Crypto defenses & real-world system threats - Duo Security

Kenn White

April 13, 2017
Transcript

  1. Crypto Defenses
    and
    Real-World System Threats
    Kenneth White
    @KennWhite
    Duo Security, April 13, 2017

  2. Focus
    Legends, myths, and the oral tradition
    Threats, threat modeling, and snake oil
    Emerging work
    Parting thoughts

  3. Cognitive Science/Computational Neuroscience
    ML & signal processing
    Safety-critical system development
    Mission system ops & network defense
    Offense
    Applied crypto engineering
    Open Crypto Audit Project (opencryptoaudit.org)
    My weird path

  4. Legends, myths, and the oral
    tradition

  5. We are a misunderstood people

  11. Humans are the hard part

  14. Not all threats
    are properly modeled

  17. Sometimes the product people
    aren’t helping

  21. Good UI is crucial

  23. “Periodic reminder: Insecure software is
    almost always a management decision.”
    — @halvar6lake

  25. Sometimes we have a failure to
    communicate

  28. Things you might not know

  33. What is this “Threat Model” of
    which you speak?

  34. Step 1: Know your adversary

  40. Modeling user behavior is key

  42. Consider the limits of mitigation

  45. Sometimes the payoff is totally worth the risk

  47. Know your adversary

  49. Your threat is probably
    not my threat.

  52. Credit: Geoffrey Moore, Frankie Leon

  53. Snake Oil:
    Beware the naked man
    offering the shirt
    off his back

  56. “Battle-tested, military-grade encryption”

  59. Humans will always
    game the system

  66. Re-learning History

  71. “All versions of Windows”

  73. Re-learning History
    Deserialization Exploits

  74. Java Deserialization RCEs are Everywhere
    https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet

  75. Java Deserialization RCEs are Everywhere
    https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
    Matthias Kaiser

  76. Re-learning History:
    Deserialization Exploits
    Java Deserialization RCEs are Everywhere

  78. Praetorian
    Root Cause of Compromise Analysis
    Vectors commonly used by attackers to compromise internal networks after achieving initial access
    Data set includes 100 separate penetration test engagements spanning 75 unique organizations
    https://www.praetorian.com/downloads/report/How%20to%20Dramatically%20Improve%20Corporate%20IT%20Security%20Without%20Spending%20Millions%20-%20Praetorian.pdf

  80. I was told there would be crypto.

  81. — Maciej Ceglowski, on the Matasano CryptoPals Challenges
    The crypto problem

  82. (Some) Crypto Defenses
    Network Transport Encryption
    Disk/Volume Encryption
    File Encryption
    Memory Encryption
    Data-in-Use Encryption
    Hardware Security Modules

  84. Network Transport Encryption
    SSL, TLS, IPsec, ssh
    Data exposure (confidentiality)
    Network intercept (passive & active)
    Credential theft (authentication)
    Identity theft (authorization)
    Authenticated cipher suites (integrity)
    Past session decrypt (long-lived key capture)
    Data-in-Motion compliance

  91. The Problem with
    Unauthenticated Block Modes

  92. The Problem with
    Unauthenticated Block Modes
    “Our new blinky box is awesome!
    It has AES 256!”

  93. The Problem with
    Unauthenticated Block Modes
    “My new vehicle is awesome!
    It has a V6!”

  97. Real-world Endpoint SSL/TLS
    - Apache
    - Nginx
    - HAProxy
    - Go
    - AWS ELB & CloudFront
    - CloudFlare
    - CDNs

  101. Real-world Endpoint SSL/TLS
    PROTOCOL: SSL v1, SSL v2, SSL v3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
    CIPHER: NULL, DES, 3DES, RC4, Twofish, Blowfish, AES, ChaCha20
    KEYEX: RSA, DH, DHE, ECDH/E
    MAC: MD5, SHA-1, SHA-256, SHA-384, Poly1305
    MODE: ECB, CBC, GCM, OCB
    CERT: ECDSA, RSA
    Also:
    HSTS (strict transport security), HPKP (pinning),
    CT (cert transparency), SNI (virtual hosts)

  102. CBC is a problem

  108. CBC is a problem
    Though maybe not your
    (biggest) problem
    “We show that a network attacker who can
    monitor a long-lived Triple-DES HTTPS
    connection between a web browser and a
    website can recover secure HTTP cookies by
    capturing around 785 GB of traffic”
    — SWEET32 team

  111. Getting good data can be hard
    “The report’s most glaring flaw is
    the assertion that the TLS FREAK
    vulnerability is among the top 10
    most exploited on the Internet.
    No experienced security
    practitioner believes that FREAK
    is widely exploited.”
    — Dan Guido

  117. TLS 1.3 RFC Draft (v. 19, March 2017)
    MUST implement cipher suite:
    TLS_AES_128_GCM_SHA256
    SHOULD implement cipher suites:
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    MUST support certificate digital signatures:
    rsa_pkcs1_sha256
    rsa_pss_sha256
    ecdsa_secp256r1_sha256
    MUST support key exchange with curve:
    secp256r1 (NIST P-256)
    SHOULD support key exchange with curve:
    X25519

  120. My (point-in-time) Advice
    •  Prefer forward secret authenticated encryption with associated data
    (AEAD) mode of operation ciphers (ChaCha20/Poly1305, AES-GCM…)
    •  If possible, explicitly declare server cipher suites (vs. wildcards):
    –  Key exchange (e.g. Ephemeral Elliptic Curve Diffie Hellman)
    –  Certificate type (e.g., ECDSA or RSA)
    –  Symmetric cipher (e.g., ChaCha20, AES 128)
    –  Mode of operation (if block cipher, e.g. GCM)
    –  Message authenticator construction or PRF (e.g., SHA256)

  121. My (point-in-time) Advice
    •  Prefer forward secret authenticated encryption with associated data
    (AEAD) mode of operation ciphers
    •  If possible, explicitly declare server cipher suites (vs. wildcards):
    –  Key exchange
    –  Certificate type
    –  Symmetric cipher
    –  Mode of operation (if block cipher)
    –  Message authenticator construction or PRF
    Example:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  123. My (point-in-time) Advice
    These five cipher suites provide broad support for browsers, Android
    and iOS mobile clients, Windows Server 2008 & 2012, and most web
    service endpoints:
    If ECDSA certificates
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (0xcca9)
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    If RSA certificates
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 (0xcc14)
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
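The checks behind the advice above, as an added example that is not code from the talk or from Duo Security: a small Python classifier that splits an IANA-style TLS 1.2 cipher-suite name into the components the "explicitly declare" slide lists (key exchange, certificate type, symmetric cipher, mode, MAC/PRF) and flags any suite that is not forward-secret AEAD, so the CBC entries in the list above surface as the non-AEAD compatibility fallbacks. The function names, the legacy-cipher notes and the sample suite list are this example's own.

```python
"""Check TLS 1.2 cipher-suite names against the "forward-secret AEAD" advice.
Added example, not code from the talk or from Duo Security; the rules are
this example's own reading of the slides, not an official standard."""

MAC_OR_PRF = {"MD5", "SHA", "SHA256", "SHA384"}
MODES = {"CBC", "GCM", "CCM", "POLY1305"}
AEAD_MODES = {"GCM", "CCM", "POLY1305"}
FORWARD_SECRET_KEX = {"ECDHE", "DHE"}
# Legacy ciphers the deck calls out (SWEET32 for 64-bit blocks, RC4 biases).
LEGACY_CIPHERS = {
    "3DES": "64-bit block size (SWEET32 birthday bound)",
    "DES": "56-bit key",
    "RC4": "biased keystream (prohibited by RFC 7465)",
    "NULL": "no encryption at all",
}

# Constructed sample: the ECDSA suites from the slide above plus legacy
# names that a wildcard server config would typically also enable.
SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",    # static RSA: no forward secrecy
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",   # 64-bit block cipher, no PFS
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",  # stream cipher, no AEAD
]


def parse_suite(name):
    """Split e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 into the components
    the slides say to declare: key exchange, certificate type, symmetric
    cipher (plus key size), mode of operation, and MAC/PRF hash."""
    parts = name.split("_")
    if parts[0] != "TLS" or "WITH" not in parts:
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    w = parts.index("WITH")
    kex_parts, rest = parts[1:w], parts[w + 1:]
    kex = kex_parts[0]
    # TLS_RSA_WITH_...: one static RSA key does both key exchange and auth.
    cert = kex_parts[1] if len(kex_parts) > 1 else kex
    mac = rest.pop() if rest[-1] in MAC_OR_PRF else None
    mode = next((t for t in rest if t in MODES), None)
    cipher_tokens = [t for t in rest if t not in MODES]
    key_bits = next((int(t) for t in cipher_tokens if t.isdigit()), None)
    return {"kex": kex, "cert": cert, "cipher": cipher_tokens[0],
            "key_bits": key_bits, "mode": mode, "mac_or_prf": mac}


def assess(name):
    """Return (ok, reasons); ok is True only for forward-secret AEAD suites."""
    s = parse_suite(name)
    reasons = []
    if s["kex"] not in FORWARD_SECRET_KEX:
        reasons.append(f"{s['kex']} key exchange is not forward secret")
    if s["mode"] not in AEAD_MODES:
        reasons.append(f"{s['mode'] or 'stream/none'} is not an AEAD mode")
    if s["cipher"] in LEGACY_CIPHERS:
        reasons.append(f"{s['cipher']}: {LEGACY_CIPHERS[s['cipher']]}")
    if s["mac_or_prf"] == "MD5":
        reasons.append("MD5-based MAC")
    return (not reasons, reasons)


def audit(names):
    """Classify a server's suite list; returns [(name, ok, reasons), ...]."""
    return [(n, *assess(n)) for n in names]
```

Calling `audit(SAMPLE_SUITES)` passes only the three GCM/ChaCha20-Poly1305 entries; every CBC, static-RSA, 3DES and RC4 suite comes back with the reason it fails the advice.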

  124. TL;DR:
    https://mozilla.github.io/server-side-tls/ssl-config-generator/

  125. And now, a brief rant
    about VPN services.

  126. VPNs provide:
    •  A shifted trust endpoint
    – from tonys-sketchy-hotspot to, say, us-east-1c
    – from TOTES-LEGIT-FREE-WIFI to, say, duosec-mi-vpn

  127. VPNs may provide:
    •  Data confidentiality, via encryption
    – public networks/hotspots
    – captive portals
    – untrusted/hostile networks (airports, cafes, hotels)

  128. VPNs do not guarantee:
    •  Anonymity
    •  Privacy
    (Certainly while using most browsers on the
    modern public web)

  131. Disk/Volume Encryption
    (dmcrypt, BitLocker, FileVault)
    Media: Logical loss of control
    –  3rd party action, gov/civil capture, e-Discovery
    –  Co-tenant sandbox break (/dev/vg/*)
    –  Multi-tenant media reuse (new VMs on volume)
    Media: Physical loss of control
    –  Disk repurpose
    –  Disk/Server theft
    –  Server repurpose/retirement
    Content Repudiation
    Data-at-Rest Compliance
    Confidentiality from service provider
    –  Adversarial admin, incompetence, live VM motion

  133. Memory Encryption
    Co-tenant sandbox break (hypervisor host)
    Cold boot attacks
    Multi-tenant reuse (/dev/[k]mem/*)
    Live migration snapshots

  135. Data-in-Use Encryption
    (TDE, FPE, PPE)
    Local filesystem attack
    Blackbox custodian
    Rogue (weak) admin

  137. Hardware Security Modules
    Key theft
    Signature manipulation
    Token generation
    Key tampering

  139. Putting it all together

  143. Then things got weird

  146. Emerging Work

  152. Verification & formal methods
    - DARPA drone project
    - Signal
    - Core network stacks
    - BoringSSL
    - s2n
    - CoreCrypto
    - SChannel

  153. CyberUL Project
    - Peiter (Mudge) & Sarah Zatko

  154. More goodness
    (left as an exercise to the reader)
    iOS TLS Inspector: tlsinspector.com
    Crypto Challenges: cryptopals.com
    Nonce Disrespecting Adversaries: eprint.iacr.org/2016/475.pdf
    Scott Helme’s Security Headers: securityheaders.io
    Mozilla TLS Observatory: tls-observatory.services.mozilla.com
    Lucas Garron (Chrome Team): BadSSL.com
    Thomas Pornin’s BearSSL: www.bearssl.org/BearSSL-BSidesEdinburgh2017.pdf
    George Tankersley’s Go CryptoPasta: github.com/gtank/cryptopasta
    Bad AV: www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf
    Vault: www.vaultproject.io

  155. Some Parting Thoughts

  157. Revisiting First Principles
    Security hygiene
    Trusted supply chain
    Root of trust
    Trust Signals

  162. Humans will always
    game the system

  164. This stuff is hard

  168. I don’t care what anything
    was designed to do.
    I care about what it
    can do.

  171. fin

  172. Questions?
    Twitter: @kennwhite
    OCAP: opencryptoaudit.org/people

  173. Refs
    TLS Maturity Model
    https://blog.qualys.com/ssllabs/2015/06/08/introducing-tls-maturity-model
    Malvertising on track for record year
    http://www.cyphort.com/malvertising-on-pace-for-a-record-breaking-year/
    Attacks on SSL: A Comprehensive study of BEAST, CRIME, TIME,
    BREACH, LUCKY 13 & RC4 Biases
    https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/ssl_attacks_survey.pdf
    DARPA Drone Project
    https://www.wired.com/2016/09/computer-scientists-close-perfect-hack-proof-code/
    A Formal Analysis of the Signal Messaging Protocol
    https://eprint.iacr.org/2016/1013.pdf

  174. Refs
    The Million Dollar Dissident: NSO Group’s iPhone Zero-Days
    (deserialization)
    https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
    iPhone 6 kernel exploit analysis (deserialization)
    http://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html
    Matasano Crypto Challenges
    https://cryptopals.com/
    https://blog.pinboard.in/2013/04/the_matasano_crypto_challenges/
    Keys Under Doormats (problems with large-scale escrow)
    https://dspace.mit.edu/handle/1721.1/97690

  175. Refs
    Weak Diffie-Hellman and the Logjam Attack
    https://weakdh.org/
    Qualys SSL Labs
    https://www.ssllabs.com/ssltest/
    Bulletproof SSL & TLS
    https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
    Mirage TLS Interactive Server (pretty rad)
    https://tls.openmirage.org/
    Adam Langley: Matching primitive strengths
    https://www.imperialviolet.org/2014/05/25/strengthmatching.html

  176. Refs
    House Oversight final report on OPM breach
    https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
    NIST 2016 draft guidance on authentication (deprecating arbitrary 90 day password rotation)
    https://pages.nist.gov/800-63-3/sp800-63b.html
    GCHQ (UK Intel) guidance on passwords (deprecating arbitrary 90 day password rotation)
    https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf
    Peiter (Mudge) & Sarah Zatko’s Cyber UL
    https://theintercept.com/2016/07/29/a-famed-hacker-is-grading-thousands-of-programs-and-may-revolutionize-software-in-the-process/
