
Dmitry Volkov - Private messengers: without pain??

DC7499
November 10, 2018

2018 is rolling by, and we have two kinds of messengers in store: those with gov't IDs as handles, fancy stickers, and used by everyone, and Jabber. Clearly, the first ones, with their custom military-grade (opt-in) encryption, aren't only useless to get snow, but also harmful to civil society. Why, till when, e2e for the man, what to do now and what to do then: for good folk and red-eyed fringe.


Transcript

  1. [email protected] 231EDDFE DEFCON Moscow XV
     Vectors:
     • Technical, hard, mathy: what crypto we need in precise terms, metadata-leak-minimizing routing, etc.
     • Publicism: what’s the problem, what to do both concretely and generally, why are we where we are, what to do for a better future
     • Politics and social sense
     Plan:
     • “Building a messenger in three easy steps”
     • The Privacy Problem Abridged
     • Untrusting server
     • What To Do Right Tomorrow Morning
     • What To Do After That | A Vision Of Reasonably Better And Very Specific Proposals
     • +°C Untrusting more
     • Fun holes
  2. Messenger v0.1 (telnet)
     Diagram labels: ISP, СОРМ (SORM), РКН (Roskomnadzor)
     Properties: • Confidentiality • Integrity • Authentication
  3. Messenger v1.0
     Diagram labels: ISP, СОРМ, РКН, TLS
     Properties: • Confidentiality • Integrity • Authentication
  4. (same slide as 3)
  5. If, technologically, it is possible to make an impenetrable device or system where the encryption is so strong that there's no key - there's no door at all - then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot? – Barack Obama
  6. Privacy w/o asbestos
     • Privacy Freedom, Private ~ Powerful ⇒
     • Positive right
     • CVC code, passport #, mother’s maiden name
     • “Mere collection of information”
     • Information Abuse (models): gov’t, corp, ind ⇒
     • Knowledge of ^ → Self-censorship
       – → Erosion of std freedoms, i.e. Expression, Assembly, Association
       – “Social credit”
     • Fatalism: just say no; and it’s not about you
     • Concrete examples seem to not help so much
       https://www.abc.net.au/news/2015-08-24/metadata-what-you-found-will-ockenden/6703626
       https://robindoherty.com/2016/01/06/nothing-to-hide.html
     In the 1920s being Jewish in Germany was perfectly legal. Not long after it was not. In the 1930s being Japanese in the USA was perfectly legal. After 1942 it was not. 1947 - “Hollywood Ten”. 2008? - TSC No Fly.
     https://news.ycombinator.com/item?id=4105485
     Doctorow, Schneier
     https://moxie.org/blog/we-should-all-have-something-to-hide/
  7. (same slide as 3)
  8. Messenger v1.0
     Diagram labels: ISP, СОРМ, РКН, TLS; callouts: “I have dataz!”, “I reliez on PKI!”
     Properties: • Confidentiality • Integrity • Authentication
  9. Messenger v1.0
     Diagram labels: ISP, СОРМ, РКН, TLS, HPKP; callouts: “I have dataz!”, “I reliez on PKI!”
     Properties: • Confidentiality • Integrity • Authentication
  10. Messenger v2.0 (Signal)
      Diagram labels: ISP, СОРМ, РКН, TLS, HPKP, e2e, network data; callouts: “I have blobs.”, “I reliez on PKI!”
  11. Messenger v2.0 (Signal)
      Diagram labels: ISP, СОРМ, РКН, TLS, HPKP, e2e, network data; callouts: “I have blobs.”, “I reliez on PKI!”
      • Only specific case
      • Metadata
  12. NaCl / libsodium (Haskell, saltine bindings):

      {-# LANGUAGE OverloadedStrings #-}
      import Crypto.Saltine (sodiumInit)
      import Crypto.Saltine.Core.Box (newKeypair, newNonce, box, boxOpen)

      main :: IO ()
      main = do
        _ <- sodiumInit                        -- initialise libsodium before generating keys
        (skA, pkA) <- newKeypair               -- A's key pair; saltine 0.1.x returns (SecretKey, PublicKey), 0.2+ a Keypair record
        (skB, pkB) <- newKeypair               -- B's key pair
        n <- newNonce                          -- fresh random nonce; never reuse one for the same key pair
        let ciphertext = box pkA skB n "mow"   -- B encrypts to A and authenticates with skB
        print (boxOpen pkB skA n ciphertext)   -- A opens with pkB and skA; prints Just "mow"
  13. Only specific case
      • Search
      • Aggregation
      • Compression
      • Anything you could want in a normal client-server application
      https://eprint.iacr.org/curr/
      Homomorphic encryption, SGX: DON’T WORK
  14. Metadata
      Diagram labels: ISP, СОРМ, РКН, TLS, HPKP, e2e, network data; callouts: “I have blobs.”, “I reliez on PKI!”, “Me loggin’ dem packezz”, “Me loggn’ app-specific datas! User1→user2 at t!”
      https://secushare.org/2011-FSW-Scalability-Paranoia
  15. Metadata
      • “Who, to whom, when”
      • Information exchange graph * t
      • Social graph * t
      • Juicy to connect to other info, like phone numbers → cell towers → position
      • You using a burner phone doesn’t help ‘cause social graph
      Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content. – NSA General Counsel Stewart Baker
      We kill people based on metadata. – CIA General Michael Hayden
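Added example (not part of the deck): what the logging server of slide 14 can reconstruct from “user1→user2 at t” records alone, and why the burner handle of slide 15 gets linked back through the social graph. The log, the handles and the overlap threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed metadata log: what "Me loggn' app-specific datas!" records.
# The server never sees message bodies (e2e), only (sender, recipient, time).
LOG = [
    ("alice", "bob",   "2018-11-10T09:01"),
    ("alice", "carol", "2018-11-10T09:05"),
    ("bob",   "alice", "2018-11-10T09:06"),
    ("dave",  "erin",  "2018-11-10T10:00"),
    ("carol", "alice", "2018-11-10T10:30"),
    # Next day alice uses a fresh handle (a burner) and talks to the same people.
    ("burner-7f3", "bob",        "2018-11-11T09:02"),
    ("burner-7f3", "carol",      "2018-11-11T09:04"),
    ("carol",      "burner-7f3", "2018-11-11T09:10"),
]

def social_graph(log):
    """Undirected contact sets per handle: the slide's 'social graph'."""
    graph = defaultdict(set)
    for src, dst, _ in log:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph

def link_candidates(graph, handle, min_jaccard=0.5):
    """Other handles whose contact set overlaps this one's (direct contacts excluded).
    High overlap is exactly why a burner handle does not hide who is behind it."""
    mine = graph[handle]
    hits = []
    for other, contacts in graph.items():
        if other == handle or other in mine:
            continue
        union = mine | contacts
        score = len(mine & contacts) / len(union) if union else 0.0
        if score >= min_jaccard:
            hits.append((other, round(score, 2)))
    return sorted(hits, key=lambda h: -h[1])

def active_hours(log, handle):
    """'Graph * t': the hours a handle is active, from timestamps alone."""
    return sorted({datetime.fromisoformat(t).hour
                   for src, dst, t in log if handle in (src, dst)})
```

Content encryption changes nothing here; only routing that hides the sender/recipient pair (slides 25 and 26) shrinks what this server can log.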
  16. WhatsApp
      • E2E with “return True” device verification
      • Leaks contacts
      • Proprietary (i.e. unsecure and only available on blessed platforms)
      • Facebook
  17. Telegram
      • Unsecure by default
      • Secret chats can’t really be used
      • Phone#s
      • Stores contacts in plain-text
      • Weird crypto
        • https://news.ycombinator.com/item?id=6936539
        • https://habr.com/post/206900/
        • https://eprint.iacr.org/2015/1177
      • Doesn’t guarantee ordering
  18. Skype
      • http://habrahabr.ru/post/133555/
      • https://twitter.com/navalny/status/268645779219030016
      • http://community.skype.com/t5/Security-Privacy-Trust-and/Vulnerability-allows-to-permanently-delete-any-skype-account-by/td-p/4222445
      • https://windowsreport.com/recognize-sign-in-details-skype-windows-10/
      @zhovner
  19. XMPP
      • UX very much
      • Lack of coordination at times, OTR / OMEMO
      • Doesn’t build reliability in
      • /me hasn’t seen working AV in a few years
      • “Advanced” features require work to work
  20. /
  21. (table, extracted column by column)
      Mainstream: Viber, WhatsApp, Skype, etc. | Activists: XMPP | Fringe: IRC over Tor?, XMPP, Tox
      Mainstream: Signal/Wire, Matrix | Activists: Matrix, XMPP | Fringe: XMPP, Briar
      WhatsApp Signal Telegram Matrix, Wire XMPP Matrix XMPP XMPP (Conversations.im, Dino.im) IRC/Tor Briar
      Transient chats | Secret chats (journalists) | General tech-y | General “I don’t have a computer”
      Unsustainable?
  22. Sociohistoric context
      • Unregulated. Ish. “Mass media”?
      • External funding, by parent company or investors; exceptions few (Threema)
      • Lowest common denominator isn’t worth much
      • Corps want walled gardens
      • Govts want censorship & surveillance
      • Enthusiasts have limited time and coordination
      • Innovators want money and cheap PR, not public good
      • Tools have narratives and agendas
      • YA “Tragedy of commons”
  23. (same slide as 15)
  24. (same slide as 14)
  25. Solving (for) metadata
      • Strategy: encrypt and obfuscate every thing not on a trusted device
      • In transit and at rest
      • Open or closed network?
  26. Solving metadata: transit
      1) Cover traffic
      2) Framing
      3) Mixnets
      4) Unpredictable routing
      Tor doesn’t solve all problems, but “the solution” seems conceivable (some would argue existing)
      https://www.schneier.com/blog/archives/2011/03/detecting_words.html
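Added example (not part of the deck): items 1) cover traffic and 2) framing from slide 26, simulated in Python so the on-path view of an active and an idle client can be compared. The frame size, the tick schedule and the length-prefix layout are assumptions; per-frame encryption (e.g. the NaCl box of slide 12) is assumed to wrap each frame and is not shown.

```python
import os

FRAME = 256   # fixed wire size of every frame (assumed value)
TICKS = 6     # send slots simulated per client (assumed schedule)

def naive_send(messages):
    """No framing, no cover traffic: the observer sees true sizes at true times."""
    return [(t, len(m)) for t, m in sorted(messages.items())]

def framed_send(messages, ticks=TICKS):
    """One FRAME-byte frame every tick, whether or not there is anything to say.
    Layout (assumed): 2-byte big-endian payload length, payload, random padding.
    A zero length marks a dummy (cover) frame. In a real system the whole frame
    is then encrypted, so the prefix and padding are opaque on the wire."""
    wire = []
    for t in range(ticks):
        payload = messages.get(t, b"")
        if len(payload) > FRAME - 2:
            raise ValueError("message must be fragmented across frames")
        frame = len(payload).to_bytes(2, "big") + payload
        frame += os.urandom(FRAME - len(frame))
        wire.append((t, frame))
    return wire

def observer_view(wire):
    """What an on-path logger (the ISP of the slides) records: (time, size) per frame."""
    return [(t, len(frame)) for t, frame in wire]

def receive(wire):
    """Receiver side: drop dummy frames, strip the padding, return the real messages."""
    messages = {}
    for t, frame in wire:
        n = int.from_bytes(frame[:2], "big")
        if n:
            messages[t] = frame[2:2 + n]
    return messages

def leaks_activity(messages):
    """True when the observer can tell this client apart from an idle one."""
    return observer_view(framed_send(messages)) != observer_view(framed_send({}))
```

The size/timing channel this closes is the one the linked Schneier post describes; who talks to whom is still visible to the first hop, which is what mixnets and unpredictable routing (items 3 and 4) address.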
  27. Solving metadata: rest
      • Users’ devices and non-users’
      • A “classical” server clearly doesn’t cut it (moreso a VPS from BigUSCo)
      • More servers – more trouble
      • One solution: SGX
      https://signal.org/blog/private-contact-discovery/
  28. Solving metadata: rest
      • Users’ devices and non-users’
      • A “classical” server clearly doesn’t cut it (moreso a VPS from BigUSCo)
      • More servers – more trouble
      • One solution: SGX
      • Other solution: P2P*
      https://signal.org/blog/private-contact-discovery/
  29. The Vision
      • Centralization is doomed to fail;
      • Federation* is doomed to centralize;
      • Only Swarm prevails.
      *“Classical”, like email or XMPP
  30. The Vision
      • Open P2P doesn’t work;
      • Should work;
      • Gotta get there.
  31. The Vision
      • To: make F2F work effortlessly,
      • And plan for P2P,
      • But remember and use CAP.
  32. The Vision
      ∧ Secure ∧ No centralized auth ∧ Log sync ∧ E2E ∧ AV ∧ Files ∧ FS ∧ Rooms ∧ FLOSS ∧ Simple clients ∧ Servers are, but unnecessary ∧ Self-hosting made great again
      https://github.com/ChALkeR/whinings/blob/9b960462bc2de685f118f0ccb46095aeeda99e01/Instant-messaging.md (abridged)
      Mobile devices: if no direct connection, then their “guard” through the very same net level as S2S, but tweaked for power (i.e. less cover traffic)
  33. The Vision
      • Beyond messaging: applications
      • v0: trusted servers (better than now ‘cause they belong to users)
      • vN: new crypto and data structures galore
  34. vN example: Tinder’
      • Secure dot product: https://grothoff.org/christian/habil.pdf, p7.4
      • Symmetric smth ZK with blind arbiter: @chalker
  35. (word cloud of GNUnet subsystem names) voting consensus identity cadet secretsharing set dht core block fs datastore ats nse datacache peerinfo hello transport exit tun dnsstub vpn regex pt dns dnsparser gnsrecord zonemaster namestore gns revocation conversation speaker microphone nat fragmentation topology hostlist scalarproduct secushare social multicast psyc psycstore rps
  36. (table, extracted column by column)
      WhatsApp Signal Telegram Matrix, Wire XMPP Matrix XMPP XMPP (Conversations.im, Dino.im) IRC/Tor Briar
      Transient chats | Secret chats (journalists) | General tech-y | General “I don’t have a computer”
      https://docs.google.com/spreadsheets/d/1-UlA4-tslROBDS9IqHalWVztqZo7uxlCeKPQ-8uoFOU/edit
      https://github.com/ChALkeR/whinings/blob/9b960462bc2de685f118f0ccb46095aeeda99e01/Instant-messaging.md
  37. Additional time
      • Ones I didn’t mention
      • More on this “new internets” business and applications
      • More on $msg_name
      • Blockchain iNnOvAtIoN
      • Even more speculative ideas (secushare)