Crypto defenses & real-world system threats - Duo Security

Transcript

1. Crypto Defenses
   and
   Real-World System Threats
   Kenneth White
   @KennWhite
   Duo Security, April 13, 2017
   

   View Slide

2. Focus
   Legends, myths, and the oral tradition
   Threats, threat modeling, and snake oil
   Emerging work
   Parting thoughts
   

   View Slide

3. Cognitive Science/Computational Neuroscience
   ML & signal processing
   Safety-critical system development
   Mission system ops & network defense
   Offense
   Applied crypto engineering
   Open Crypto Audit Project (opencryptoaudit.org)
   My weird path
   

   View Slide

4. Legends, myths, and the oral
   tradition
   

   View Slide

5. We are a misunderstood people
   

   View Slide

6. View Slide

7. View Slide

8. We are a misunderstood people
   

   View Slide

9. View Slide

10. View Slide

11. Humans are the hard part
    

    View Slide

12. View Slide

13. View Slide

14. Not all threats
    are properly modeled
    

    View Slide

15. View Slide

16. View Slide

17. Sometimes the product people
    aren’t helping
    

    View Slide

18. View Slide

19. View Slide

20. View Slide

21. Good UI is crucial
    

    View Slide

22. View Slide

23. “Periodic reminder: Insecure software is
    almost always a management decision.”
    — @halvar6lake
    

    View Slide

24. View Slide

25. Sometimes we have a failure to
    communicate
    

    View Slide

26. View Slide

27. View Slide

28. Things you might not know
    

    View Slide

29. View Slide

30. View Slide

31. View Slide

32. View Slide

33. What is this “Threat Model” of
    which you speak?
    

    View Slide

34. Step 1: Know your adversary
    

    View Slide

35. View Slide

36. Step 1: Know your adversary
    

    View Slide

37. View Slide

38. Step 1: Know your adversary
    

    View Slide

39. View Slide

40. Modeling user behavior is key
    

    View Slide

41. View Slide

42. Consider the limits of mitigation
    

    View Slide

43. View Slide

44. View Slide

45. Sometimes the payoff is totally worth the risk
    

    View Slide

46. Sometimes the payoff is totally worth the risk
    

    View Slide

47. Know your adversary
    

    View Slide

48. View Slide

49. Your threat is probably
    not my threat.
    

    View Slide

50. View Slide

51. Your threat is probably
    not my threat.
    

    View Slide

52. Credit: Geoffrey Moore, Frankie Leon
    

    View Slide

53. Snake Oil:
    Beware the naked man
    offering the shirt
    off his back
    

    View Slide

54. View Slide

55. Snake Oil:
    Beware the naked man
    offering the shirt
    off his back
    

    View Slide

56. “Battle-tested, military-grade encryption”
    

    View Slide

57. View Slide

58. View Slide

59. Humans will always
    game the system
    

    View Slide

60. Humans will always
    game the system
    

    View Slide

61. View Slide

62. View Slide

63. View Slide

64. View Slide

65. View Slide

66. Re-learning History
    

    View Slide

67. View Slide

68. View Slide

69. View Slide

70. View Slide

71. “All versions of Windows”
    

    View Slide

72. Re-learning History
    

    View Slide

73. Re-learning History
    Deserialization Exploits
    

    View Slide

74. Java Deserializa,on RCEs are Everywhere
    https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
    

    View Slide

75. Java Deserializa,on RCEs are Everywhere
    https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-
    Deserialization-Vulnerabilities.pdf Matthias Kaiser
    

    View Slide

76. Re-learning History:
    Deserialization Exploits
    Java Deserializa,on RCEs are
    Everywhere
    

    View Slide

77. View Slide

78. Praetorian
    Root Cause of Compromise Analysis
    Vectors commonly used by a>ackers to
    compromise internal networks aAer achieving
    ini,al access
    Data set includes 100 separate [email protected] test
    engagements spanning 75 unique [email protected]
    https://www.praetorian.com/downloads/report/How%20to%20Dramatically%20Improve
    %20Corporate%20IT%20Security%20Without%20Spending%20Millions%20-%20Praetorian.pdf
    

    View Slide

79. View Slide

80. I was told there would be crypto.
    

    View Slide

81. — Maciej Ceglowski, on the Matasano CryptoPals Challenges
    The crypto problem
    

    View Slide

82. (Some) Crypto Defenses
    Network Transport Encryption
    Disk/Volume Encryption
    File Encryption
    Memory Encryption
    Data-in-Use Encryption
    Hardware Security Modules
    

    View Slide

83. (Some) Crypto Defenses
    Network Transport Encryption
    Disk/Volume Encryption
    File Encryption
    Memory Encryption
    Data-in-Use Encryption
    Hardware Security Modules
    

    View Slide

84. Network Transport Encryption
    SSL, TLS, IPsec, ssh
    Data exposure (confidentiality)
    Network intercept (passive & active)
    Credential theft (authentication)
    Identity theft (authorization)
    Authenticated cipher suites (integrity)
    Past session decrypt (long-lived key capture)
    Data-in-Motion compliance
    

    View Slide

85. View Slide

86. View Slide

87. View Slide

88. View Slide

89. View Slide

90. Network Transport Encryption
    SSL, TLS, IPsec, ssh
    Data Exposure (confidentiality)
    Network intercept (passive & active)
    Credential theft (authentication)
    Identity theft (authorization)
    Authenticated cipher suites (integrity)
    Past session decrypt (long-lived key capture)
    Data-in-Motion Compliance
    

    View Slide

91. The Problem with
    Unauthenticated Block Modes
    

    View Slide

92. The Problem with
    Unauthenticated Block Modes
    “Our new blinky box is awesome!
    It has AES 256!”
    

    View Slide

93. The Problem with
    Unauthenticated Block Modes
    “My new vehicle is awesome!
    It has a V6!”
    

    View Slide

94. The Problem with
    Unauthenticated Block Modes
    

    View Slide

95. The Problem with
    Unauthenticated Block Modes
    

    View Slide

96. Real-world Endpoint SSL/TLS
    

    View Slide

97. Real-world Endpoint SSL/TLS
    §  Apache
    §  Nginx
    §  HAProxy
    §  Go
    §  AWS ELB & CloudFront
    §  CloudFlare
    §  CDNs
    

    View Slide

98. Real-world Endpoint SSL/TLS
    PROTOCOL
    SSL v1
    SSL v2
    SSL v3
    TLS 1.0
    TLS 1.1
    TLS 1.2
    TLS 1.3
    CIPHER
    NULL
    DES
    3DES
    RC4
    Twofish
    Blowfish
    AES
    ChaCha20
    KEYEX
    RSA
    DH
    DHE
    ECDH/E
    MAC
    MD5
    SHA-1
    SHA-256
    SHA-384
    Poly1305
    MODE
    ECB
    CBC
    GCM
    OCB
    CERT
    ECDSA
    RSA
    

    View Slide

99. Real-world Endpoint SSL/TLS
    PROTOCOL
    SSL v1
    SSL v2
    SSL v3
    TLS 1.0
    TLS 1.1
    TLS 1.2
    TLS 1.3
    CIPHER
    NULL
    DES
    3DES
    RC4
    Twofish
    Blowfish
    AES
    ChaCha20
    KEYEX
    RSA
    DH
    DHE
    ECDH/E
    MAC
    MD5
    SHA-1
    SHA-256
    SHA-384
    Poly1305
    MODE
    ECB
    CBC
    GCM
    OCB
    CERT
    ECDSA
    RSA
    

    View Slide

100. Real-world Endpoint SSL/TLS
     PROTOCOL
     SSL v1
     SSL v2
     SSL v3
     TLS 1.0
     TLS 1.1
     TLS 1.2
     TLS 1.3
     CIPHER
     NULL
     DES
     3DES
     RC4
     Twofish
     Blowfish
     AES
     ChaCha20
     KEYEX
     RSA
     DH
     DHE
     ECDH/E
     MAC
     MD5
     SHA-1
     SHA-256
     SHA-384
     Poly1305
     MODE
     ECB
     CBC
     GCM
     OCB
     CERT
     ECDSA
     RSA
     

     View Slide

101. Real-world Endpoint SSL/TLS
     PROTOCOL
     SSL v1
     SSL v2
     SSL v3
     TLS 1.0
     TLS 1.1
     TLS 1.2
     TLS 1.3
     CIPHER
     NULL
     DES
     3DES
     RC4
     Twofish
     Blowfish
     AES
     ChaCha20
     KEYEX
     RSA
     DH
     DHE
     ECDH/E
     MAC
     MD5
     SHA-1
     SHA-256
     SHA-384
     Poly1305
     MODE
     ECB
     CBC
     GCM
     OCB
     CERT
     ECDSA
     RSA
     Also:
     HSTS (strict transport security), HPKP (pinning),
     CT (cert transparency), SNI (virtual hosts)
     

     View Slide

102. CBC is a problem
     

     View Slide

103. CBC is a problem
     

     View Slide

104. CBC is a problem
     

     View Slide

105. CBC is a problem
     

     View Slide

106. CBC is a problem
     

     View Slide

107. CBC is a problem
     Though maybe not your
     (biggest) problem
     

     View Slide

108. CBC is a problem
     Though maybe not your
     (biggest) problem
     “We show that a network attacker who can
     monitor a long-lived Triple-DES HTTPS
     connection between a web browser and a
     website can recover secure HTTP cookies by
     capturing around 785 GB of traffic”
     — SWEET32 team
     

     View Slide

109. CBC is a problem
     Though maybe not your
     (biggest) problem
     “We show that a network attacker who can
     monitor a long-lived Triple-DES HTTPS
     connection between a web browser and a
     website can recover secure HTTP cookies by
     capturing around 785 GB of traffic”
     — SWEET32 team
     

     View Slide

110. Getting good data can be hard
     

     View Slide

111. Getting good data can be hard
     The report’s most glaring flaw is
     the assertion that the TLS FREAK
     vulnerability is among the top 10
     most exploited on the Internet.
     No experienced security
     practitioner believes that FREAK
     is widely exploited.”
     — Dan Guido
     

     View Slide

112. Real-world Endpoint SSL/TLS
     PROTOCOL
     SSL v1
     SSL v2
     SSL v3
     TLS 1.0
     TLS 1.1
     TLS 1.2
     TLS 1.3
     CIPHER
     NULL
     DES
     3DES
     RC4
     Twofish
     Blowfish
     AES
     ChaCha20
     KEYEX
     RSA
     DH
     DHE
     ECDH/E
     MAC
     MD5
     SHA-1
     SHA-256
     SHA-384
     Poly1305
     MODE
     ECB
     CBC
     GCM
     OCB
     CERT
     ECDSA
     RSA
     Also:
     HSTS (strict transport security), HPKP (pinning),
     CT (cert transparency), SNI (virtual hosts)
     

     View Slide

113. Real-world Endpoint SSL/TLS
     PROTOCOL
     SSL v1
     SSL v2
     SSL v3
     TLS 1.0
     TLS 1.1
     TLS 1.2
     TLS 1.3
     CIPHER
     NULL
     DES
     3DES
     RC4
     Twofish
     Blowfish
     AES
     ChaCha20
     KEYEX
     RSA
     DH
     DHE
     ECDH/E
     MAC
     MD5
     SHA-1
     SHA-256
     SHA-384
     Poly1305
     MODE
     ECB
     CBC
     GCM
     OCB
     CERT
     ECDSA
     RSA
     Also:
     HSTS (strict transport security), HPKP (pinning),
     CT (cert transparency), SNI (virtual hosts)
     

     View Slide

114. Real-world Endpoint SSL/TLS
     PROTOCOL
     SSL v1
     SSL v2
     SSL v3
     TLS 1.0
     TLS 1.1
     TLS 1.2
     TLS 1.3
     CIPHER
     NULL
     DES
     3DES
     RC4
     Twofish
     Blowfish
     AES
     ChaCha20
     KEYEX
     RSA
     DH
     DHE
     ECDH/E
     MAC
     MD5
     SHA-1
     SHA-256
     SHA-384
     Poly1305
     MODE
     ECB
     CBC
     GCM
     OCB
     CERT
     ECDSA
     RSA
     Also:
     HSTS (strict transport security), HPKP (pinning),
     CT (cert transparency), SNI (virtual hosts)
     

     View Slide

115. Real-world Endpoint SSL/TLS
     PROTOCOL
     SSL v1
     SSL v2
     SSL v3
     TLS 1.0
     TLS 1.1
     TLS 1.2
     TLS 1.3
     CIPHER
     NULL
     DES
     3DES
     RC4
     Twofish
     Blowfish
     AES
     ChaCha20
     KEYEX
     RSA
     DH
     DHE
     ECDH/E
     MAC
     MD5
     SHA-1
     SHA-256
     SHA-384
     Poly1305
     MODE
     ECB
     CBC
     GCM
     OCB
     CERT
     ECDSA
     RSA
     Also:
     HSTS (strict transport security), HPKP (pinning),
     CT (cert transparency), SNI (virtual hosts)
     

     View Slide

116. TLS 1.3 RFC Draft (v. 19, March 2017)
     

     View Slide

117. TLS 1.3 RFC Draft (v. 19, March 2017)
     MUST implement cipher suite:
     TLS_AES_128_GCM_SHA256
     SHOULD implement cipher suites:
     TLS_AES_256_GCM_SHA384
     TLS_CHACHA20_POLY1305_SHA256
     MUST support [email protected]ficate digital signatures:
     rsa_pkcs1_sha256
     rsa_pss_sha256
     ecdsa_secp256r1_sha256
     MUST support key exchange with curve:
     secp256r1 (NIST P-256)
     SHOULD support key exchange with curve:
     X25519
     

     View Slide

118. TLS 1.3 RFC Draft (v. 19, March 2017)
     MUST implement cipher suite:
     TLS_AES_128_GCM_SHA256
     SHOULD implement cipher suites:
     TLS_AES_256_GCM_SHA384
     TLS_CHACHA20_POLY1305_SHA256
     MUST support [email protected]ficate digital signatures:
     rsa_pkcs1_sha256
     rsa_pss_sha256
     ecdsa_secp256r1_sha256
     MUST support key exchange with curve:
     secp256r1 (NIST P-256)
     SHOULD support key exchange with curve:
     X25519
     

     View Slide

119. My (point-in-time) Advice
     •  Prefer forward secret authen,cated encryp,on with associated data
     (AEAD) mode of opera,on ciphers
     •  If possible, explicitly declare server cipher suites (vs. wildcards):
     –  Key exchange
     –  Cer,ficate type
     –  Symmetric cipher
     –  Mode of opera,on (if block cipher)
     –  Message authen,cator construc,on
     

     View Slide

120. My (point-in-time) Advice
     •  Prefer forward secret authen,cated encryp,on with associated data
     (AEAD) mode of opera,on ciphers (ChaCha20/Poly1305, AES-GCM…)
     •  If possible, explicitly declare server cipher suites (vs. wildcards):
     –  Key exchange (e.g. Ephemeral [email protected] Curve Diffie Hellman)
     –  Cer,ficate type (e.g., ECDSA or RSA)
     –  Symmetric cipher (e.g., ChaCha20, AES 128)
     –  Mode of opera,on (if block cipher, e.g. GCM)
     –  Message authen,cator construc,on or PRF (e.g., SHA256)
     

     View Slide

121. My (point-in-time) Advice
     •  Prefer forward secret authen,cated encryp,on with associated data
     (AEAD) mode of opera,on ciphers
     •  If possible, explicitly declare server cipher suites (vs. wildcards):
     –  Key exchange
     –  Cer,ficate type
     –  Symmetric cipher
     –  Mode of opera,on (if block cipher)
     –  Message authen,cator construc,on or PRF
     Example:
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     

     View Slide

122. My (point-in-time) Advice
     •  Prefer forward secret authen,cated encryp,on with associated data
     (AEAD) mode of opera,on ciphers
     •  If possible, explicitly declare server cipher suites (vs. wildcards):
     –  Key exchange
     –  Cer,ficate type
     –  Symmetric cipher
     –  Mode of opera,on (if block cipher)
     –  Message authen,cator construc,on or PRF
     Example:
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     

     View Slide

123. My (point-in-time) Advice
     These five cipher suites provide broad support for browsers, Android
     and iOS mobile clients, Windows Server 2008 & 2012, and most web
     service endpoints:
     If ECDSA [email protected]ficates
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (0xcca9)
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
     If RSA [email protected]ficates
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 (0xcc14)
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
     

     View Slide

124. TL;DR:
     h_ps://mozilla.github.io/server-side-tls/ssl-config-generator/
     

     View Slide

125. And now, a brief rant
     about VPN services.
     

     View Slide

126. VPNs provide:
     •  A shiAed trust endpoint
     – from tonys-sketchy-hotspot to, say, us-east-1c
     – from TOTES-LEGIT-FREE-WIFI to, say, duosec-mi-
     vpn
     

     View Slide

127. VPNs may provide:
     •  Data confiden,ality, via encryp,on
     – public networks/hotspots
     – cap,ve portals
     – untrusted/hos,le networks (airports, cafes,
     hotels)
     

     View Slide

128. VPNs do not guarantee:
     •  Anonymity
     •  Privacy
     (Certainly while using most browsers on the
     modern public web)
     

     View Slide

129. VPNs do not guarantee:
     •  Anonymity
     •  Privacy
     (Certainly while using most browsers on the
     modern public web)
     

     View Slide

130. (Some) Crypto Defenses
     Network Transport Encryption
     Disk/Volume Encryption
     File Encryption
     Memory Encryption
     Data-in-Use Encryption
     Hardware Security Modules
     

     View Slide

131. Disk/Volume Encryption
     (dmcrypt, BitLocker, FileVault)
     Media: Logical loss of control
     –  3rd party action, gov/civil capture, e-Discovery
     –  Co-tenant sandbox break (/dev/vg/*)
     –  Multi-tenant media reuse (new VMs on volume)
     Media: Physical loss of control
     –  Disk repurpose
     –  Disk/Server theft
     –  Server repurpose/retirement
     Content Repudiation
     Data-at-Rest Compliance
     Confidentiality from service provider
     –  Adversarial admin, incompetence, live VM motion
     

     View Slide

132. (Some) Crypto Defenses
     Network Transport Encryption
     Disk/Volume Encryption
     File Encryption
     Memory Encryption
     Data-in-Use Encryption
     Hardware Security Modules
     

     View Slide

133. Memory Encryption
     Co-tenant sandbox break (hypervisor host)
     Cold boot attacks
     Multi-tenant reuse (/dev/[k]mem/*)
     Live migration snapshots
     

     View Slide

134. (Some) Crypto Defenses
     Network Transport Encryption
     Disk/Volume Encryption
     File Encryption
     Memory Encryption
     Data-in-Use Encryption
     Hardware Security Modules
     

     View Slide

135. Data-in-Use Encryption
     (TDE, FPE, PPE)
     Local filesystem attack
     Blackbox custodian
     Rogue (weak) admin
     

     View Slide

136. (Some) Crypto Defenses
     Network Transport Encryption
     Disk/Volume Encryption
     File Encryption
     Memory Encryption
     Data-in-Use Encryption
     Hardware Security Modules
     

     View Slide

137. Hardware Security Modules
     Key theft
     Signature manipulation
     Token generation
     Key tampering
     

     View Slide

138. (Some) Crypto Defenses
     Network Transport Encryption
     Disk/Volume Encryption
     File Encryption
     Memory Encryption
     Data-in-Use Encryption
     Hardware Security Modules
     

     View Slide

139. Putting it all together
     

     View Slide

140. View Slide

141. View Slide

142. View Slide

143. Then things got weird
     

     View Slide

144. View Slide

145. View Slide

146. Emerging Work
     

     View Slide

147. Verification & formal methods
     

     View Slide

148. View Slide

149. Verification & formal methods
     

     View Slide

150. Verification & formal methods
     - DARPA drone project
     

     View Slide

151. Verification & formal methods
     - DARPA drone project
     - Signal
     

     View Slide

152. Verification & formal methods
     - DARPA drone project
     - Signal
     - Core network stacks
     - BoringSSL
     - s2n
     - CoreCrypto
     - SChannel
     

     View Slide

153. CyberUL Project
     - Peiter (Mudge) & Sarah Zatko
     

     View Slide

154. More goodness
     (lec as an exercise to the reader)
     iOS TLS Inspector tlsinspector.com
     Crypto Challenges cryptopals.com
     Nonce Disrespec,ng Adversaries eprint.iacr.org/2016/475.pdf
     Sco> Helme’s Security Headers securityheaders.io
     Mozilla TLS Observatory tls-observatory.services.mozilla.com
     Lucas Garron (Chrome Team) BadSSL.com
     Thomas Pornin’s BearSSL www.bearssl.org/BearSSL-BSidesEdinburgh2017.pdf
     George Tankersley’s Go CryptoPasta github.com/gtank/cryptopasta
     Bad AV www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf
     Vault www.vaultproject.io
     

     View Slide

155. Some Parting Thoughts
     

     View Slide

156. Revisiting First Principles
     

     View Slide

157. Revisiting First Principles
     Security hygiene
     Trusted supply chain
     Root of trust
     Trust Signals
     

     View Slide

158. Revisiting First Principles
     Security hygiene
     Trusted supply chain
     Root of trust
     Trust Signals
     

     View Slide

159. View Slide

160. View Slide

161. View Slide

162. Humans will always
     game the system
     

     View Slide

163. View Slide

164. This stuff is hard
     

     View Slide

165. View Slide

166. View Slide

167. View Slide

168. I don’t care what anything
     was designed to do.
     I care about what it
     can do.
     

     View Slide

169. I don’t care what anything
     was designed to do.
     I care about what it
     can do.
     

     View Slide

170. View Slide

171. fin
     

     View Slide

172. Ques,ons?
     Twi>er: @kennwhite
     OCAP: opencryptoaudit.org/people
     

     View Slide

173. Refs
     TLS Maturity Model
     https://blog.qualys.com/ssllabs/2015/06/08/introducing-tls-maturity-model
     Malver,sing on track for record year
     http://www.cyphort.com/malvertising-on-pace-for-a-record-breaking-year/
     A>acks on SSL: A Comprehensive study of BEAST, CRIME, TIME,
     BREACH, LUCKY 13 & RC4 Biases
     https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/ssl_attacks_survey.pdf
     DARPA Drone Project
     https://www.wired.com/2016/09/computer-scientists-close-perfect-hack-proof-code/
     A Formal Analysis of the Signal Messaging Protocol
     https://eprint.iacr.org/2016/1013.pdf
     

     View Slide

174. Refs
     The Million Dollar Dissident: NSO Group’s iPhone Zero-Days
     (deserializa,on)
     https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-
     group-uae/
     iPhone 6 kernel exploit analysis (deserializa,on)
     http://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-
     explained.html
     Matasano Crypto Challenges
     https://cryptopals.com/
     https://blog.pinboard.in/2013/04/the_matasano_crypto_challenges/
     Keys Under Doormats (problems with large-scale escrow)
     https://dspace.mit.edu/handle/1721.1/97690
     

     View Slide

175. Refs
     Weak Diffie-Hellman and the Logjam A>ack
     https://weakdh.org/
     Qualys SSL Labs
     https://www.ssllabs.com/ssltest/
     Bulletproof SSL & TLS
     https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
     Mirage TLS Interac,ve Server (pre>y rad)
     https://tls.openmirage.org/
     Adam Langley: Matching primi,ve strengths
     https://www.imperialviolet.org/2014/05/25/strengthmatching.html
     

     View Slide

176. Refs
     House Oversight final report on OPM breach
     https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-
     How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-
     Generation.pdf
     NIST 2016 draA guidance on authen,ca,on (depreca,ng
     arbitrary 90 day password rota,on)
     https://pages.nist.gov/800-63-3/sp800-63b.html
     GCHQ (UK Intel) guidance on passwords (depreca,ng arbitrary
     90 day password rota,on)
     https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/
     458857/Password_guidance_-_simplifying_your_approach.pdf
     Peiter (Mudge) & Sarah Zatko’s Cyber UL
     https://theintercept.com/2016/07/29/a-famed-hacker-is-grading-thousands-of-
     programs-and-may-revolutionize-software-in-the-process/
     

     View Slide