[SSL Observatory] Brainstorming attacks on ssl

Thu Nov 14 06:15:21 PST 2013

On Thu, Nov 14, 2013 at 6:10 AM, maker <lists at tumbolandia.net> wrote:

>
>
> Dear observatory people,
>
> I am writing here in order to brainstorm some useful ideas about attacks on
> ssl, hope this stays in topic.
>
> Roughly speaking, I have been assigned a bachelor thesis consisting in
> testing known attacks to RSA in ssl (bad seed, low exponent, common
> modulus,
> etc.); there are tons of papers about it, and eff with the observatory
> already did a great job (yay, thanks!).
>
> So, given that I must stick with the project definition of studying the
> security of ssl certificates, I was wondering whether there is anything
> I could do/experiment using the observatory. Something you just drafted,
> or didn't have the time to develop. I would be glad to contribute, for
> something like 10h/w, for ~3 months.
>
> I have already subscribed to Crypto-ops, thinking of it as an interesting
> option. But, I don't know if my availability suits your needs.
>
> All the best,
> --
> m.
>

We could do with a rigorous examination of the various trust models. So far
the pattern has been that someone asserts that the CA trust scheme is weak
and then proposes to improve it with a scheme that is either weaker or
completely impractical.

The paradox of Web of trust is that it is stronger than CA trust but only
for parties that are close in the Trust Graph. I don't think anyone has
confidence in keys signed by a friend of a friend of a friend. So the Moore
bound on graph diameter severely limits the applicability.

Sovereign keys is a nonsense proposal that 'solves' the PKI problem by
pretending that hard problems like revocation don't need to be solved. One
of the constraints on replacing an existing infrastructure is that any new
scheme has to meet all the necessary requirements served by the old.
Pretending that system admins won't ever make mistakes signing certs is
nonsense.

What we need is a metric for trust networks similar to the metrics that we
use to evaluate algorithms. The difference being that instead of the work
factor being based on computational effort, the work factor is based on the
amount of social engineering required. Each act of social engineering
carries a cost in terms of effort and risk of disclosure (the latter is a
factor the NSA did not consider pre-Snowden but will consider very closely
now).

Instead of considering CA trust and key signing to be different things, I
consider them to be both a form of endorsement, albeit with very different
properties. A CA issued signature is far more likely to be genuine than any
other, including signatures you make yourself. I have more confidence in
the cryptographic devices used by CAs than I have in any currently
available machine I could use to make a signature. Although hopefully this
will change when we can use a R-pi with a known O/S image for key
management.

For purposes of evaluating a trust graph we can consider a CA endorsement
to have absolutely reliable knowldege of the issuer with limited knowledge
of the subject receiving the endorsement. A peer endorsement might have
good knowledge of the subject but the identity of the issuer is not known
reliably.

Fixing endorsements in time helps considerably. The social work factor
before an endorsement is notarized might be $1000, but attacking after the
notarization requires an attack on the notary which we can easily put
beyond all reasonable doubt.

The following explains the use of the metric in greater detail. I am pretty
sure that a masters thesis could be written applying the principles
described to existing approaches. Should be more than enough for a
bachelors.

https://datatracker.ietf.org/doc/draft-hallambaker-prismproof-trust/

-- 
Website: http://hallambaker.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.eff.org/pipermail/observatory/attachments/20131114/7c8c327f/attachment.html>