
2014 | Book

Security Protocols XXII

22nd International Workshop, Cambridge, UK, March 19-21, 2014, Revised Selected Papers

Edited by: Bruce Christianson, James Malcolm, Vashek Matyáš, Petr Švenda, Frank Stajano, Jonathan Anderson

Publisher: Springer International Publishing

Book series: Lecture Notes in Computer Science

About this book

This book constitutes the thoroughly refereed post-workshop proceedings of the 22nd International Workshop on Security Protocols, held in Cambridge, UK, in March 2014. After an introduction the volume presents 18 revised papers each followed by a revised transcript of the presentation and ensuing discussion at the event. The theme of this year's workshop is "Collaborating with the Enemy".

Table of contents

Frontmatter
Why Bother Securing DNS?

The current state of DNS security is characterized by two opposing developments. DNSSEC introduces a PKI to support message authentication in the DNS protocol; DANE proposes to use this PKI also for provisioning TLS certificates. At the same time, PKIs are perceived as a major point of weakness; mechanisms like certificate pinning attempt to reduce the trust one needs to place in a PKI. We note that DNS provides rendezvous, identification, and introduction services and argue that this differentiation can reduce the impact of compromised trusted third parties.

Dieter Gollmann
Why Bother Securing DNS? (Transcript of Discussion)

As Bruce so kindly said, I was volunteered to give the first talk after he had successfully extracted more than two lines of a position paper from me. I will talk about what I see currently happening in and around the domain name system. I will start with a story, some of you might have heard about it, although I don’t know how far it reached beyond Germany.

Dieter Gollmann
Collaborating as Normal: Detecting Systemic Anomalies in Your Partner

It is considered whether anomaly detection techniques might be used to determine potentially malicious behavior by service providers. Data mining techniques can be used to derive patterns of repeating behavior from logs of past interactions between service consumers and providers. Consumers may use these patterns to detect anomalous provider behavior, while providers may seek to adapt their behavior in ways that cannot be detected by the consumer. A challenge is deriving a behavioral model that is a sufficiently precise representation of the consumer-provider interactions. Behavioral norms, which model these patterns of behavior, are used to explore these issues in an on-line photograph sharing style service.

Olgierd Pieczul, Simon N. Foley
Collaborating as Normal: Detecting Systemic Anomalies in Your Partner (Transcript of Discussion)

I’d like to start with an analogy of the problem that we’ve been thinking about recently. Consider a bank ATM. The provider is the bank who provides this service. Within the bank they use various security controls; the simplest control is your ATM card and your PIN, and maybe there’s a chip there as well. The bank also has terms and conditions about how you’re allowed to use the ATM to withdraw cash.

Simon N. Foley
Remark!: A Secure Protocol for Remote Exams

This manuscript presents Remark!, an electronic exam protocol which achieves several authentication, (conditional) anonymity, privacy, and verifiability properties without trusted third parties. Remark! is primarily designed for invigilated Internet-based exams but it also fits computer-based exams with candidates taking their exam in classrooms.

Rosario Giustolisi, Gabriele Lenzini, Peter Y. A. Ryan
Remark!: A Secure Protocol for Remote Exams (Transcript of Discussion)

We categorize the security requirements for e-exams into authentication, anonymity and privacy requirements. For instance, we want only the test answers submitted by registered candidates to be accepted. Similarly, we want only registered examiners to be able to evaluate the answers submitted by candidates. As an example of an anonymity property, we define anonymous marking, which means that no one can learn the link between a candidate and the answer she submitted. For instance, it is interesting to find out how to guarantee anonymity and authentication properties.

Rosario Giustolisi
Red Queen’s Race: APT Win-Win Game

Advanced persistent threats (APTs) are not only a very prominent buzzword, but often come with a costly impact. A popular approach to dealing with APTs is the kill chain concept. We propose an extension to the kill chain, where the attacker is allowed to continue his attack even after being discovered by defenders. Meanwhile, observing defenders collect valuable intelligence which is to be used to counter future attacks. Benefits and negatives of postponed remediation are presented and related issues are discussed.

Vit Bukac, Vaclav Lorenc, Vashek Matyáš
Red Queen’s Race: APT Win-Win Game (Transcript of Discussion)

Good afternoon, my name is Vit Bukac, and I came here from Masaryk University and from the company Honeywell. I will not be presenting a full piece of research; instead I will be presenting an idea. I would like your cooperation in making this idea real and changing it into some working theory. I will be talking about so-called advanced persistent threats.

Vit Bukac
Non-collaborative Attackers and How and Where to Defend Flawed Security Protocols (Extended Version)

Security protocols are often found to be flawed after their deployment. We present an approach that aims at the neutralization or mitigation of the attacks to flawed protocols: it avoids the complete dismissal of the interested protocol and allows honest agents to continue to use it until a corrected version is released. Our approach is based on the knowledge of the network topology, which we model as a graph, and on the consequent possibility of creating an interference to an ongoing attack of a Dolev-Yao attacker, by means of non-collaboration actuated by ad-hoc benign attackers that play the role of network guardians. Such guardians, positioned in strategical points of the network, have the task of monitoring the messages in transit and discovering at runtime, through particular types of inference, whether an attack is ongoing, interrupting the run of the protocol in the positive case. We study not only how but also where we can attempt to defend flawed security protocols: we investigate the different network topologies that make security protocol defense feasible and illustrate our approach by means of concrete examples.

Michele Peroli, Luca Viganò, Matteo Zavatteri
Non-collaborative Attackers and How and Where to Defend Vulnerable Security Protocols (Transcript of Discussion)

Welcome back from the coffee break. Let me start by saying that this is joint work with two PhD students of mine at the University of Verona: Michele Peroli, who is in the audience, and Matteo Zavatteri. In the meantime, I have left Verona and am now at King’s College London, but we are still working together of course. I will also mention some of the previous work that we did with Maria-Camilla Fiazza, who is working at the University of Verona. In fact, she is working in robotics. I don’t know if I will have time to mention the collaboration that we did in detail at the end of the talk, but I would be most happy to tell you about how we can use at least some of the results that are common to robotics also for security and, in particular, how we can start reasoning about a new paradigm.

Luca Viganò
Dancing with the Adversary: A Tale of Wimps and Giants

The long-standing requirement that system and network designs must include accurate and complete adversary definitions from inception remains unmet on commodity platforms; e.g., on commodity operating systems, network protocols, and applications. A way to provide such definitions is to (1) partition commodity software into “wimps” (i.e., small software components with rather limited function and high-assurance security properties) and “giants” (i.e., large commodity software systems, with low/no assurance of security); and (2) limit the obligation of defining the adversary to wimps while realistically assuming that the giants are adversary controlled. We provide a structure for accurate and complete adversary definitions that yields basic security properties and metrics for wimps. Then we argue that wimps must collaborate (“dance”) with giants, namely compose with adversary code across protection interfaces, and illustrate some of the salient features of the wimp-giant composition. We extend the wimp-giant metaphor to security protocols in networks of humans and computers where compelling services, possibly under the control of an adversary, are offered to unsuspecting users. Although these protocols have safe states whereby a participant can establish temporary beliefs in the adversary’s trustworthiness, reasoning about such states requires techniques from other fields, such as behavioral economics, rather than traditional security and cryptography.

Virgil Gligor
Dancing with the Adversary: A Tale of Wimps and Giants (Transcript of Discussion)

The work reported here is based on some research that I have done with my students Min Suk Kang, Miao Yu, Jun Zhao, and Zongwei Zhou.

Virgil Gligor
Better Authentication: Password Revolution by Evolution

We explore the extent to which we can address three issues with passwords today: the weakness of user-chosen passwords, reuse of passwords across security domains, and the revocation of credentials. We do so while restricting ourselves to changing the password verification function on the server, introducing the use of existing key-servers, and providing users with a password management tool. Our aim is to improve the security and revocation of authentication actions with devices and end-points, while minimising changes which reduce ease of use and ease of deployment. We achieve this using one time tokens derived using public-key cryptography and propose two protocols for use with and without an online rendezvous point.

Daniel R. Thomas, Alastair R. Beresford
Better Authentication Password Revolution by Evolution (Transcript of Discussion)

The problem is that passwords are a rubbish way of authenticating, and there has been a lot of work trying to deal with this. One of the problems is that if you have a shared secret scheme then you need a different secret for every pair of things. For every user they need a different secret per thing they are authenticating to. If they have several devices then they need one set of these per device as well, so that if one of them is compromised then you don’t lose everything. However revocation and key management are then difficult. The problem with passwords is that you still have to use them because lots of things require a password input, and it’s hard to change that.

Daniel R. Thomas
Collaborating with the Enemy on Network Management

Software Defined Networking (SDN) deconstructs the current routing infrastructure into a small number of controllers, which are general purpose computers, and a large number of switches which are programmable forwarding engines. It is already deployed in data centres, where it offers considerable advantages of both cost and flexibility over a switching fabric of traditional routers. Such applications have a single controlling organisation and issues of trust between subdomains do not really arise. However for SDN to fulfil its potential, it is necessary to design and develop mechanisms for smart networks with mutually mistrustful principals.

In an earlier paper, we used as an example an airport where we might have 100,000 staff working for 3,000 different firms which include not just competitors but also organisations in a state of conflict (for example, El Al and Iran Air). That paper discussed using hierarchical control structures to delegate trust with mechanisms focussed on preventing denial-of-service attacks, with the assumption that confidentiality and integrity would be provided by the principals at higher layers. But this turns out to be a quagmire. Can you run your app and your enemy’s app on the same controllers of the same fabric, and get a passable separation of behaviour on private networks that run over the same switches? And can all this be done without a trusted root anywhere?

This paper reports a project to build a test environment that adapts Quagga so that a software defined network can be automatically configured using information learned from BGP. Our Quagga for SDN Module, “QuaSM”, is designed to support the use of SDN in three further use cases: in a network exchange point, in an organisation seeking to join up two or more SDN islands using an existing BGP fabric; and in security research on virtual networking.

Chris Hall, Dongting Yu, Zhi-li Zhang, Jonathan Stout, Andrew Odlyzko, Andrew W. Moore, Jean Camp, Kevin Benton, Ross Anderson
Collaborating with the Enemy on Network Management (Transcript of Discussion)

This talk is about collaborating with the enemy. Last year at the Protocols Workshop we talked about software defined networks, and this is an exciting new technology which is being deployed in data centres. The idea is that you can take a router which costs a million dollars and you can split it up into a commodity PC running some control software, and a number of switching cards that are also commodities. And you can potentially make a whole lot of stuff software that up to now was custom Cisco stuff or Juniper stuff, and not very accessible. This has got traction because if you are someone like Google you could save an enormous amount of money on all the routers in your data centres. The question is whether you can do something more interesting and exciting with it, and use it in more difficult environments. Last year we talked about whether you could use software defined networks in a complex multi-tenanted environment, like Heathrow, where you have got over a hundred thousand badged staff working for three thousand different companies. How do you manage all the cross-domain trust issues involved, if you have got both El Al and Iran Air among your tenants at your airport?

Ross Anderson, Chris Hall
Bootstrapping Adoption of the Pico Password Replacement System

In previous work we presented Pico, an authentication system designed to be both more usable and more secure than passwords. One unsolved problem was that Pico, in its quest to explore the whole solution space without being bound by compatibility shackles, requires changes at both the prover and the verifier, which makes it hard to convince anyone to adopt it: users won’t buy an authentication gadget that doesn’t let them log into anything and service providers won’t support a system that no users are equipped to log in with. In this paper we present three measures to break this vicious circle, starting with the “Pico Lens” browser add-on that rewrites websites on the fly so that they appear Pico-enabled. Our add-on offers the user most (though not all) of the usability and security benefits of Pico, thus fostering adoption from users even before service providers are on board. This will enable Pico to build up a user base. We also developed a server-side Wordpress plugin which can serve both as a reference example and as a useful enabler in its own right (as Wordpress is one of the leading content management platforms on the web). Finally, we developed a software version of the Pico client running on a smartphone, the Pico App, so that people can try out Pico (at the price of slightly reduced security) without having to acquire and carry another gadget. Having broken the vicious circle we’ll be in a stronger position to persuade providers to offer support for Pico in parallel with passwords.

Frank Stajano, Graeme Jenkinson, Jeunese Payne, Max Spencer, Quentin Stafford-Fraser, Chris Warrington
Bootstrapping Adoption of the Pico Password Replacement System (Transcript of Discussion)

I spoke about Pico in 2011 at this workshop. This is not about how to build it, but how to bootstrap adoption of the Pico password replacement system. All the researchers in the Pico team who have contributed to this work, whose names are on this opening slide, are here today. In 2011 Pico was just a dream and I’m very glad now to have been able to recruit people that made this into something real that we want people to actually use.

Frank Stajano
I Bought a New Security Token and All I Got Was This Lousy Phish—Relay Attacks on Visual Code Authentication Schemes

One recent thread of academic and commercial research into web authentication has focused on schemes where users scan a visual code with their smartphone, which is a convenient alternative to password-based login. We find that many schemes in the literature (including, previously, our own) are, unfortunately, vulnerable to relay attacks. We explain the inherent reasons for this vulnerability and offer an architectural fix, evaluating its trade-offs and discussing why it has never been proposed by other authors.

Graeme Jenkinson, Max Spencer, Chris Warrington, Frank Stajano
Relay Attacks on Visual Code Authentication Schemes (Transcript of Discussion)

My name is Max and I’ve been working on the Pico project with Frank and the rest of the team since last summer. We’ve just been hearing about some of the deployability advances we’ve been making with Pico, but I’m going to be talking about some security properties of Pico and similar schemes. Specifically I’m going to be talking about a type of relay attack one could carry out on such schemes, were they in common use, and how we’ve changed the way that Pico works to address this threat.

Max Spencer
Censorship Resistance as a Side-Effect

This position paper presents the following thought experiment: can we build communication protocols that (1) are sufficiently useful that they achieve widespread adoption as general-purpose communication mechanisms and (2) thwart censorship as a consequence of their design? We posit that a useful communication platform that is inherently resistant to traffic analysis, if widely adopted and used primarily for purposes not related to censorship circumvention, may be too politically and economically costly for a government to block.

Henry Tan, Micah Sherr
Censorship Resistance as a Side-Effect (Transcript of Discussion)

This is a thought experiment, which is a euphemism for a half-baked idea, that my wonderful grad student, Henry Tan, and myself have come up with over the last few months. To provide some context, the talk is really about censorship and unblockability, so I’ll start by describing what I mean by that. Suppose we have some user, Alice or Bob, and unfortunately he or she is located in some network that is controlled by a censor.

Henry Tan, Micah Sherr
On the Feasibility of a Technological Response to the Surveillance Morass

We consider mass surveillance from a computer-science perspective. After presenting some objections to the behavior of the US National Security Agency and its counterparts in allied nations (emphasizing technical problems associated with such behavior, rather than political, legal, and social problems), we propose a grass-roots, technological response: decentralized cloud services, facilitated by open-source, decentralized configuration-management tools.

Joan Feigenbaum, Jérémie Koenig
On the Feasibility of a Technological Response to the Surveillance Morass (Transcript of Discussion)

When I read that the theme of this year’s workshop started with “now that all our paranoid dreams of the last 20 years have come true,” I assumed that that meant that this workshop was about the surveillance morass. That’s because I am obsessed with the surveillance morass. Now that I’m here, I realize that, regardless of the official theme, this workshop is about whatever the participants are obsessed with. So I guess Jérémie’s and my paper is in scope.

Joan Feigenbaum, Jérémie Koenig
Strange Bedfellows: How and When to Work with Your Enemy

There are many examples of parties that are seemingly in opposition working together. In this position paper, we explore this in the context of security protocols with an emphasis on how these examples might produce long-term benefits for the “good guys” and how a formal model might be used to help prescribe approaches to collaboration with the “bad guys.”

Aaron D. Jaggard, Rebecca N. Wright
Strange Bedfellows: How and When to Work with Your Enemy (Transcript of Discussion)

This paper contains the presentation and discussion associated with Jaggard and Wright’s paper in this volume “Strange Bedfellows: How and When to Work with Your Enemy”.

Rebecca N. Wright
On the Key Role Intelligence Agencies Can Play to Restore Our Democratic Institutions

After the Snowden leaks, it has become evident that a discussion is needed on how to reorganize the huge intelligence agencies so that they fit a Western thinking and to avoid that they are evolving into a clone of what the KGB and the Stasi used to be. Well before the Snowden leaks, the author had been thinking along this line.

On the 26th of October 2012, at the closed workshop on “Online Security & Civil Rights: a Fine Ethical Balance,” Hertfordshire, UK, the author put forward the idea that modern intelligence agencies should be split. The part which is involved today in mass surveillance should work for the people and no longer for the government. That means that the intelligence agencies should spy on those working in the government and those working for lobbyists. The recipient of this information should be the public at large. The foundation of this idea comes from the Magna Carta and the US Bill of Rights that regard “We the People” as the trustworthy party and the government as potentially corrupt.

In this paper we present the above ideas put forward by the author at the aforementioned 2012 Hertfordshire workshop. We also reflect on these 2012 ideas in the context of the Snowden leaks.

Yvo Desmedt
On the Key Role Intelligence Agencies Can Play to Restore Our Democratic Institutions (Transcript of Discussion)

So I’m going to talk about the key role intelligence agencies can play to restore our democratic institutions. So this talk has a very interesting history. I was invited to a conference, a workshop actually organized by philosophers called the Online Security & Civil Rights: a Fine Ethical Balance in 2012, October 26th to the 27th, here in the UK. It was a workshop on invitation only, and so this means the talk was pre Snowden. Unfortunately the philosophers did not like the talk, and so the talk wasn’t actually one of the invited ones for publication. And I would like to thank basically Bruce for encouraging me to submit the position paper here.

Yvo Desmedt
On Node Capturing Attacker Strategies

In distributed environments, such as wireless networks, a common adversary is considered to take control over a fraction of the nodes and hence to affect the system behaviour. We have examined several key management schemes for wireless sensor networks where the adversary compromises all the secret keys stored on captured nodes. We propose a number of realistic movement strategies that an actual attacker could pursue to capture nodes and examine the fallout of these attack approaches.

Filip Jurnečka, Martin Stehlík, Vashek Matyáš
On Node Capturing Attacker Strategies (Transcript of Discussion)

Hello everyone, and thank you all for coming, even though the dinner is already passed. Today I’m going to be talking about a little bit narrower a topic than the previous talks were. As my latest work focuses on automated evaluation of key management schemes for wireless sensor networks, and this is just a part of that. We have built a framework on top of an existing simulator, and one of the main metrics, or parts, that you want to characterise, to evaluate in a key management scheme is the network resiliency of such a scheme. And usually it’s always considered one kind of attacker, the random attacker strategy of capturing nodes. We thought that, well if I were the attacker I would want to go the most efficient way, and is there some way like that. First, I will give a brief introduction to several things, and then we’ll see the results of the evaluations.

Filip Jurnečka
On the Reliability of Network Measurement Techniques Used for Malware Traffic Analysis

Malware attacks are increasingly popular attack vectors in online crime. As trends and anecdotal evidence show, preventing these attacks, regardless of their opportunistic or targeted nature, has proven difficult: intrusions happen and devices get compromised, even at security-conscious organisations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and that are essential for the successful progression of the attack. In particular, a number of approaches and techniques have been proposed to identify the Command & Control (C2) channel that a compromised system establishes to communicate with its controller. The success of C2 detection approaches depends on collecting relevant network traffic. As traffic volumes increase this is proving increasingly difficult. In this paper, we analyse current approaches of ISP-scale network measurement from the perspective of C2 detection. We discuss a number of weaknesses that affect current techniques and provide suggestions for their improvement.

Joseph Gardiner, Shishir Nagaraja
On the Reliability of Network Measurement Techniques Used for Malware Traffic Analysis (Transcript of Discussion)

Morning everybody. I’m going to talk about work along with my PhD student, Joe Gardiner, who’s sitting here. A while back we surveyed the literature on targeted attacks and defenses, for the CPNI (Centre for the Protection of National Infrastructure, http://www.cpni.gov.uk/advice/cyber/idata/), and we found a number of unsolved challenges in the area. One of them is the challenge of measurement in large scale networks, which this talk is about.

Shishir Nagaraja
Beyond Trust

Risk as studied conventionally and risk as manifested in actuality differ widely both in semantics and content. In this paper we explore the possibility of managing risk without resorting to transitive and compulsive relationships termed as “trust”. We draw an exploitable analogy with the assumptions under which cooperation is observed in repeated strategic games and posit that voluntary cooperation between players with mutually incompatible commitments is indeed possible provided that such cooperation can be promiscuous.

Partha Das Chowdhury, Bruce Christianson
Beyond Trust (Transcript of Discussion)

The motion before us in this workshop is that attackers now control so much of the infrastructure that it’s impossible to do anything without their active cooperation.

Partha Das Chowdhury
Fawkescoin: A Cryptocurrency Without Public-Key Cryptography

We present Fawkescoin, a simple cryptocurrency using no public-key cryptography. Our proposal utilizes the distributed consensus mechanism of Bitcoin but for transactions replaces Bitcoin’s ECDSA signatures with hash-based Guy Fawkes signatures. While this introduces a number of complexities, it demonstrates that a distributed cryptocurrency is in fact possible with only symmetric cryptographic operations with no dramatic loss of efficiency overall and several efficiency gains.

Joseph Bonneau, Andrew Miller
FawkesCoin: A Cryptocurrency Without Public-Key Cryptography (Transcript of Discussion)

This is joint work with Andrew Miller from Maryland. This started as kind of a thought experiment: could we do Bitcoin, or a Bitcoin-like cryptocurrency, without using any public key crypto?

Joseph Bonneau
Backmatter
Metadata

Title: Security Protocols XXII

Edited by: Bruce Christianson, James Malcolm, Vashek Matyáš, Petr Švenda, Frank Stajano, Jonathan Anderson

Copyright year: 2014

Electronic ISBN: 978-3-319-12400-1

Print ISBN: 978-3-319-12399-8

DOI: https://doi.org/10.1007/978-3-319-12400-1