Slide 1

Slide 1 text

End-to-End Encryption. Mrinal Wadhwa, Ockam

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

hello

Slide 6

Slide 6 text

0xaf3d…

Slide 7

Slide 7 text

hello

Slide 8

Slide 8 text

0xcdfa…

Slide 9

Slide 9 text

hello

Slide 10

Slide 10 text

hello

Slide 11

Slide 11 text

0x14d8…

Slide 12

Slide 12 text

0x14d8…

Slide 13

Slide 13 text

0x14d8…

Slide 14

Slide 14 text

hello

Slide 15

Slide 15 text

They’re both secure channels. The green one is decoupled from the transport layer, which is why it can be end-to-end.

Slide 16

Slide 16 text

Secure Channels protect en-route data from tampering, forgery and eavesdropping. It’s not just about confidentiality.

Slide 17

Slide 17 text

The STRIDE threat model.

   Threat                   Desired property
S  Spoofing identity        Identification, Authentication
T  Tampering with data      Integrity
R  Repudiation              Non-repudiability (some applications desire the opposite)
I  Information disclosure   Confidentiality
D  Denial of service        Availability
E  Elevation of privilege   Authorization

Slide 18

Slide 18 text

Secure Channels (diagram: Initiator and Responder exchange messages M1 to M5, after which each end holds the Shared Secret)

Slide 19

Slide 19 text

(Diagram: Initiator and Responder exchange messages M1 to M5, after which each end holds the Shared Secret.)

Authenticated Key Exchange: The entities involved use Public Key Cryptography to authenticate each other and agree on a shared secret.

Application Data, Authenticated Encryption: The shared secret is then used as a key in Symmetric Key Cryptography to maintain confidentiality and integrity of application data.

Slide 20

Slide 20 text

(Diagram: Initiator and Responder exchange messages M1 to M5, after which each end holds the Shared Secret.)

Authenticated key exchange: X3DH, SIGMA protocols, Noise Protocol Framework …

Authenticated encryption: AEAD_AES_128_GCM, AEAD_AES_256_GCM, AEAD_AES_128_CCM, AEAD_CHACHA20_POLY1305

Key update: Double Ratchet, Rekey …
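As an added illustration of the two stages in the slides above (this is not code from the talk or from Ockam), here is a minimal Go secure channel: an Ed25519-signed X25519 exchange for authenticated key agreement, then AES-256-GCM, one of the AEADs listed, for application data. It is a teaching skeleton: the Party type, the SHA-256 stand-in for a KDF and the nonce handling are my assumptions, and unlike SIGMA or Noise it does not bind the peers' identities and the full handshake transcript into the derived key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type Party struct { // long-term Ed25519 identity key plus a fresh X25519 ephemeral key
	IDPub  ed25519.PublicKey
	idPriv ed25519.PrivateKey
	eph    *ecdh.PrivateKey
}

func NewParty() *Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	return &Party{IDPub: pub, idPriv: priv, eph: eph}
}

// Offer is a party's handshake message: its ephemeral key, signed by its identity key.
func (p *Party) Offer() (ephPub, sig []byte) {
	ephPub = p.eph.PublicKey().Bytes()
	return ephPub, ed25519.Sign(p.idPriv, ephPub)
}

// Derive authenticates the peer, runs X25519 and hashes the raw secret into a channel key.
func (p *Party) Derive(peerID ed25519.PublicKey, peerEph, sig []byte) ([]byte, error) {
	if len(peerEph) != 32 || !ed25519.Verify(peerID, peerEph, sig) {
		return nil, errors.New("peer authentication failed")
	}
	pk, _ := ecdh.X25519().NewPublicKey(peerEph) // length already checked above
	ss, err := p.eph.ECDH(pk)                     // errors on low-order (all-zero) results
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(ss) // assumption: SHA-256 stands in for a real KDF such as HKDF
	return key[:], nil
}

// AEAD wraps the 32-byte channel key in AES-256-GCM; never reuse a 12-byte nonce under one key.
func AEAD(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
```

A per-direction message counter is the usual nonce source, so that a message sealed by one side cannot be replayed back at it under the same nonce.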

Slide 21

Slide 21 text

All Secure Channel designs are not equal …

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

Implementing an end-to-end secure channel protocol, from scratch, is complex, error prone, and will take more time than application teams can typically dedicate to this problem. But, if we can make it easy …

Slide 28

Slide 28 text

Mutually Authenticated, End-to-End Encrypted Secure Channels enable an application to enforce least-privileged access to commands, data, configuration, machine-learning models, and software updates that are flowing, as messages, between its distributed parts. We can build applications that have a strikingly smaller vulnerability surface.

Slide 29

Slide 29 text

Remove implicit trust in porous network boundaries

Slide 30

Slide 30 text

“A lot of people say their Industrial Control Systems are air-gapped but what they mean is they think they are air-gapped.”
– Andrew Tierney: Pwning an oil rig, DEF CON 27
creativecommons.org/licenses/by/3.0/legalcode
youtube.com/watch?v=JoJ6uzIsQNs

Slide 31

Slide 31 text

Remove implicit trust in porous network boundaries

Slide 32

Slide 32 text

Remove implicit trust in porous network boundaries

Slide 33

Slide 33 text

Lower trust in intermediaries

Slide 34

Slide 34 text

Lower trust in intermediaries

Slide 35

Slide 35 text

Lower trust in intermediaries

Slide 36

Slide 36 text

Lower trust in intermediaries

Slide 37

Slide 37 text

Secure Channels can become considerably more powerful if we decouple them from the transport layer.

Slide 38

Slide 38 text

They’re both secure channels. The green one is decoupled from the transport layer, which is why it can be end-to-end.

Slide 39

Slide 39 text

No content

Slide 40

Slide 40 text

No content

Slide 41

Slide 41 text

No content

Slide 42

Slide 42 text

Ockam is a suite of open source programming libraries that make it simple for distributed applications to dynamically create any number of lightweight, mutually authenticated, end-to-end encrypted, granularly authorized secure channels.

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

github.com/ockam-network/ockam#next-steps
Mrinal Wadhwa, CTO, Ockam
mrinal
🙏 thank you.