Who’s talking to your browser? David Evans Professor of Computer Science University of Virginia [email protected] https://www.cs.virginia.edu/evans Cybersecurity Awareness 7 December 2016
Secure Web Connections 6 Client (Browser) MightBeEvil.org Server Image: https://unsplash.com/@brenomachado How can we know: (1)We are talking to the intended server (2)No one in the middle can observe or alter the content
Symmetric Encryption 8 Jefferson’s Cipher Wheel (1802) “on the periphery of each, and between the black lines, put all the letters of the alphabet, not in their established order, but jumbled, & without order, so that no two shall be alike.”
Modern Symmetric Encryption 9 AES Round 128 or more key bits ~1017 J needed for most efficient possible brute force attack Very inexpensive: instructions built in to most processors
Modern Symmetric Encryption 10 AES Round 128 or more key bits ~1017 J needed for most efficient possible brute force attack Very inexpensive: instructions built in to most processors
Secure Web Connections 11 Client (Browser) MightBeEvil.org Server Image: https://unsplash.com/@brenomachado How can we know: (1)We are talking to the intended server ü No one in the middle can observe or alter the content
Asymmetric (Public Key) Encryption: Confidentiality 12 Encrypt Decrypt Plaintext Ciphertext Plaintext Bob’s Public Key Bob’s Private Key Alice Bob Insecure Channel Asymmetric Crypto: Alice obtains Bob’s Public Key, and can send private messages to Bob.
14 Encrypt Decrypt Plaintext Ciphertext Plaintext Bob’s Public Key Bob’s Private Key Alice Bob Insecure Channel Signatures: Bob’s signs a message with his Private Key; Alice verifies signature with Bob’s Public Key. Asymmetric (Public Key) Encryption: Confidentiality Signatures
Image from http://www.theregister.co.uk/2015/02/22/lenovo_superfish_removal_tool/ (but I think they stole it from Monsters and Aliens) Becoming More Paranoid
42 • Internet explorer connects to a web server on port 443 using SSL. The data is encrypted. • Komodia’s SSL hijacker intercepts the communication and redirects it to Komodia’s Redirector. The channel between the SSL hijacker and the Redirector is encrypted. • At this stage, Komodia’s Redirector can shape the traffic, block it, or redirect it to another website. • Communication between the Redirector and the website is encrypted using SSL. • All data received from the website can be again modified and/or blocked. When data manipulation is done, it is forwarded again to Internet explorer. • The browser displays the SSL lock, and the session will not display any “Certificate warnings”. http://www.komodia.com/products/komodias-ssl-decoderdigestor (in archive.org)
evansuva
codeforeveryone
asial_corp
cbtlibrary
hide2kano
masashi
robinlee
motherhoodinadhd
koheiyoshikawa
martine
.png){kind=avatar}
residentniigata
junyaokabe
sakunao
hursman
jacobian
pauljervisheath
notwaldorf
sferik
chrisshort
chriscoyier
michaelherold
swwweet
speakerdeck
dougneiner