violation of availability. Crazy! Obvious approach: Sometimes a violation of integrity. “We sign each page that exists, This is not a good approach. and don’t sign anything else.” Alternative: “NHTTPSEC”. e.g. User asks for nonexistent page. clegg.com/nonex query returns Receives unsigned answer “ There are no pages between saying the page doesn’t exist. clegg.com/nick and Has no choice but to trust it. clegg.com/start ” + signature.

  68. about nonexistent files? User asks for nu.nl/economie . Try clegg.com/foo Receives unsigned answer, After several the server admin a response forged by attacker, all clegg.com recompute PGP signatures on saying the page doesn’t exist. alan , alvis does not exist”, Has no choice but to trust it. calendar does not exist”, etc.? jennifer Clearly a violation of availability. Obvious approach: wiki . Sometimes a violation of integrity. sign each page that exists, This is not a good approach. don’t sign anything else.” Alternative: “NHTTPSEC”. e.g. asks for nonexistent page. clegg.com/nonex query returns Receives unsigned answer “ There are no pages between the page doesn’t exist. clegg.com/nick and choice but to trust it. clegg.com/start ” + signature.

  69. nonexistent files? User asks for nu.nl/economie . Try clegg.com/foo Receives unsigned answer, After several queries admin a response forged by attacker, all clegg.com names: signatures on saying the page doesn’t exist. alan , alvis , andrew not exist”, Has no choice but to trust it. calendar , home , imogene not exist”, etc.? jennifer , mail , nick Clearly a violation of availability. approach: wiki . Sometimes a violation of integrity. page that exists, This is not a good approach. anything else.” Alternative: “NHTTPSEC”. e.g. nonexistent page. clegg.com/nonex query returns unsigned answer “ There are no pages between doesn’t exist. clegg.com/nick and but to trust it. clegg.com/start ” + signature.

  70. files? User asks for nu.nl/economie . Try clegg.com/foo etc. Receives unsigned answer, After several queries have a response forged by attacker, all clegg.com names: signatures on saying the page doesn’t exist. alan , alvis , andrew , brian Has no choice but to trust it. calendar , home , imogene , etc.? jennifer , mail , nick , start Clearly a violation of availability. wiki . Sometimes a violation of integrity. exists, This is not a good approach. else.” Alternative: “NHTTPSEC”. e.g. page. clegg.com/nonex query returns “ There are no pages between exist. clegg.com/nick and it. clegg.com/start ” + signature.

  71. User asks for nu.nl/economie . Try clegg.com/foo etc. Receives unsigned answer, After several queries have a response forged by attacker, all clegg.com names: saying the page doesn’t exist. alan , alvis , andrew , brian , Has no choice but to trust it. calendar , home , imogene , jennifer , mail , nick , start , Clearly a violation of availability. wiki . Sometimes a violation of integrity. This is not a good approach. Alternative: “NHTTPSEC”. e.g. clegg.com/nonex query returns “ There are no pages between clegg.com/nick and clegg.com/start ” + signature.

  72. User asks for nu.nl/economie . Try clegg.com/foo etc. Receives unsigned answer, After several queries have a response forged by attacker, all clegg.com names: saying the page doesn’t exist. alan , alvis , andrew , brian , Has no choice but to trust it. calendar , home , imogene , jennifer , mail , nick , start , Clearly a violation of availability. wiki . Sometimes a violation of integrity. This is not a good approach. The clegg.com administrator disabled HTTP directory indexing Alternative: “NHTTPSEC”. e.g. — but then leaked the same data clegg.com/nonex query returns by installing HTTPSEC “ There are no pages between with the default NHTTPSEC. clegg.com/nick and clegg.com/start ” + signature.

  73. asks for nu.nl/economie . Try clegg.com/foo etc. Summary: Receives unsigned answer, After several queries have all ♥ names onse forged by attacker, all clegg.com names: on an NHTTPS the page doesn’t exist. alan , alvis , andrew , brian , (with signatures choice but to trust it. calendar , home , imogene , that there jennifer , mail , nick , start , using ♥ HTTPSEC a violation of availability. wiki . Sometimes a violation of integrity. not a good approach. The clegg.com administrator disabled HTTP directory indexing Alternative: “NHTTPSEC”. e.g. — but then leaked the same data clegg.com/nonex query returns by installing HTTPSEC are no pages between with the default NHTTPSEC. clegg.com/nick and clegg.com/start ” + signature.

  74. nu.nl/economie . Try clegg.com/foo etc. Summary: Attacker unsigned answer, After several queries have all ♥ names of pages rged by attacker, all clegg.com names: on an NHTTPSEC doesn’t exist. alan , alvis , andrew , brian , (with signatures gua but to trust it. calendar , home , imogene , that there are no mo jennifer , mail , nick , start , using ♥ HTTPSEC violation of availability. wiki . violation of integrity. od approach. The clegg.com administrator disabled HTTP directory indexing “NHTTPSEC”. e.g. — but then leaked the same data clegg.com/nonex query returns by installing HTTPSEC pages between with the default NHTTPSEC. and clegg.com/start ” + signature.

  75. nu.nl/economie . Try clegg.com/foo etc. Summary: Attacker learns After several queries have all ♥ names of pages attacker, all clegg.com names: on an NHTTPSEC server exist. alan , alvis , andrew , brian , (with signatures guaranteeing it. calendar , home , imogene , that there are no more) jennifer , mail , nick , start , using ♥ HTTPSEC queries. availability. wiki . integrity. roach. The clegg.com administrator disabled HTTP directory indexing “NHTTPSEC”. e.g. — but then leaked the same data returns by installing HTTPSEC between with the default NHTTPSEC. signature.

  76. Try clegg.com/foo etc. Summary: Attacker learns After several queries have all ♥ names of pages all clegg.com names: on an NHTTPSEC server alan , alvis , andrew , brian , (with signatures guaranteeing calendar , home , imogene , that there are no more) jennifer , mail , nick , start , using ♥ HTTPSEC queries. wiki . The clegg.com administrator disabled HTTP directory indexing — but then leaked the same data by installing HTTPSEC with the default NHTTPSEC.

  77. Try clegg.com/foo etc. Summary: Attacker learns After several queries have all ♥ names of pages all clegg.com names: on an NHTTPSEC server alan , alvis , andrew , brian , (with signatures guaranteeing calendar , home , imogene , that there are no more) jennifer , mail , nick , start , using ♥ HTTPSEC queries. wiki . This is not a good approach. The clegg.com administrator disabled HTTP directory indexing — but then leaked the same data by installing HTTPSEC with the default NHTTPSEC.

  78. Try clegg.com/foo etc. Summary: Attacker learns After several queries have all ♥ names of pages all clegg.com names: on an NHTTPSEC server alan , alvis , andrew , brian , (with signatures guaranteeing calendar , home , imogene , that there are no more) jennifer , mail , nick , start , using ♥ HTTPSEC queries. wiki . This is not a good approach. The clegg.com administrator HTTPSEC purists disagree: disabled HTTP directory indexing “It is part of the design — but then leaked the same data philosophy of the Web by installing HTTPSEC that the data in it is public.” with the default NHTTPSEC. But this notion is so extreme that it became an HTTPSEC public-relations problem.

  79. clegg.com/foo etc. Summary: Attacker learns New HTTPSEC several queries have all ♥ names of pages 1. “NHTTPSEC3” clegg.com names: on an NHTTPSEC server Use a “one-w alvis , andrew , brian , (with signatures guaranteeing such as (iterated calendar , home , imogene , that there are no more) Reveal hashes jennifer , mail , nick , start , using ♥ HTTPSEC queries. instead of This is not a good approach. “ There clegg.com administrator hashes ✿ ✿ ✿ ✿ ✿ ✿ HTTPSEC purists disagree: disabled HTTP directory indexing “It is part of the design then leaked the same data philosophy of the Web talling HTTPSEC that the data in it is public.” the default NHTTPSEC. But this notion is so extreme that it became an HTTPSEC public-relations problem.

  80. clegg.com/foo etc. Summary: Attacker learns New HTTPSEC app queries have all ♥ names of pages 1. “NHTTPSEC3” names: on an NHTTPSEC server Use a “one-way hash andrew , brian , (with signatures guaranteeing such as (iterated salted) , imogene , that there are no more) Reveal hashes of names , nick , start , using ♥ HTTPSEC queries. instead of revealing This is not a good approach. “ There are no names administrator hashes between ✿ ✿ ✿ ✿ ✿ ✿ HTTPSEC purists disagree: directory indexing “It is part of the design ed the same data philosophy of the Web HTTPSEC that the data in it is public.” NHTTPSEC. But this notion is so extreme that it became an HTTPSEC public-relations problem.

  81. Summary: Attacker learns New HTTPSEC approach: all ♥ names of pages 1. “NHTTPSEC3” technology: on an NHTTPSEC server Use a “one-way hash function” brian , (with signatures guaranteeing such as (iterated salted) SHA-1. , that there are no more) Reveal hashes of names start , using ♥ HTTPSEC queries. instead of revealing names. This is not a good approach. “ There are no names with administrator hashes between ✿ ✿ ✿ and ✿ ✿ ✿ HTTPSEC purists disagree: indexing “It is part of the design same data philosophy of the Web that the data in it is public.” NHTTPSEC. But this notion is so extreme that it became an HTTPSEC public-relations problem.

  82. Summary: Attacker learns New HTTPSEC approach: all ♥ names of pages 1. “NHTTPSEC3” technology: on an NHTTPSEC server Use a “one-way hash function” (with signatures guaranteeing such as (iterated salted) SHA-1. that there are no more) Reveal hashes of names using ♥ HTTPSEC queries. instead of revealing names. This is not a good approach. “ There are no names with hashes between ✿ ✿ ✿ and ✿ ✿ ✿ ” HTTPSEC purists disagree: “It is part of the design philosophy of the Web that the data in it is public.” But this notion is so extreme that it became an HTTPSEC public-relations problem.

  83. Summary: Attacker learns New HTTPSEC approach: all ♥ names of pages 1. “NHTTPSEC3” technology: on an NHTTPSEC server Use a “one-way hash function” (with signatures guaranteeing such as (iterated salted) SHA-1. that there are no more) Reveal hashes of names using ♥ HTTPSEC queries. instead of revealing names. This is not a good approach. “ There are no names with hashes between ✿ ✿ ✿ and ✿ ✿ ✿ ” HTTPSEC purists disagree: “It is part of the design 2. Marketing: philosophy of the Web Pretend that NHTTPSEC3 is that the data in it is public.” less damaging than NSEC. But this notion is so extreme “NHTTPSEC3 does not allow that it became an HTTPSEC enumeration of the site.” public-relations problem.

  84. Summary: Attacker learns New HTTPSEC approach: Reality: ♥ names of pages by abusing 1. “NHTTPSEC3” technology: NHTTPSEC server computes Use a “one-way hash function” signatures guaranteeing for many such as (iterated salted) SHA-1. there are no more) quickly discovers Reveal hashes of names ♥ HTTPSEC queries. (and kno instead of revealing names. not a good approach. “ There are no names with hashes between ✿ ✿ ✿ and ✿ ✿ ✿ ” HTTPSEC purists disagree: part of the design 2. Marketing: philosophy of the Web Pretend that NHTTPSEC3 is the data in it is public.” less damaging than NSEC. this notion is so extreme “NHTTPSEC3 does not allow became an HTTPSEC enumeration of the site.” public-relations problem.

  85. ttacker learns New HTTPSEC approach: Reality: Attacker grabs pages by abusing NHTTPSEC3; ♥ 1. “NHTTPSEC3” technology: EC server computes the same Use a “one-way hash function” guaranteeing for many different such as (iterated salted) SHA-1. no more) quickly discovers almost Reveal hashes of names ♥ HTTPSEC queries. (and knows # missing instead of revealing names. od approach. “ There are no names with hashes between ✿ ✿ ✿ and ✿ ✿ ✿ ” purists disagree: design 2. Marketing: e Web Pretend that NHTTPSEC3 is it is public.” less damaging than NSEC. is so extreme “NHTTPSEC3 does not allow an HTTPSEC enumeration of the site.” problem.

  86. New HTTPSEC approach: Reality: Attacker grabs the hashes by abusing NHTTPSEC3; ♥ 1. “NHTTPSEC3” technology: computes the same hash function Use a “one-way hash function” ranteeing for many different name guess such as (iterated salted) SHA-1. quickly discovers almost all names Reveal hashes of names queries. (and knows # missing name ♥ instead of revealing names. roach. “ There are no names with hashes between ✿ ✿ ✿ and ✿ ✿ ✿ ” e: 2. Marketing: Pretend that NHTTPSEC3 is public.” less damaging than NSEC. xtreme “NHTTPSEC3 does not allow HTTPSEC enumeration of the site.”

  87. New HTTPSEC approach: Reality: Attacker grabs the hashes by abusing NHTTPSEC3; 1. “NHTTPSEC3” technology: computes the same hash function Use a “one-way hash function” for many different name guesses; such as (iterated salted) SHA-1. quickly discovers almost all names Reveal hashes of names (and knows # missing names). instead of revealing names. “ There are no names with hashes between ✿ ✿ ✿ and ✿ ✿ ✿ ” 2. Marketing: Pretend that NHTTPSEC3 is less damaging than NSEC. “NHTTPSEC3 does not allow enumeration of the site.”

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation Math Sciences Research Institute University of California at Berkeley

596 views • 33 slides
Internet integration: the DNS security mess D. J. Bernstein University of Illinois at Chicago

Internet integration: the DNS security mess D. J. Bernstein University of Illinois at Chicago

1 Internet integration: the DNS security mess D. J. Bernstein University of Illinois at Chicago 2 The Domain Name System uic.edu wants to see http://www.matcom.uh.cu . Browser at uic.edu The web server

1.45k views • 124 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago, Technische Universiteit

The DNS security mess D. J. Bernstein University of Illinois at Chicago, Technische Universiteit

The DNS security mess D. J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven The Domain Name System nsc.gov.tw wants to see http://www.nchu.edu.tw . Browser at nsc.gov.tw

1.63k views • 130 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

1 The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit Eindhoven 2 The Domain Name System tue.nl wants to see http://www.ru.nl . Browser at tue.nl The web

1.39k views • 124 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago The Domain Name

The DNS security mess D. J. Bernstein University of Illinois at Chicago The Domain Name

The DNS security mess D. J. Bernstein University of Illinois at Chicago The Domain Name System tue.nl wants to see http://www.utwente.nl . Browser at tue.nl The web server www.utwente.nl has IP address

1.46k views • 120 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago The Domain Name

The DNS security mess D. J. Bernstein University of Illinois at Chicago The Domain Name

The DNS security mess D. J. Bernstein University of Illinois at Chicago The Domain Name System fsf.org wants to see http://www.redhat.com . Browser at fsf.org The web server www.redhat.com has IP

611 views • 59 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit

1 The DNS security mess D. J. Bernstein University of Illinois at Chicago; Technische Universiteit Eindhoven 2 The Domain Name System solaris.hr wants to see http://www.ru.nl . Browser at solaris.hr

1.4k views • 123 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago

The DNS security mess D. J. Bernstein University of Illinois at Chicago

The DNS security mess D. J. Bernstein University of Illinois at Chicago A public-key signature system m Message Signers Signed secret message n m; r ; s key Verify Signers r = SHA-256 public sB

478 views • 33 slides
Screenshot CC BY-NC 3.0 Before: the mess CC BY-NC 3.0 Before: the mess CC BY-NC

Screenshot CC BY-NC 3.0 Before: the mess CC BY-NC 3.0 Before: the mess CC BY-NC

Screenshot CC BY-NC 3.0 Before: the mess CC BY-NC 3.0 Before: the mess CC BY-NC 3.0 Before: the mess Akka & Spray RabbitMQ C++ & CUDA Cassandra CC BY-NC 3.0 Before: the mess scene topic (Map[String, String],

614 views • 30 slides
Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at

Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at

Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at Chicago The bug-of-the-month club Every few months CERT announces Yet Another Security Hole In Sendmailsomething that lets local or even

592 views • 31 slides
Small high-security encryption, authentication, and hashing D. J. Bernstein University of

Small high-security encryption, authentication, and hashing D. J. Bernstein University of

Small high-security encryption, authentication, and hashing D. J. Bernstein University of Illinois at Chicago Main goals of cryptography Alice and Bob are communicating. Eve is eavesdropping. Alice and Bob have several standard security

310 views • 29 slides
The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at

Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at

Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at Chicago Thanks to: NSF CCR9983950 NSF DMS0140542 NSF ITR0716498 Alfred P. Sloan Foundation Warning: Springer mangled the

589 views • 19 slides
On the Security of RC4 in TLS Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering,

On the Security of RC4 in TLS Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering,

On the Security of RC4 in TLS Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering, Jacob Schuldt Royal Holloway, University of London University of Illinois at Chicago http://www.isg.rhul.ac.uk/tls/ Agenda Brief overview of

856 views • 54 slides
The impact of security proofs: two troublesome case studies D. J. Bernstein University of

The impact of security proofs: two troublesome case studies D. J. Bernstein University of

The impact of security proofs: two troublesome case studies D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 2004: GCM is published with security proof. 2004: XCBv1 is published. The impact of

566 views • 22 slides
DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago The Domain Name

598 views • 48 slides
P y t h o n 3 a n d Q t 5 w i t h Q M L T h o m a s P e r l , J o

P y t h o n 3 a n d Q t 5 w i t h Q M L T h o m a s P e r l , J o

P y t h o n 3 a n d Q t 5 w i t h Q M L T h o m a s P e r l , J o l l a L t d . Q t D e v e l o p e r D a y s 2 0 1 3 , B e r l i n , 2 0 1 3 - 1 0 - 0 9 C o m p a n

284 views • 14 slides
NativeScript UI TJ VanToll @tjvantoll Agenda Introduce {N} UI Demo

NativeScript UI TJ VanToll @tjvantoll Agenda Introduce {N} UI Demo

NativeScript UI TJ VanToll @tjvantoll Agenda Introduce {N} UI Demo Raucous applause What is {N} UI? A NativeScript plugin 7 UI components Supports Angular and non-Angular usage. Used to

678 views • 22 slides
A Cubic Kernel for Feedback Vertex Set Hans L. Bodlaender Department of Information and Computing

A Cubic Kernel for Feedback Vertex Set Hans L. Bodlaender Department of Information and Computing

A Cubic Kernel for Feedback Vertex Set Hans L. Bodlaender Department of Information and Computing Sciences Utrecht University The Netherlands 1 Overview Kernels and FPT Kernels and FPT Feedback Vertex Set Feedback Vertex Problem

748 views • 27 slides
Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect

Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect

Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect fulup@iot.bzh Who Are We ? Securing AGL V2C with OpenIDconnect May-2017 2 V2C Multiple Requirements Car to Cloud Telematics Car

605 views • 16 slides
Good Solutions to Support Highly Tolerant Services... Programmatic Requirements provide

Good Solutions to Support Highly Tolerant Services... Programmatic Requirements provide

H YDRA N ET-FT: Network Support for Dependable Services Gurudatt Shenoy Suresh K. Satapati Riccardo Bettati Department of Computer Science Texas A&M University Failure Scenarios Failures aint what they used to be. disaster type

216 views • 10 slides
1 What does this code do? Additional Readings FileInputStream fIn = new

1 What does this code do? Additional Readings FileInputStream fIn = new

Administrativa Principles of Software Construction: Objects, Design, and Concurrency Midterm 1: Thursday here (Part 2: Designing (Sub-)Systems) Practice midterm on Piazza Review session tomorrow, 7pm HBH 100 Design for Robustness

197 views • 8 slides
Characters, Strings and Symbols Damien Cassou, Stphane Ducasse and Luc Fabresse W6S07

Characters, Strings and Symbols Damien Cassou, Stphane Ducasse and Luc Fabresse W6S07

Characters, Strings and Symbols Damien Cassou, Stphane Ducasse and Luc Fabresse W6S07 http://www.pharo.org What You Will Learn Characters Strings: a collection of characters Symbols: unique strings W6S07 2 / 15 Characters

587 views • 15 slides
Introduction to Logic in Computer Science: Autumn 2007 Ulle Endriss Institute for Logic,

Introduction to Logic in Computer Science: Autumn 2007 Ulle Endriss Institute for Logic,

Preference Modelling in Combinatorial Domains ILCS 2007 Introduction to Logic in Computer Science: Autumn 2007 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Preference Modelling in

730 views • 31 slides

More recommend